Overview

overview

7

Static

static

1

Endermanch@MEMZ.exe

windows7-x64

6

Endermanch@MEMZ.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    1048s
  • max time network
    886s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    01-04-2023 03:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Endermanch@MEMZ.exe

  • Size

    14KB

  • MD5

    19dbec50735b5f2a72d4199c4e184960

  • SHA1

    6fed7732f7cb6f59743795b2ab154a3676f4c822

  • SHA256

    a3d5715a81f2fbeb5f76c88c9c21eeee87142909716472f911ff6950c790c24d

  • SHA512

    aa8a6bbb1ec516d5d5acf8be6863a4c6c5d754cee12b3d374c3a6acb393376806edc422f0ffb661c210e5b9485da88521e4a0956a4b7b08a5467cfaacd90591d

  • SSDEEP

    192:sIvxdXSQeWSg9JJS/lcIEiwqZKBkDFR43xWTM3LHn8f26gyr6yfFCj3r:sMVSaSEglcIqq3agmLc+6gyWqFCj

Score
6/10
bootkitpersistence

Malware Config

Signatures

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 36 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 9 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Endermanch@MEMZ.exe
    "C:\Users\Admin\AppData\Local\Temp\Endermanch@MEMZ.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1252
    • C:\Users\Admin\AppData\Local\Temp\Endermanch@MEMZ.exe
      "C:\Users\Admin\AppData\Local\Temp\Endermanch@MEMZ.exe" /watchdog
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:940
    • C:\Users\Admin\AppData\Local\Temp\Endermanch@MEMZ.exe
      "C:\Users\Admin\AppData\Local\Temp\Endermanch@MEMZ.exe" /watchdog
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1440
    • C:\Users\Admin\AppData\Local\Temp\Endermanch@MEMZ.exe
      "C:\Users\Admin\AppData\Local\Temp\Endermanch@MEMZ.exe" /watchdog
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2020
    • C:\Users\Admin\AppData\Local\Temp\Endermanch@MEMZ.exe
      "C:\Users\Admin\AppData\Local\Temp\Endermanch@MEMZ.exe" /watchdog
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:596
    • C:\Users\Admin\AppData\Local\Temp\Endermanch@MEMZ.exe
      "C:\Users\Admin\AppData\Local\Temp\Endermanch@MEMZ.exe" /watchdog
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1492
    • C:\Users\Admin\AppData\Local\Temp\Endermanch@MEMZ.exe
      "C:\Users\Admin\AppData\Local\Temp\Endermanch@MEMZ.exe" /main
      2⤵
      • Writes to the Master Boot Record (MBR)
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:436
      • C:\Windows\SysWOW64\notepad.exe
        "C:\Windows\System32\notepad.exe" \note.txt
        3⤵
          PID:636
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe" http://answers.microsoft.com/en-us/protect/forum/protect_other-protect_scanning/memz-malwarevirus-trojan-completely-destroying/268bc1c2-39f4-42f8-90c2-597a673b6b45
          3⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:320
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:320 CREDAT:275457 /prefetch:2
            4⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:1484
    • C:\Windows\system32\AUDIODG.EXE
      C:\Windows\system32\AUDIODG.EXE 0x508
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:564

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Bootkit

    1
    T1067

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6B2043001D270792DFFD725518EAFE2C
      Filesize

      579B

      MD5

      f55da450a5fb287e1e0f0dcc965756ca

      SHA1

      7e04de896a3e666d00e687d33ffad93be83d349e

      SHA256

      31ad6648f8104138c738f39ea4320133393e3a18cc02296ef97c2ac9ef6731d0

      SHA512

      19bd9a319dfdaad7c13a6b085e51c67c0f9cb1eb4babc4c2b5cdf921c13002ca324e62dfa05f344e340d0d100aa4d6fac0683552162ccc7c0321a8d146da0630

