f1bbcc5c678d174d858ae089f4494e3ea8bcfc418098d61804a15e437f08aff7

Target

Endermanch@InternetSecurityGuard.exe
Size

6.1MB
MD5

04155ed507699b4e37532e8371192c0b
SHA1

a14107131237dbb0df750e74281c462a2ea61016
SHA256

b6371644b93b9d3b9b32b2f13f8265f9c23ddecc1e9c5a0291bbf98aa0fc3b77
SHA512

6de59ebbc9b96c8a19d530caa13aa8129531ebd14b3b6c6bbb758426b59ed5ab12483bfa232d853af2e661021231b4b3fcc6c53e187eeba38fa523f673115371

Score

9^/10

bootkit discovery evasion persistence ransomware spyware

Malware Config

Signatures

Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
evasion

Software Discovery
T1518
Enumerates VirtualBox registry keys 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Blocks application from running via registry modification
Adds application to list of disallowed applications.
evasion

Drops file in Drivers directory 4 IoCs

Processes:

Endermanch@InternetSecurityGuard.exe

description	ioc	process
File created	C:\Windows\system32\drivers\etc\host_new	Endermanch@InternetSecurityGuard.exe
File created	C:\Windows\System32\drivers\etc\hosts	Endermanch@InternetSecurityGuard.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Endermanch@InternetSecurityGuard.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	Endermanch@InternetSecurityGuard.exe

Sets file execution options in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Endermanch@InternetSecurityGuard.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	Endermanch@InternetSecurityGuard.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\Internet Security Guard = "\"C:\\ProgramData\\727e2\\ISb29.exe\" /s /d"	Endermanch@InternetSecurityGuard.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run	Endermanch@InternetSecurityGuard.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	Endermanch@InternetSecurityGuard.exe

Checks for any installed AV software in registry 1 TTPs 1 IoCs

Security Software Discovery
T1063

Processes:

Endermanch@InternetSecurityGuard.exe

description ioc process

Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Eset\Nod\ Endermanch@InternetSecurityGuard.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Eset\Nod\	Endermanch@InternetSecurityGuard.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Endermanch@InternetSecurityGuard.exe

description	ioc	process
File opened (read-only)	\??\O:	Endermanch@InternetSecurityGuard.exe
File opened (read-only)	\??\Q:	Endermanch@InternetSecurityGuard.exe
File opened (read-only)	\??\R:	Endermanch@InternetSecurityGuard.exe
File opened (read-only)	\??\S:	Endermanch@InternetSecurityGuard.exe
File opened (read-only)	\??\T:	Endermanch@InternetSecurityGuard.exe
File opened (read-only)	\??\W:	Endermanch@InternetSecurityGuard.exe
File opened (read-only)	\??\J:	Endermanch@InternetSecurityGuard.exe
File opened (read-only)	\??\K:	Endermanch@InternetSecurityGuard.exe
File opened (read-only)	\??\Y:	Endermanch@InternetSecurityGuard.exe
File opened (read-only)	\??\P:	Endermanch@InternetSecurityGuard.exe
File opened (read-only)	\??\V:	Endermanch@InternetSecurityGuard.exe
File opened (read-only)	\??\E:	Endermanch@InternetSecurityGuard.exe
File opened (read-only)	\??\I:	Endermanch@InternetSecurityGuard.exe
File opened (read-only)	\??\H:	Endermanch@InternetSecurityGuard.exe
File opened (read-only)	\??\M:	Endermanch@InternetSecurityGuard.exe
File opened (read-only)	\??\Z:	Endermanch@InternetSecurityGuard.exe
File opened (read-only)	\??\F:	Endermanch@InternetSecurityGuard.exe
File opened (read-only)	\??\G:	Endermanch@InternetSecurityGuard.exe
File opened (read-only)	\??\U:	Endermanch@InternetSecurityGuard.exe
File opened (read-only)	\??\X:	Endermanch@InternetSecurityGuard.exe
File opened (read-only)	\??\L:	Endermanch@InternetSecurityGuard.exe
File opened (read-only)	\??\N:	Endermanch@InternetSecurityGuard.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

