f1bbcc5c678d174d858ae089f4494e3ea8bcfc418098d61804a15e437f08aff7

Target

Endermanch@000.exe
Size

6.7MB
MD5

f2b7074e1543720a9a98fda660e02688
SHA1

1029492c1a12789d8af78d54adcb921e24b9e5ca
SHA256

4ea1f2ecf7eb12896f2cbf8683dae8546d2b8dc43cf7710d68ce99e127c0a966
SHA512

73f9548633bc38bab64b1dd5a01401ef7f5b139163bdf291cc475dbd2613510c4c5e4d7702ecdfa74b49f3c9eaed37ed23b9d8f0064c66123eb0769c8671c6ff

Score

8^/10

evasion persistence ransomware

Malware Config

Signatures

Disables Task Manager via registry modification
evasion

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Endermanch@000.exe

description	ioc	process
File opened (read-only)	\??\S:	Endermanch@000.exe
File opened (read-only)	\??\X:	Endermanch@000.exe
File opened (read-only)	\??\I:	Endermanch@000.exe
File opened (read-only)	\??\G:	Endermanch@000.exe
File opened (read-only)	\??\J:	Endermanch@000.exe
File opened (read-only)	\??\N:	Endermanch@000.exe
File opened (read-only)	\??\T:	Endermanch@000.exe
File opened (read-only)	\??\B:	Endermanch@000.exe
File opened (read-only)	\??\M:	Endermanch@000.exe
File opened (read-only)	\??\O:	Endermanch@000.exe
File opened (read-only)	\??\P:	Endermanch@000.exe
File opened (read-only)	\??\Q:	Endermanch@000.exe
File opened (read-only)	\??\R:	Endermanch@000.exe
File opened (read-only)	\??\U:	Endermanch@000.exe
File opened (read-only)	\??\Y:	Endermanch@000.exe
File opened (read-only)	\??\K:	Endermanch@000.exe
File opened (read-only)	\??\Z:	Endermanch@000.exe
File opened (read-only)	\??\E:	Endermanch@000.exe
File opened (read-only)	\??\F:	Endermanch@000.exe
File opened (read-only)	\??\H:	Endermanch@000.exe
File opened (read-only)	\??\L:	Endermanch@000.exe
File opened (read-only)	\??\V:	Endermanch@000.exe
File opened (read-only)	\??\W:	Endermanch@000.exe
File opened (read-only)	\??\A:	Endermanch@000.exe

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

Endermanch@000.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoRestartShell = "0"	Endermanch@000.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
ransomware

System Information Discovery
T1082
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
ransomware

Defacement
T1491

Modify Registry
T1112

Processes:

Endermanch@000.exe

description ioc process

Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\Desktop\Wallpaper Endermanch@000.exe
Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

960 taskkill.exe
2904 taskkill.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\Desktop\Wallpaper	Endermanch@000.exe

pid	process
960	taskkill.exe
2904	taskkill.exe

Modifies registry class 1 IoCs

Processes:

Endermanch@000.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\icon.ico"	Endermanch@000.exe

Suspicious use of AdjustPrivilegeToken 96 IoCs

Processes:

