Resubmissions

24-08-2023 11:16

230824-nda8msdf8z 10

05-08-2023 22:52

230805-2tn2bsfa82 10

24-07-2023 06:25

230724-g6s6laag35 10

22-07-2023 15:57

230722-tee6wabg5w 10

20-07-2023 23:19

230720-3bb5gsbf5v 10

20-07-2023 23:06

230720-23f23sba63 10

03-02-2021 11:43

210203-6bgge2nfan 10

22-11-2020 06:42

201122-6x1at779dj 10

Analysis

  • max time kernel
    1810s
  • max time network
    1795s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    22-11-2020 06:42

General

  • Target

    Endermanch@Antivirus.exe

  • Size

    2.0MB

  • MD5

    c7e9746b1b039b8bd1106bca3038c38f

  • SHA1

    cb93ac887876bafe39c5f9aa64970d5e747fb191

  • SHA256

    b1369bd254d96f7966047ad4be06103830136629590182d49e5cb8680529ebd4

  • SHA512

    cf5d688f1aec8ec65c1cb91d367da9a96911640c695d5c2d023836ef11e374ff158c152b4b6207e8fcdb5ccf0eed79741e080f1cbc915fe0af3dacd624525724

Score
7/10

Malware Config

Signatures

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 20304 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Endermanch@Antivirus.exe
    "C:\Users\Admin\AppData\Local\Temp\Endermanch@Antivirus.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Program Files directory
    • Modifies Internet Explorer settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1404
    • C:\Windows\SysWOW64\net.exe
      net stop wscsvc
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:808
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop wscsvc
        3⤵
          PID:3844
      • C:\Windows\SysWOW64\net.exe
        net stop winmgmt /y
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:3560
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop winmgmt /y
          3⤵
            PID:3916
        • C:\Windows\SysWOW64\net.exe
          net start winmgmt
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:852
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 start winmgmt
            3⤵
              PID:3732
          • C:\Windows\SysWOW64\net.exe
            net start wscsvc
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:1316
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 start wscsvc
              3⤵
                PID:3340
            • C:\Windows\SysWOW64\Wbem\mofcomp.exe
              mofcomp C:\Users\Admin\AppData\Local\Temp\4otjesjty.mof
              2⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:4092

          Network

          MITRE ATT&CK Matrix ATT&CK v6

          Persistence

          Registry Run Keys / Startup Folder

          1
          T1060

          Defense Evasion

          Modify Registry

          2
          T1112

          Credential Access

          Credentials in Files

          1
          T1081

          Collection

          Data from Local System

          1
          T1005

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\4otjesjty.mof
            MD5

            7fad92afda308dca8acfc6ff45c80c24

            SHA1

            a7fa35e7f90f772fc943c2e940737a48b654c295

            SHA256

            76e19416eb826a27bdcf626c3877cf7812bbe9b62cc2ccc5c2f65461d644246f

            SHA512

            49eed1e1197401cb856064bf7fdbd9f3bc57f3c864d47f509346d44eed3b54757d8c6cdb6254990d21291065f0762d2a1588d09e43c5728f77a420f6a8dcd6ea

          • memory/808-0-0x0000000000000000-mapping.dmp
          • memory/852-2-0x0000000000000000-mapping.dmp
          • memory/1316-3-0x0000000000000000-mapping.dmp
          • memory/3340-5-0x0000000000000000-mapping.dmp
          • memory/3560-1-0x0000000000000000-mapping.dmp
          • memory/3732-8-0x0000000000000000-mapping.dmp
          • memory/3844-6-0x0000000000000000-mapping.dmp
          • memory/3916-7-0x0000000000000000-mapping.dmp
          • memory/4092-4-0x0000000000000000-mapping.dmp