Endermanch@InternetSecurityGuard.exe

description ioc process

File opened for modification \??\PhysicalDrive0 Endermanch@InternetSecurityGuard.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
ransomware

System Information Discovery
T1082

description	ioc	process
File opened for modification	\??\PhysicalDrive0	Endermanch@InternetSecurityGuard.exe

Modifies Internet Explorer settings 1 TTPs 11 IoCs

adware spyware

Modify Registry

T1112

Processes:

Endermanch@InternetSecurityGuard.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Download\CheckExeSignatures = "no"	Endermanch@InternetSecurityGuard.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\BrowserEmulation	Endermanch@InternetSecurityGuard.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}	Endermanch@InternetSecurityGuard.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\URL = "http://findgala.com/?&uid=7&q={searchTerms}"	Endermanch@InternetSecurityGuard.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\PRS = "http://127.0.0.1:27777/?inj=%ORIGINAL%"	Endermanch@InternetSecurityGuard.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\IIL = "0"	Endermanch@InternetSecurityGuard.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\ltHI = "0"	Endermanch@InternetSecurityGuard.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\ltTST = "42571"	Endermanch@InternetSecurityGuard.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Download\RunInvalidSignatures = "1"	Endermanch@InternetSecurityGuard.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\MSCompatibilityMode = "0"	Endermanch@InternetSecurityGuard.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\SearchScopes	Endermanch@InternetSecurityGuard.exe

Modifies data under HKEY_USERS 6 IoCs

Processes:

Endermanch@InternetSecurityGuard.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes	Endermanch@InternetSecurityGuard.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes\URL = "http://findgala.com/?&uid=7&q={searchTerms}"	Endermanch@InternetSecurityGuard.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes	Endermanch@InternetSecurityGuard.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes\URL = "http://findgala.com/?&uid=7&q={searchTerms}"	Endermanch@InternetSecurityGuard.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes	Endermanch@InternetSecurityGuard.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes\URL = "http://findgala.com/?&uid=7&q={searchTerms}"	Endermanch@InternetSecurityGuard.exe

Modifies registry class 15 IoCs

Processes:

Endermanch@InternetSecurityGuard.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Endermanch@InternetSecurityGuard.DocHostUIHandler\ = "Implements DocHostUIHandler"	Endermanch@InternetSecurityGuard.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Endermanch@InternetSecurityGuard.DocHostUIHandler\Clsid	Endermanch@InternetSecurityGuard.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Endermanch@InternetSecurityGuard.DocHostUIHandler\Clsid\ = "{3F2BBC05-40DF-11D2-9455-00104BC936FF}"	Endermanch@InternetSecurityGuard.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Software\Microsoft\Internet Explorer\SearchScopes	Endermanch@InternetSecurityGuard.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Software	Endermanch@InternetSecurityGuard.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Software\Microsoft\Internet Explorer\SearchScopes\URL = "http://findgala.com/?&uid=7&q={searchTerms}"	Endermanch@InternetSecurityGuard.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\LocalServer32	Endermanch@InternetSecurityGuard.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ProgID\ = "Endermanch@InternetSecurityGuard.DocHostUIHandler"	Endermanch@InternetSecurityGuard.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Software\Microsoft\Internet Explorer	Endermanch@InternetSecurityGuard.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}	Endermanch@InternetSecurityGuard.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Endermanch@InternetSecurityGuard.exe"	Endermanch@InternetSecurityGuard.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Endermanch@InternetSecurityGuard.DocHostUIHandler	Endermanch@InternetSecurityGuard.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ProgID	Endermanch@InternetSecurityGuard.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ = "Implements DocHostUIHandler"	Endermanch@InternetSecurityGuard.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Software\Microsoft	Endermanch@InternetSecurityGuard.exe

