Resubmissions
- 03-07-2024 22:59  240703-2yn7wszhlp  (score 10)
- 03-07-2024 16:13  240703-tn93lsyglf  (score 10)
- 03-07-2024 16:11  240703-tm84xsyfma  (score 10)
- 10-05-2024 16:25  240510-tw1h5shh47  (score 10)
- 24-08-2023 11:16  230824-nda8msdf8z  (score 10)
Analysis
- max time kernel: 1810s
- max time network: 1795s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 22-11-2020 06:42
- Static task: static1
- Behavioral task: behavioral24
- Sample: Endermanch@NavaShield(1).exe
- Resource: win10v20201028
General
- Target:
- Size: 2.0MB
- MD5: c7e9746b1b039b8bd1106bca3038c38f
- SHA1: cb93ac887876bafe39c5f9aa64970d5e747fb191
- SHA256: b1369bd254d96f7966047ad4be06103830136629590182d49e5cb8680529ebd4
- SHA512: cf5d688f1aec8ec65c1cb91d367da9a96911640c695d5c2d023836ef11e374ff158c152b4b6207e8fcdb5ccf0eed79741e080f1cbc915fe0af3dacd624525724
Malware Config
Signatures
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
  - Key created: \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run (process: Endermanch@NavaShield(1).exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\Antivirus = "\"C:\\Program Files (x86)\\AnVi\\avt.exe\" -noscan" (process: Endermanch@NavaShield(1).exe)
- Drops file in Program Files directory (2 IoCs)
  Processes:
  - File created: C:\Program Files (x86)\AnVi\virus.mp3 (process: Endermanch@NavaShield(1).exe)
  - File created: C:\Program Files (x86)\AnVi\splash.mp3 (process: Endermanch@NavaShield(1).exe)
- Modifies Internet Explorer settings (2 IoCs)
  Processes:
  - Key created: \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main (process: Endermanch@NavaShield(1).exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\Use FormSuggest = "Yes" (process: Endermanch@NavaShield(1).exe)
- Runs net.exe
- Suspicious behavior: EnumeratesProcesses (20304 IoCs)
  Processes:
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  - Token: SeSecurityPrivilege (PID 4092, process: mofcomp.exe)
- Suspicious use of FindShellTrayWindow (4 IoCs)
  Processes:
  - PID 1404, process: Endermanch@NavaShield(1).exe (4 entries)
- Suspicious use of SendNotifyMessage (4 IoCs)
  Processes:
  - PID 1404, process: Endermanch@NavaShield(1).exe (4 entries)
- Suspicious use of SetWindowsHookEx (10 IoCs)
  Processes:
  - PID 1404, process: Endermanch@NavaShield(1).exe (10 entries)
- Suspicious use of WriteProcessMemory (27 IoCs)
  Processes (description, pid, process, procid_target; each row recorded 3 times):
  - PID 1404 wrote to memory of 808, 1404 Endermanch@NavaShield(1).exe, target 77
  - PID 1404 wrote to memory of 3560, 1404 Endermanch@NavaShield(1).exe, target 78
  - PID 1404 wrote to memory of 852, 1404 Endermanch@NavaShield(1).exe, target 80
  - PID 1404 wrote to memory of 1316, 1404 Endermanch@NavaShield(1).exe, target 82
  - PID 1404 wrote to memory of 4092, 1404 Endermanch@NavaShield(1).exe, target 85
  - PID 1316 wrote to memory of 3340, 1316 net.exe, target 87
  - PID 808 wrote to memory of 3844, 808 net.exe, target 88
  - PID 3560 wrote to memory of 3916, 3560 net.exe, target 89
  - PID 852 wrote to memory of 3732, 852 net.exe, target 90
Processes
- C:\Users\Admin\AppData\Local\Temp\Endermanch@NavaShield(1).exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Endermanch@NavaShield(1).exe"
  PID: 1404
  Signatures:
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Children:
  - C:\Windows\SysWOW64\net.exe
    Command line: net stop wscsvc
    PID: 808
    Signatures:
    - Suspicious use of WriteProcessMemory
    Children:
    - C:\Windows\SysWOW64\net1.exe
      Command line: C:\Windows\system32\net1 stop wscsvc
      PID: 3844
  - C:\Windows\SysWOW64\net.exe
    Command line: net stop winmgmt /y
    PID: 3560
    Signatures:
    - Suspicious use of WriteProcessMemory
    Children:
    - C:\Windows\SysWOW64\net1.exe
      Command line: C:\Windows\system32\net1 stop winmgmt /y
      PID: 3916
  - C:\Windows\SysWOW64\net.exe
    Command line: net start winmgmt
    PID: 852
    Signatures:
    - Suspicious use of WriteProcessMemory
    Children:
    - C:\Windows\SysWOW64\net1.exe
      Command line: C:\Windows\system32\net1 start winmgmt
      PID: 3732
  - C:\Windows\SysWOW64\net.exe
    Command line: net start wscsvc
    PID: 1316
    Signatures:
    - Suspicious use of WriteProcessMemory
    Children:
    - C:\Windows\SysWOW64\net1.exe
      Command line: C:\Windows\system32\net1 start wscsvc
      PID: 3340
  - C:\Windows\SysWOW64\Wbem\mofcomp.exe
    Command line: mofcomp C:\Users\Admin\AppData\Local\Temp\4otjesjty.mof
    PID: 4092
    Signatures:
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 7fad92afda308dca8acfc6ff45c80c24
- SHA1: a7fa35e7f90f772fc943c2e940737a48b654c295
- SHA256: 76e19416eb826a27bdcf626c3877cf7812bbe9b62cc2ccc5c2f65461d644246f
- SHA512: 49eed1e1197401cb856064bf7fdbd9f3bc57f3c864d47f509346d44eed3b54757d8c6cdb6254990d21291065f0762d2a1588d09e43c5728f77a420f6a8dcd6ea