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
      Filesize

      61KB

      MD5

      e71c8443ae0bc2e282c73faead0a6dd3

      SHA1

      0c110c1b01e68edfacaeae64781a37b1995fa94b

      SHA256

      95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72

      SHA512

      b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
      Filesize

      61KB

      MD5

      e71c8443ae0bc2e282c73faead0a6dd3

      SHA1

      0c110c1b01e68edfacaeae64781a37b1995fa94b

      SHA256

      95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72

      SHA512

      b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6B2043001D270792DFFD725518EAFE2C
      Filesize

      252B

      MD5

      91a2ca672aeaa9325452228160f730ef

      SHA1

      7eacbd655a5af803690b6fc9b6757496b9ad0eaf

      SHA256

      3d67db21a892b2ea7b9558659f7eb7995a5a93fa967a90eae4bd7f6bb94fc8e2

      SHA512

      db52ef06cee6ab85001f82962e8d0f63bb1f5ad17ceff3e4daafbf4e8c9999405a5816020435a7edb11c29699419515135c75c8d6884fc52d19ae0be4b2522fb

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      1340d32840db82340d2729e17998e305

      SHA1

      8e9fc6150fd7291844dbaffece6d24ade6fb70b9

      SHA256

      23deb1cc13b9a4014a3f3d116b5f5dd87378645edfc23acce89b5b8d7c841904

      SHA512

      c026735bb9ab02d5112c5db3870f1b763ea96d96df0fb798490dee95be096e695bf8f52b9a78282f0092e6188685170532942bb03194946f3c2db9b764590622

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      166407ccda934447202f132e8ecd1901

      SHA1

      a7d807ebf3590f87a8eba1ac57fe489a10170b15

      SHA256

      326f7db3d20f6aa86ce217c484de40a275c30b40f029e56c18307ab91417ec36

      SHA512

      de19483cd72d3f6a61f66496b2cff2147f2938e0dd37ed73bdb32eca0a0af7b80d57e28ebc0d14e9d55ffb6289153aaf5820d60e89eab0fefefaee193c670ea6

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      4d4e0073246b987634cf66e895aa5881

      SHA1

      6ac57de9b358feb2d9952292b16c53ab6f664aae

      SHA256

      8b2da6ed831055ee0830ae93e18d627b1e777eb540ebfa452225d5410d31674a

      SHA512

      82cf2c4c37f8181b6a5ef25903b780aee4547caabc0035a8e63a75aab08335ed93b95edcb17b2e1adf365502699556ea35e261f685bac8a82c308eb8c96e7f45

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      d95c7a8892ba747e9acc16a3a7139a55

      SHA1

      7451a1dcb3c1f3adeb2405bb6ca47877809be003

      SHA256

      f22f159972bd1cb79f7b6cf20fcbaeb6bce31462fc892ede2b92bcc7cf2f0947

      SHA512

      f536e6dd6ff7b6043215e28f8b55a415fcc22e713a54b35d1ad9ec801687f673bca9fd9d9a9124b7b60661af84dc2d51e950ad2fa25a386109b12ec24751aa51

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      555371be6582ee31f89ab3d4da250b26

      SHA1

      e3e16c15c96fedfc88e60e49d731d4f4a6848e95

      SHA256

      f5d82d289380f81b7ec526d20bba86d3aaf513f18ce1fb258838c7ca3952324b

      SHA512

      e59bc57f8c5c5a517a9eec936fa2ed3c64d77743c43db18ba980f437428c35e25348226d51dffbc1aee64efd200fe5f7e90cdaf1b53a1944a94c4c48fe9d287a

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      cc1dd30be090988c0f5af23bc31581fe

      SHA1

      6b74937f1df588eb5ca2a5a42b837d17020acb96

      SHA256

      00296feb97789d0e334c938c181b2449ffa9514cf7ffed8b8b9cf46482e65bd8

      SHA512

      9c000e5d897d35bf1c45f084c397cbcea7fc023df51bd095442be7894f54f7f72a13c4cb5419cabe26dce949840b6c68c2a229951d0429a87525732a0f0c1005

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      3e918c22cd67b90a280a5dac531ab8a1

