Overview
overview
10Static
static
10ฺฺฺK...ฺฺ
windows10_x64
ฺฺฺK...ฺฺ
windows10_x64
ฺฺฺK...ฺฺ
windows10_x64
ฺฺฺK...ฺฺ
windows10_x64
7ฺฺฺK...ฺฺ
windows10_x64
ฺฺฺK...ฺฺ
windows10_x64
7ฺฺฺK...ฺฺ
windows10_x64
ฺฺฺK...ฺฺ
windows10_x64
ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
ฺฺฺK...ฺฺ
windows10_x64
6ฺฺฺK...ฺฺ
windows10_x64
ฺฺฺK...ฺฺ
windows10_x64
1ฺฺฺK...ฺฺ
windows10_x64
ฺฺฺK...ฺฺ
windows10_x64
ฺฺฺK...ฺฺ
windows10_x64
8ฺฺฺK...ฺฺ
windows10_x64
ฺฺฺK...ฺฺ
windows10_x64
1ฺฺฺK...ฺฺ
windows10_x64
ฺฺฺK...ฺฺ
windows10_x64
9ฺฺฺK...ฺฺ
windows10_x64
ฺฺฺK...ฺฺ
windows10_x64
ฺฺฺK...ฺฺ
windows10_x64
3ฺฺฺK...ฺฺ
windows10_x64
ฺฺฺK...ฺฺ
windows10_x64
1ฺฺฺK...ฺฺ
windows10_x64
ฺฺฺK...ฺฺ
windows10_x64
ฺฺฺK...ฺฺ
windows10_x64
ฺฺฺK...ฺฺ
windows10_x64
ฺฺฺK...ฺฺ
windows10_x64
7ฺฺฺK...ฺฺ
windows10_x64
ฺฺฺK...ฺฺ
windows10_x64
10Resubmissions
24-08-2023 11:16
230824-nda8msdf8z 1005-08-2023 22:52
230805-2tn2bsfa82 1024-07-2023 06:25
230724-g6s6laag35 1022-07-2023 15:57
230722-tee6wabg5w 1020-07-2023 23:19
230720-3bb5gsbf5v 1020-07-2023 23:06
230720-23f23sba63 1003-02-2021 11:43
210203-6bgge2nfan 1022-11-2020 06:42
201122-6x1at779dj 10Analysis
-
max time kernel
21s -
max time network
53s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
22-11-2020 06:42
Static task
static1
Behavioral task
behavioral1
Sample
Endermanch@000.exe
Resource
win10v20201028
Behavioral task
behavioral2
Sample
Endermanch@7ev3n.exe
Resource
win10v20201028
Behavioral task
behavioral3
Sample
Endermanch@AnViPC2009.exe
Resource
win10v20201028
Behavioral task
behavioral4
Sample
Endermanch@Antivirus.exe
Resource
win10v20201028
Behavioral task
behavioral5
Sample
Endermanch@AntivirusPlatinum.exe
Resource
win10v20201028
Behavioral task
behavioral6
Sample
Endermanch@AntivirusPro2017.exe
Resource
win10v20201028
Behavioral task
behavioral7
Sample
Endermanch@BadRabbit.exe
Resource
win10v20201028
Behavioral task
behavioral8
Sample
Endermanch@Birele.exe
Resource
win10v20201028
Behavioral task
behavioral9
Sample
Endermanch@Cerber5.exe
Resource
win10v20201028
Behavioral task
behavioral10
Sample
Endermanch@CleanThis.exe
Resource
win10v20201028
Behavioral task
behavioral11
Sample
Endermanch@ColorBug.exe
Resource
win10v20201028
Behavioral task
behavioral12
Sample
Endermanch@DeriaLock.exe
Resource
win10v20201028
Behavioral task
behavioral13
Sample
Endermanch@Deskbottom.exe
Resource
win10v20201028
Behavioral task
behavioral14
Sample
Endermanch@DesktopPuzzle.exe
Resource
win10v20201028
Behavioral task
behavioral15
Sample
Endermanch@FakeAdwCleaner.exe
Resource
win10v20201028
Behavioral task
behavioral16
Sample
Endermanch@FreeYoutubeDownloader.exe
Resource
win10v20201028
Behavioral task
behavioral17
Sample
Endermanch@HMBlocker.exe
Resource
win10v20201028
Behavioral task
behavioral18
Sample
Endermanch@HappyAntivirus.exe
Resource
win10v20201028
Behavioral task
behavioral19
Sample
Endermanch@Illerka.C.exe
Resource
win10v20201028
Behavioral task
behavioral20
Sample
Endermanch@InternetSecurityGuard.exe
Resource
win10v20201028
Behavioral task
behavioral21
Sample
Endermanch@Koteyka2.exe
Resource
win10v20201028
Behavioral task
behavioral22
Sample
Endermanch@LPS2019.exe
Resource
win10v20201028
Behavioral task
behavioral23
Sample
Endermanch@Movie.mpeg.exe
Resource
win10v20201028
Behavioral task
behavioral24
Sample
Endermanch@NavaShield(1).exe
Resource
win10v20201028
Behavioral task