Suspicious behavior: EnumeratesProcesses 1314 IoCs

Processes:

Endermanch@InternetSecurityGuard.exe

pid	process
3268	Endermanch@InternetSecurityGuard.exe
3268	Endermanch@InternetSecurityGuard.exe
3268	Endermanch@InternetSecurityGuard.exe
3268	Endermanch@InternetSecurityGuard.exe
3268	Endermanch@InternetSecurityGuard.exe
3268	Endermanch@InternetSecurityGuard.exe
3268	Endermanch@InternetSecurityGuard.exe
3268	Endermanch@InternetSecurityGuard.exe
3268	Endermanch@InternetSecurityGuard.exe
3268	Endermanch@InternetSecurityGuard.exe
3268	Endermanch@InternetSecurityGuard.exe
3268	Endermanch@InternetSecurityGuard.exe
3268	Endermanch@InternetSecurityGuard.exe
3268	Endermanch@InternetSecurityGuard.exe
3268	Endermanch@InternetSecurityGuard.exe
3268	Endermanch@InternetSecurityGuard.exe
3268	Endermanch@InternetSecurityGuard.exe
3268	Endermanch@InternetSecurityGuard.exe
3268	Endermanch@InternetSecurityGuard.exe
3268	Endermanch@InternetSecurityGuard.exe
3268	Endermanch@InternetSecurityGuard.exe
3268	Endermanch@InternetSecurityGuard.exe
3268	Endermanch@InternetSecurityGuard.exe
3268	Endermanch@InternetSecurityGuard.exe
3268	Endermanch@InternetSecurityGuard.exe
3268	Endermanch@InternetSecurityGuard.exe
3268	Endermanch@InternetSecurityGuard.exe
3268	Endermanch@InternetSecurityGuard.exe
3268	Endermanch@InternetSecurityGuard.exe
3268	Endermanch@InternetSecurityGuard.exe
3268	Endermanch@InternetSecurityGuard.exe
3268	Endermanch@InternetSecurityGuard.exe
3268	Endermanch@InternetSecurityGuard.exe
3268	Endermanch@InternetSecurityGuard.exe
3268	Endermanch@InternetSecurityGuard.exe
3268	Endermanch@InternetSecurityGuard.exe
3268	Endermanch@InternetSecurityGuard.exe
3268	Endermanch@InternetSecurityGuard.exe
3268	Endermanch@InternetSecurityGuard.exe
3268	Endermanch@InternetSecurityGuard.exe
3268	Endermanch@InternetSecurityGuard.exe
3268	Endermanch@InternetSecurityGuard.exe
3268	Endermanch@InternetSecurityGuard.exe
3268	Endermanch@InternetSecurityGuard.exe
3268	Endermanch@InternetSecurityGuard.exe
3268	Endermanch@InternetSecurityGuard.exe
3268	Endermanch@InternetSecurityGuard.exe
3268	Endermanch@InternetSecurityGuard.exe
3268	Endermanch@InternetSecurityGuard.exe
3268	Endermanch@InternetSecurityGuard.exe
3268	Endermanch@InternetSecurityGuard.exe
3268	Endermanch@InternetSecurityGuard.exe
3268	Endermanch@InternetSecurityGuard.exe
3268	Endermanch@InternetSecurityGuard.exe
3268	Endermanch@InternetSecurityGuard.exe
3268	Endermanch@InternetSecurityGuard.exe
3268	Endermanch@InternetSecurityGuard.exe
3268	Endermanch@InternetSecurityGuard.exe
3268	Endermanch@InternetSecurityGuard.exe
3268	Endermanch@InternetSecurityGuard.exe
3268	Endermanch@InternetSecurityGuard.exe
3268	Endermanch@InternetSecurityGuard.exe
3268	Endermanch@InternetSecurityGuard.exe
3268	Endermanch@InternetSecurityGuard.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

mofcomp.exe

description pid process

Token: SeSecurityPrivilege 2372 mofcomp.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Endermanch@InternetSecurityGuard.exe

pid process

3268 Endermanch@InternetSecurityGuard.exe
3268 Endermanch@InternetSecurityGuard.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Endermanch@InternetSecurityGuard.exe

pid process

3268 Endermanch@InternetSecurityGuard.exe
3268 Endermanch@InternetSecurityGuard.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