      SHA1

      2ebe22a98fbcd27ab3f719699e4f2d2d8afb8246

      SHA256

      170f7ae1916a4d37ec7ff37ac7db06b0ef70d1deba273c0f19d7b215f0185e3c

      SHA512

      2eefdb49771b6248fffdb46d37dc1b7fcd084593a0d5532c96a4068c55060d4d226f5a01389de6af67489d4b5de1e0591c70e6fa4242604726a893f073844625

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      27b36f24ef9367ce287a6f67a7c546e3

      SHA1

      b693945002f1ba26f9819a5ed71bb454c59910cc

      SHA256

      76ad8107abcf66829a1f709d85375ac34a5c46acd6fe3e9d42caae41c7523a2a

      SHA512

      fc8ceb2619a5551e14116c36714702f6f7ea8282d6f44a116dedc78502ddcefdc1e0bd4f44ef0b62dcd40a3a85ca47dbca03062b8a0b7279625919c2e304c616

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      f3a234e48af0bb5176852ce5168afc63

      SHA1

      4c514f0f783b3bcb2bd74eaeb7a9356bec5f0a15

      SHA256

      c349e9c3113f63f348a0d79f879da4f5017e0f3f63c998fc4d7381ebd07365ba

      SHA512

      ff0a3b36643a9515c149c879e91c450fada8de91bf3eac70c9504bb46f92339fc778505f01e91861362553ad87042a3a708a4efead25d66bef39af92592d7ea7

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      2332a32fcccd4dc5e4848b0fceca8f75

      SHA1

      f119da052f51ae81b51b3dbe1d8d8555fa30452d

      SHA256

      49ff78083945cb35660100417367489b4aa9d434a22cbff4cf8173cfc56ac014

      SHA512

      d375173c034992df757097b59c4a87b3bbe38ad475135f49f8e082051633a3e54783a38f9543899d664fb0f8874d0b009e37069772a17a0400e69ad40466ea2d

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      2c9e94b18e9f546247731876df79d4dc

      SHA1

      6bf6d153366d7fd8d866bf30478950221cd4e886

      SHA256

      330df873141ddd8aa215d7ab1d72c15260b9b1c3bd93d00e58b7e6f10764ad68

      SHA512

      259da1966ff4cb266944339f56cf87219c633293e75f1cf6b78aada790214dfaec7d47ae2e0f35a5b951e2058bfbd4cb295db26f4665fd412f88571bcec82991

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9ONXID7T\suggestions[1].en-US
      Filesize

      17KB

      MD5

      5a34cb996293fde2cb7a4ac89587393a

      SHA1

      3c96c993500690d1a77873cd62bc639b3a10653f

      SHA256

      c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

      SHA512

      e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\TarE48D.tmp
      Filesize

      161KB

      MD5

      be2bec6e8c5653136d3e72fe53c98aa3

      SHA1

      a8182d6db17c14671c3d5766c72e58d87c0810de

      SHA256

      1919aab2a820642490169bdc4e88bd1189e22f83e7498bf8ebdfb62ec7d843fd

      SHA512

      0d1424ccdf0d53faf3f4e13d534e12f22388648aa4c23edbc503801e3c96b7f73c7999b760b5bef4b5e9dd923dffe21a21889b1ce836dd428420bf0f4f5327ff

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\R73DROD9.txt
      Filesize

      608B

      MD5

      4c6a3614d6080be28ecd378a2ffa29a1

      SHA1

      8ceed73c4d985c534d3b501a6108f5e1edb756c4

      SHA256

      cda1bb2b6e579beecc929d112ff8b03591b330eae304ac3c690ab1d15fe1a7a4

      SHA512

      88473461ec9dfe4e222a3e0b5274fbfa1aa3e8ac28319f6b1e3d5b49942c36e29c0492ef924e82eb86e2194c28c29024bf7a78f648fbfd8b79f9f5c04f45f331

      Download Submit
    • C:\note.txt
      Filesize

      218B

      MD5

      afa6955439b8d516721231029fb9ca1b

      SHA1

      087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

      SHA256

      8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

      SHA512

      5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

      Download Submit