Overview
overview
10Static
static
10ฺฺฺK...ฺฺ
windows10_x64
ฺฺฺK...ฺฺ
windows10_x64
ฺฺฺK...ฺฺ
windows10_x64
ฺฺฺK...ฺฺ
windows10_x64
7ฺฺฺK...ฺฺ
windows10_x64
ฺฺฺK...ฺฺ
windows10_x64
7ฺฺฺK...ฺฺ
windows10_x64
ฺฺฺK...ฺฺ
windows10_x64
ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
ฺฺฺK...ฺฺ
windows10_x64
6ฺฺฺK...ฺฺ
windows10_x64
ฺฺฺK...ฺฺ
windows10_x64
1ฺฺฺK...ฺฺ
windows10_x64
ฺฺฺK...ฺฺ
windows10_x64
ฺฺฺK...ฺฺ
windows10_x64
8ฺฺฺK...ฺฺ
windows10_x64
ฺฺฺK...ฺฺ
windows10_x64
1ฺฺฺK...ฺฺ
windows10_x64
ฺฺฺK...ฺฺ
windows10_x64
9ฺฺฺK...ฺฺ
windows10_x64
ฺฺฺK...ฺฺ
windows10_x64
ฺฺฺK...ฺฺ
windows10_x64
3ฺฺฺK...ฺฺ
windows10_x64
ฺฺฺK...ฺฺ
windows10_x64
1ฺฺฺK...ฺฺ
windows10_x64
ฺฺฺK...ฺฺ
windows10_x64
ฺฺฺK...ฺฺ
windows10_x64
ฺฺฺK...ฺฺ
windows10_x64
ฺฺฺK...ฺฺ
windows10_x64
7ฺฺฺK...ฺฺ
windows10_x64
ฺฺฺK...ฺฺ
windows10_x64
10Resubmissions
24-08-2023 11:16
230824-nda8msdf8z 1005-08-2023 22:52
230805-2tn2bsfa82 1024-07-2023 06:25
230724-g6s6laag35 1022-07-2023 15:57
230722-tee6wabg5w 1020-07-2023 23:19
230720-3bb5gsbf5v 1020-07-2023 23:06
230720-23f23sba63 1003-02-2021 11:43
210203-6bgge2nfan 1022-11-2020 06:42
201122-6x1at779dj 10Analysis
-
max time kernel
1795s -
max time network
1350s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
22-11-2020 06:42
Static task
static1
Behavioral task
behavioral1
Sample
Endermanch@000.exe
Resource
win10v20201028
Behavioral task
behavioral2
Sample
Endermanch@7ev3n.exe
Resource
win10v20201028
Behavioral task
behavioral3
Sample
Endermanch@AnViPC2009.exe
Resource
win10v20201028
Behavioral task
behavioral4
Sample
Endermanch@Antivirus.exe
Resource
win10v20201028
Behavioral task
behavioral5
Sample
Endermanch@AntivirusPlatinum.exe
Resource
win10v20201028
Behavioral task
behavioral6
Sample
Endermanch@AntivirusPro2017.exe
Resource
win10v20201028
Behavioral task
behavioral7
Sample
Endermanch@BadRabbit.exe
Resource
win10v20201028
Behavioral task
behavioral8
Sample
Endermanch@Birele.exe
Resource
win10v20201028
Behavioral task
behavioral9
Sample
Endermanch@Cerber5.exe
Resource
win10v20201028
Behavioral task
behavioral10
Sample
Endermanch@CleanThis.exe
Resource
win10v20201028
Behavioral task
behavioral11
Sample
Endermanch@ColorBug.exe
Resource
win10v20201028
Behavioral task
behavioral12
Sample
Endermanch@DeriaLock.exe
Resource
win10v20201028
Behavioral task
behavioral13
Sample
Endermanch@Deskbottom.exe
Resource
win10v20201028
Behavioral task
behavioral14
Sample
Endermanch@DesktopPuzzle.exe
Resource
win10v20201028
Behavioral task
behavioral15
Sample
Endermanch@FakeAdwCleaner.exe
Resource
win10v20201028
Behavioral task
behavioral16
Sample
Endermanch@FreeYoutubeDownloader.exe
Resource
win10v20201028
Behavioral task
behavioral17
Sample
Endermanch@HMBlocker.exe
Resource
win10v20201028
Behavioral task
behavioral18
Sample
Endermanch@HappyAntivirus.exe
Resource
win10v20201028
Behavioral task
behavioral19
Sample
Endermanch@Illerka.C.exe
Resource
win10v20201028
Behavioral task
behavioral20
Sample
Endermanch@InternetSecurityGuard.exe
Resource
win10v20201028
Behavioral task
behavioral21
Sample
Endermanch@Koteyka2.exe
Resource
win10v20201028
Behavioral task
behavioral22
Sample
Endermanch@LPS2019.exe
Resource
win10v20201028
Behavioral task
behavioral23
Sample
Endermanch@Movie.mpeg.exe
Resource
win10v20201028
Behavioral task
behavioral24
Sample
Endermanch@NavaShield(1).exe
Resource
win10v20201028
Behavioral task
behavioral25
Sample
Endermanch@NavaShield.exe
Resource
win10v20201028
Behavioral task
behavioral26
Sample
Endermanch@PCDefender.exe
Resource
win10v20201028
Behavioral task
behavioral27
Sample
Endermanch@PCDefenderv2.msi
Resource
win10v20201028
Behavioral task
behavioral28
Sample
Endermanch@PolyRansom.exe
Resource
win10v20201028