Endermanch@InternetSecurityGuard.exe

pid process

3268 Endermanch@InternetSecurityGuard.exe
3268 Endermanch@InternetSecurityGuard.exe

description	pid	process
Token: SeSecurityPrivilege	2372	mofcomp.exe

Suspicious use of WriteProcessMemory 78 IoCs

Processes:

Endermanch@InternetSecurityGuard.exe

description	pid	process	target process
PID 3268 wrote to memory of 2372	3268	Endermanch@InternetSecurityGuard.exe	mofcomp.exe
PID 3268 wrote to memory of 2372	3268	Endermanch@InternetSecurityGuard.exe	mofcomp.exe
PID 3268 wrote to memory of 2372	3268	Endermanch@InternetSecurityGuard.exe	mofcomp.exe
PID 3268 wrote to memory of 4024	3268	Endermanch@InternetSecurityGuard.exe	netsh.exe
PID 3268 wrote to memory of 4024	3268	Endermanch@InternetSecurityGuard.exe	netsh.exe
PID 3268 wrote to memory of 4024	3268	Endermanch@InternetSecurityGuard.exe	netsh.exe
PID 3268 wrote to memory of 1392	3268	Endermanch@InternetSecurityGuard.exe	nslookup.exe
PID 3268 wrote to memory of 1392	3268	Endermanch@InternetSecurityGuard.exe	nslookup.exe
PID 3268 wrote to memory of 1392	3268	Endermanch@InternetSecurityGuard.exe	nslookup.exe
PID 3268 wrote to memory of 748	3268	Endermanch@InternetSecurityGuard.exe	nslookup.exe
PID 3268 wrote to memory of 748	3268	Endermanch@InternetSecurityGuard.exe	nslookup.exe
PID 3268 wrote to memory of 748	3268	Endermanch@InternetSecurityGuard.exe	nslookup.exe
PID 3268 wrote to memory of 2824	3268	Endermanch@InternetSecurityGuard.exe	nslookup.exe
PID 3268 wrote to memory of 2824	3268	Endermanch@InternetSecurityGuard.exe	nslookup.exe
PID 3268 wrote to memory of 2824	3268	Endermanch@InternetSecurityGuard.exe	nslookup.exe
PID 3268 wrote to memory of 3860	3268	Endermanch@InternetSecurityGuard.exe	nslookup.exe
PID 3268 wrote to memory of 3860	3268	Endermanch@InternetSecurityGuard.exe	nslookup.exe
PID 3268 wrote to memory of 3860	3268	Endermanch@InternetSecurityGuard.exe	nslookup.exe
PID 3268 wrote to memory of 2264	3268	Endermanch@InternetSecurityGuard.exe	nslookup.exe
PID 3268 wrote to memory of 2264	3268	Endermanch@InternetSecurityGuard.exe	nslookup.exe
PID 3268 wrote to memory of 2264	3268	Endermanch@InternetSecurityGuard.exe	nslookup.exe
PID 3268 wrote to memory of 2596	3268	Endermanch@InternetSecurityGuard.exe	nslookup.exe
PID 3268 wrote to memory of 2596	3268	Endermanch@InternetSecurityGuard.exe	nslookup.exe
PID 3268 wrote to memory of 2596	3268	Endermanch@InternetSecurityGuard.exe	nslookup.exe
PID 3268 wrote to memory of 1148	3268	Endermanch@InternetSecurityGuard.exe	nslookup.exe
PID 3268 wrote to memory of 1148	3268	Endermanch@InternetSecurityGuard.exe	nslookup.exe
PID 3268 wrote to memory of 1148	3268	Endermanch@InternetSecurityGuard.exe	nslookup.exe
PID 3268 wrote to memory of 1276	3268	Endermanch@InternetSecurityGuard.exe	nslookup.exe
PID 3268 wrote to memory of 1276	3268	Endermanch@InternetSecurityGuard.exe	nslookup.exe
PID 3268 wrote to memory of 1276	3268	Endermanch@InternetSecurityGuard.exe	nslookup.exe
