Resubmissions
- 24-08-2023 11:16  230824-nda8msdf8z  score 10
- 05-08-2023 22:52  230805-2tn2bsfa82  score 10
- 24-07-2023 06:25  230724-g6s6laag35  score 10
- 22-07-2023 15:57  230722-tee6wabg5w  score 10
- 20-07-2023 23:19  230720-3bb5gsbf5v  score 10
- 20-07-2023 23:06  230720-23f23sba63  score 10
- 03-02-2021 11:43  210203-6bgge2nfan  score 10
- 22-11-2020 06:42  201122-6x1at779dj  score 10
Analysis
- max time kernel: 309s
- max time network: 324s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 03-02-2021 11:43
Static task: static1
Behavioral tasks (resource win10v20201028 for every task):
- behavioral1: Endermanch@000.exe
- behavioral2: Endermanch@7ev3n.exe
- behavioral3: Endermanch@AnViPC2009.exe
- behavioral4: Endermanch@Antivirus.exe
- behavioral5: Endermanch@AntivirusPlatinum.exe
- behavioral6: Endermanch@AntivirusPro2017.exe
- behavioral7: Endermanch@BadRabbit.exe
- behavioral8: Endermanch@Birele.exe
- behavioral9: Endermanch@Cerber5.exe
- behavioral10: Endermanch@CleanThis.exe
- behavioral11: Endermanch@ColorBug.exe
- behavioral12: Endermanch@DeriaLock.exe
- behavioral13: Endermanch@Deskbottom.exe
- behavioral14: Endermanch@DesktopPuzzle.exe
- behavioral15: Endermanch@FakeAdwCleaner.exe
- behavioral16: Endermanch@FreeYoutubeDownloader.exe
- behavioral17: Endermanch@HMBlocker.exe
- behavioral18: Endermanch@HappyAntivirus.exe
- behavioral19: Endermanch@Illerka.C.exe
- behavioral20: Endermanch@InternetSecurityGuard.exe
- behavioral21: Endermanch@Koteyka2.exe
- behavioral22: Endermanch@LPS2019.exe
- behavioral23: Endermanch@Movie.mpeg.exe
- behavioral24: Endermanch@NavaShield(1).exe
- behavioral25: Endermanch@NavaShield.exe
- behavioral26: Endermanch@PCDefender.exe
- behavioral27: Endermanch@PCDefenderv2.msi
- behavioral28: Endermanch@PolyRansom.exe
- behavioral29: Endermanch@PowerPoint.exe
- behavioral30: Endermanch@ProgramOverflow.exe
- behavioral31: Endermanch@RegistrySmart.exe
- behavioral32: Endermanch@SE2011.exe
General
- Target: Endermanch@InternetSecurityGuard.exe
- Size: 6.1MB
- MD5: 04155ed507699b4e37532e8371192c0b
- SHA1: a14107131237dbb0df750e74281c462a2ea61016
- SHA256: b6371644b93b9d3b9b32b2f13f8265f9c23ddecc1e9c5a0291bbf98aa0fc3b77
- SHA512: 6de59ebbc9b96c8a19d530caa13aa8129531ebd14b3b6c6bbb758426b59ed5ab12483bfa232d853af2e661021231b4b3fcc6c53e187eeba38fa523f673115371
Malware Config
Signatures
- Checks for common network interception software (1 TTPs)
  Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
- Enumerates VirtualBox registry keys (2 TTPs)
- Blocks application from running via registry modification
  Adds application to list of disallowed applications.