Behavioral task
behavioral29
Sample
Endermanch@PowerPoint.exe
Resource
win10v20201028
Behavioral task
behavioral30
Sample
Endermanch@ProgramOverflow.exe
Resource
win10v20201028
Behavioral task
behavioral31
Sample
Endermanch@RegistrySmart.exe
Resource
win10v20201028
Behavioral task
behavioral32
Sample
Endermanch@SE2011.exe
Resource
win10v20201028
General
-
Target
Endermanch@AntivirusPro2017.exe
-
Size
816KB
-
MD5
7dfbfba1e4e64a946cb096bfc937fbad
-
SHA1
9180d2ce387314cd4a794d148ea6b14084c61e1b
-
SHA256
312f082ea8f64609d30ff62b11f564107bf7a4ec9e95944dfd3da57c6cdb4e94
-
SHA512
f47b05b9c294688811dd72d17f815cce6c90f96d78f6835804d5182e2f4bfbd2d6738de854b8a79dea6345f9372ba76a36920e51e6cb556ef4b38b620e887eb4
Malware Config
Signatures
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
Endermanch@AntivirusPro2017.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run Endermanch@AntivirusPro2017.exe Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\AntiVirus Pro 2017 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Endermanch@AntivirusPro2017.exe" Endermanch@AntivirusPro2017.exe -
Enumerates connected drives 3 TTPs 22 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
Endermanch@AntivirusPro2017.exedescription ioc process File opened (read-only) \??\G: Endermanch@AntivirusPro2017.exe File opened (read-only) \??\N: Endermanch@AntivirusPro2017.exe File opened (read-only) \??\U: Endermanch@AntivirusPro2017.exe File opened (read-only) \??\W: Endermanch@AntivirusPro2017.exe File opened (read-only) \??\E: Endermanch@AntivirusPro2017.exe File opened (read-only) \??\F: Endermanch@AntivirusPro2017.exe File opened (read-only) \??\Q: Endermanch@AntivirusPro2017.exe File opened (read-only) \??\S: Endermanch@AntivirusPro2017.exe File opened (read-only) \??\V: Endermanch@AntivirusPro2017.exe File opened (read-only) \??\M: Endermanch@AntivirusPro2017.exe File opened (read-only) \??\O: Endermanch@AntivirusPro2017.exe File opened (read-only) \??\L: Endermanch@AntivirusPro2017.exe File opened (read-only) \??\T: Endermanch@AntivirusPro2017.exe File opened (read-only) \??\X: Endermanch@AntivirusPro2017.exe File opened (read-only) \??\Y: Endermanch@AntivirusPro2017.exe File opened (read-only) \??\J: Endermanch@AntivirusPro2017.exe File opened (read-only) \??\K: Endermanch@AntivirusPro2017.exe File opened (read-only) \??\P: Endermanch@AntivirusPro2017.exe File opened (read-only) \??\R: Endermanch@AntivirusPro2017.exe File opened (read-only) \??\Z: Endermanch@AntivirusPro2017.exe File opened (read-only) \??\H: Endermanch@AntivirusPro2017.exe File opened (read-only) \??\I: Endermanch@AntivirusPro2017.exe -
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
Endermanch@AntivirusPro2017.exedescription ioc process File opened for modification \??\PhysicalDrive0 Endermanch@AntivirusPro2017.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
AUDIODG.EXEdescription pid process Token: 33 1800 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 1800 AUDIODG.EXE -
Suspicious use of FindShellTrayWindow 56 IoCs
Processes:
Endermanch@AntivirusPro2017.exepid process 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe -
Suspicious use of SendNotifyMessage 56 IoCs
Processes:
Endermanch@AntivirusPro2017.exepid process 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
Endermanch@AntivirusPro2017.exepid process 796 Endermanch@AntivirusPro2017.exe 796 Endermanch@AntivirusPro2017.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@AntivirusPro2017.exe"C:\Users\Admin\AppData\Local\Temp\Endermanch@AntivirusPro2017.exe"1⤵
- Adds Run key to start application
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x3e41⤵
- Suspicious use of AdjustPrivilegeToken