Resubmissions
date | task ID | score
03-07-2024 22:59 | 240703-2yn7wszhlp | 10
03-07-2024 16:13 | 240703-tn93lsyglf | 10
03-07-2024 16:11 | 240703-tm84xsyfma | 10
10-05-2024 16:25 | 240510-tw1h5shh47 | 10
24-08-2023 11:16 | 230824-nda8msdf8z | 10
Analysis
- max time kernel: 309s
- max time network: 324s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 03-02-2021 11:43
- Static task: static1
- Behavioral task: behavioral24
- Sample: Endermanch@NavaShield(1).exe
- Resource: win10v20201028
General
- Target: -
- Size: 6.1MB
- MD5: 04155ed507699b4e37532e8371192c0b
- SHA1: a14107131237dbb0df750e74281c462a2ea61016
- SHA256: b6371644b93b9d3b9b32b2f13f8265f9c23ddecc1e9c5a0291bbf98aa0fc3b77
- SHA512: 6de59ebbc9b96c8a19d530caa13aa8129531ebd14b3b6c6bbb758426b59ed5ab12483bfa232d853af2e661021231b4b3fcc6c53e187eeba38fa523f673115371
Malware Config
Signatures
- Checks for common network interception software (1 TTPs)
  Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
- Enumerates VirtualBox registry keys (2 TTPs)
- Blocks application from running via registry modification
  Adds application to list of disallowed applications.
- Drops file in Drivers directory (4 IoCs)
  description | ioc | Process
  File created | C:\Windows\system32\drivers\etc\host_new | [email protected]
  File created | C:\Windows\System32\drivers\etc\hosts | [email protected]
  File opened for modification | C:\Windows\System32\drivers\etc\hosts | [email protected]
  File opened for modification | C:\Windows\system32\drivers\etc\hosts | [email protected]
- Sets file execution options in registry (2 TTPs)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 4 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | [email protected]
  Set value (str) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\Internet Security Guard = "\"C:\\ProgramData\\727e2\\ISb29.exe\" /s /d" | [email protected]
  Key created | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run | [email protected]
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | [email protected]
- Checks for any installed AV software in registry (1 TTPs, 1 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Eset\Nod\ | [email protected]
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Enumerates connected drives (3 TTPs, 22 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description | ioc | Process
  File opened (read-only) | \??\O: \??\Q: \??\R: \??\S: \??\T: \??\W: \??\J: \??\K: \??\Y: \??\P: \??\V: \??\E: \??\I: \??\H: \??\M: \??\Z: \??\F: \??\G: \??\U: \??\X: \??\L: \??\N: (22 roots, every letter from E: to Z:) | [email protected]
- Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  description | ioc | Process
  File opened for modification | \??\PhysicalDrive0 | [email protected]
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies Internet Explorer settings (11 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Download\CheckExeSignatures = "no" | [email protected]
  Key created | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\BrowserEmulation | [email protected]
  Key created | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} | [email protected]
  Set value (str) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\URL = "http://findgala.com/?&uid=7&q={searchTerms}" | [email protected]
  Set value (str) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\PRS = "http://127.0.0.1:27777/?inj=%ORIGINAL%" | [email protected]
  Set value (int) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\IIL = "0" | [email protected]
  Set value (int) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\ltHI = "0" | [email protected]
  Set value (int) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\ltTST = "42571" | [email protected]
  Set value (int) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Download\RunInvalidSignatures = "1" | [email protected]
  Set value (int) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\MSCompatibilityMode = "0" | [email protected]
  Key created | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\SearchScopes | [email protected]
- Modifies data under HKEY_USERS (6 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes | [email protected]
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes\URL = "http://findgala.com/?&uid=7&q={searchTerms}" | [email protected]
  Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes | [email protected]
  Set value (str) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes\URL = "http://findgala.com/?&uid=7&q={searchTerms}" | [email protected]
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes | [email protected]
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes\URL = "http://findgala.com/?&uid=7&q={searchTerms}" | [email protected]
- Modifies registry class (15 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\[email protected]\ = "Implements DocHostUIHandler" | [email protected]
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\[email protected]\Clsid | [email protected]
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\[email protected]\Clsid\ = "{3F2BBC05-40DF-11D2-9455-00104BC936FF}" | [email protected]
  Key created | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Software\Microsoft\Internet Explorer\SearchScopes | [email protected]
  Key created | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Software | [email protected]
  Set value (str) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Software\Microsoft\Internet Explorer\SearchScopes\URL = "http://findgala.com/?&uid=7&q={searchTerms}" | [email protected]
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\LocalServer32 | [email protected]
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ProgID\ = "[email protected]" | [email protected]
  Key created | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Software\Microsoft\Internet Explorer | [email protected]
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF} | [email protected]
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\[email protected]" | [email protected]
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\[email protected] | [email protected]
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ProgID | [email protected]
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ = "Implements DocHostUIHandler" | [email protected]
  Key created | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Software\Microsoft | [email protected]
- Suspicious behavior: EnumeratesProcesses (1314 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description | pid | Process
  Token: SeSecurityPrivilege | 2372 | mofcomp.exe
- Suspicious use of FindShellTrayWindow (2 IoCs)
  pid | Process
  3268 | [email protected]
  3268 | [email protected]
- Suspicious use of SendNotifyMessage (2 IoCs)
  pid | Process
  3268 | [email protected]
  3268 | [email protected]
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid | Process
  3268 | [email protected]
  3268 | [email protected]
- Suspicious use of WriteProcessMemory (78 IoCs)
  The sample (PID 3268) wrote into each of its 26 child processes three times; the targets are exactly the mofcomp, netsh and nslookup children listed under Processes (26 targets x 3 writes = 78 IoCs). Each row below was recorded three times.
  description | pid | Process | procid_target
  PID 3268 wrote to memory of 2372 | 3268 | [email protected] | 78
  PID 3268 wrote to memory of 4024 | 3268 | [email protected] | 79
  PID 3268 wrote to memory of 1392 | 3268 | [email protected] | 82
  PID 3268 wrote to memory of 748 | 3268 | [email protected] | 84
  PID 3268 wrote to memory of 2824 | 3268 | [email protected] | 88
  PID 3268 wrote to memory of 3860 | 3268 | [email protected] | 90
  PID 3268 wrote to memory of 2264 | 3268 | [email protected] | 92
  PID 3268 wrote to memory of 2596 | 3268 | [email protected] | 94
  PID 3268 wrote to memory of 1148 | 3268 | [email protected] | 96
  PID 3268 wrote to memory of 1276 | 3268 | [email protected] | 98
  PID 3268 wrote to memory of 3956 | 3268 | [email protected] | 100
  PID 3268 wrote to memory of 2668 | 3268 | [email protected] | 102
  PID 3268 wrote to memory of 2560 | 3268 | [email protected] | 104
  PID 3268 wrote to memory of 3132 | 3268 | [email protected] | 106
  PID 3268 wrote to memory of 3556 | 3268 | [email protected] | 108
  PID 3268 wrote to memory of 2184 | 3268 | [email protected] | 110
  PID 3268 wrote to memory of 1952 | 3268 | [email protected] | 112
  PID 3268 wrote to memory of 2120 | 3268 | [email protected] | 114
  PID 3268 wrote to memory of 3864 | 3268 | [email protected] | 116
  PID 3268 wrote to memory of 1508 | 3268 | [email protected] | 118
  PID 3268 wrote to memory of 4012 | 3268 | [email protected] | 120
  PID 3268 wrote to memory of 3276 | 3268 | [email protected] | 122
  PID 3268 wrote to memory of 2640 | 3268 | [email protected] | 124
  PID 3268 wrote to memory of 2208 | 3268 | [email protected] | 126
  PID 3268 wrote to memory of 2880 | 3268 | [email protected] | 128
  PID 3268 wrote to memory of 2284 | 3268 | [email protected] | 130
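The signature tables above are raw file and registry operations; an analyst usually wants them folded into behaviours (Run-key persistence, hosts-file tampering, a raw write to PhysicalDrive0, AV-vendor key discovery, IE search-provider hijack for every user hive, weakened download signature checks, and the E: to Z: drive probe). The following Python is an added example written for this page, not sandbox code: the rows in SAMPLE_IOCS are constructed from the tables above, and the rule set, the AV vendor key list beyond Eset\Nod, the drive-count threshold and the ATT&CK mappings are this example's own assumptions.

```python
"""Classify sandbox file/registry IoC rows into behaviours.

Added example for this report, not sandbox code. SAMPLE_IOCS is constructed
from the report's IoC tables as (operation, path, value); the rule set, the
AV vendor key list and the ATT&CK mappings are this example's own choices.
"""
import re
from collections import Counter

HKU = r"\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000"
HKLM = r"\REGISTRY\MACHINE\SOFTWARE"

SAMPLE_IOCS = [
    ("Set value (str)", HKU + r"\Software\Microsoft\Windows\CurrentVersion\Run\Internet Security Guard",
     r'"C:\ProgramData\727e2\ISb29.exe" /s /d'),
    ("Key created", HKLM + r"\WOW6432Node\Microsoft\Windows\CurrentVersion\Run", None),
    ("File created", r"C:\Windows\system32\drivers\etc\host_new", None),
    ("File opened for modification", r"C:\Windows\System32\drivers\etc\hosts", None),
    ("File opened for modification", r"\??\PhysicalDrive0", None),
    ("Key opened", HKLM + "\\WOW6432Node\\Eset\\Nod\\", None),
    ("Set value (str)", r"\REGISTRY\USER\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes\URL",
     "http://findgala.com/?&uid=7&q={searchTerms}"),
    ("Set value (str)", HKU + r"\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\URL",
     "http://findgala.com/?&uid=7&q={searchTerms}"),
    ("Set value (str)", HKU + r"\Software\Microsoft\Internet Explorer\Download\CheckExeSignatures", "no"),
    ("Set value (int)", HKU + r"\Software\Microsoft\Internet Explorer\Download\RunInvalidSignatures", "1"),
    ("Key created", HKU + r"_Classes\Software\Microsoft", None),
] + [("File opened (read-only)", f"\\??\\{c}:", None) for c in "EFGHIJKLMNOPQRSTUVWXYZ"]

DRIVE_RE = re.compile(r"^\\\?\?\\([D-Z]):$", re.I)
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\[^\\]+$", re.I)
HOSTS_RE = re.compile(r"\\drivers\\etc\\hosts?(_new)?$", re.I)        # hosts and the staged host_new copy
PHYSDRIVE_RE = re.compile(r"^\\\?\?\\PhysicalDrive\d+$", re.I)
SEARCHSCOPE_URL_RE = re.compile(r"\\Internet Explorer\\SearchScopes\\(\{[^}]+\}\\)?URL$", re.I)
# Eset\Nod comes from the report; the other vendor key names are an assumed extension.
AV_VENDOR_RE = re.compile(r"\\SOFTWARE\\(WOW6432Node\\)?(Eset|KasperskyLab|Symantec|McAfee|AVAST Software)\\", re.I)
USER_WRITABLE_RE = re.compile(r"C:\\(ProgramData|Users\\[^\\]+\\AppData)\\", re.I)
# IE settings whose weakened value lets unsigned or badly signed downloads run unchallenged.
DOWNLOAD_GUARD = {"checkexesignatures": "no", "runinvalidsignatures": "1"}


def classify(op, path, value=None):
    """Return (category, technique, detail) for one IoC row, or None if nothing matches."""
    low_op = op.lower()
    if RUN_KEY_RE.search(path) and low_op.startswith("set value"):
        staged = bool(value and USER_WRITABLE_RE.search(value))
        return ("persistence", "T1547.001",
                f"Run value -> {value}" + (" (binary in user-writable dir)" if staged else ""))
    if HOSTS_RE.search(path) and ("created" in low_op or "modification" in low_op):
        return ("dns_hijack", "hosts file", f"{op}: {path}")
    if PHYSDRIVE_RE.match(path) and "modification" in low_op:
        return ("bootkit", "T1542.003", f"raw disk opened for write: {path}")
    if AV_VENDOR_RE.search(path) and low_op == "key opened":
        return ("av_discovery", "T1518.001", path)
    if SEARCHSCOPE_URL_RE.search(path) and low_op.startswith("set value"):
        scope = "current user" if "\\S-1-5-21-" in path else "default/service hive"
        return ("search_hijack", "browser", f"{scope}: {value}")
    name = path.rsplit("\\", 1)[-1].lower()
    if name in DOWNLOAD_GUARD and str(value).lower() == DOWNLOAD_GUARD[name]:
        return ("weaken_download_protection", "IE", f"{name} = {value}")
    return None


def triage(iocs, drive_threshold=8):
    """Classify every row; drive-root opens are aggregated into one finding (threshold is assumed)."""
    findings, drives = [], set()
    for op, path, value in iocs:
        m = DRIVE_RE.match(path)
        if m:
            drives.add(m.group(1).upper())
            continue
        hit = classify(op, path, value)
        if hit:
            findings.append(hit)
    if len(drives) >= drive_threshold:
        findings.append(("drive_enumeration", "T1120",
                         f"{len(drives)} drive roots probed: {' '.join(sorted(drives))}"))
    return findings


def summarize(findings):
    """Count findings per category."""
    return Counter(cat for cat, _, _ in findings)


if __name__ == "__main__":
    for cat, tech, detail in triage(SAMPLE_IOCS):
        print(f"{cat:28} {tech:10} {detail}")
```

The hosts rule deliberately treats the staged host_new file as the same finding as the hosts write, since the report shows the sample creating the copy and then opening the real file for modification; the search-scope rule distinguishes the .DEFAULT / S-1-5-19 / S-1-5-20 hives from the user hive because a hijack written there survives a user profile reset.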
Processes
- C:\Users\Admin\AppData\Local\Temp\[email protected]
  "C:\Users\Admin\AppData\Local\Temp\[email protected]"
  PID: 3268
  - Drops file in Drivers directory
  - Adds Run key to start application
  - Checks for any installed AV software in registry
  - Enumerates connected drives
  - Writes to the Master Boot Record (MBR)
  - Modifies Internet Explorer settings
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\Wbem\mofcomp.exe
    mofcomp "C:\Users\Admin\AppData\Local\Temp\623.mof"
    PID: 2372
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\netsh.exe
    netsh "firewall" add allowedprogram "C:\Users\Admin\AppData\Local\Temp\[email protected]" "Internet Security Guard" ENABLE
    PID: 4024
  - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt giluxdfi930jpvz.com 8.8.8.8
    PID: 1392
  - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt giluxdfi930jpvz.net 8.8.8.8
    PID: 748
  - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt giluxdfi930jpvz.com 208.67.222.222
    PID: 2824
  - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt giluxdfi930jpvz.net 208.67.222.222
    PID: 3860
  - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt giluxdfi930jpvz.com 8.8.4.4
    PID: 2264
  - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt giluxdfi930jpvz.net 8.8.4.4
    PID: 2596
  - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt giluxdfi930jpvz.com 208.67.220.220
    PID: 1148
  - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt giluxdfi930jpvz.net 208.67.220.220
    PID: 1276
  - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt fgowwde765eehmo.com 8.8.8.8
    PID: 3956
  - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt fgowwde765eehmo.net 8.8.8.8
    PID: 2668
  - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt fgowwde765eehmo.com 208.67.222.222
    PID: 2560
  - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt fgowwde765eehmo.net 208.67.222.222
    PID: 3132
  - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt fgowwde765eehmo.com 8.8.4.4
    PID: 3556
  - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt fgowwde765eehmo.net 8.8.4.4
    PID: 2184
  - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt fgowwde765eehmo.com 208.67.220.220
    PID: 1952
  - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt fgowwde765eehmo.net 208.67.220.220
    PID: 2120
  - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt deeem465uaahims.com 8.8.8.8
    PID: 3864
  - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt deeem465uaahims.net 8.8.8.8
    PID: 1508
  - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt deeem465uaahims.com 208.67.222.222
    PID: 4012
  - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt deeem465uaahims.net 208.67.222.222
    PID: 3276
  - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt deeem465uaahims.com 8.8.4.4
    PID: 2640
  - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt deeem465uaahims.net 8.8.4.4
    PID: 2208
  - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt deeem465uaahims.com 208.67.220.220
    PID: 2880
  - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt deeem465uaahims.net 208.67.220.220
    PID: 2284
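The process tree shows the sample asking nslookup for TXT records of three .com/.net name pairs at four public resolvers (Google and OpenDNS), right after opening a Windows Firewall exception for itself and compiling a MOF file out of Temp. None of that is covered by a signature above, so below is an added example (not the sandbox's code) that triages such a tree: it groups TXT lookups per name, records which external resolvers were tried and whether the parent lives in Temp, and flags the netsh and mofcomp helpers. PROCESS_TREE is constructed from the tree above with sample.exe standing in for the sample's file name; the resolver list, the crude "looks generated" label check and the ATT&CK mappings are this example's own assumptions.

```python
"""Triage a sandbox process tree for nslookup TXT probing and helper-binary abuse.

Added example for this report, not sandbox code. PROCESS_TREE is constructed
from the report's Processes section (PID 3268 is the sample; "sample.exe"
stands in for its file name); the resolver list, the looks_generated()
heuristic and the ATT&CK mappings are this example's own assumptions.
"""
import re
from collections import Counter, defaultdict

# The four resolvers the sample used, plus two common extras (assumed list).
PUBLIC_RESOLVERS = {"8.8.8.8", "8.8.4.4", "208.67.222.222", "208.67.220.220", "1.1.1.1", "9.9.9.9"}
TEMP_RE = re.compile(r"^C:\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.I)
TOKEN_RE = re.compile(r'"[^"]*"|\S+')   # keep quoted paths/names as one token

SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\sample.exe"
PROCESS_TREE = [  # (pid, parent_pid, image, command_line), constructed from the report
    (3268, 0, SAMPLE_EXE, f'"{SAMPLE_EXE}"'),
    (2372, 3268, r"C:\Windows\SysWOW64\Wbem\mofcomp.exe",
     r'mofcomp "C:\Users\Admin\AppData\Local\Temp\623.mof"'),
    (4024, 3268, r"C:\Windows\SysWOW64\netsh.exe",
     f'netsh "firewall" add allowedprogram "{SAMPLE_EXE}" "Internet Security Guard" ENABLE'),
]
# The 24 nslookup children in the report's order: 3 labels x 4 resolvers x {com, net}.
_PIDS = iter([1392, 748, 2824, 3860, 2264, 2596, 1148, 1276, 3956, 2668, 2560, 3132,
              3556, 2184, 1952, 2120, 3864, 1508, 4012, 3276, 2640, 2208, 2880, 2284])
for _label in ("giluxdfi930jpvz", "fgowwde765eehmo", "deeem465uaahims"):
    for _resolver in ("8.8.8.8", "208.67.222.222", "8.8.4.4", "208.67.220.220"):
        for _tld in ("com", "net"):
            PROCESS_TREE.append((next(_PIDS), 3268, r"C:\Windows\SysWOW64\nslookup.exe",
                                 f"nslookup -q=txt {_label}.{_tld} {_resolver}"))


def tokens(cmd):
    """Split a command line into tokens, dropping the quotes around quoted ones."""
    return [t.strip('"') for t in TOKEN_RE.findall(cmd)]


def parse_nslookup(cmd):
    """Return (qtype, name, resolver-or-None) for an nslookup command line, else None."""
    argv = tokens(cmd)
    if not argv or argv[0].lower() not in ("nslookup", "nslookup.exe"):
        return None
    qtype, positional = "a", []
    for arg in argv[1:]:
        low = arg.lower()
        if low.startswith(("-q=", "-query=", "-type=")):
            qtype = low.split("=", 1)[1]
        elif not arg.startswith("-"):
            positional.append(arg)
    if not positional:
        return None
    return qtype, positional[0], (positional[1] if len(positional) > 1 else None)


def looks_generated(label):
    """Crude DGA-style check (assumption): a long label mixing letters and digits."""
    return len(label) >= 12 and any(c.isdigit() for c in label) and any(c.isalpha() for c in label)


def triage_tree(tree):
    """Return a list of finding dicts for (pid, ppid, image, cmdline) rows."""
    images = {pid: image for pid, _, image, _ in tree}
    txt = defaultdict(lambda: {"tlds": set(), "resolvers": set(), "queries": 0, "parent_in_temp": False})
    findings = []
    for pid, ppid, image, cmd in tree:
        exe = image.rsplit("\\", 1)[-1].lower()
        parent_in_temp = bool(TEMP_RE.match(images.get(ppid, "")))
        argv = tokens(cmd)
        if exe == "nslookup.exe":
            parsed = parse_nslookup(cmd)
            # Only TXT queries aimed straight at a public resolver: that bypasses the local
            # DNS path, and TXT is the record type used to carry data or commands.
            if parsed and parsed[0] == "txt" and parsed[2] in PUBLIC_RESOLVERS:
                label, _, tld = parsed[1].rpartition(".")
                e = txt[label]
                e["tlds"].add(tld)
                e["resolvers"].add(parsed[2])
                e["queries"] += 1
                e["parent_in_temp"] |= parent_in_temp
        elif exe == "netsh.exe" and {"firewall", "add", "allowedprogram"} <= {a.lower() for a in argv}:
            prog = next((a for a in argv if "\\" in a), "?")
            findings.append({"kind": "firewall_exclusion", "technique": "T1562.004", "pid": pid,
                             "program": prog, "program_in_temp": bool(TEMP_RE.match(prog))})
        elif exe == "mofcomp.exe":
            # A MOF compiled from Temp deserves a look for __EventFilter /
            # CommandLineEventConsumer pairs (WMI event subscription persistence).
            mof = next((a for a in argv if a.lower().endswith(".mof")), "?")
            findings.append({"kind": "mof_compile", "technique": "T1546.003 (if it registers a subscription)",
                             "pid": pid, "mof": mof, "mof_in_temp": bool(TEMP_RE.match(mof))})
    for label, e in txt.items():
        findings.append({"kind": "dns_txt_beacon", "technique": "T1071.004", "label": label,
                         "tlds": sorted(e["tlds"]), "resolvers": sorted(e["resolvers"]),
                         "queries": e["queries"], "looks_generated": looks_generated(label),
                         "parent_in_temp": e["parent_in_temp"]})
    return findings


def summarize(findings):
    """Count findings per kind."""
    return Counter(f["kind"] for f in findings)


if __name__ == "__main__":
    for f in triage_tree(PROCESS_TREE):
        print(f)
```

Grouping by label rather than by full name is what makes the pattern visible: each label is tried as .com and .net against all four resolvers, eight queries per label, which is a retry loop looking for a live answer rather than normal name resolution. In a real telemetry pipeline the same rules apply to Sysmon event 1 or EDR process-start records, with the parent image and command line filled from those fields.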