- Drops file in Drivers directory (4 IoCs)
  Process: Endermanch@InternetSecurityGuard.exe
    File created: C:\Windows\system32\drivers\etc\host_new
    File created: C:\Windows\System32\drivers\etc\hosts
    File opened for modification: C:\Windows\System32\drivers\etc\hosts
    File opened for modification: C:\Windows\system32\drivers\etc\hosts
- Sets file execution options in registry (2 TTPs)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 4 IoCs)
  Process: Endermanch@InternetSecurityGuard.exe
    Key created: \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Set value (str): \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\Internet Security Guard = "\"C:\\ProgramData\\727e2\\ISb29.exe\" /s /d"
    Key created: \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run
    Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
- Checks for any installed AV software in registry (1 TTPs, 1 IoCs)
  Process: Endermanch@InternetSecurityGuard.exe
    Key opened: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Eset\Nod\
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Enumerates connected drives (3 TTPs, 22 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Process: Endermanch@InternetSecurityGuard.exe
    File opened (read-only): \??\O:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\W:, \??\J:, \??\K:, \??\Y:, \??\P:, \??\V:, \??\E:, \??\I:, \??\H:, \??\M:, \??\Z:, \??\F:, \??\G:, \??\U:, \??\X:, \??\L:, \??\N:
- Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  Process: Endermanch@InternetSecurityGuard.exe
    File opened for modification: \??\PhysicalDrive0
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies Internet Explorer settings
  Process: Endermanch@InternetSecurityGuard.exe; all keys below \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer
    Set value (str): Download\CheckExeSignatures = "no"
    Key created: BrowserEmulation
    Key created: SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}
    Set value (str): SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\URL = "http://findgala.com/?&uid=7&q={searchTerms}"
    Set value (str): PRS = "http://127.0.0.1:27777/?inj=%ORIGINAL%"
    Set value (int): IIL = "0"
    Set value (int): ltHI = "0"
    Set value (int): ltTST = "42571"
    Set value (int): Download\RunInvalidSignatures = "1"
    Set value (int): BrowserEmulation\MSCompatibilityMode = "0"
    Key created: SearchScopes
- Modifies data under HKEY_USERS (6 IoCs)
  Process: Endermanch@InternetSecurityGuard.exe
    Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes
    Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes\URL = "http://findgala.com/?&uid=7&q={searchTerms}"
    Key created: \REGISTRY\USER\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes
    Set value (str): \REGISTRY\USER\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes\URL = "http://findgala.com/?&uid=7&q={searchTerms}"
    Key created: \REGISTRY\USER\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes
    Set value (str): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes\URL = "http://findgala.com/?&uid=7&q={searchTerms}"
- Modifies registry class (15 IoCs)
  Process: Endermanch@InternetSecurityGuard.exe
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Endermanch@InternetSecurityGuard.DocHostUIHandler\ = "Implements DocHostUIHandler"
    Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Endermanch@InternetSecurityGuard.DocHostUIHandler\Clsid
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Endermanch@InternetSecurityGuard.DocHostUIHandler\Clsid\ = "{3F2BBC05-40DF-11D2-9455-00104BC936FF}"
    Key created: \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Software\Microsoft\Internet Explorer\SearchScopes
    Key created: \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Software
    Set value (str): \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Software\Microsoft\Internet Explorer\SearchScopes\URL = "http://findgala.com/?&uid=7&q={searchTerms}"
    Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\LocalServer32
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ProgID\ = "Endermanch@InternetSecurityGuard.DocHostUIHandler"
    Key created: \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Software\Microsoft\Internet Explorer
    Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Endermanch@InternetSecurityGuard.exe"
    Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Endermanch@InternetSecurityGuard.DocHostUIHandler
    Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ProgID
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ = "Implements DocHostUIHandler"
    Key created: \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Software\Microsoft
- Suspicious behavior: EnumeratesProcesses (1314 IoCs)
  Process: pid 3268 Endermanch@InternetSecurityGuard.exe (the same entry repeated; list truncated in the report)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Process: pid 2372 mofcomp.exe, Token: SeSecurityPrivilege
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Process: pid 3268 Endermanch@InternetSecurityGuard.exe (2 entries)
- Suspicious use of SendNotifyMessage (2 IoCs)
  Process: pid 3268 Endermanch@InternetSecurityGuard.exe (2 entries)
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Process: pid 3268 Endermanch@InternetSecurityGuard.exe (2 entries)
- Suspicious use of WriteProcessMemory (78 IoCs)
  Source process: pid 3268 Endermanch@InternetSecurityGuard.exe. Each target below appears three times in the report; the list is truncated after the first entry for 3276.
