Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview
overview
10Static
static
10ฺฺฺK...ฺฺ
windows10_x64
ฺฺฺK...ฺฺ
windows10_x64
ฺฺฺK...ฺฺ
windows10_x64
ฺฺฺK...ฺฺ
windows10_x64
7ฺฺฺK...ฺฺ
windows10_x64
ฺฺฺK...ฺฺ
windows10_x64
7ฺฺฺK...ฺฺ
windows10_x64
ฺฺฺK...ฺฺ
windows10_x64
ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
ฺฺฺK...ฺฺ
windows10_x64
6ฺฺฺK...ฺฺ
windows10_x64
ฺฺฺK...ฺฺ
windows10_x64
1ฺฺฺK...ฺฺ
windows10_x64
ฺฺฺK...ฺฺ
windows10_x64
ฺฺฺK...ฺฺ
windows10_x64
8ฺฺฺK...ฺฺ
windows10_x64
ฺฺฺK...ฺฺ
windows10_x64
1ฺฺฺK...ฺฺ
windows10_x64
ฺฺฺK...ฺฺ
windows10_x64
9ฺฺฺK...ฺฺ
windows10_x64
ฺฺฺK...ฺฺ
windows10_x64
ฺฺฺK...ฺฺ
windows10_x64
3ฺฺฺK...ฺฺ
windows10_x64
ฺฺฺK...ฺฺ
windows10_x64
1ฺฺฺK...ฺฺ
windows10_x64
ฺฺฺK...ฺฺ
windows10_x64
ฺฺฺK...ฺฺ
windows10_x64
ฺฺฺK...ฺฺ
windows10_x64
ฺฺฺK...ฺฺ
windows10_x64
7ฺฺฺK...ฺฺ
windows10_x64
ฺฺฺK...ฺฺ
windows10_x64
10Resubmissions
03/07/2024, 22:59 UTC
240703-2yn7wszhlp 1003/07/2024, 16:13 UTC
240703-tn93lsyglf 1003/07/2024, 16:11 UTC
240703-tm84xsyfma 1010/05/2024, 16:25 UTC
240510-tw1h5shh47 1024/08/2023, 11:16 UTC
230824-nda8msdf8z 10Analysis
-
max time kernel
1795s -
max time network
1350s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
22/11/2020, 06:42 UTC
Static task
static1
Behavioral task
behavioral1
Sample
Endermanch@000.exe
Resource
win10v20201028
windows10_x64
Behavioral task
behavioral2
Sample
Endermanch@7ev3n.exe
Resource
win10v20201028
windows10_x64
Behavioral task
behavioral3
Sample
Endermanch@AnViPC2009.exe
Resource
win10v20201028
windows10_x64
Behavioral task
behavioral4
Sample
Endermanch@Antivirus.exe
Resource
win10v20201028
windows10_x64
Behavioral task
behavioral5
Sample
Endermanch@AntivirusPlatinum.exe
Resource
win10v20201028
windows10_x64
Behavioral task
behavioral6
Sample
Endermanch@AntivirusPro2017.exe
Resource
win10v20201028
windows10_x64
Behavioral task
behavioral7
Sample
Endermanch@BadRabbit.exe
Resource
win10v20201028
windows10_x64
Behavioral task
behavioral8
Sample
Endermanch@Birele.exe
Resource
win10v20201028
windows10_x64
Behavioral task
behavioral9
Sample
Endermanch@Cerber5.exe
Resource
win10v20201028
windows10_x64
Behavioral task
behavioral10
Sample
Endermanch@CleanThis.exe
Resource
win10v20201028
windows10_x64
Behavioral task
behavioral11
Sample
Endermanch@ColorBug.exe
Resource
win10v20201028
windows10_x64
Behavioral task
behavioral12
Sample
Endermanch@DeriaLock.exe
Resource
win10v20201028
windows10_x64
Behavioral task
behavioral13
Sample
Endermanch@Deskbottom.exe
Resource
win10v20201028
windows10_x64
Behavioral task
behavioral14
Sample
Endermanch@DesktopPuzzle.exe
Resource
win10v20201028
windows10_x64
Behavioral task
behavioral15
Sample
Endermanch@FakeAdwCleaner.exe
Resource
win10v20201028
windows10_x64
Behavioral task
behavioral16
Sample
Endermanch@FreeYoutubeDownloader.exe
Resource
win10v20201028
windows10_x64
Behavioral task
behavioral17
Sample
Endermanch@HMBlocker.exe
Resource
win10v20201028
windows10_x64
Behavioral task
behavioral18
Sample
Endermanch@HappyAntivirus.exe
Resource
win10v20201028
windows10_x64
Behavioral task
behavioral19
Sample
Endermanch@Illerka.C.exe
Resource
win10v20201028
windows10_x64
Behavioral task
behavioral20
Sample
Endermanch@InternetSecurityGuard.exe
Resource
win10v20201028
windows10_x64
Behavioral task
behavioral21
Sample
Endermanch@Koteyka2.exe
Resource
win10v20201028
windows10_x64
Behavioral task
behavioral22
Sample
Endermanch@LPS2019.exe
Resource
win10v20201028
windows10_x64
Behavioral task
behavioral23
Sample
Endermanch@Movie.mpeg.exe
Resource
win10v20201028
windows10_x64
Behavioral task
behavioral24
Sample
Endermanch@NavaShield(1).exe
Resource
win10v20201028
windows10_x64
Behavioral task
behavioral25
Sample
Endermanch@NavaShield.exe
Resource
win10v20201028
windows10_x64
Behavioral task
behavioral26
Sample
Endermanch@PCDefender.exe
Resource
win10v20201028
windows10_x64
Behavioral task
behavioral27
Sample
Endermanch@PCDefenderv2.msi
