f1bbcc5c678d174d858ae089f4494e3ea8bcfc418098d61804a15e437f08aff7

Target

Endermanch@Birele.exe
Size

116KB
MD5

41789c704a0eecfdd0048b4b4193e752
SHA1

fb1e8385691fa3293b7cbfb9b2656cf09f20e722
SHA256

b2dcfdf9e7b09f2aa5004668370e77982963ace820e7285b2e264a294441da23
SHA512

76391ac85fdc3be75441fcd6e19bed08b807d3946c7281c647f16a3be5388f7be307e6323fac8502430a4a6d800d52a88709592a49011ecc89de4f19102435ea

Score

10^/10

persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

Endermanch@Birele.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Endermanch@Birele.exe"	Endermanch@Birele.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral8/memory/2612-4-0x0000000000400000-0x0000000000438000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Endermanch@Birele.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	Endermanch@Birele.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\system = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Endermanch@Birele.exe"	Endermanch@Birele.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1920 taskkill.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

taskkill.exe

description pid process

Token: SeDebugPrivilege 1920 taskkill.exe

pid	process
1920	taskkill.exe

description	pid	process
Token: SeDebugPrivilege	1920	taskkill.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

Endermanch@Birele.exe

description	pid	process	target process
PID 2612 wrote to memory of 1920	2612	Endermanch@Birele.exe	taskkill.exe
PID 2612 wrote to memory of 1920	2612	Endermanch@Birele.exe	taskkill.exe
PID 2612 wrote to memory of 1920	2612	Endermanch@Birele.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\Endermanch@Birele.exe
"C:\Users\Admin\AppData\Local\Temp\Endermanch@Birele.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2612

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM explorer.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1920

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1920-3-0x0000000000000000-mapping.dmp

Download
memory/2612-2-0x0000000002010000-0x0000000002016000-memory.dmp

Filesize
24KB

Download
memory/2612-4-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download