behavioral25
Sample
Endermanch@NavaShield.exe
Resource
win10v20201028
Behavioral task
behavioral26
Sample
Endermanch@PCDefender.exe
Resource
win10v20201028
Behavioral task
behavioral27
Sample
Endermanch@PCDefenderv2.msi
Resource
win10v20201028
Behavioral task
behavioral28
Sample
Endermanch@PolyRansom.exe
Resource
win10v20201028
Behavioral task
behavioral29
Sample
Endermanch@PowerPoint.exe
Resource
win10v20201028
Behavioral task
behavioral30
Sample
Endermanch@ProgramOverflow.exe
Resource
win10v20201028
Behavioral task
behavioral31
Sample
Endermanch@RegistrySmart.exe
Resource
win10v20201028
Behavioral task
behavioral32
Sample
Endermanch@SE2011.exe
Resource
win10v20201028
Errors
General
-
Target
Endermanch@000.exe
-
Size
6.7MB
-
MD5
f2b7074e1543720a9a98fda660e02688
-
SHA1
1029492c1a12789d8af78d54adcb921e24b9e5ca
-
SHA256
4ea1f2ecf7eb12896f2cbf8683dae8546d2b8dc43cf7710d68ce99e127c0a966
-
SHA512
73f9548633bc38bab64b1dd5a01401ef7f5b139163bdf291cc475dbd2613510c4c5e4d7702ecdfa74b49f3c9eaed37ed23b9d8f0064c66123eb0769c8671c6ff
Malware Config
Signatures
-
Disables Task Manager via registry modification
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
Endermanch@000.exedescription ioc process File opened (read-only) \??\J: Endermanch@000.exe File opened (read-only) \??\P: Endermanch@000.exe File opened (read-only) \??\X: Endermanch@000.exe File opened (read-only) \??\O: Endermanch@000.exe File opened (read-only) \??\Q: Endermanch@000.exe File opened (read-only) \??\R: Endermanch@000.exe File opened (read-only) \??\S: Endermanch@000.exe File opened (read-only) \??\V: Endermanch@000.exe File opened (read-only) \??\B: Endermanch@000.exe File opened (read-only) \??\G: Endermanch@000.exe File opened (read-only) \??\H: Endermanch@000.exe File opened (read-only) \??\N: Endermanch@000.exe File opened (read-only) \??\Y: Endermanch@000.exe File opened (read-only) \??\T: Endermanch@000.exe File opened (read-only) \??\A: Endermanch@000.exe File opened (read-only) \??\E: Endermanch@000.exe File opened (read-only) \??\F: Endermanch@000.exe File opened (read-only) \??\I: Endermanch@000.exe File opened (read-only) \??\K: Endermanch@000.exe File opened (read-only) \??\L: Endermanch@000.exe File opened (read-only) \??\M: Endermanch@000.exe File opened (read-only) \??\U: Endermanch@000.exe File opened (read-only) \??\W: Endermanch@000.exe File opened (read-only) \??\Z: Endermanch@000.exe -
Modifies WinLogon 2 TTPs 1 IoCs
Processes:
Endermanch@000.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoRestartShell = "0" Endermanch@000.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
Endermanch@000.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\Desktop\Wallpaper Endermanch@000.exe -
Kills process with taskkill 2 IoCs
Processes:
taskkill.exetaskkill.exepid process 3996 taskkill.exe 2992 taskkill.exe -
Modifies registry class 1 IoCs
Processes:
Endermanch@000.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\icon.ico" Endermanch@000.exe -
Suspicious use of AdjustPrivilegeToken 94 IoCs
Processes:
