Overview
overview
10Static
static
10ฺฺฺK...ฺฺ
windows10_x64
ฺฺฺK...ฺฺ
windows10_x64
ฺฺฺK...ฺฺ
windows10_x64
ฺฺฺK...ฺฺ
windows10_x64
7ฺฺฺK...ฺฺ
windows10_x64
ฺฺฺK...ฺฺ
windows10_x64
7ฺฺฺK...ฺฺ
windows10_x64
ฺฺฺK...ฺฺ
windows10_x64
ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
ฺฺฺK...ฺฺ
windows10_x64
6ฺฺฺK...ฺฺ
windows10_x64
ฺฺฺK...ฺฺ
windows10_x64
1ฺฺฺK...ฺฺ
windows10_x64
ฺฺฺK...ฺฺ
windows10_x64
ฺฺฺK...ฺฺ
windows10_x64
8ฺฺฺK...ฺฺ
windows10_x64
ฺฺฺK...ฺฺ
windows10_x64
1ฺฺฺK...ฺฺ
windows10_x64
ฺฺฺK...ฺฺ
windows10_x64
9ฺฺฺK...ฺฺ
windows10_x64
ฺฺฺK...ฺฺ
windows10_x64
ฺฺฺK...ฺฺ
windows10_x64
3ฺฺฺK...ฺฺ
windows10_x64
ฺฺฺK...ฺฺ
windows10_x64
1ฺฺฺK...ฺฺ
windows10_x64
ฺฺฺK...ฺฺ
windows10_x64
ฺฺฺK...ฺฺ
windows10_x64
ฺฺฺK...ฺฺ
windows10_x64
ฺฺฺK...ฺฺ
windows10_x64
7ฺฺฺK...ฺฺ
windows10_x64
ฺฺฺK...ฺฺ
windows10_x64
10Resubmissions
24-08-2023 11:16
230824-nda8msdf8z 1005-08-2023 22:52
230805-2tn2bsfa82 1024-07-2023 06:25
230724-g6s6laag35 1022-07-2023 15:57
230722-tee6wabg5w 1020-07-2023 23:19
230720-3bb5gsbf5v 1020-07-2023 23:06
230720-23f23sba63 1003-02-2021 11:43
210203-6bgge2nfan 1022-11-2020 06:42
201122-6x1at779dj 10Analysis
-
max time kernel
14s -
max time network
31s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
22-11-2020 06:42
Static task
static1
Behavioral task
behavioral1
Sample
Endermanch@000.exe
Resource
win10v20201028
Behavioral task
behavioral2
Sample
Endermanch@7ev3n.exe
Resource
win10v20201028
Behavioral task
behavioral3
Sample
Endermanch@AnViPC2009.exe
Resource
win10v20201028
Behavioral task
behavioral4
Sample
Endermanch@Antivirus.exe
Resource
win10v20201028
Behavioral task
behavioral5
Sample
Endermanch@AntivirusPlatinum.exe
Resource
win10v20201028
Behavioral task
behavioral6
Sample
Endermanch@AntivirusPro2017.exe
Resource
win10v20201028
Behavioral task
behavioral7
Sample
Endermanch@BadRabbit.exe
Resource
win10v20201028
Behavioral task
behavioral8
Sample
Endermanch@Birele.exe
Resource
win10v20201028
Behavioral task
behavioral9
Sample
Endermanch@Cerber5.exe
Resource
win10v20201028
Behavioral task
behavioral10
Sample
Endermanch@CleanThis.exe
Resource
win10v20201028
Behavioral task
behavioral11
Sample
Endermanch@ColorBug.exe
Resource
win10v20201028
Behavioral task
behavioral12
Sample
Endermanch@DeriaLock.exe
Resource
win10v20201028
Behavioral task
behavioral13
Sample
Endermanch@Deskbottom.exe
Resource
win10v20201028
Behavioral task
behavioral14
Sample
Endermanch@DesktopPuzzle.exe
Resource
win10v20201028
Behavioral task
behavioral15
Sample
Endermanch@FakeAdwCleaner.exe
Resource
win10v20201028
Behavioral task
behavioral16
Sample
Endermanch@FreeYoutubeDownloader.exe
Resource
win10v20201028
Behavioral task
behavioral17
Sample
Endermanch@HMBlocker.exe
Resource
win10v20201028
Behavioral task
behavioral18
Sample
Endermanch@HappyAntivirus.exe
Resource
win10v20201028
Behavioral task
behavioral19
Sample
Endermanch@Illerka.C.exe
Resource
win10v20201028
Behavioral task
behavioral20
Sample
Endermanch@InternetSecurityGuard.exe
Resource
win10v20201028
Behavioral task
behavioral21
Sample
Endermanch@Koteyka2.exe
Resource
win10v20201028
Behavioral task
behavioral22
Sample
Endermanch@LPS2019.exe
Resource
win10v20201028
Behavioral task
behavioral23
Sample
Endermanch@Movie.mpeg.exe
Resource
win10v20201028
Behavioral task
behavioral24
Sample
Endermanch@NavaShield(1).exe
Resource
win10v20201028
Behavioral task
behavioral25
Sample
Endermanch@NavaShield.exe
Resource
win10v20201028
Behavioral task