PID 3268 wrote to memory of 3956	3268	Endermanch@InternetSecurityGuard.exe	nslookup.exe
PID 3268 wrote to memory of 3956	3268	Endermanch@InternetSecurityGuard.exe	nslookup.exe
PID 3268 wrote to memory of 3956	3268	Endermanch@InternetSecurityGuard.exe	nslookup.exe
PID 3268 wrote to memory of 2668	3268	Endermanch@InternetSecurityGuard.exe	nslookup.exe
PID 3268 wrote to memory of 2668	3268	Endermanch@InternetSecurityGuard.exe	nslookup.exe
PID 3268 wrote to memory of 2668	3268	Endermanch@InternetSecurityGuard.exe	nslookup.exe
PID 3268 wrote to memory of 2560	3268	Endermanch@InternetSecurityGuard.exe	nslookup.exe
PID 3268 wrote to memory of 2560	3268	Endermanch@InternetSecurityGuard.exe	nslookup.exe
PID 3268 wrote to memory of 2560	3268	Endermanch@InternetSecurityGuard.exe	nslookup.exe
PID 3268 wrote to memory of 3132	3268	Endermanch@InternetSecurityGuard.exe	nslookup.exe
PID 3268 wrote to memory of 3132	3268	Endermanch@InternetSecurityGuard.exe	nslookup.exe
PID 3268 wrote to memory of 3132	3268	Endermanch@InternetSecurityGuard.exe	nslookup.exe
PID 3268 wrote to memory of 3556	3268	Endermanch@InternetSecurityGuard.exe	nslookup.exe
PID 3268 wrote to memory of 3556	3268	Endermanch@InternetSecurityGuard.exe	nslookup.exe
PID 3268 wrote to memory of 3556	3268	Endermanch@InternetSecurityGuard.exe	nslookup.exe
PID 3268 wrote to memory of 2184	3268	Endermanch@InternetSecurityGuard.exe	nslookup.exe
PID 3268 wrote to memory of 2184	3268	Endermanch@InternetSecurityGuard.exe	nslookup.exe
PID 3268 wrote to memory of 2184	3268	Endermanch@InternetSecurityGuard.exe	nslookup.exe
PID 3268 wrote to memory of 1952	3268	Endermanch@InternetSecurityGuard.exe	nslookup.exe
PID 3268 wrote to memory of 1952	3268	Endermanch@InternetSecurityGuard.exe	nslookup.exe
PID 3268 wrote to memory of 1952	3268	Endermanch@InternetSecurityGuard.exe	nslookup.exe
PID 3268 wrote to memory of 2120	3268	Endermanch@InternetSecurityGuard.exe	nslookup.exe
PID 3268 wrote to memory of 2120	3268	Endermanch@InternetSecurityGuard.exe	nslookup.exe
PID 3268 wrote to memory of 2120	3268	Endermanch@InternetSecurityGuard.exe	nslookup.exe
PID 3268 wrote to memory of 3864	3268	Endermanch@InternetSecurityGuard.exe	nslookup.exe
PID 3268 wrote to memory of 3864	3268	Endermanch@InternetSecurityGuard.exe	nslookup.exe
PID 3268 wrote to memory of 3864	3268	Endermanch@InternetSecurityGuard.exe	nslookup.exe
PID 3268 wrote to memory of 1508	3268	Endermanch@InternetSecurityGuard.exe	nslookup.exe
PID 3268 wrote to memory of 1508	3268	Endermanch@InternetSecurityGuard.exe	nslookup.exe
PID 3268 wrote to memory of 1508	3268	Endermanch@InternetSecurityGuard.exe	nslookup.exe
PID 3268 wrote to memory of 4012	3268	Endermanch@InternetSecurityGuard.exe	nslookup.exe
PID 3268 wrote to memory of 4012	3268	Endermanch@InternetSecurityGuard.exe	nslookup.exe
PID 3268 wrote to memory of 4012	3268	Endermanch@InternetSecurityGuard.exe	nslookup.exe
PID 3268 wrote to memory of 3276	3268	Endermanch@InternetSecurityGuard.exe	nslookup.exe