taskkill.exeEndermanch@000.exetaskkill.exeWMIC.exeWMIC.exedescription pid process Token: SeDebugPrivilege 3996 taskkill.exe Token: SeShutdownPrivilege 3108 Endermanch@000.exe Token: SeCreatePagefilePrivilege 3108 Endermanch@000.exe Token: SeDebugPrivilege 2992 taskkill.exe Token: SeIncreaseQuotaPrivilege 2864 WMIC.exe Token: SeSecurityPrivilege 2864 WMIC.exe Token: SeTakeOwnershipPrivilege 2864 WMIC.exe Token: SeLoadDriverPrivilege 2864 WMIC.exe Token: SeSystemProfilePrivilege 2864 WMIC.exe Token: SeSystemtimePrivilege 2864 WMIC.exe Token: SeProfSingleProcessPrivilege 2864 WMIC.exe Token: SeIncBasePriorityPrivilege 2864 WMIC.exe Token: SeCreatePagefilePrivilege 2864 WMIC.exe Token: SeBackupPrivilege 2864 WMIC.exe Token: SeRestorePrivilege 2864 WMIC.exe Token: SeShutdownPrivilege 2864 WMIC.exe Token: SeDebugPrivilege 2864 WMIC.exe Token: SeSystemEnvironmentPrivilege 2864 WMIC.exe Token: SeRemoteShutdownPrivilege 2864 WMIC.exe Token: SeUndockPrivilege 2864 WMIC.exe Token: SeManageVolumePrivilege 2864 WMIC.exe Token: 33 2864 WMIC.exe Token: 34 2864 WMIC.exe Token: 35 2864 WMIC.exe Token: 36 2864 WMIC.exe Token: SeIncreaseQuotaPrivilege 2864 WMIC.exe Token: SeSecurityPrivilege 2864 WMIC.exe Token: SeTakeOwnershipPrivilege 2864 WMIC.exe Token: SeLoadDriverPrivilege 2864 WMIC.exe Token: SeSystemProfilePrivilege 2864 WMIC.exe Token: SeSystemtimePrivilege 2864 WMIC.exe Token: SeProfSingleProcessPrivilege 2864 WMIC.exe Token: SeIncBasePriorityPrivilege 2864 WMIC.exe Token: SeCreatePagefilePrivilege 2864 WMIC.exe Token: SeBackupPrivilege 2864 WMIC.exe Token: SeRestorePrivilege 2864 WMIC.exe Token: SeShutdownPrivilege 2864 WMIC.exe Token: SeDebugPrivilege 2864 WMIC.exe Token: SeSystemEnvironmentPrivilege 2864 WMIC.exe Token: SeRemoteShutdownPrivilege 2864 WMIC.exe Token: SeUndockPrivilege 2864 WMIC.exe Token: SeManageVolumePrivilege 2864 WMIC.exe Token: 33 2864 WMIC.exe Token: 34 2864 WMIC.exe Token: 35 2864 WMIC.exe Token: 36 2864 WMIC.exe Token: SeIncreaseQuotaPrivilege 4068 WMIC.exe Token: SeSecurityPrivilege 4068 WMIC.exe Token: SeTakeOwnershipPrivilege 4068 WMIC.exe Token: SeLoadDriverPrivilege 4068 WMIC.exe Token: SeSystemProfilePrivilege 4068 WMIC.exe Token: SeSystemtimePrivilege 4068 WMIC.exe Token: SeProfSingleProcessPrivilege 4068 WMIC.exe Token: SeIncBasePriorityPrivilege 4068 WMIC.exe Token: SeCreatePagefilePrivilege 4068 WMIC.exe Token: SeBackupPrivilege 4068 WMIC.exe Token: SeRestorePrivilege 4068 WMIC.exe Token: SeShutdownPrivilege 4068 WMIC.exe Token: SeDebugPrivilege 4068 WMIC.exe Token: SeSystemEnvironmentPrivilege 4068 WMIC.exe Token: SeRemoteShutdownPrivilege 4068 WMIC.exe Token: SeUndockPrivilege 4068 WMIC.exe Token: SeManageVolumePrivilege 4068 WMIC.exe Token: 33 4068 WMIC.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
Endermanch@000.exepid process 3108 Endermanch@000.exe 3108 Endermanch@000.exe -
Suspicious use of WriteProcessMemory 15 IoCs
Processes:
Endermanch@000.execmd.exedescription pid process target process PID 3108 wrote to memory of 2844 3108 Endermanch@000.exe cmd.exe PID 3108 wrote to memory of 2844 3108 Endermanch@000.exe cmd.exe PID 3108 wrote to memory of 2844 3108 Endermanch@000.exe cmd.exe PID 2844 wrote to memory of 3996 2844 cmd.exe taskkill.exe PID 2844 wrote to memory of 3996 2844 cmd.exe taskkill.exe PID 2844 wrote to memory of 3996 2844 cmd.exe taskkill.exe PID 2844 wrote to memory of 2992 2844 cmd.exe taskkill.exe PID 2844 wrote to memory of 2992 2844 cmd.exe taskkill.exe PID 2844 wrote to memory of 2992 2844 cmd.exe taskkill.exe PID 2844 wrote to memory of 2864 2844 cmd.exe WMIC.exe PID 2844 wrote to memory of 2864 2844 cmd.exe WMIC.exe PID 2844 wrote to memory of 2864 2844 cmd.exe WMIC.exe PID 2844 wrote to memory of 4068 2844 cmd.exe WMIC.exe PID 2844 wrote to memory of 4068 2844 cmd.exe WMIC.exe PID 2844 wrote to memory of 4068 2844 cmd.exe WMIC.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@000.exe"C:\Users\Admin\AppData\Local\Temp\Endermanch@000.exe"1⤵