behavioral26
Sample
Endermanch@PCDefender.exe
Resource
win10v20201028
Behavioral task
behavioral27
Sample
Endermanch@PCDefenderv2.msi
Resource
win10v20201028
Behavioral task
behavioral28
Sample
Endermanch@PolyRansom.exe
Resource
win10v20201028
Behavioral task
behavioral29
Sample
Endermanch@PowerPoint.exe
Resource
win10v20201028
Behavioral task
behavioral30
Sample
Endermanch@ProgramOverflow.exe
Resource
win10v20201028
Behavioral task
behavioral31
Sample
Endermanch@RegistrySmart.exe
Resource
win10v20201028
Behavioral task
behavioral32
Sample
Endermanch@SE2011.exe
Resource
win10v20201028
Errors
General
-
Target
Endermanch@HMBlocker.exe
-
Size
48KB
-
MD5
21943d72b0f4c2b42f242ac2d3de784c
-
SHA1
c887b9d92c026a69217ca550568909609eec1c39
-
SHA256
2d047b0a46be4da59d375f71cfbd578ce1fbf77955d0bb149f6be5b9e4552180
-
SHA512
04c9fa8358944d01b5fd0b6d5da2669df4c54fe79c58e7987c16bea56c114394173b6e8a6ac54cd4acd081fcbc66103ea6514c616363ba8d212db13b301034d8
Malware Config
Signatures
-
BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
-
Modifies WinLogon to allow AutoLogon 2 TTPs 1 IoCs
Enables rebooting of the machine without requiring login credentials.
Processes:
LogonUI.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoLogonChecked LogonUI.exe -
Adds Run key to start application 2 TTPs 4 IoCs
Processes:
reg.exereg.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\2503326475 = "C:\\Users\\Admin\\2503326475\\2503326475.exe" reg.exe Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\2503326475_del = "cmd /c del \"C:\\Users\\Admin\\AppData\\Local\\Temp\\Endermanch@HMBlocker.exe\"" reg.exe Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run reg.exe -
Drops file in Windows directory 3 IoCs
Processes:
rundll32.exedescription ioc process File opened for modification C:\Windows\infpub.dat rundll32.exe File created C:\Windows\cscc.dat rundll32.exe File created C:\Windows\dispci.exe rundll32.exe -
Modifies data under HKEY_USERS 15 IoCs
Processes:
LogonUI.exedescription ioc process Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" LogonUI.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" LogonUI.exe -
Suspicious behavior: EnumeratesProcesses 7 IoCs
Processes:
wlrmdr.exerundll32.exepid process 2380 wlrmdr.exe 2380 wlrmdr.exe 2380 wlrmdr.exe 4040 rundll32.exe 4040 rundll32.exe 4040 rundll32.exe 4040 rundll32.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
shutdown.exerundll32.exedescription pid process Token: SeShutdownPrivilege 1920 shutdown.exe Token: SeRemoteShutdownPrivilege 1920 shutdown.exe Token: SeShutdownPrivilege 4040 rundll32.exe Token: SeDebugPrivilege 4040 rundll32.exe Token: SeTcbPrivilege 4040 rundll32.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
wlrmdr.exeLogonUI.exepid process 2380 wlrmdr.exe 2140 LogonUI.exe -
Suspicious use of WriteProcessMemory 24 IoCs
Processes:
Endermanch@HMBlocker.execmd.execmd.exerundll32.exerundll32.execmd.exedescription pid process target process PID 3884 wrote to memory of 1920 3884 Endermanch@HMBlocker.exe shutdown.exe PID 3884 wrote to memory of 1920 3884 Endermanch@HMBlocker.exe shutdown.exe PID 3884 wrote to memory of 1920 3884 Endermanch@HMBlocker.exe shutdown.exe PID 3884 wrote to memory of 2060 3884 Endermanch@HMBlocker.exe cmd.exe PID 3884 wrote to memory of 2060 3884 Endermanch@HMBlocker.exe cmd.exe PID 3884 wrote to memory of 2060 3884 Endermanch@HMBlocker.exe cmd.exe PID 3884 wrote to memory of 2440 3884 Endermanch@HMBlocker.exe