Overview
overview
10Static
static
10ฺฺฺ�...ฺฺ
windows10_x64
ฺฺฺ�...ฺฺ
windows10_x64
ฺฺฺ�...ฺฺ
windows10_x64
8ฺฺฺ�...ฺฺ
windows10_x64
10ฺฺฺ�...ฺฺ
windows10_x64
10ฺฺฺ�...ฺฺ
windows10_x64
7ฺฺฺ�...ฺฺ
windows10_x64
10ฺฺฺ�...ฺฺ
windows10_x64
10ฺฺฺ�...ฺฺ
windows10_x64
1ฺฺฺ�...ฺฺ
windows10_x64
10ฺฺฺ�...ฺฺ
windows10_x64
10ฺฺฺ�...ฺฺ
windows10_x64
8ฺฺฺ�...ฺฺ
windows10_x64
1ฺฺฺ�...ฺฺ
windows10_x64
10ฺฺฺ�...ฺฺ
windows10_x64
8ฺฺฺ�...ฺฺ
windows10_x64
10ฺฺฺ�...ฺฺ
windows10_x64
ฺฺฺ�...ฺฺ
windows10_x64
10ฺฺฺ�...ฺฺ
windows10_x64
10ฺฺฺ�...ฺฺ
windows10_x64
9ฺฺฺ�...ฺฺ
windows10_x64
10ฺฺฺ�...ฺฺ
windows10_x64
8ฺฺฺ�...ฺฺ
windows10_x64
10ฺฺฺ�...ฺฺ
windows10_x64
5ฺฺฺ�...ฺฺ
windows10_x64
10ฺฺฺ�...ฺฺ
windows10_x64
10ฺฺฺ�...ฺฺ
windows10_x64
10ฺฺฺ�...ฺฺ
windows10_x64
10ฺฺฺ�...ฺฺ
windows10_x64
ฺฺฺ�...ฺฺ
windows10_x64
10ฺฺฺ�...ฺฺ
windows10_x64
8ฺฺฺ�...ฺฺ
windows10_x64
10Resubmissions
03-07-2024 22:59
240703-2yn7wszhlp 1003-07-2024 16:13
240703-tn93lsyglf 1003-07-2024 16:11
240703-tm84xsyfma 1010-05-2024 16:25
240510-tw1h5shh47 1024-08-2023 11:16
230824-nda8msdf8z 10Analysis
-
max time kernel
38s -
max time network
65s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
03-02-2021 11:43
Static task
static1
windows10_x64
0 signatures
0 seconds
windows10_x64
0 signatures
0 seconds
windows10_x64
0 signatures
0 seconds
windows10_x64
0 signatures
0 seconds
windows10_x64
0 signatures
0 seconds
windows10_x64
0 signatures
0 seconds
windows10_x64
0 signatures
0 seconds
windows10_x64
0 signatures
0 seconds
windows10_x64
0 signatures
0 seconds
windows10_x64
0 signatures
0 seconds
windows10_x64
0 signatures
0 seconds
windows10_x64
0 signatures
0 seconds
windows10_x64
0 signatures
0 seconds
windows10_x64
0 signatures
0 seconds
windows10_x64
0 signatures
0 seconds
windows10_x64
0 signatures
0 seconds
windows10_x64
0 signatures
0 seconds
windows10_x64
0 signatures
0 seconds
windows10_x64
0 signatures
0 seconds
windows10_x64
0 signatures
0 seconds
windows10_x64
0 signatures
0 seconds
windows10_x64
0 signatures
0 seconds
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral24
Sample
Endermanch@NavaShield(1).exe
Resource
win10v20201028
windows10_x64
0 signatures
0 seconds
windows10_x64
0 signatures
0 seconds
windows10_x64
0 signatures
0 seconds
windows10_x64
0 signatures
0 seconds
windows10_x64
0 signatures
0 seconds
windows10_x64
0 signatures
0 seconds
windows10_x64
0 signatures
0 seconds
windows10_x64
0 signatures
0 seconds
windows10_x64
0 signatures
0 seconds
Errors
Reason
Machine shutdown
General
-
Target
-
Size
6.7MB
-
MD5
f2b7074e1543720a9a98fda660e02688
-
SHA1
1029492c1a12789d8af78d54adcb921e24b9e5ca
-
SHA256
4ea1f2ecf7eb12896f2cbf8683dae8546d2b8dc43cf7710d68ce99e127c0a966
-
SHA512
73f9548633bc38bab64b1dd5a01401ef7f5b139163bdf291cc475dbd2613510c4c5e4d7702ecdfa74b49f3c9eaed37ed23b9d8f0064c66123eb0769c8671c6ff
Score
8/10
Malware Config
Signatures
-
Disables Task Manager via registry modification
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\S: [email protected] File opened (read-only) \??\X: [email protected] File opened (read-only) \??\I: [email protected] File opened (read-only) \??\G: [email protected] File opened (read-only) \??\J: [email protected] File opened (read-only) \??\N: [email protected] File opened (read-only) \??\T: [email protected] File opened (read-only) \??\B: [email protected] File opened (read-only) \??\M: [email protected] File opened (read-only) \??\O: [email protected] File opened (read-only) \??\P: [email protected] File opened (read-only) \??\Q: [email protected] File opened (read-only) \??