    wrote to memory of 2372 mofcomp.exe
    wrote to memory of 4024 netsh.exe
    wrote to memory of 1392 nslookup.exe
    wrote to memory of 748 nslookup.exe
    wrote to memory of 2824 nslookup.exe
    wrote to memory of 3860 nslookup.exe
    wrote to memory of 2264 nslookup.exe
    wrote to memory of 2596 nslookup.exe
    wrote to memory of 1148 nslookup.exe
    wrote to memory of 1276 nslookup.exe
    wrote to memory of 3956 nslookup.exe
    wrote to memory of 2668 nslookup.exe
    wrote to memory of 2560 nslookup.exe
    wrote to memory of 3132 nslookup.exe
    wrote to memory of 3556 nslookup.exe
    wrote to memory of 2184 nslookup.exe
    wrote to memory of 1952 nslookup.exe
    wrote to memory of 2120 nslookup.exe
    wrote to memory of 3864 nslookup.exe
    wrote to memory of 1508 nslookup.exe
    wrote to memory of 4012 nslookup.exe
    wrote to memory of 3276 nslookup.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Endermanch@InternetSecurityGuard.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Endermanch@InternetSecurityGuard.exe"
  Signatures:
    Drops file in Drivers directory
    Adds Run key to start application
    Checks for any installed AV software in registry
    Enumerates connected drives
    Writes to the Master Boot Record (MBR)
    Modifies Internet Explorer settings
    Modifies data under HKEY_USERS
    Modifies registry class
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of FindShellTrayWindow
    Suspicious use of SendNotifyMessage
    Suspicious use of SetWindowsHookEx
    Suspicious use of WriteProcessMemory
  Child processes (depth 2):
  - C:\Windows\SysWOW64\Wbem\mofcomp.exe
    Command line: mofcomp "C:\Users\Admin\AppData\Local\Temp\623.mof"
    Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\netsh.exe
    Command line: netsh "firewall" add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Endermanch@InternetSecurityGuard.exe" "Internet Security Guard" ENABLE
  - C:\Windows\SysWOW64\nslookup.exe
    Command line: nslookup -q=txt giluxdfi930jpvz.com 8.8.8.8
  - C:\Windows\SysWOW64\nslookup.exe
    Command line: nslookup -q=txt giluxdfi930jpvz.net 8.8.8.8
  - C:\Windows\SysWOW64\nslookup.exe
    Command line: nslookup -q=txt giluxdfi930jpvz.com 208.67.222.222
  - C:\Windows\SysWOW64\nslookup.exe
    Command line: nslookup -q=txt giluxdfi930jpvz.net 208.67.222.222
  - C:\Windows\SysWOW64\nslookup.exe
    Command line: nslookup -q=txt giluxdfi930jpvz.com 8.8.4.4
  - C:\Windows\SysWOW64\nslookup.exe
    Command line: nslookup -q=txt giluxdfi930jpvz.net 8.8.4.4
  - C:\Windows\SysWOW64\nslookup.exe
    Command line: nslookup -q=txt giluxdfi930jpvz.com 208.67.220.220
  - C:\Windows\SysWOW64\nslookup.exe
    Command line: nslookup -q=txt giluxdfi930jpvz.net 208.67.220.220
  - C:\Windows\SysWOW64\nslookup.exe
    Command line: nslookup -q=txt fgowwde765eehmo.com 8.8.8.8
  - C:\Windows\SysWOW64\nslookup.exe
    Command line: nslookup -q=txt fgowwde765eehmo.net 8.8.8.8
  - C:\Windows\SysWOW64\nslookup.exe
    Command line: nslookup -q=txt fgowwde765eehmo.com 208.67.222.222
  - C:\Windows\SysWOW64\nslookup.exe
    Command line: nslookup -q=txt fgowwde765eehmo.net 208.67.222.222
  - C:\Windows\SysWOW64\nslookup.exe
    Command line: nslookup -q=txt fgowwde765eehmo.com 8.8.4.4
  - C:\Windows\SysWOW64\nslookup.exe
    Command line: nslookup -q=txt fgowwde765eehmo.net 8.8.4.4
  - C:\Windows\SysWOW64\nslookup.exe
    Command line: nslookup -q=txt fgowwde765eehmo.com 208.67.220.220
  - C:\Windows\SysWOW64\nslookup.exe
    Command line: nslookup -q=txt fgowwde765eehmo.net 208.67.220.220
  - C:\Windows\SysWOW64\nslookup.exe
    Command line: nslookup -q=txt deeem465uaahims.com 8.8.8.8
  - C:\Windows\SysWOW64\nslookup.exe
    Command line: nslookup -q=txt deeem465uaahims.net 8.8.8.8
  - C:\Windows\SysWOW64\nslookup.exe
    Command line: nslookup -q=txt deeem465uaahims.com 208.67.222.222
  - C:\Windows\SysWOW64\nslookup.exe
    Command line: nslookup -q=txt deeem465uaahims.net 208.67.222.222
  - C:\Windows\SysWOW64\nslookup.exe
    Command line: nslookup -q=txt deeem465uaahims.com 8.8.4.4
  - C:\Windows\SysWOW64\nslookup.exe
    Command line: nslookup -q=txt deeem465uaahims.net 8.8.4.4
  - C:\Windows\SysWOW64\nslookup.exe
    Command line: nslookup -q=txt deeem465uaahims.com 208.67.220.220
  - C:\Windows\SysWOW64\nslookup.exe
    Command line: nslookup -q=txt deeem465uaahims.net 208.67.220.220
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\623.mof
  MD5: 3754f8f8abad5bad797085d0717a9766
  SHA1: 48d92f36cb721b390e216aa03b27b41f25c563fc
  SHA256: 3c77f5f888d417a7a31284cb8c5e3bdb4d926c4a274cecac8a8b2920659d5927
  SHA512: c59f322ece53c757767e52fe9bfbc3526a13afe9ec7503e3d1cae683eeb55cbb808a1bce720fd58f97f286756d314124bcf797c2167275e08ed93ba759bf3985
- memory/748-7-0x0000000000000000-mapping.dmp
- memory/1148-12-0x0000000000000000-mapping.dmp
- memory/1276-13-0x0000000000000000-mapping.dmp
- memory/1392-5-0x0000000000000000-mapping.dmp
- memory/1508-23-0x0000000000000000-mapping.dmp
- memory/1952-20-0x0000000000000000-mapping.dmp
- memory/2120-21-0x0000000000000000-mapping.dmp
- memory/2184-19-0x0000000000000000-mapping.dmp
- memory/2208-27-0x0000000000000000-mapping.dmp
- memory/2264-10-0x0000000000000000-mapping.dmp
- memory/2284-29-0x0000000000000000-mapping.dmp
- memory/2372-3-0x0000000000000000-mapping.dmp
- memory/2560-16-0x0000000000000000-mapping.dmp
- memory/2596-11-0x0000000000000000-mapping.dmp
- memory/2640-26-0x0000000000000000-mapping.dmp
- memory/2668-15-0x0000000000000000-mapping.dmp
- memory/2824-8-0x0000000000000000-mapping.dmp
- memory/2880-28-0x0000000000000000-mapping.dmp
- memory/3132-17-0x0000000000000000-mapping.dmp
- memory/3268-2-0x0000000002150000-0x0000000002151000-memory.dmp (Filesize: 4KB)
- memory/3276-25-0x0000000000000000-mapping.dmp
- memory/3556-18-0x0000000000000000-mapping.dmp
- memory/3860-9-0x0000000000000000-mapping.dmp
- memory/3864-22-0x0000000000000000-mapping.dmp
- memory/3956-14-0x0000000000000000-mapping.dmp
- memory/4012-24-0x0000000000000000-mapping.dmp
- memory/4024-4-0x0000000000000000-mapping.dmp