Overview
Static
Behavioral tasks: 32 (all on windows10_x64)
Sidebar scores, in the order shown (overview, static, then each behavioral task): 10, 10, -, -, 8, 10, 10, 7, 10, 10, 1, 10, 10, 8, 1, 10, 8, 10, -, 10, 10, 9, 10, 8, 10, 5, 10, 10, 10, 10, -, 10, 8, 10

Resubmissions
Date              Analysis ID         Score
24-08-2023 11:16  230824-nda8msdf8z   10
05-08-2023 22:52  230805-2tn2bsfa82   10
24-07-2023 06:25  230724-g6s6laag35   10
22-07-2023 15:57  230722-tee6wabg5w   10
20-07-2023 23:19  230720-3bb5gsbf5v   10
20-07-2023 23:06  230720-23f23sba63   10
03-02-2021 11:43  210203-6bgge2nfan   10
22-11-2020 06:42  201122-6x1at779dj   10

Analysis
- max time kernel: 304s
- max time network: 325s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 03-02-2021 11:43
Tasks
Static task: static1
Behavioral tasks (all run on resource win10v20201028):
behavioral1   Endermanch@000.exe
behavioral2   Endermanch@7ev3n.exe
behavioral3   Endermanch@AnViPC2009.exe
behavioral4   Endermanch@Antivirus.exe
behavioral5   Endermanch@AntivirusPlatinum.exe
behavioral6   Endermanch@AntivirusPro2017.exe
behavioral7   Endermanch@BadRabbit.exe
behavioral8   Endermanch@Birele.exe
behavioral9   Endermanch@Cerber5.exe
behavioral10  Endermanch@CleanThis.exe
behavioral11  Endermanch@ColorBug.exe
behavioral12  Endermanch@DeriaLock.exe
behavioral13  Endermanch@Deskbottom.exe
behavioral14  Endermanch@DesktopPuzzle.exe
behavioral15  Endermanch@FakeAdwCleaner.exe
behavioral16  Endermanch@FreeYoutubeDownloader.exe
behavioral17  Endermanch@HMBlocker.exe
behavioral18  Endermanch@HappyAntivirus.exe
behavioral19  Endermanch@Illerka.C.exe
behavioral20  Endermanch@InternetSecurityGuard.exe
behavioral21  Endermanch@Koteyka2.exe
behavioral22  Endermanch@LPS2019.exe
behavioral23  Endermanch@Movie.mpeg.exe
behavioral24  Endermanch@NavaShield(1).exe
behavioral25  Endermanch@NavaShield.exe
behavioral26  Endermanch@PCDefender.exe
behavioral27  Endermanch@PCDefenderv2.msi
behavioral28  Endermanch@PolyRansom.exe
behavioral29  Endermanch@PowerPoint.exe
behavioral30  Endermanch@ProgramOverflow.exe
behavioral31  Endermanch@RegistrySmart.exe
behavioral32  Endermanch@SE2011.exe
General
- Target: Endermanch@CleanThis.exe
- Size: 618KB
- MD5: a50fc0da1d2b3c4aa8a6adaccf69a5de
- SHA1: e001f4043ab4be644ea10e0d65303d6e57b31ffe
- SHA256: cf6eb8377789e316629c0396a2dbb53c69b5fd67bbd0e7163b8d305aaa756e90
- SHA512: 4bbc7676391ed4085f628d1f4e1f0af16f5cd6fd9efb8c61176bccdb6ee03b06896c6ddfba9fcf363b133ade3a8a1b8cd17ef92d8eb9adeec247f9bd41dbec2b
Malware Config
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Process: Endermanch@CleanThis.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Roaming\\gog.exe"
- Maps connected drives based on registry (3 TTPs, 2 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  Process: Endermanch@CleanThis.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum
  Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (4744 IoCs)
  Process: pid 4808 Endermanch@CleanThis.exe (the same pid/process pair is listed for every IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeShutdownPrivilege, pid 4808 Endermanch@CleanThis.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Process: pid 4808 Endermanch@CleanThis.exe (listed twice)
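The Winlogon\Shell write above is the one durable artefact this sample leaves, so it is the natural thing to hunt for. The following is an added example, not code from the report or from the sample's author: it parses registry-write lines in the same `Set value (type) <key> = "<data>" <process>` layout the report uses and flags Shell/Userinit values that do not match a stock Windows 10 image. The first sample line is the report's own IoC; the other three are constructed. The default-binary set and the user-writable directory list are assumptions.

```python
"""Flag Winlogon Shell/Userinit hijacks in registry-write events.

Added example, not part of the sandbox report. Input lines use the report's
own 'Set value (type) <key> = "<data>" <process>' layout; SAMPLE_LINES[0] is
the report's IoC, the rest are constructed.
"""
import re
from typing import Optional

# Stock binaries Windows puts in these Winlogon values.
# Assumption: clean Windows 10 image; hardened builds may legitimately differ.
DEFAULT_BINARIES = {
    "shell": {"explorer.exe"},
    "userinit": {"userinit.exe"},
}

# Directories an unprivileged user can write to (assumption: default ACLs).
# A Winlogon entry pointing here is suspicious whatever the binary is called.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")

IOC_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<key>\\REGISTRY\\.+?) = "(?P<data>.*)" (?P<proc>\S+)$'
)
WINLOGON_SUFFIX = "\\software\\microsoft\\windows nt\\currentversion\\winlogon\\"


def parse_ioc(line: str) -> Optional[dict]:
    """Split one 'Set value' line into type/key/data/process; None if not one."""
    m = IOC_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["data"] = d["data"].replace("\\\\", "\\")  # the report escapes backslashes
    return d


def winlogon_value(key: str) -> Optional[str]:
    """Return 'shell' or 'userinit' when the key is one of the watched values."""
    k = key.lower()
    if WINLOGON_SUFFIX not in k:
        return None
    name = k.rsplit("\\", 1)[-1]
    return name if name in DEFAULT_BINARIES else None


def assess(key: str, data: str) -> list[str]:
    """Reasons the write looks like a hijack; an empty list means benign."""
    value = winlogon_value(key)
    if value is None:
        return []
    reasons = []
    # Both values are comma-separated lists. Appending a second entry keeps the
    # stock binary running so the user notices nothing, hence the count check.
    entries = [e.strip().strip('"') for e in data.split(",") if e.strip()]
    if len(entries) > 1:
        reasons.append(f"{value} has {len(entries)} entries (stock value has one)")
    for entry in entries:
        low = entry.lower()
        binary = low.rsplit("\\", 1)[-1]
        if binary not in DEFAULT_BINARIES[value]:
            reasons.append(f"{value} runs non-default binary {entry}")
        if any(seg in low for seg in USER_WRITABLE):
            reasons.append(f"{value} points into user-writable path {entry}")
    return reasons


def scan(lines: list[str]) -> list[dict]:
    """Parse and assess every line; return only the hits."""
    hits = []
    for line in lines:
        ioc = parse_ioc(line)
        if ioc is None:
            continue
        reasons = assess(ioc["key"], ioc["data"])
        if reasons:
            hits.append({"process": ioc["proc"], "key": ioc["key"],
                         "data": ioc["data"], "reasons": reasons})
    return hits


SAMPLE_LINES = [
    # The report's own IoC line for this sample.
    'Set value (str) \\REGISTRY\\USER\\S-1-5-21-3341490333-719741536-2920803124-1000\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell = "C:\\\\Users\\\\Admin\\\\AppData\\\\Roaming\\\\gog.exe" Endermanch@CleanThis.exe',
    # Constructed: benign write restoring the stock shell.
    'Set value (str) \\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell = "explorer.exe" explorer.exe',
    # Constructed: Userinit with a second binary appended.
    'Set value (str) \\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit = "C:\\\\Windows\\\\system32\\\\userinit.exe,C:\\\\ProgramData\\\\svc.exe" evil.exe',
    # Constructed: unrelated Run key, must be ignored by this check.
    'Set value (str) \\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater = "C:\\\\Program Files\\\\Foo\\\\upd.exe" setup.exe',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LINES):
        print(hit["process"], "->", hit["data"])
        for reason in hit["reasons"]:
            print("   ", reason)
```

The check deliberately ignores the Run key in the last constructed line: Run-key persistence is common enough to need its own baseline, whereas a non-default Shell or Userinit value is rare on a managed host and can be alerted on directly.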
Processes
1. C:\Users\Admin\AppData\Local\Temp\Endermanch@CleanThis.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\Endermanch@CleanThis.exe"
   - Modifies WinLogon for persistence
   - Maps connected drives based on registry
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of SetWindowsHookEx
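The "Maps connected drives based on registry" signature records a read of Services\Disk\Enum\0, which holds the device instance path of the first disk and therefore usually names the hypervisor. The following is an added example, not the sample's code and not part of the report: it pulls the processes that probe Disk\Enum out of IoC lines in the report's own `Key opened` / `Key value queried` layout, and then classifies Disk\Enum strings the way a sandbox-aware sample would, which is the check a sandbox operator should run against their own image before detonating. The first two REPORT_LINES are the report's IoCs; the third is constructed. The hypervisor markers and the DISK_ENUM_SAMPLES strings are assumptions about typical values, not data from this analysis.

```python
"""Which processes probe Services\\Disk\\Enum, and what such a probe sees.

Added example, neither the sample's code nor part of the report.
REPORT_LINES[0:2] are the report's IoC lines; everything else is constructed
or assumed (typical hypervisor strings, not values from this analysis).
"""
import re
import sys
from typing import Dict, List, Optional, Set

DISK_ENUM_RE = re.compile(
    r"^Key (?P<op>opened|value queried) "
    r"(?P<key>\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet\d+\\Services\\Disk\\Enum"
    r"(?:\\(?P<idx>\d+))?) (?P<proc>\S+)$",
    re.IGNORECASE,
)

# Substrings hypervisors typically leave in the Ven_/Prod_ fields of the disk
# device instance path. Assumption: common defaults, not exhaustive, ordered
# so a specific vendor wins over the generic "virtual" marker.
VM_MARKERS = [
    (r"vmware", "VMware"),
    (r"vbox|virtualbox", "VirtualBox"),
    (r"qemu", "QEMU"),
    (r"ven_msft&prod_virtual_disk", "Hyper-V"),
    (r"xensrc|ven_xen", "Xen"),
    (r"virtual", "generic virtual disk"),
]


def disk_enum_readers(lines: List[str]) -> Dict[str, Set[int]]:
    """Map each process touching Disk\\Enum to the disk indexes it queried."""
    readers: Dict[str, Set[int]] = {}
    for line in lines:
        m = DISK_ENUM_RE.match(line.strip())
        if not m:
            continue
        indexes = readers.setdefault(m.group("proc"), set())
        if m.group("idx") is not None:
            indexes.add(int(m.group("idx")))
    return readers


def classify_disk(enum_value: str) -> Optional[str]:
    """Return the hypervisor a Disk\\Enum string gives away, or None."""
    v = enum_value.lower()
    for pattern, name in VM_MARKERS:
        if re.search(pattern, v):
            return name
    return None


def read_local_disk_enum() -> List[str]:
    """On Windows, read the same values the sample queried (winreg is stdlib)."""
    if sys.platform != "win32":
        return []
    import winreg  # only importable on Windows
    values = []
    key_path = r"SYSTEM\CurrentControlSet\Services\Disk\Enum"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
        count, _ = winreg.QueryValueEx(key, "Count")
        for i in range(count):
            value, _ = winreg.QueryValueEx(key, str(i))
            values.append(value)
    return values


REPORT_LINES = [
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum Endermanch@CleanThis.exe",
    r"Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 Endermanch@CleanThis.exe",
    # Constructed: unrelated registry read that must not count.
    r"Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run svchost.exe",
]

# Constructed Disk\Enum\<n> strings in the shape Windows stores them.
DISK_ENUM_SAMPLES = [
    r"SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000",
    r"SCSI\Disk&Ven_Samsung&Prod_SSD_870_EVO\4&2a4b5c6d&0&000000",
    r"IDE\DiskVBOX_HARDDISK___________________1.0_____\5&3f1a2b3c&0&0.0.0",
    r"SCSI\Disk&Ven_Msft&Prod_Virtual_Disk\000001",
]

if __name__ == "__main__":
    for proc, idx in disk_enum_readers(REPORT_LINES).items():
        print(f"{proc} queried Disk\\Enum entries {sorted(idx)}")
    for value in read_local_disk_enum() or DISK_ENUM_SAMPLES:
        print(f"{classify_disk(value) or 'no VM marker':<22} {value}")
```

Run on a Windows analysis VM it prints the real Disk\Enum strings; anywhere else it falls back to the constructed samples. If `classify_disk` names your hypervisor, that is exactly what this sample learns from the single `Enum\0` read the report records.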
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- memory/4808-2-0x00000000005E0000-0x00000000005E1000-memory.dmp (Filesize: 4KB)