\R: [email protected] File opened (read-only) \??\U: [email protected] File opened (read-only) \??\Y: [email protected] File opened (read-only) \??\K: [email protected] File opened (read-only) \??\Z: [email protected] File opened (read-only) \??\E: [email protected] File opened (read-only) \??\F: [email protected] File opened (read-only) \??\H: [email protected] File opened (read-only) \??\L: [email protected] File opened (read-only) \??\V: [email protected] File opened (read-only) \??\W: [email protected] File opened (read-only) \??\A: [email protected] -
Modifies WinLogon 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoRestartShell = "0" [email protected] -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\Desktop\Wallpaper [email protected] -
Kills process with taskkill 2 IoCs
pid Process 960 taskkill.exe 2904 taskkill.exe -
Modifies registry class 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\icon.ico" [email protected] -
Suspicious use of AdjustPrivilegeToken 96 IoCs
description pid Process Token: SeDebugPrivilege 960 taskkill.exe Token: SeDebugPrivilege 2904 taskkill.exe Token: SeShutdownPrivilege 1200 [email protected] Token: SeCreatePagefilePrivilege 1200 [email protected] Token: SeIncreaseQuotaPrivilege 3724 WMIC.exe Token: SeSecurityPrivilege 3724 WMIC.exe Token: SeTakeOwnershipPrivilege 3724 WMIC.exe Token: SeLoadDriverPrivilege 3724 WMIC.exe Token: SeSystemProfilePrivilege 3724 WMIC.exe Token: SeSystemtimePrivilege 3724 WMIC.exe Token: SeProfSingleProcessPrivilege 3724 WMIC.exe Token: SeIncBasePriorityPrivilege 3724 WMIC.exe Token: SeCreatePagefilePrivilege 3724 WMIC.exe Token: SeBackupPrivilege 3724 WMIC.exe Token: SeRestorePrivilege 3724 WMIC.exe Token: SeShutdownPrivilege 3724 WMIC.exe Token: SeDebugPrivilege 3724 WMIC.exe Token: SeSystemEnvironmentPrivilege 3724 WMIC.exe Token: SeRemoteShutdownPrivilege 3724 WMIC.exe Token: SeUndockPrivilege 3724 WMIC.exe Token: SeManageVolumePrivilege 3724 WMIC.exe Token: 33 3724 WMIC.exe Token: 34 3724 WMIC.exe Token: 35 3724 WMIC.exe Token: 36 3724 WMIC.exe Token: SeIncreaseQuotaPrivilege 3724 WMIC.exe Token: SeSecurityPrivilege 3724 WMIC.exe Token: SeTakeOwnershipPrivilege 3724 WMIC.exe Token: SeLoadDriverPrivilege 3724 WMIC.exe Token: SeSystemProfilePrivilege 3724 WMIC.exe Token: SeSystemtimePrivilege 3724 WMIC.exe Token: SeProfSingleProcessPrivilege 3724 WMIC.exe Token: SeIncBasePriorityPrivilege 3724 WMIC.exe Token: SeCreatePagefilePrivilege 3724 WMIC.exe Token: SeBackupPrivilege 3724 WMIC.exe Token: SeRestorePrivilege 3724 WMIC.exe Token: SeShutdownPrivilege 3724 WMIC.exe Token: SeDebugPrivilege 3724 WMIC.exe Token: SeSystemEnvironmentPrivilege 3724 WMIC.exe Token: SeRemoteShutdownPrivilege 3724 WMIC.exe Token: SeUndockPrivilege 3724 WMIC.exe Token: SeManageVolumePrivilege 3724 WMIC.exe Token: 33 3724 WMIC.exe Token: 34 3724 WMIC.exe Token: 35 3724 WMIC.exe Token: 36 3724 WMIC.exe Token: SeIncreaseQuotaPrivilege 1444 WMIC.exe Token: SeSecurityPrivilege 1444 WMIC.exe Token: SeTakeOwnershipPrivilege 1444 WMIC.exe Token: SeLoadDriverPrivilege 1444 WMIC.exe Token: SeSystemProfilePrivilege 1444 WMIC.exe Token: SeSystemtimePrivilege 1444 WMIC.exe Token: SeProfSingleProcessPrivilege 1444 WMIC.exe Token: SeIncBasePriorityPrivilege 1444 WMIC.exe Token: SeCreatePagefilePrivilege 1444 WMIC.exe Token: SeBackupPrivilege 1444 WMIC.exe Token: SeRestorePrivilege 1444 WMIC.exe Token: SeShutdownPrivilege 1444 WMIC.exe Token: SeDebugPrivilege 1444 WMIC.exe Token: SeSystemEnvironmentPrivilege 1444 WMIC.exe Token: SeRemoteShutdownPrivilege 1444 WMIC.exe Token: SeUndockPrivilege 1444 WMIC.exe Token: SeManageVolumePrivilege 1444 WMIC.exe Token: 33 1444 WMIC.exe Token: 34 1444 WMIC.exe Token: 35 1444 WMIC.exe Token: 36 1444 WMIC.exe Token: SeIncreaseQuotaPrivilege 1444 WMIC.exe Token: SeSecurityPrivilege 1444 WMIC.exe Token: SeTakeOwnershipPrivilege 1444 WMIC.exe Token: SeLoadDriverPrivilege 1444 WMIC.exe Token: SeSystemProfilePrivilege 1444 WMIC.exe Token: SeSystemtimePrivilege 1444 WMIC.exe Token: SeProfSingleProcessPrivilege 1444 WMIC.exe Token: SeIncBasePriorityPrivilege 1444 WMIC.exe Token: SeCreatePagefilePrivilege 1444 WMIC.exe Token: SeBackupPrivilege 1444 WMIC.exe Token: SeRestorePrivilege 1444 WMIC.exe Token: SeShutdownPrivilege 1444 WMIC.exe Token: SeDebugPrivilege 1444 WMIC.exe Token: SeSystemEnvironmentPrivilege 1444 WMIC.exe Token: SeRemoteShutdownPrivilege 1444 WMIC.exe Token: SeUndockPrivilege 1444 WMIC.exe Token: SeManageVolumePrivilege 1444 WMIC.exe Token: 33 1444 WMIC.exe Token: 34 1444 WMIC.exe Token: 35 1444 WMIC.exe Token: 36 1444 WMIC.exe Token: SeShutdownPrivilege 1200 [email protected] Token: SeCreatePagefilePrivilege 1200 [email protected] Token: SeShutdownPrivilege 1200 [email protected] Token: SeCreatePagefilePrivilege 1200 [email protected] Token: SeShutdownPrivilege 1200 [email protected] Token: SeCreatePagefilePrivilege 1200 [email protected] Token: SeShutdownPrivilege 1200 [email protected] Token: SeCreatePagefilePrivilege 1200 [email protected] -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 1200 [email protected] 1200 [email protected] -
Suspicious use of WriteProcessMemory 15 IoCs
description pid Process procid_target PID 1200 wrote to memory of 1084 1200 [email protected] 76 PID 1200 wrote to memory of 1084 1200 [email protected] 76 PID 1200 wrote to memory of 1084 1200 [email protected] 76 PID 1084 wrote to memory of 960 1084 cmd.exe 78 PID 1084 wrote to memory of 960 1084 cmd.exe 78 PID 1084 wrote to memory of 960 1084 cmd.exe 78 PID 1084 wrote to memory of 2904 1084 cmd.exe 79 PID 1084 wrote to memory of 2904 1084 cmd.exe 79 PID 1084 wrote to memory of 2904 1084 cmd.exe 79 PID 1084 wrote to memory of 3724 1084 cmd.exe 80 PID 1084 wrote to memory of 3724 1084 cmd.exe 80 PID 1084 wrote to memory of 3724 1084 cmd.exe 80 PID 1084 wrote to memory of 1444 1084 cmd.exe 82 PID 1084 wrote to memory of 1444 1084 cmd.exe 82 PID 1084 wrote to memory of 1444 1084 cmd.exe 82
Processes
-
C:\Users\Admin\AppData\Local\Temp\[email protected]"C:\Users\Admin\AppData\Local\Temp\[email protected]"1⤵
- Enumerates connected drives
- Modifies WinLogon
- Sets desktop wallpaper using registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1200 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\windl.bat""2⤵
- Suspicious use of WriteProcessMemory
PID:1084 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im explorer.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:960
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2904
-
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic useraccount where name='Admin' set FullName='UR NEXT'3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3724
-
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic useraccount where name='Admin' rename 'UR NEXT'3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1444
-
-
C:\Windows\SysWOW64\shutdown.exeshutdown /f /r /t 03⤵PID:3872
-
-
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x0 /state0:0xa3ad2055 /state1:0x41c64e6d1⤵PID:2888