Resource
win10v20201028
windows10_x64
Behavioral task
behavioral28
Sample
Endermanch@PolyRansom.exe
Resource
win10v20201028
windows10_x64
Behavioral task
behavioral29
Sample
Endermanch@PowerPoint.exe
Resource
win10v20201028
windows10_x64
Behavioral task
behavioral30
Sample
Endermanch@ProgramOverflow.exe
Resource
win10v20201028
windows10_x64
Behavioral task
behavioral31
Sample
Endermanch@RegistrySmart.exe
Resource
win10v20201028
windows10_x64
Behavioral task
behavioral32
Sample
Endermanch@SE2011.exe
Resource
win10v20201028
windows10_x64
General
-
Target
Endermanch@AntivirusPro2017.exe
-
Size
816KB
-
MD5
7dfbfba1e4e64a946cb096bfc937fbad
-
SHA1
9180d2ce387314cd4a794d148ea6b14084c61e1b
-
SHA256
312f082ea8f64609d30ff62b11f564107bf7a4ec9e95944dfd3da57c6cdb4e94
-
SHA512
f47b05b9c294688811dd72d17f815cce6c90f96d78f6835804d5182e2f4bfbd2d6738de854b8a79dea6345f9372ba76a36920e51e6cb556ef4b38b620e887eb4
Malware Config
Signatures
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run Endermanch@AntivirusPro2017.exe Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\AntiVirus Pro 2017 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Endermanch@AntivirusPro2017.exe" Endermanch@AntivirusPro2017.exe -
Enumerates connected drives 3 TTPs 22 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\G: Endermanch@AntivirusPro2017.exe File opened (read-only) \??\N: Endermanch@AntivirusPro2017.exe File opened (read-only) \??\U: Endermanch@AntivirusPro2017.exe File opened (read-only) \??\W: Endermanch@AntivirusPro2017.exe File opened (read-only) \??\E: Endermanch@AntivirusPro2017.exe File opened (read-only) \??\F: Endermanch@AntivirusPro2017.exe File opened (read-only) \??\Q: Endermanch@AntivirusPro2017.exe File opened (read-only) \??\S: Endermanch@AntivirusPro2017.exe File opened (read-only) \??\V: Endermanch@AntivirusPro2017.exe File opened (read-only) \??\M: Endermanch@AntivirusPro2017.exe File opened (read-only) \??\O: Endermanch@AntivirusPro2017.exe File opened (read-only) \??\L: Endermanch@AntivirusPro2017.exe File opened (read-only) \??\T: Endermanch@AntivirusPro2017.exe File opened (read-only) \??\X: Endermanch@AntivirusPro2017.exe File opened (read-only) \??\Y: Endermanch@AntivirusPro2017.exe File opened (read-only) \??\J: Endermanch@AntivirusPro2017.exe File opened (read-only) \??\K: Endermanch@AntivirusPro2017.exe File opened (read-only) \??\P: Endermanch@AntivirusPro2017.exe File opened (read-only) \??\R: Endermanch@AntivirusPro2017.exe File opened (read-only) \??\Z: Endermanch@AntivirusPro2017.exe File opened (read-only) \??\H: Endermanch@AntivirusPro2017.exe File opened (read-only) \??\I: Endermanch@AntivirusPro2017.exe -
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description ioc Process File opened for modification \??\PhysicalDrive0 Endermanch@AntivirusPro2017.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: 33 1800 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 1800 AUDIODG.EXE -
Suspicious use of FindShellTrayWindow 56 IoCs
pid Process 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe -
Suspicious use of SendNotifyMessage 56 IoCs
pid Process 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@AntivirusPro2017.exe"C:\Users\Admin\AppData\Local\Temp\Endermanch@AntivirusPro2017.exe"1⤵
- Adds Run key to start application
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:796
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x3e41⤵
- Suspicious use of AdjustPrivilegeToken
PID:1800
Network
-
Remote address:8.8.8.8:53Requesttwinkcam.netIN AResponsetwinkcam.netIN A169.62.154.118
-
Remote address:169.62.154.118:80RequestGET /images/v.php?id=1 HTTP/1.1
User-Agent: Mozilla
Host: twinkcam.net
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Sun, 22 Nov 2020 06:46:13 GMT
Server: Apache
Content-Length: 0
Content-Type: text/html; charset=UTF-8
-
653 B 303 B 12 4
HTTP Request
GET http://twinkcam.net/images/v.php?id=1HTTP Response
200