Overview
Score: 10
Tasks: one static task (static1) and 32 behavioral tasks, all on windows10_x64. Per-task scores as displayed, in page order (task names were garbled in extraction; "-" means no score shown): 10, -, -, 8, 10, 10, 7, 10, 10, 1, 10, 10, 8, 1, 10, 8, 10, -, 10, 10, 9, 10, 8, 10, 5, 10, 10, 10, 10, -, 10, 8, 10

Resubmissions (each scored 10)
24-08-2023 11:16  230824-nda8msdf8z
05-08-2023 22:52  230805-2tn2bsfa82
24-07-2023 06:25  230724-g6s6laag35
22-07-2023 15:57  230722-tee6wabg5w
20-07-2023 23:19  230720-3bb5gsbf5v
20-07-2023 23:06  230720-23f23sba63
03-02-2021 11:43  210203-6bgge2nfan
22-11-2020 06:42  201122-6x1at779dj

Analysis
max time kernel: 247s
max time network: 265s
platform: windows10_x64
resource: win10v20201028
submitted: 03-02-2021 11:43
Static task: static1
Behavioral tasks (resource win10v20201028 for every task):
behavioral1: Endermanch@000.exe
behavioral2: Endermanch@7ev3n.exe
behavioral3: Endermanch@AnViPC2009.exe
behavioral4: Endermanch@Antivirus.exe
behavioral5: Endermanch@AntivirusPlatinum.exe
behavioral6: Endermanch@AntivirusPro2017.exe
behavioral7: Endermanch@BadRabbit.exe
behavioral8: Endermanch@Birele.exe
behavioral9: Endermanch@Cerber5.exe
behavioral10: Endermanch@CleanThis.exe
behavioral11: Endermanch@ColorBug.exe
behavioral12: Endermanch@DeriaLock.exe
behavioral13: Endermanch@Deskbottom.exe
behavioral14: Endermanch@DesktopPuzzle.exe
behavioral15: Endermanch@FakeAdwCleaner.exe
behavioral16: Endermanch@FreeYoutubeDownloader.exe
behavioral17: Endermanch@HMBlocker.exe
behavioral18: Endermanch@HappyAntivirus.exe
behavioral19: Endermanch@Illerka.C.exe
behavioral20: Endermanch@InternetSecurityGuard.exe
behavioral21: Endermanch@Koteyka2.exe
behavioral22: Endermanch@LPS2019.exe
behavioral23: Endermanch@Movie.mpeg.exe
behavioral24: Endermanch@NavaShield(1).exe
behavioral25: Endermanch@NavaShield.exe
behavioral26: Endermanch@PCDefender.exe
behavioral27: Endermanch@PCDefenderv2.msi
behavioral28: Endermanch@PolyRansom.exe
behavioral29: Endermanch@PowerPoint.exe
behavioral30: Endermanch@ProgramOverflow.exe
behavioral31: Endermanch@RegistrySmart.exe
behavioral32: Endermanch@SE2011.exe
General
Target: Endermanch@AnViPC2009.exe
Size: 1.2MB
MD5: 910dd666c83efd3496f21f9f211cdc1f
SHA1: 77cd736ee1697beda0ac65da24455ec566ba7440
SHA256: 06effc4c15d371b5c40a84995a7bae75324b690af9fbe2e8980f8c0e0901bf45
SHA512: 467d3b4d45a41b90c8e29c8c3d46ddfbdee9875606cd1c1b7652c2c7e26d60fedac54b24b75def125d450d8e811c75974260ba48a79496d2bdaf17d674eddb47
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Process: PID 3516 avpc2009.exe
- Loads dropped DLL (3 IoCs)
  Process: PID 3516 avpc2009.exe (listed three times)
- JavaScript code in executable (2 IoCs)
  Resource C:\Program Files (x86)\antiviruspc2009\avpc2009.exe matched YARA rule js (listed twice)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Drops file in Program Files directory (10 IoCs)
  Process Endermanch@AnViPC2009.exe:
  File opened for modification: C:\Program Files (x86)\antiviruspc2009\pthreadVC2.dll
  File opened for modification: C:\Program Files (x86)\antiviruspc2009\bzip2.dll
  File opened for modification: C:\Program Files (x86)\antiviruspc2009\avpc2009.exe
  File opened for modification: C:\Program Files (x86)\antiviruspc2009
  File created: C:\Program Files (x86)\antiviruspc2009\__tmp_rar_sfx_access_check_259299687
  File created: C:\Program Files (x86)\antiviruspc2009\pthreadVC2.dll
  File opened for modification: C:\Program Files (x86)\antiviruspc2009\libltdl3.dll
  File created: C:\Program Files (x86)\antiviruspc2009\bzip2.dll
  File created: C:\Program Files (x86)\antiviruspc2009\avpc2009.exe
  File created: C:\Program Files (x86)\antiviruspc2009\libltdl3.dll
- Script User-Agent (2 IoCs)
  Uses user-agent string associated with script host/environment.
  HTTP User-Agent header, flow 10: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  HTTP User-Agent header, flow 9: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Process: PID 3516 avpc2009.exe (listed twice)
- Suspicious use of SendNotifyMessage (1 IoC)
  Process: PID 3516 avpc2009.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Process: PID 3516 avpc2009.exe (listed twice)
- Suspicious use of WriteProcessMemory (3 IoCs)
  PID 1096 (Endermanch@AnViPC2009.exe) wrote to memory of PID 3516 (avpc2009.exe), listed three times
Processes
- C:\Users\Admin\AppData\Local\Temp\Endermanch@AnViPC2009.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Endermanch@AnViPC2009.exe"
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\antiviruspc2009\avpc2009.exe
    Command line: "C:\Program Files (x86)\antiviruspc2009\avpc2009.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Program Files (x86)\antiviruspc2009\avpc2009.exe
  MD5: c18a7323332b3292a8e0f1c81df65698
  SHA1: bcb8f34cbe0137e888d06acbcb6508417851a087
  SHA256: 9c42eca99e96a7402716fd865b57ea601fb9a18477fe2ab890bdbcd3052f68f8
  SHA512: 4d48d11f3d0a740b9193e17782c77b01f52dd6e8324755aa81188295a0caed0718d330453bb02ca8bc942ee5588928e57a0d89d90d6b1c32690338c5eae8e1ad
- C:\Program Files (x86)\antiviruspc2009\bzip2.dll
  MD5: 4143d4973e0f5a5180e114bdd868d4d2
  SHA1: b47fd2cf9db0f37c04e4425085fb953cbce81478
  SHA256: da25db24809479051d980be5e186926dd53233a76dfe357a455387646befca76
  SHA512: e21827712a4870461921e7996506ffe456dd2303b69de370aa0499dde2e4747a73d8c0e8bd7d91c5bbc414ed5ee06f36d172237489494b3dd311ccd95ba07ebc
- C:\Program Files (x86)\antiviruspc2009\libltdl3.dll
  MD5: 00a71b4afda8033235432b1c433fecc7
  SHA1: d7b0c218aa8fec1c60ada26a09d9e0d9601985ca
  SHA256: f9c9d2b92efb80f6d11df52735b8bddd099847cc79ba56650793b21a0923b1cd
  SHA512: 96635e66d9781ad4d2414271f6a0904cf880ed94fc19186ef4da5f88f24e14ef1591fdc90e27db15a6021847c592688d0034f20e2e50ca93bf8c6db27e8c510a
- C:\Program Files (x86)\antiviruspc2009\pthreadVC2.dll
  MD5: 0ab7d0e87f3843f8104b3670f5a9af62
  SHA1: 10c09a12e318f0fbebf70c4c42ad6ee31d9df2e5
  SHA256: 8aecab563b3c629e8f9dcd525dc2d6b1903f6c600637e63b1efe05e3c64d757b
  SHA512: e08e17167edf461c0fca1e8b649c0c395793e80f5400f5cbb7d7906d0c99e955fcf6be2300db8663d413c4b3ffb075112a6ce5bf259553c0fd3d76200ee0d375
- memory/3516-2-0x0000000000000000-mapping.dmp