Overview
overview
10Static
static
10ฺฺฺK...ฺฺ
windows10_x64
ฺฺฺK...ฺฺ
windows10_x64
ฺฺฺK...ฺฺ
windows10_x64
ฺฺฺK...ฺฺ
windows10_x64
7ฺฺฺK...ฺฺ
windows10_x64
ฺฺฺK...ฺฺ
windows10_x64
7ฺฺฺK...ฺฺ
windows10_x64
ฺฺฺK...ฺฺ
windows10_x64
ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
ฺฺฺK...ฺฺ
windows10_x64
6ฺฺฺK...ฺฺ
windows10_x64
ฺฺฺK...ฺฺ
windows10_x64
1ฺฺฺK...ฺฺ
windows10_x64
ฺฺฺK...ฺฺ
windows10_x64
ฺฺฺK...ฺฺ
windows10_x64
8ฺฺฺK...ฺฺ
windows10_x64
ฺฺฺK...ฺฺ
windows10_x64
1ฺฺฺK...ฺฺ
windows10_x64
ฺฺฺK...ฺฺ
windows10_x64
9ฺฺฺK...ฺฺ
windows10_x64
ฺฺฺK...ฺฺ
windows10_x64
ฺฺฺK...ฺฺ
windows10_x64
3ฺฺฺK...ฺฺ
windows10_x64
ฺฺฺK...ฺฺ
windows10_x64
1ฺฺฺK...ฺฺ
windows10_x64
ฺฺฺK...ฺฺ
windows10_x64
ฺฺฺK...ฺฺ
windows10_x64
ฺฺฺK...ฺฺ
windows10_x64
ฺฺฺK...ฺฺ
windows10_x64
7ฺฺฺK...ฺฺ
windows10_x64
ฺฺฺK...ฺฺ
windows10_x64
10Resubmissions
03-07-2024 22:59
240703-2yn7wszhlp 1003-07-2024 16:13
240703-tn93lsyglf 1003-07-2024 16:11
240703-tm84xsyfma 1010-05-2024 16:25
240510-tw1h5shh47 1024-08-2023 11:16
230824-nda8msdf8z 10Analysis
-
max time kernel
1795s -
max time network
1350s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
22-11-2020 06:42
Static task
static1
windows10_x64
windows10_x64
windows10_x64
windows10_x64
windows10_x64
windows10_x64
windows10_x64
windows10_x64
windows10_x64
windows10_x64
windows10_x64
windows10_x64
windows10_x64
windows10_x64
windows10_x64
windows10_x64
windows10_x64
windows10_x64
windows10_x64
windows10_x64
windows10_x64
windows10_x64
windows10_x64
Behavioral task
behavioral24
Sample
Endermanch@NavaShield(1).exe
Resource
win10v20201028
windows10_x64
windows10_x64
windows10_x64
windows10_x64
windows10_x64
windows10_x64
windows10_x64
windows10_x64
windows10_x64
General
-
Target
-
Size
816KB
-
MD5
7dfbfba1e4e64a946cb096bfc937fbad
-
SHA1
9180d2ce387314cd4a794d148ea6b14084c61e1b
-
SHA256
312f082ea8f64609d30ff62b11f564107bf7a4ec9e95944dfd3da57c6cdb4e94
-
SHA512
f47b05b9c294688811dd72d17f815cce6c90f96d78f6835804d5182e2f4bfbd2d6738de854b8a79dea6345f9372ba76a36920e51e6cb556ef4b38b620e887eb4
Malware Config
Signatures
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run [email protected] Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\AntiVirus Pro 2017 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\[email protected]" [email protected] -
Enumerates connected drives 3 TTPs 22 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
description ioc Process File opened (read-only) \??\G: [email protected] File opened (read-only) \??\N: [email protected] File opened (read-only) \??\U: [email protected] File opened (read-only) \??\W: [email protected] File opened (read-only) \??\E: [email protected] File opened (read-only) \??\F: [email protected] File opened (read-only) \??\Q: [email protected] File opened (read-only) \??\S: [email protected] File opened (read-only) \??\V: [email protected] File opened (read-only) \??\M: [email protected] File opened (read-only) \??\O: [email protected] File opened (read-only) \??\L: [email protected] File opened (read-only) \??\T: [email protected] File opened (read-only) \??\X: [email protected] File opened (read-only) \??\Y: [email protected] File opened (read-only) \??\J: [email protected] File opened (read-only) \??\K: [email protected] File opened (read-only) \??\P: [email protected] File opened (read-only) \??\R: [email protected] File opened (read-only) \??\Z: [email protected] File opened (read-only) \??\H: [email protected] File opened (read-only) \??\I: [email protected] -
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
description ioc Process File opened for modification \??\PhysicalDrive0 [email protected] -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
AUDIODG.EXEdescription pid Process Token: 33 1800 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 1800 AUDIODG.EXE -
Suspicious use of FindShellTrayWindow 56 IoCs
Processes:
-
Suspicious use of SendNotifyMessage 56 IoCs
Processes:
-
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
pid Process 796 [email protected] 796 [email protected]
Processes
-
C:\Users\Admin\AppData\Local\Temp\[email protected]"C:\Users\Admin\AppData\Local\Temp\[email protected]"1⤵
- Adds Run key to start application
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:796
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x3e41⤵
- Suspicious use of AdjustPrivilegeToken
PID:1800