Overview
Score: 10

Static
Task: static (score 10)

Behavioral tasks: 32, all on platform windows10_x64. Score badges as extracted from the task list, in page order (the task-name column did not survive extraction): none, none, 8, 10, 10, 7, 10, 10, 1, 10, 10, 8, 1, 10, 8, 10, none, 10, 10, 9, 10, 8, 10, 5, 10, 10, 10, 10, none, 10, 8, 10

Resubmissions
- 24-08-2023 11:16  230824-nda8msdf8z  score 10
- 05-08-2023 22:52  230805-2tn2bsfa82  score 10
- 24-07-2023 06:25  230724-g6s6laag35  score 10
- 22-07-2023 15:57  230722-tee6wabg5w  score 10
- 20-07-2023 23:19  230720-3bb5gsbf5v  score 10
- 20-07-2023 23:06  230720-23f23sba63  score 10
- 03-02-2021 11:43  210203-6bgge2nfan  score 10
- 22-11-2020 06:42  201122-6x1at779dj  score 10

Analysis
- max time kernel: 38s
- max time network: 65s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 03-02-2021 11:43
Tasks
- static1 (Static task)
- behavioral1 (Behavioral task): sample Endermanch@000.exe, resource win10v20201028
- behavioral2 (Behavioral task): sample Endermanch@7ev3n.exe, resource win10v20201028
- behavioral3 (Behavioral task): sample Endermanch@AnViPC2009.exe, resource win10v20201028
- behavioral4 (Behavioral task): sample Endermanch@Antivirus.exe, resource win10v20201028
- behavioral5 (Behavioral task): sample Endermanch@AntivirusPlatinum.exe, resource win10v20201028
- behavioral6 (Behavioral task): sample Endermanch@AntivirusPro2017.exe, resource win10v20201028
- behavioral7 (Behavioral task): sample Endermanch@BadRabbit.exe, resource win10v20201028
- behavioral8 (Behavioral task): sample Endermanch@Birele.exe, resource win10v20201028
- behavioral9 (Behavioral task): sample Endermanch@Cerber5.exe, resource win10v20201028
- behavioral10 (Behavioral task): sample Endermanch@CleanThis.exe, resource win10v20201028
- behavioral11 (Behavioral task): sample Endermanch@ColorBug.exe, resource win10v20201028
- behavioral12 (Behavioral task): sample Endermanch@DeriaLock.exe, resource win10v20201028
- behavioral13 (Behavioral task): sample Endermanch@Deskbottom.exe, resource win10v20201028
- behavioral14 (Behavioral task): sample Endermanch@DesktopPuzzle.exe, resource win10v20201028
- behavioral15 (Behavioral task): sample Endermanch@FakeAdwCleaner.exe, resource win10v20201028
- behavioral16 (Behavioral task): sample Endermanch@FreeYoutubeDownloader.exe, resource win10v20201028
- behavioral17 (Behavioral task): sample Endermanch@HMBlocker.exe, resource win10v20201028
- behavioral18 (Behavioral task): sample Endermanch@HappyAntivirus.exe, resource win10v20201028
- behavioral19 (Behavioral task): sample Endermanch@Illerka.C.exe, resource win10v20201028
- behavioral20 (Behavioral task): sample Endermanch@InternetSecurityGuard.exe, resource win10v20201028
- behavioral21 (Behavioral task): sample Endermanch@Koteyka2.exe, resource win10v20201028
- behavioral22 (Behavioral task): sample Endermanch@LPS2019.exe, resource win10v20201028
- behavioral23 (Behavioral task): sample Endermanch@Movie.mpeg.exe, resource win10v20201028
- behavioral24 (Behavioral task): sample Endermanch@NavaShield(1).exe, resource win10v20201028
- behavioral25 (Behavioral task): sample Endermanch@NavaShield.exe, resource win10v20201028
- behavioral26 (Behavioral task): sample Endermanch@PCDefender.exe, resource win10v20201028
- behavioral27 (Behavioral task): sample Endermanch@PCDefenderv2.msi, resource win10v20201028
- behavioral28 (Behavioral task): sample Endermanch@PolyRansom.exe, resource win10v20201028
- behavioral29 (Behavioral task): sample Endermanch@PowerPoint.exe, resource win10v20201028
- behavioral30 (Behavioral task): sample Endermanch@ProgramOverflow.exe, resource win10v20201028
- behavioral31 (Behavioral task): sample Endermanch@RegistrySmart.exe, resource win10v20201028
- behavioral32 (Behavioral task): sample Endermanch@SE2011.exe, resource win10v20201028
Errors

