Resubmissions
- 03-07-2024 22:59  240703-2yn7wszhlp  score 10
- 03-07-2024 16:13  240703-tn93lsyglf  score 10
- 03-07-2024 16:11  240703-tm84xsyfma  score 10
- 10-05-2024 16:25  240510-tw1h5shh47  score 10
- 24-08-2023 11:16  230824-nda8msdf8z  score 10
Analysis
- max time kernel: 303s
- max time network: 319s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 03-02-2021 11:43
Static task: static1
Behavioral task: behavioral24
Sample: Endermanch@NavaShield(1).exe
Resource: win10v20201028
General
- Target: -
- Size: 378KB
- MD5: c718a1cbf0e13674714c66694be02421
- SHA1: 001d5370d3a7ee48db6caaecb1c213b5dfdf8e65
- SHA256: cde188d6c4d6e64d6abfdea1e113314f9cdf9417bca36eb7201e6b766e5f5a7f
- SHA512: ba0ddff47b618740dfcb63024435c36d895889dd3cf6b4559969283ba8100e8063f5c7767e56dfab67a2b5c96e4ae22e141e5b09e81be5cec9aa7ca7827b4b8a
Malware Config
Signatures
- Executes dropped EXE (9 IoCs)
  pid   Process
  4448  Q42D22E1I05Q8UX6H16.exe
  4424  B62X15H0K78P4SF4J86.exe
  380   Z23I56N6F03U7NH7W03.exe
  1856  F88H21J0E36M6GC8F06.exe
  4480  N52Z63J7Q37B5HP0T51.exe
  4620  E87B35O4B36E4QH1A08.exe
  604   W74Z60I3F34D0XE8Q80.exe
  1772  B67E28M4P71X5TA0Y07.exe
  2384  D85P52P5T52O4JK6K60.exe
- Checks whether UAC is enabled (16 IoCs)
  Registry key (all rows): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
  description             ioc                 Process
  Key value queried       EnableLUA           Q42D22E1I05Q8UX6H16.exe
  Set value (int)         EnableLUA = "0"     Q42D22E1I05Q8UX6H16.exe
  Set value (int)         EnableLUA = "0"     W74Z60I3F34D0XE8Q80.exe
  Key value queried       EnableLUA           B67E28M4P71X5TA0Y07.exe
  Set value (int)         EnableLUA = "0"     B67E28M4P71X5TA0Y07.exe
  Key value queried       EnableLUA           [email protected]
  Set value (int)         EnableLUA = "0"     N52Z63J7Q37B5HP0T51.exe
  Key value queried       EnableLUA           W74Z60I3F34D0XE8Q80.exe
  Key value queried       EnableLUA           D85P52P5T52O4JK6K60.exe
  Set value (int)         EnableLUA = "0"     D85P52P5T52O4JK6K60.exe
  Set value (int)         EnableLUA = "0"     [email protected]
  Key value queried       EnableLUA           Z23I56N6F03U7NH7W03.exe
  Set value (int)         EnableLUA = "0"     Z23I56N6F03U7NH7W03.exe
  Key value queried       EnableLUA           N52Z63J7Q37B5HP0T51.exe
  Key value queried       EnableLUA           E87B35O4B36E4QH1A08.exe
  Set value (int)         EnableLUA = "0"     E87B35O4B36E4QH1A08.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (169 IoCs)
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description               pid   Process
  Token: SeDebugPrivilege   4792  [email protected]
  Token: SeDebugPrivilege   4448  Q42D22E1I05Q8UX6H16.exe
  Token: SeDebugPrivilege   604   W74Z60I3F34D0XE8Q80.exe
  Token: SeDebugPrivilege   1772  B67E28M4P71X5TA0Y07.exe
- Suspicious use of WriteProcessMemory (27 IoCs)
  description                         pid   Process                   procid_target
  PID 4792 wrote to memory of 4448    4792  [email protected]         76
  PID 4792 wrote to memory of 4448    4792  [email protected]         76
  PID 4792 wrote to memory of 4448    4792  [email protected]         76
  PID 4792 wrote to memory of 4424    4792  [email protected]         81
  PID 4792 wrote to memory of 4424    4792  [email protected]         81
  PID 4792 wrote to memory of 4424    4792  [email protected]         81
  PID 4792 wrote to memory of 380     4792  [email protected]         77
  PID 4792 wrote to memory of 380     4792  [email protected]         77
  PID 4792 wrote to memory of 380     4792  [email protected]         77
  PID 4792 wrote to memory of 1856    4792  [email protected]         78
  PID 4792 wrote to memory of 1856    4792  [email protected]         78
  PID 4792 wrote to memory of 1856    4792  [email protected]         78
  PID 4792 wrote to memory of 4480    4792  [email protected]         80
  PID 4792 wrote to memory of 4480    4792  [email protected]         80
  PID 4792 wrote to memory of 4480    4792  [email protected]         80
  PID 4792 wrote to memory of 4620    4792  [email protected]         79
  PID 4792 wrote to memory of 4620    4792  [email protected]         79
  PID 4792 wrote to memory of 4620    4792  [email protected]         79
  PID 4792 wrote to memory of 604     4792  [email protected]         82
  PID 4792 wrote to memory of 604     4792  [email protected]         82
  PID 4792 wrote to memory of 604     4792  [email protected]         82
  PID 604 wrote to memory of 1772     604   W74Z60I3F34D0XE8Q80.exe   83
  PID 604 wrote to memory of 1772     604   W74Z60I3F34D0XE8Q80.exe   83
  PID 604 wrote to memory of 1772     604   W74Z60I3F34D0XE8Q80.exe   83
  PID 1772 wrote to memory of 2384    1772  B67E28M4P71X5TA0Y07.exe   85
  PID 1772 wrote to memory of 2384    1772  B67E28M4P71X5TA0Y07.exe   85
  PID 1772 wrote to memory of 2384    1772  B67E28M4P71X5TA0Y07.exe   85
- System policy modification (1 TTPs, 8 IoCs)
  Registry key (all rows): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
  description       ioc               Process
  Set value (int)   EnableLUA = "0"   N52Z63J7Q37B5HP0T51.exe
  Set value (int)   EnableLUA = "0"   E87B35O4B36E4QH1A08.exe
  Set value (int)   EnableLUA = "0"   W74Z60I3F34D0XE8Q80.exe
  Set value (int)   EnableLUA = "0"   B67E28M4P71X5TA0Y07.exe
  Set value (int)   EnableLUA = "0"   D85P52P5T52O4JK6K60.exe
  Set value (int)   EnableLUA = "0"   [email protected]
  Set value (int)   EnableLUA = "0"   Q42D22E1I05Q8UX6H16.exe
  Set value (int)   EnableLUA = "0"   Z23I56N6F03U7NH7W03.exe
Processes (indented by process-tree depth; each entry gives the image path, the command line, the matched signatures and the PID)