taskkill.exetaskkill.exeEndermanch@000.exeWMIC.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	960	taskkill.exe
Token: SeDebugPrivilege	2904	taskkill.exe
Token: SeShutdownPrivilege	1200	Endermanch@000.exe
Token: SeCreatePagefilePrivilege	1200	Endermanch@000.exe
Token: SeIncreaseQuotaPrivilege	3724	WMIC.exe
Token: SeSecurityPrivilege	3724	WMIC.exe
Token: SeTakeOwnershipPrivilege	3724	WMIC.exe
Token: SeLoadDriverPrivilege	3724	WMIC.exe
Token: SeSystemProfilePrivilege	3724	WMIC.exe
Token: SeSystemtimePrivilege	3724	WMIC.exe
Token: SeProfSingleProcessPrivilege	3724	WMIC.exe
Token: SeIncBasePriorityPrivilege	3724	WMIC.exe
Token: SeCreatePagefilePrivilege	3724	WMIC.exe
Token: SeBackupPrivilege	3724	WMIC.exe
Token: SeRestorePrivilege	3724	WMIC.exe
Token: SeShutdownPrivilege	3724	WMIC.exe
Token: SeDebugPrivilege	3724	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3724	WMIC.exe
Token: SeRemoteShutdownPrivilege	3724	WMIC.exe
Token: SeUndockPrivilege	3724	WMIC.exe
Token: SeManageVolumePrivilege	3724	WMIC.exe
Token: 33	3724	WMIC.exe
Token: 34	3724	WMIC.exe
Token: 35	3724	WMIC.exe
Token: 36	3724	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3724	WMIC.exe
Token: SeSecurityPrivilege	3724	WMIC.exe
Token: SeTakeOwnershipPrivilege	3724	WMIC.exe
Token: SeLoadDriverPrivilege	3724	WMIC.exe
Token: SeSystemProfilePrivilege	3724	WMIC.exe
Token: SeSystemtimePrivilege	3724	WMIC.exe
Token: SeProfSingleProcessPrivilege	3724	WMIC.exe
Token: SeIncBasePriorityPrivilege	3724	WMIC.exe
Token: SeCreatePagefilePrivilege	3724	WMIC.exe
Token: SeBackupPrivilege	3724	WMIC.exe
Token: SeRestorePrivilege	3724	WMIC.exe
Token: SeShutdownPrivilege	3724	WMIC.exe
Token: SeDebugPrivilege	3724	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3724	WMIC.exe
Token: SeRemoteShutdownPrivilege	3724	WMIC.exe
Token: SeUndockPrivilege	3724	WMIC.exe
Token: SeManageVolumePrivilege	3724	WMIC.exe
Token: 33	3724	WMIC.exe
Token: 34	3724	WMIC.exe
Token: 35	3724	WMIC.exe
Token: 36	3724	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1444	WMIC.exe
Token: SeSecurityPrivilege	1444	WMIC.exe
Token: SeTakeOwnershipPrivilege	1444	WMIC.exe
Token: SeLoadDriverPrivilege	1444	WMIC.exe
Token: SeSystemProfilePrivilege	1444	WMIC.exe
Token: SeSystemtimePrivilege	1444	WMIC.exe
Token: SeProfSingleProcessPrivilege	1444	WMIC.exe
Token: SeIncBasePriorityPrivilege	1444	WMIC.exe
Token: SeCreatePagefilePrivilege	1444	WMIC.exe
Token: SeBackupPrivilege	1444	WMIC.exe
Token: SeRestorePrivilege	1444	WMIC.exe
Token: SeShutdownPrivilege	1444	WMIC.exe
Token: SeDebugPrivilege	1444	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1444	WMIC.exe
Token: SeRemoteShutdownPrivilege	1444	WMIC.exe
Token: SeUndockPrivilege	1444	WMIC.exe
Token: SeManageVolumePrivilege	1444	WMIC.exe
Token: 33	1444	WMIC.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

Endermanch@000.exe

pid process

1200 Endermanch@000.exe
1200 Endermanch@000.exe

pid	process
1200	Endermanch@000.exe
1200	Endermanch@000.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

Endermanch@000.execmd.exe

description	pid	process	target process
PID 1200 wrote to memory of 1084	1200	Endermanch@000.exe	cmd.exe
PID 1200 wrote to memory of 1084	1200	Endermanch@000.exe	cmd.exe
PID 1200 wrote to memory of 1084	1200	Endermanch@000.exe	cmd.exe
PID 1084 wrote to memory of 960	1084	cmd.exe	taskkill.exe
PID 1084 wrote to memory of 960	1084	cmd.exe	taskkill.exe
PID 1084 wrote to memory of 960	1084	cmd.exe	taskkill.exe
PID 1084 wrote to memory of 2904	1084	cmd.exe	taskkill.exe
PID 1084 wrote to memory of 2904	1084	cmd.exe	taskkill.exe
PID 1084 wrote to memory of 2904	1084	cmd.exe	taskkill.exe
PID 1084 wrote to memory of 3724	1084	cmd.exe	WMIC.exe
PID 1084 wrote to memory of 3724	1084	cmd.exe	WMIC.exe
PID 1084 wrote to memory of 3724	1084	cmd.exe	WMIC.exe
PID 1084 wrote to memory of 1444	1084	cmd.exe	WMIC.exe
PID 1084 wrote to memory of 1444	1084	cmd.exe	WMIC.exe
PID 1084 wrote to memory of 1444	1084	cmd.exe	WMIC.exe

C:\Users\Admin\AppData\Local\Temp\Endermanch@000.exe
"C:\Users\Admin\AppData\Local\Temp\Endermanch@000.exe"
1⤵
- Enumerates connected drives
- Modifies WinLogon
- Sets desktop wallpaper using registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1200

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\windl.bat""
2⤵
- Suspicious use of WriteProcessMemory
PID:1084

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im explorer.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:960

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2904

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic useraccount where name='Admin' set FullName='UR NEXT'
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3724

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic useraccount where name='Admin' rename 'UR NEXT'
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1444