General
- Target: Endermanch@000.exe
- Size: 6.7MB
- MD5: f2b7074e1543720a9a98fda660e02688
- SHA1: 1029492c1a12789d8af78d54adcb921e24b9e5ca
- SHA256: 4ea1f2ecf7eb12896f2cbf8683dae8546d2b8dc43cf7710d68ce99e127c0a966
- SHA512: 73f9548633bc38bab64b1dd5a01401ef7f5b139163bdf291cc475dbd2613510c4c5e4d7702ecdfa74b49f3c9eaed37ed23b9d8f0064c66123eb0769c8671c6ff
Malware Config

Signatures
- Disables Task Manager via registry modification

- Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: Endermanch@000.exe
  File opened (read-only) by Endermanch@000.exe: \??\S:, \??\X:, \??\I:, \??\G:, \??\J:, \??\N:, \??\T:, \??\B:, \??\M:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\U:, \??\Y:, \??\K:, \??\Z:, \??\E:, \??\F:, \??\H:, \??\L:, \??\V:, \??\W:, \??\A:

- Modifies WinLogon (2 TTPs, 1 IoC)
  Processes: Endermanch@000.exe
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoRestartShell = "0" (Endermanch@000.exe)

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  Processes: Endermanch@000.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\Desktop\Wallpaper (Endermanch@000.exe)

- Kills process with taskkill (2 IoCs)
  Processes: taskkill.exe (pid 960), taskkill.exe (pid 2904)

- Modifies registry class (1 IoC)
  Processes: Endermanch@000.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\icon.ico" (Endermanch@000.exe)

- Suspicious use of AdjustPrivilegeToken (96 IoCs)
  Processes: taskkill.exe, taskkill.exe, Endermanch@000.exe, WMIC.exe, WMIC.exe
  Tokens, by pid and process:
  - 960 taskkill.exe: SeDebugPrivilege
  - 2904 taskkill.exe: SeDebugPrivilege
  - 1200 Endermanch@000.exe: SeShutdownPrivilege, SeCreatePagefilePrivilege
  - 3724 WMIC.exe (the following sequence appears twice): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  - 1444 WMIC.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33 (the page's list ends here)

- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes: Endermanch@000.exe
  - 1200 Endermanch@000.exe (2 entries)

- Suspicious use of WriteProcessMemory (15 IoCs)
  Processes: Endermanch@000.exe, cmd.exe
  - PID 1200 wrote to memory of 1084: Endermanch@000.exe -> cmd.exe (3 entries)
  - PID 1084 wrote to memory of 960: cmd.exe -> taskkill.exe (3 entries)
  - PID 1084 wrote to memory of 2904: cmd.exe -> taskkill.exe (3 entries)
  - PID 1084 wrote to memory of 3724: cmd.exe -> WMIC.exe (3 entries)
  - PID 1084 wrote to memory of 1444: cmd.exe -> WMIC.exe (3 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\Endermanch@000.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Endermanch@000.exe"
  Signatures: Enumerates connected drives; Modifies WinLogon; Sets desktop wallpaper using registry; Modifies registry class; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\windl.bat""
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /f /im explorer.exe
      Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /f /im taskmgr.exe
      Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\Wbem\WMIC.exe
      Command line: wmic useraccount where name='Admin' set FullName='UR NEXT'
      Signatures: Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\Wbem\WMIC.exe
      Command line: wmic useraccount where name='Admin' rename 'UR NEXT'
      Signatures: Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\shutdown.exe
      Command line: shutdown /f /r /t 0
- C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x0 /state0:0xa3ad2055 /state1:0x41c64e6d
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\one.rtf
  MD5: 6fbd6ce25307749d6e0a66ebbc0264e7
  SHA1: faee71e2eac4c03b96aabecde91336a6510fff60
  SHA256: e152b106733d9263d3cf175f0b6197880d70acb753f8bde8035a3e4865b31690
  SHA512: 35a0d6d91178ec10619cf4d2fd44d3e57aa0266e1779e15b1eef6e9c359c77c384e0ffe4edb2cde980a6847e53f47733e6eacb72d46762066b3541dee3d29064
- C:\Users\Admin\AppData\Local\Temp\rniw.exe
  MD5: 9232120b6ff11d48a90069b25aa30abc
  SHA1: 97bb45f4076083fca037eee15d001fd284e53e47
  SHA256: 70faa0e1498461731f873d3594f20cbf2beaa6f123a06b66f9df59a9cdf862be
  SHA512: b06688a9fc0b853d2895f11e812c48d5871f2793183fda5e9638ded22fc5dc1e813f174baedc980a1f0b6a7b0a65cd61f29bb16acc6dd45da62988eb012d6877
- C:\Users\Admin\AppData\Local\Temp\text.txt
  MD5: 9037ebf0a18a1c17537832bc73739109
  SHA1: 1d951dedfa4c172a1aa1aae096cfb576c1fb1d60
  SHA256: 38c889b5d7bdcb79bbcb55554c520a9ce74b5bfc29c19d1e4cb1419176c99f48
  SHA512: 4fb5c06089524c6dcd48b6d165cedb488e9efe2d27613289ef8834dbb6c010632d2bd5e3ac75f83b1d8024477ebdf05b9e0809602bbe1780528947c36e4de32f
- C:\Users\Admin\AppData\Local\Temp\windl.bat
  MD5: a9401e260d9856d1134692759d636e92
  SHA1: 4141d3c60173741e14f36dfe41588bb2716d2867
  SHA256: b551fba71dfd526d4916ae277d8686d83fff36d22fcf6f18457924a070b30ef7
  SHA512: 5cbe38cdab0283b87d9a9875f7ba6fa4e8a7673d933ca05deddddbcf6cf793bd1bf34ac0add798b4ed59ab483e49f433ce4012f571a658bc0add28dd987a57b6

Memory dumps
- memory/960-8-0x0000000000000000-mapping.dmp
- memory/1084-6-0x0000000000000000-mapping.dmp
- memory/1200-16-0x000000000B140000-0x000000000B150000-memory.dmp (Filesize 64KB)
- memory/1200-15-0x000000000B140000-0x000000000B150000-memory.dmp (Filesize 64KB)
- memory/1200-3-0x0000000000FA0000-0x0000000000FA1000-memory.dmp (Filesize 4KB)
- memory/1200-9-0x0000000005F50000-0x0000000005F51000-memory.dmp (Filesize 4KB)
- memory/1200-5-0x00000000064D0000-0x00000000064D1000-memory.dmp (Filesize 4KB)
- memory/1200-14-0x000000000B0D0000-0x000000000B0D1000-memory.dmp (Filesize 4KB)
- memory/1200-2-0x0000000073A70000-0x000000007415E000-memory.dmp (Filesize 6.9MB)
- memory/1200-17-0x000000000B140000-0x000000000B150000-memory.dmp (Filesize 64KB)
- memory/1200-18-0x000000000B140000-0x000000000B150000-memory.dmp (Filesize 64KB)
- memory/1200-10-0x0000000005F53000-0x0000000005F55000-memory.dmp (Filesize 8KB)
- memory/1200-21-0x000000000B9D0000-0x000000000B9E0000-memory.dmp (Filesize 64KB)
- memory/1200-20-0x000000000B9D0000-0x000000000B9E0000-memory.dmp (Filesize 64KB)
- memory/1200-22-0x000000000B140000-0x000000000B150000-memory.dmp (Filesize 64KB)
- memory/1200-23-0x000000000B140000-0x000000000B150000-memory.dmp (Filesize 64KB)
- memory/1200-24-0x000000000B9D0000-0x000000000B9E0000-memory.dmp (Filesize 64KB)
- memory/1444-19-0x0000000000000000-mapping.dmp
- memory/2904-11-0x0000000000000000-mapping.dmp
- memory/3724-13-0x0000000000000000-mapping.dmp
- memory/3872-27-0x0000000000000000-mapping.dmp