cmd.exe PID 3884 wrote to memory of 2440 3884 Endermanch@HMBlocker.exe cmd.exe PID 3884 wrote to memory of 2440 3884 Endermanch@HMBlocker.exe cmd.exe PID 2060 wrote to memory of 2584 2060 cmd.exe reg.exe PID 2060 wrote to memory of 2584 2060 cmd.exe reg.exe PID 2060 wrote to memory of 2584 2060 cmd.exe reg.exe PID 2440 wrote to memory of 3164 2440 cmd.exe reg.exe PID 2440 wrote to memory of 3164 2440 cmd.exe reg.exe PID 2440 wrote to memory of 3164 2440 cmd.exe reg.exe PID 3948 wrote to memory of 4040 3948 rundll32.exe rundll32.exe PID 3948 wrote to memory of 4040 3948 rundll32.exe rundll32.exe PID 3948 wrote to memory of 4040 3948 rundll32.exe rundll32.exe PID 4040 wrote to memory of 3664 4040 rundll32.exe cmd.exe PID 4040 wrote to memory of 3664 4040 rundll32.exe cmd.exe PID 4040 wrote to memory of 3664 4040 rundll32.exe cmd.exe PID 3664 wrote to memory of 3508 3664 cmd.exe schtasks.exe PID 3664 wrote to memory of 3508 3664 cmd.exe schtasks.exe PID 3664 wrote to memory of 3508 3664 cmd.exe schtasks.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@HMBlocker.exe"C:\Users\Admin\AppData\Local\Temp\Endermanch@HMBlocker.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\shutdown.exe"C:\Windows\System32\shutdown.exe" /r /t 6 /f2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c REG ADD HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v 2503326475 /t REG_SZ /d "C:\Users\Admin\2503326475\2503326475.exe" /f2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeREG ADD HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v 2503326475 /t REG_SZ /d "C:\Users\Admin\2503326475\2503326475.exe" /f3⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c REG ADD HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce /v 2503326475_del /t REG_SZ /d "cmd /c del \"C:\Users\Admin\AppData\Local\Temp\Endermanch@HMBlocker.exe\"" /f2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeREG ADD HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce /v 2503326475_del /t REG_SZ /d "cmd /c del \"C:\Users\Admin\AppData\Local\Temp\Endermanch@HMBlocker.exe\"" /f3⤵
- Adds Run key to start application
-
C:\Windows\system32\wlrmdr.exe-s -1 -f 2 -t You're about to be signed out -m Windows will shut down in less than a minute. -a 31⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x0 /state0:0xa3ad1055 /state1:0x41c64e6d1⤵
- Modifies WinLogon to allow AutoLogon
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\SysWOW64\rundll32.exe "C:\Windows\infpub.dat",#2 151⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 152⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/c schtasks /Delete /F /TN rhaegal3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Delete /F /TN rhaegal4⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1920-3-0x0000000000000000-mapping.dmp
-
memory/2060-4-0x0000000000000000-mapping.dmp
-
memory/2440-5-0x0000000000000000-mapping.dmp
-
memory/2584-6-0x0000000000000000-mapping.dmp
-
memory/3164-7-0x0000000000000000-mapping.dmp
-
memory/3508-11-0x0000000000000000-mapping.dmp
-
memory/3664-10-0x0000000000000000-mapping.dmp
-
memory/3884-0-0x00000000001E0000-0x00000000001E1000-memory.dmpFilesize
4KB
-
memory/3884-1-0x00000000001E0000-0x00000000001E1000-memory.dmpFilesize
4KB
-
memory/3884-2-0x00000000001E0000-0x00000000001E1000-memory.dmpFilesize
4KB
-
memory/4040-8-0x0000000000000000-mapping.dmp
-
memory/4040-9-0x0000000002820000-0x0000000002888000-memory.dmpFilesize
416KB