C:\Windows\SysWOW64\shutdown.exe
shutdown /f /r /t 0
3⤵
PID:3872

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3ad2055 /state1:0x41c64e6d
1⤵
PID:2888

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\one.rtf
MD5
6fbd6ce25307749d6e0a66ebbc0264e7

SHA1
faee71e2eac4c03b96aabecde91336a6510fff60

SHA256
e152b106733d9263d3cf175f0b6197880d70acb753f8bde8035a3e4865b31690

SHA512
35a0d6d91178ec10619cf4d2fd44d3e57aa0266e1779e15b1eef6e9c359c77c384e0ffe4edb2cde980a6847e53f47733e6eacb72d46762066b3541dee3d29064

Download Submit
C:\Users\Admin\AppData\Local\Temp\rniw.exe
MD5
9232120b6ff11d48a90069b25aa30abc

SHA1
97bb45f4076083fca037eee15d001fd284e53e47

SHA256
70faa0e1498461731f873d3594f20cbf2beaa6f123a06b66f9df59a9cdf862be

SHA512
b06688a9fc0b853d2895f11e812c48d5871f2793183fda5e9638ded22fc5dc1e813f174baedc980a1f0b6a7b0a65cd61f29bb16acc6dd45da62988eb012d6877

Download Submit
C:\Users\Admin\AppData\Local\Temp\text.txt
MD5
9037ebf0a18a1c17537832bc73739109

SHA1
1d951dedfa4c172a1aa1aae096cfb576c1fb1d60

SHA256
38c889b5d7bdcb79bbcb55554c520a9ce74b5bfc29c19d1e4cb1419176c99f48

SHA512
4fb5c06089524c6dcd48b6d165cedb488e9efe2d27613289ef8834dbb6c010632d2bd5e3ac75f83b1d8024477ebdf05b9e0809602bbe1780528947c36e4de32f

Download Submit
C:\Users\Admin\AppData\Local\Temp\windl.bat
MD5
a9401e260d9856d1134692759d636e92

SHA1
4141d3c60173741e14f36dfe41588bb2716d2867

SHA256
b551fba71dfd526d4916ae277d8686d83fff36d22fcf6f18457924a070b30ef7

SHA512
5cbe38cdab0283b87d9a9875f7ba6fa4e8a7673d933ca05deddddbcf6cf793bd1bf34ac0add798b4ed59ab483e49f433ce4012f571a658bc0add28dd987a57b6

Download Submit
memory/960-8-0x0000000000000000-mapping.dmp

Download
memory/1084-6-0x0000000000000000-mapping.dmp

Download
memory/1200-16-0x000000000B140000-0x000000000B150000-memory.dmp

Filesize
64KB

Download
memory/1200-15-0x000000000B140000-0x000000000B150000-memory.dmp

Filesize
64KB

Download
memory/1200-3-0x0000000000FA0000-0x0000000000FA1000-memory.dmp

Filesize
4KB

Download
memory/1200-9-0x0000000005F50000-0x0000000005F51000-memory.dmp

Filesize
4KB

Download
memory/1200-5-0x00000000064D0000-0x00000000064D1000-memory.dmp

Filesize
4KB

Download
memory/1200-14-0x000000000B0D0000-0x000000000B0D1000-memory.dmp

Filesize
4KB

Download
memory/1200-2-0x0000000073A70000-0x000000007415E000-memory.dmp

Filesize
6.9MB

Download
memory/1200-17-0x000000000B140000-0x000000000B150000-memory.dmp

Filesize
64KB

Download
memory/1200-18-0x000000000B140000-0x000000000B150000-memory.dmp

Filesize
64KB

Download
memory/1200-10-0x0000000005F53000-0x0000000005F55000-memory.dmp

Filesize
8KB

Download
memory/1200-21-0x000000000B9D0000-0x000000000B9E0000-memory.dmp

Filesize
64KB

Download
memory/1200-20-0x000000000B9D0000-0x000000000B9E0000-memory.dmp

Filesize
64KB

Download
memory/1200-22-0x000000000B140000-0x000000000B150000-memory.dmp

Filesize
64KB

Download
memory/1200-23-0x000000000B140000-0x000000000B150000-memory.dmp

Filesize
64KB

Download
memory/1200-24-0x000000000B9D0000-0x000000000B9E0000-memory.dmp

Filesize
64KB

Download
memory/1444-19-0x0000000000000000-mapping.dmp

Download
memory/2904-11-0x0000000000000000-mapping.dmp

Download
memory/3724-13-0x0000000000000000-mapping.dmp

Download
memory/3872-27-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads