
Resubmissions

  • 24-08-2023 11:16   230824-nda8msdf8z   score 10
  • 05-08-2023 22:52   230805-2tn2bsfa82   score 10
  • 24-07-2023 06:25   230724-g6s6laag35   score 10
  • 22-07-2023 15:57   230722-tee6wabg5w   score 10
  • 20-07-2023 23:19   230720-3bb5gsbf5v   score 10
  • 20-07-2023 23:06   230720-23f23sba63   score 10
  • 03-02-2021 11:43   210203-6bgge2nfan   score 10
  • 22-11-2020 06:42   201122-6x1at779dj   score 10

Analysis

  • max time kernel
    305s
  • max time network
    317s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    03-02-2021 11:43

General

  • Target

    Endermanch@AntivirusPlatinum.exe

  • Size

    739KB

  • MD5

    382430dd7eae8945921b7feab37ed36b

  • SHA1

    c95ddaebe2ae8fbcb361f3bf080d95a7bb5bf128

  • SHA256

    70e5e902d0ac7534838b743c899f484fe10766aefacc6df697219387a8e3d06b

  • SHA512

    26abc02bde77f0b94613edc32e0843ac71a0a8f3d8ba01cb94a42c047d0be7befef52a81984e9a0fa867400082a8905e7a63aaaf85fa32a03d27f7bc6a548c3b

Malware Config

Signatures

  • Windows security bypass 2 TTPs
  • Disables RegEdit via registry modification
  • Executes dropped EXE 2 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Windows security modification 2 TTPs 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Drops file in Windows directory 10 IoCs
  • Modifies Internet Explorer settings 1 TTPs 3 IoCs
  • Modifies Internet Explorer start page 1 TTPs 2 IoCs
  • Modifies registry class 2283 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • System policy modification 1 TTPs 4 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Endermanch@AntivirusPlatinum.exe
    "C:\Users\Admin\AppData\Local\Temp\Endermanch@AntivirusPlatinum.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:1176
    • C:\WINDOWS\302746537.exe
      "C:\WINDOWS\302746537.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:636
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\B0C7.tmp\302746537.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2824
        • C:\Windows\SysWOW64\regsvr32.exe
          regsvr32 /s c:\windows\comctl32.ocx
          4⤵
          • Modifies registry class
          PID:972
        • C:\Windows\SysWOW64\regsvr32.exe
          regsvr32 /s c:\windows\mscomctl.ocx
          4⤵
          • Modifies registry class
          PID:808
        • \??\c:\windows\antivirus-platinum.exe
          c:\windows\antivirus-platinum.exe
          4⤵
          • Executes dropped EXE
          • Windows security modification
          • Modifies Internet Explorer settings
          • Modifies Internet Explorer start page
          • Suspicious use of SetWindowsHookEx
          • System policy modification
          PID:744
        • C:\Windows\SysWOW64\attrib.exe
          attrib +h c:\windows\antivirus-platinum.exe
          4⤵
          • Drops file in Windows directory
          • Views/modifies file attributes
          PID:2968

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence
    Hidden Files and Directories (T1158): 1
  • Defense Evasion
    Disabling Security Tools (T1089): 2
    Modify Registry (T1112): 5
    Hidden Files and Directories (T1158): 1
  • Discovery
    System Information Discovery (T1082): 1


Downloads

  • C:\Users\Admin\AppData\Local\Temp\B0C7.tmp\302746537.bat
    MD5

    7d8beb22dfcfacbbc2609f88a41c1458

    SHA1

    52ec2b10489736b963d39a9f84b66bafbf15685f

    SHA256

    4aa9ed4b38514f117e6e4f326cb0a1be7f7b96199e21305e2bd6dce289d7baa2

    SHA512

    a26cf9168cf7450435a9fe8942445511f6fda1087db52bd73e335d6f5b544fc892999019d9291d9dcc60c3656de49688f6d63282c97706e2db286f988e44fd94

  • C:\WINDOWS\302746537.exe
    MD5

    8703ff2e53c6fd3bc91294ef9204baca

    SHA1

    3dbb8f7f5dfe6b235486ab867a2844b1c2143733

    SHA256

    3028a2b0e95143a4caa9bcd6ae794958e7469a20c6e673da067958cbf4310035

    SHA512

    d5eb8a07457a78f9acd0f81d2f58bbf64b52183318b87c353a590cd2a3ac3a6ec9c1452bd52306c7cf99f19b6a897b16ceb8289a7d008c5ce3b07eda9b871204

  • C:\Windows\302746537.exe
    MD5

    8703ff2e53c6fd3bc91294ef9204baca

    SHA1

    3dbb8f7f5dfe6b235486ab867a2844b1c2143733

    SHA256

    3028a2b0e95143a4caa9bcd6ae794958e7469a20c6e673da067958cbf4310035

    SHA512

    d5eb8a07457a78f9acd0f81d2f58bbf64b52183318b87c353a590cd2a3ac3a6ec9c1452bd52306c7cf99f19b6a897b16ceb8289a7d008c5ce3b07eda9b871204

  • C:\Windows\antivirus-platinum.exe
    MD5

    cd1800322ccfc425014a8394b01a4b3d

    SHA1

    171073975effde1c712dfd86309457fd457aed33

    SHA256

    8115de4ad0b7e589852f521eb4260c127f8afeaa3b0021bfc98e4928a4929ac0

    SHA512

    92c22c025fd3a61979fa718bf2e89a86e51bf7e69c421a9534fbf9c2d5b23b7a9224d0e9f3e0501992038837015214d1ef73b532a68b7d19de559c9ab9c6e5f6

  • \??\c:\windows\antivirus-platinum.exe
    MD5

    cd1800322ccfc425014a8394b01a4b3d

    SHA1

    171073975effde1c712dfd86309457fd457aed33

    SHA256

    8115de4ad0b7e589852f521eb4260c127f8afeaa3b0021bfc98e4928a4929ac0

    SHA512

    92c22c025fd3a61979fa718bf2e89a86e51bf7e69c421a9534fbf9c2d5b23b7a9224d0e9f3e0501992038837015214d1ef73b532a68b7d19de559c9ab9c6e5f6

  • \??\c:\windows\comctl32.ocx
    MD5

    821511549e2aaf29889c7b812674d59b

    SHA1

    3b2fd80f634a3d62277e0508bedca9aae0c5a0d6

    SHA256

    f59cdf89f0f522ce3662e09fa847bca9b277b006c415dcc0029b416c347db9c4

    SHA512

    8b2e805b916e5fbfcccb0f4189372aea006789b3847b51018075187135e9b5db9098f704c1932623f356db0ee327e1539a9bf3729947e92844a26db46555e8cd

  • \??\c:\windows\mscomctl.ocx
    MD5

    714cf24fc19a20ae0dc701b48ded2cf6

    SHA1

    d904d2fa7639c38ffb6e69f1ef779ca1001b8c18

    SHA256

    09f126e65d90026c3f659ff41b1287671b8cc1aa16240fc75dae91079a6b9712

    SHA512

    d375fd9b509e58c43355263753634368fa711f02a2235f31f7fa420d1ff77504d9a29bb70ae31c87671d50bd75d6b459379a1550907fbe5c37c60da835c60bc1

  • memory/636-2-0x0000000000000000-mapping.dmp
  • memory/744-11-0x0000000000000000-mapping.dmp
  • memory/808-9-0x0000000000000000-mapping.dmp
  • memory/972-7-0x0000000000000000-mapping.dmp
  • memory/2824-5-0x0000000000000000-mapping.dmp
  • memory/2968-14-0x0000000000000000-mapping.dmp
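Detection logic for the behaviour recorded above, written as an added example (not part of the sandbox report and not the sample's own code). It replays constructed Sysmon-style process-creation events that mirror the Processes tree (PIDs and command lines copied from it, SHA256 values taken from the General and Downloads sections) through rules for the chain the report shows: a dropped EXE running from the root of C:\Windows, cmd.exe executing a .bat from the user's Temp directory, regsvr32 /s registering OCX files placed in C:\Windows, and attrib +h hiding the payload there. The event format, the parent PID 900 for the first process, and the benign control event are assumptions made for the example.

```python
"""Added example: replay constructed process-creation events that mirror the
process tree in this report and flag the dropper chain it shows."""
import re
from dataclasses import dataclass

# SHA256 values copied from the General and Downloads sections of this report.
KNOWN_SHA256 = {
    "70e5e902d0ac7534838b743c899f484fe10766aefacc6df697219387a8e3d06b": "Endermanch@AntivirusPlatinum.exe",
    "4aa9ed4b38514f117e6e4f326cb0a1be7f7b96199e21305e2bd6dce289d7baa2": "302746537.bat",
    "3028a2b0e95143a4caa9bcd6ae794958e7469a20c6e673da067958cbf4310035": "302746537.exe",
    "8115de4ad0b7e589852f521eb4260c127f8afeaa3b0021bfc98e4928a4929ac0": "antivirus-platinum.exe",
    "f59cdf89f0f522ce3662e09fa847bca9b277b006c415dcc0029b416c347db9c4": "comctl32.ocx",
    "09f126e65d90026c3f659ff41b1287671b8cc1aa16240fc75dae91079a6b9712": "mscomctl.ocx",
}


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str        # image path as a Sysmon Event ID 1 style record would carry it
    cmdline: str
    sha256: str = ""  # empty when the log source did not hash the image


def norm(path: str) -> str:
    """Lower-case and strip the NT object-manager prefix (\\??\\) seen in the tree."""
    p = path.lower()
    return p[4:] if p.startswith("\\??\\") else p


# An EXE directly in C:\Windows (not in System32/SysWOW64), as the two dropped files are.
WINDOWS_ROOT_EXE = re.compile(r"c:\\windows\\[^\\]+\.exe")
# cmd.exe /c running a batch file out of %LOCALAPPDATA%\Temp.
TEMP_BAT = re.compile(r'/c\s+"*[a-z]:\\[^"]*?\\appdata\\local\\temp\\[^"]*?\.bat')
# regsvr32 /s registering an OCX that sits directly in C:\Windows.
SILENT_OCX = re.compile(r'/s\s+"?c:\\windows\\[^\\"\s]+\.ocx')
# attrib +h on a file directly in C:\Windows.
HIDE_IN_WINDOWS = re.compile(r'\+h\s+"?c:\\windows\\[^\\"\s]+')


def rules_for(ev: ProcEvent) -> list[str]:
    """Per-event rules; each returns a short finding label."""
    img, cmd = norm(ev.image), norm(ev.cmdline)
    hits = []
    if ev.sha256.lower() in KNOWN_SHA256:
        hits.append("known-hash:" + KNOWN_SHA256[ev.sha256.lower()])
    if WINDOWS_ROOT_EXE.fullmatch(img):
        hits.append("exe-in-windows-root")
    if img.endswith("\\cmd.exe") and TEMP_BAT.search(cmd):
        hits.append("cmd-runs-bat-from-temp")
    if img.endswith("\\regsvr32.exe") and SILENT_OCX.search(cmd):
        hits.append("regsvr32-silent-ocx-in-windows-root")
    if img.endswith("\\attrib.exe") and HIDE_IN_WINDOWS.search(cmd):
        hits.append("attrib-hides-file-in-windows-root")
    return hits


def ancestors(by_pid: dict, pid: int) -> list[ProcEvent]:
    """The event itself followed by its parents, stopping at unknown or cyclic PIDs."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid].ppid
    return chain


def dropper_chain(by_pid: dict, pid: int) -> bool:
    """True when the process descends from an EXE in the root of C:\\Windows that was
    itself started by something running out of the user's Temp directory."""
    imgs = [norm(e.image) for e in ancestors(by_pid, pid)]
    for i in range(1, len(imgs)):  # skip the process itself
        if WINDOWS_ROOT_EXE.fullmatch(imgs[i]) and any(
            "\\appdata\\local\\temp\\" in p for p in imgs[i + 1:]
        ):
            return True
    return False


def analyze(events: list[ProcEvent]) -> dict[int, list[str]]:
    """Map PID -> findings; processes with no findings are omitted."""
    by_pid = {e.pid: e for e in events}
    report = {}
    for e in events:
        hits = rules_for(e)
        if hits and dropper_chain(by_pid, e.pid):
            hits.append("descends-from-temp-dropper")
        if hits:
            report[e.pid] = hits
    return report


# Constructed events mirroring the process tree in this report. PPID 900 stands in
# for the unrecorded parent of the submitted sample (assumed, e.g. explorer.exe).
SAMPLE_EVENTS = [
    ProcEvent(1176, 900, r"C:\Users\Admin\AppData\Local\Temp\Endermanch@AntivirusPlatinum.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\Endermanch@AntivirusPlatinum.exe"',
              "70e5e902d0ac7534838b743c899f484fe10766aefacc6df697219387a8e3d06b"),
    ProcEvent(636, 1176, r"C:\WINDOWS\302746537.exe", r'"C:\WINDOWS\302746537.exe"',
              "3028a2b0e95143a4caa9bcd6ae794958e7469a20c6e673da067958cbf4310035"),
    ProcEvent(2824, 636, r"C:\Windows\SysWOW64\cmd.exe",
              r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\B0C7.tmp\302746537.bat" "'),
    ProcEvent(972, 2824, r"C:\Windows\SysWOW64\regsvr32.exe", r"regsvr32 /s c:\windows\comctl32.ocx"),
    ProcEvent(808, 2824, r"C:\Windows\SysWOW64\regsvr32.exe", r"regsvr32 /s c:\windows\mscomctl.ocx"),
    ProcEvent(744, 2824, r"\??\c:\windows\antivirus-platinum.exe", r"c:\windows\antivirus-platinum.exe",
              "8115de4ad0b7e589852f521eb4260c127f8afeaa3b0021bfc98e4928a4929ac0"),
    ProcEvent(2968, 2824, r"C:\Windows\SysWOW64\attrib.exe", r"attrib +h c:\windows\antivirus-platinum.exe"),
    # Benign control (constructed): a legitimate silent OCX registration from a
    # vendor directory must not fire any rule.
    ProcEvent(4100, 900, r"C:\Windows\System32\regsvr32.exe",
              r'regsvr32 /s "C:\Program Files\Vendor\vendorctl.ocx"'),
]

if __name__ == "__main__":
    for pid, hits in sorted(analyze(SAMPLE_EVENTS).items()):
        print(pid, ", ".join(hits))
```

The path rules deliberately key on the root of C:\Windows rather than on the file names, since the dropped EXE name (302746537.exe) is a random-looking number and will differ between runs while the drop location and the regsvr32/attrib pattern are what the batch file needs to work; the ancestry check ties those individually weak signals to a parent that ran out of Temp, which is what separates this chain from a vendor installer doing the same registration.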