C:\Users\Admin\AppData\Local\Temp\Endermanch@InternetSecurityGuard.exe
"C:\Users\Admin\AppData\Local\Temp\Endermanch@InternetSecurityGuard.exe"
1⤵
- Drops file in Drivers directory
- Adds Run key to start application
- Checks for any installed AV software in registry
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3268

C:\Windows\SysWOW64\Wbem\mofcomp.exe
mofcomp "C:\Users\Admin\AppData\Local\Temp\623.mof"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2372

C:\Windows\SysWOW64\netsh.exe
netsh "firewall" add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Endermanch@InternetSecurityGuard.exe" "Internet Security Guard" ENABLE
2⤵
PID:4024

C:\Windows\SysWOW64\nslookup.exe
nslookup -q=txt giluxdfi930jpvz.com 8.8.8.8
2⤵
PID:1392

C:\Windows\SysWOW64\nslookup.exe
nslookup -q=txt giluxdfi930jpvz.net 8.8.8.8
2⤵
PID:748

C:\Windows\SysWOW64\nslookup.exe
nslookup -q=txt giluxdfi930jpvz.com 208.67.222.222
2⤵
PID:2824

C:\Windows\SysWOW64\nslookup.exe
nslookup -q=txt giluxdfi930jpvz.net 208.67.222.222
2⤵
PID:3860

C:\Windows\SysWOW64\nslookup.exe
nslookup -q=txt giluxdfi930jpvz.com 8.8.4.4
2⤵
PID:2264

C:\Windows\SysWOW64\nslookup.exe
nslookup -q=txt giluxdfi930jpvz.net 8.8.4.4
2⤵
PID:2596

C:\Windows\SysWOW64\nslookup.exe
nslookup -q=txt giluxdfi930jpvz.com 208.67.220.220
2⤵
PID:1148

C:\Windows\SysWOW64\nslookup.exe
nslookup -q=txt giluxdfi930jpvz.net 208.67.220.220
2⤵
PID:1276

C:\Windows\SysWOW64\nslookup.exe
nslookup -q=txt fgowwde765eehmo.com 8.8.8.8
2⤵
PID:3956

C:\Windows\SysWOW64\nslookup.exe
nslookup -q=txt fgowwde765eehmo.net 8.8.8.8
2⤵
PID:2668

C:\Windows\SysWOW64\nslookup.exe
nslookup -q=txt fgowwde765eehmo.com 208.67.222.222
2⤵
PID:2560

C:\Windows\SysWOW64\nslookup.exe
nslookup -q=txt fgowwde765eehmo.net 208.67.222.222
2⤵
PID:3132

C:\Windows\SysWOW64\nslookup.exe
nslookup -q=txt fgowwde765eehmo.com 8.8.4.4
2⤵
PID:3556

C:\Windows\SysWOW64\nslookup.exe
nslookup -q=txt fgowwde765eehmo.net 8.8.4.4
2⤵
PID:2184

C:\Windows\SysWOW64\nslookup.exe
nslookup -q=txt fgowwde765eehmo.com 208.67.220.220
2⤵
PID:1952

C:\Windows\SysWOW64\nslookup.exe
nslookup -q=txt fgowwde765eehmo.net 208.67.220.220
2⤵
PID:2120

C:\Windows\SysWOW64\nslookup.exe
nslookup -q=txt deeem465uaahims.com 8.8.8.8
2⤵
PID:3864

C:\Windows\SysWOW64\nslookup.exe
nslookup -q=txt deeem465uaahims.net 8.8.8.8
2⤵
PID:1508

C:\Windows\SysWOW64\nslookup.exe
nslookup -q=txt deeem465uaahims.com 208.67.222.222
2⤵
PID:4012

C:\Windows\SysWOW64\nslookup.exe
nslookup -q=txt deeem465uaahims.net 208.67.222.222
2⤵
PID:3276

C:\Windows\SysWOW64\nslookup.exe
nslookup -q=txt deeem465uaahims.com 8.8.4.4
2⤵
PID:2640

C:\Windows\SysWOW64\nslookup.exe
nslookup -q=txt deeem465uaahims.net 8.8.4.4
2⤵
PID:2208

C:\Windows\SysWOW64\nslookup.exe
nslookup -q=txt deeem465uaahims.com 208.67.220.220
2⤵
PID:2880

C:\Windows\SysWOW64\nslookup.exe
nslookup -q=txt deeem465uaahims.net 208.67.220.220
2⤵
PID:2284

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Bootkit

T1067

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Software Discovery

T1518

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Security Software Discovery

T1063

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\623.mof
MD5
3754f8f8abad5bad797085d0717a9766

SHA1
48d92f36cb721b390e216aa03b27b41f25c563fc

SHA256
3c77f5f888d417a7a31284cb8c5e3bdb4d926c4a274cecac8a8b2920659d5927

SHA512
c59f322ece53c757767e52fe9bfbc3526a13afe9ec7503e3d1cae683eeb55cbb808a1bce720fd58f97f286756d314124bcf797c2167275e08ed93ba759bf3985

Download Submit
memory/748-7-0x0000000000000000-mapping.dmp

Download
memory/1148-12-0x0000000000000000-mapping.dmp

Download
memory/1276-13-0x0000000000000000-mapping.dmp

Download
memory/1392-5-0x0000000000000000-mapping.dmp

Download
memory/1508-23-0x0000000000000000-mapping.dmp

Download
memory/1952-20-0x0000000000000000-mapping.dmp

Download
memory/2120-21-0x0000000000000000-mapping.dmp

Download
memory/2184-19-0x0000000000000000-mapping.dmp

Download
memory/2208-27-0x0000000000000000-mapping.dmp

Download
memory/2264-10-0x0000000000000000-mapping.dmp

Download
memory/2284-29-0x0000000000000000-mapping.dmp

Download
memory/2372-3-0x0000000000000000-mapping.dmp

Download
memory/2560-16-0x0000000000000000-mapping.dmp

Download
memory/2596-11-0x0000000000000000-mapping.dmp

Download
memory/2640-26-0x0000000000000000-mapping.dmp

Download
memory/2668-15-0x0000000000000000-mapping.dmp

Download
memory/2824-8-0x0000000000000000-mapping.dmp

Download
memory/2880-28-0x0000000000000000-mapping.dmp

Download
memory/3132-17-0x0000000000000000-mapping.dmp

Download
memory/3268-2-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/3276-25-0x0000000000000000-mapping.dmp

Download
memory/3556-18-0x0000000000000000-mapping.dmp

Download
memory/3860-9-0x0000000000000000-mapping.dmp

Download
memory/3864-22-0x0000000000000000-mapping.dmp

Download
memory/3956-14-0x0000000000000000-mapping.dmp

Download
memory/4012-24-0x0000000000000000-mapping.dmp

Download
memory/4024-4-0x0000000000000000-mapping.dmp

Download