Level 1: C:\Users\Admin\AppData\Local\Temp\[email protected]
  Command line: "C:\Users\Admin\AppData\Local\Temp\[email protected]"
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID: 4792

  Level 2: C:\Users\Admin\AppData\Local\Temp\930645675\Q42D22E1I05Q8UX6H16.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\930645675\Q42D22E1I05Q8UX6H16.exe"
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID: 4448

  Level 2: C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\Z23I56N6F03U7NH7W03.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\Z23I56N6F03U7NH7W03.exe"
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - System policy modification
    PID: 380

  Level 2: C:\Users\Admin\AppData\Local\Temp\Low\F88H21J0E36M6GC8F06.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Low\F88H21J0E36M6GC8F06.exe"
    - Executes dropped EXE
    PID: 1856

  Level 2: C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\E87B35O4B36E4QH1A08.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\E87B35O4B36E4QH1A08.exe"
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - System policy modification
    PID: 4620

  Level 2: C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\N52Z63J7Q37B5HP0T51.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\N52Z63J7Q37B5HP0T51.exe"
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - System policy modification
    PID: 4480

  Level 2: C:\Users\Admin\AppData\Local\Temp\acrocef_low\B62X15H0K78P4SF4J86.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\acrocef_low\B62X15H0K78P4SF4J86.exe"
    - Executes dropped EXE
    PID: 4424

  Level 2: C:\Users\Admin\AppData\Local\Temp\___ _ _____ __ ___\W74Z60I3F34D0XE8Q80.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\___ _ _____ __ ___\W74Z60I3F34D0XE8Q80.exe"
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID: 604

    Level 3: C:\Users\Admin\AppData\Local\Temp\___ _ _____ __ ___\전산 및 비전산자료 보존 요청서\B67E28M4P71X5TA0Y07.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\___ _ _____ __ ___\전산 및 비전산자료 보존 요청서\B67E28M4P71X5TA0Y07.exe"
      - Executes dropped EXE
      - Checks whether UAC is enabled
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification
      PID: 1772

      Level 4: C:\Users\Admin\AppData\Local\Temp\___ _ _____ __ ___\전산 및 비전산자료 보존 요청서\전산 및 비전산자료 보존 요청서\D85P52P5T52O4JK6K60.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\___ _ _____ __ ___\전산 및 비전산자료 보존 요청서\전산 및 비전산자료 보존 요청서\D85P52P5T52O4JK6K60.exe"
        - Executes dropped EXE
        - Checks whether UAC is enabled
        - System policy modification
        PID: 2384