- Enumerates connected drives
- Modifies WinLogon
- Sets desktop wallpaper using registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\windl.bat""2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im explorer.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic useraccount where name='Admin' set FullName='UR NEXT'3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic useraccount where name='Admin' rename 'UR NEXT'3⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\one.rtfMD5
6fbd6ce25307749d6e0a66ebbc0264e7
SHA1faee71e2eac4c03b96aabecde91336a6510fff60
SHA256e152b106733d9263d3cf175f0b6197880d70acb753f8bde8035a3e4865b31690
SHA51235a0d6d91178ec10619cf4d2fd44d3e57aa0266e1779e15b1eef6e9c359c77c384e0ffe4edb2cde980a6847e53f47733e6eacb72d46762066b3541dee3d29064
-
C:\Users\Admin\AppData\Local\Temp\rniw.exeMD5
9232120b6ff11d48a90069b25aa30abc
SHA197bb45f4076083fca037eee15d001fd284e53e47
SHA25670faa0e1498461731f873d3594f20cbf2beaa6f123a06b66f9df59a9cdf862be
SHA512b06688a9fc0b853d2895f11e812c48d5871f2793183fda5e9638ded22fc5dc1e813f174baedc980a1f0b6a7b0a65cd61f29bb16acc6dd45da62988eb012d6877
-
C:\Users\Admin\AppData\Local\Temp\text.txtMD5
9037ebf0a18a1c17537832bc73739109
SHA11d951dedfa4c172a1aa1aae096cfb576c1fb1d60
SHA25638c889b5d7bdcb79bbcb55554c520a9ce74b5bfc29c19d1e4cb1419176c99f48
SHA5124fb5c06089524c6dcd48b6d165cedb488e9efe2d27613289ef8834dbb6c010632d2bd5e3ac75f83b1d8024477ebdf05b9e0809602bbe1780528947c36e4de32f
-
C:\Users\Admin\AppData\Local\Temp\windl.batMD5
a9401e260d9856d1134692759d636e92
SHA14141d3c60173741e14f36dfe41588bb2716d2867
SHA256b551fba71dfd526d4916ae277d8686d83fff36d22fcf6f18457924a070b30ef7
SHA5125cbe38cdab0283b87d9a9875f7ba6fa4e8a7673d933ca05deddddbcf6cf793bd1bf34ac0add798b4ed59ab483e49f433ce4012f571a658bc0add28dd987a57b6
-
memory/2696-23-0x0000000000000000-mapping.dmp
-
memory/2844-4-0x0000000000000000-mapping.dmp
-
memory/2864-10-0x0000000000000000-mapping.dmp
-
memory/2992-7-0x0000000000000000-mapping.dmp
-
memory/3108-16-0x000000000BC60000-0x000000000BC70000-memory.dmpFilesize
64KB
-
memory/3108-0-0x00000000739A0000-0x000000007408E000-memory.dmpFilesize
6.9MB
-
memory/3108-11-0x000000000AD80000-0x000000000AD90000-memory.dmpFilesize
64KB
-
memory/3108-12-0x000000000AD80000-0x000000000AD90000-memory.dmpFilesize
64KB
-
memory/3108-14-0x000000000AD80000-0x000000000AD90000-memory.dmpFilesize
64KB
-
memory/3108-13-0x000000000AD80000-0x000000000AD90000-memory.dmpFilesize
64KB
-
memory/3108-15-0x000000000BC60000-0x000000000BC70000-memory.dmpFilesize
64KB
-
memory/3108-8-0x000000000AD90000-0x000000000AD91000-memory.dmpFilesize
4KB
-
memory/3108-19-0x000000000BC60000-0x000000000BC70000-memory.dmpFilesize
64KB
-
memory/3108-18-0x000000000AD80000-0x000000000AD90000-memory.dmpFilesize
64KB
-
memory/3108-17-0x000000000AD80000-0x000000000AD90000-memory.dmpFilesize
64KB
-
memory/3108-1-0x0000000000B70000-0x0000000000B71000-memory.dmpFilesize
4KB
-
memory/3108-3-0x0000000006000000-0x0000000006001000-memory.dmpFilesize
4KB
-
memory/3996-6-0x0000000000000000-mapping.dmp
-
memory/4068-20-0x0000000000000000-mapping.dmp