Overview

overview

10

Static

static

1

Endermanch...pt.exe

windows7-x64

10

Endermanch...pt.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    109s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    09-04-2023 06:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    [email protected]

  • Size

    211KB

  • MD5

    b805db8f6a84475ef76b795b0d1ed6ae

  • SHA1

    7711cb4873e58b7adcf2a2b047b090e78d10c75b

  • SHA256

    f5d002bfe80b48386a6c99c41528931b7f5df736cd34094463c3f85dde0180bf

  • SHA512

    62a2c329b43d186c4c602c5f63efc8d2657aa956f21184334263e4f6d0204d7c31f86bda6e85e65e3b99b891c1630d805b70997731c174f6081ecc367ccf9416

  • SSDEEP

    1536:YoCFfC303p22fkZrRQpnqjoi7l832fbu9ZXILwVENbM:rCVC303p22sZrRQpnviB832Du9WMON

Score
10/10
infinitylockransomware

Malware Config

Signatures

  • InfinityLock Ransomware

    Also known as InfinityCrypt. Based on the open-source HiddenTear ransomware.

    ransomwareinfinitylock
  • Modifies extensions of user files 4 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Loads dropped DLL 7 IoCs
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 9 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 21 IoCs
  • Suspicious use of FindShellTrayWindow 37 IoCs
  • Suspicious use of SendNotifyMessage 37 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\[email protected]
    "C:\Users\Admin\AppData\Local\Temp\[email protected]"
    1⤵
    • Modifies extensions of user files
    • Drops file in Program Files directory
    • Checks processor information in registry
    • Suspicious use of AdjustPrivilegeToken
    PID:2024
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1684
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2016
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 4D12DC56D757225981D4A3D9997D18E8
      2⤵
      • Loads dropped DLL
      PID:552
  • C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\WaitOut.vstx
    1⤵
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    PID:1876

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightYellow\TAB_OFF.GIF.8B7D586146700DBFA79C122C40DDFEDC5E150DA022D9127A1F41BEB4397BA840
    Filesize

    352B

    MD5

    9d40b3158cf30298b7b2eb02e24ae73b

    SHA1

    aa231daf738baecb41140bc1d1cacf140f1249e0

    SHA256

    92bbb320f8ba429832dddebdb291c4962fe687ea11c19ce2550e93628bdb4755

    SHA512

    ef47f36065729a335a491a3d3354e9fc9353a308d071e2118b1c1ca6f9e18756f06c329772ae75424e16daad1b6864416a9eb68f860b19ea2caf8b77a76d7ce8

    Download Submit

  • C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightYellow\TAB_ON.GIF.8B7D586146700DBFA79C122C40DDFEDC5E150DA022D9127A1F41BEB4397BA840
    Filesize

    224B

    MD5

    b3eb0315ac7d723366280e3c817fc9c7

    SHA1

    e3469c9f4749ddf44371439cb8df110a657325b3

    SHA256

    0f31f72fe5e665466ab32e90650e5ff580226da5a99b866920dbe37d1185a596

    SHA512

    568c72c94ba0800cffebab8eae1a8b3f6f649e0736d1546ebf4e4927a9774d7cb4d0afdcde2a814165178eab145e1efecaf28b7d8b936d7d42941720f68e326f

    Download Submit

  • C:\Program Files (x86)\Microsoft Office\Office14\1033\INFOPATH_F_COL.HXK.8B7D586146700DBFA79C122C40DDFEDC5E150DA022D9127A1F41BEB4397BA840
    Filesize

    128B

    MD5

    aed29810b8149cf8cb54f65b2d2defc0

    SHA1

    3e19bedd69c0c920a25d4252f647fe0a8296731a

    SHA256

    33231cd9feb811a022ecf602e7624d86fe4e592e8067df80ef02a2cb03470119

    SHA512

    00c3f052eb0b8f69bec27f7afc7b7dd00bdeadbc35e0a08669246a09b93244fba3deddeb3aa9d87c058b2d47938a7321b0529aefde274dac0c21f4d8ab17f80a

    Download Submit

  • C:\Program Files (x86)\Microsoft Office\Office14\1033\INFOPATH_K_COL.HXK.8B7D586146700DBFA79C122C40DDFEDC5E150DA022D9127A1F41BEB4397BA840
    Filesize

    128B

    MD5

    2002a72e32f9f66ac88e25461511d863

    SHA1

    ace3e9a8b38f9f3a0ddd4e4bd00321f14e0a443e

    SHA256

    f2bf5b65f21d827ed0f1fe16d2d49dcfcc463dcf9ff51e194c8f63faa7ee28ab

    SHA512

    4a0669438ebbc96d3653501e3e77903298e31ee00018c2a9ff1ce8cdc7588ef2b9050117d52c6225936cb47c84b1b6dde7f44c25cbeaeecf75fd5833af6098cb

    Download Submit

  • C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue\BUTTON.GIF.8B7D586146700DBFA79C122C40DDFEDC5E150DA022D9127A1F41BEB4397BA840
    Filesize

    192B

    MD5

    d1c0b817bc4453799130da2414d5585d

    SHA1

    d393a8ca6575cf7c23a0bb89d5a856c7d485958f

    SHA256

    80c8aa9074281554ace1f23f9da0821e87d18db058ab07bcb7119762a16b0ecf

    SHA512

    d2ff8549fd606e0d96cc0fe23f5c10df3969c4344676b17ba9515619318c26430fe05d5d7366ba563ef84e1a5fd2d3f3de006ebdd7c5c10d90cfbfe9eeac8710

    Download Submit

  • C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\TAB_OFF.GIF.8B7D586146700DBFA79C122C40DDFEDC5E150DA022D9127A1F41BEB4397BA840
    Filesize

    512B

    MD5

    e485c4623bec614bce9db3dac7bdf96d

    SHA1

    9386827802a14a35786bcde8f42548113e0bb140

    SHA256

    23813bf8d5c4c39751a3716b46756f26a748d05a13ca223c1cb92c37d0541f0a

    SHA512

    b7a9bd746798870fb5f394ff7fbab7f5928c5d7cc433311f30aa616566de3eaaa8fb5b73c8c26563238cb1fa52df92f754311007a1293611b8a6cb57d983f7af

    Download Submit

  • C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\TAB_ON.GIF.8B7D586146700DBFA79C122C40DDFEDC5E150DA022D9127A1F41BEB4397BA840
    Filesize

    1KB

    MD5

    d68cec43608ab159c56dfac81df97827

    SHA1

    8f55ada86528007b5696df1469a863fc52d54315

    SHA256

    66e1ae2be3bd64a930d1599ee429caada086ac0d4751cd612a734f1680c36fdf

    SHA512

    fd5dfbef7b60096a25993f5c14acac5b399a57d2a8b41fbc4977ef9eb5a8d9a591da52306bc21d61827c8b89d752ecb3181f9dd02831c10ee10798fb6985a56c

    Download Submit

  • C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.NO.XML.8B7D586146700DBFA79C122C40DDFEDC5E150DA022D9127A1F41BEB4397BA840
    Filesize

    816B

    MD5

    29e060c99e30c08e7b126b3098681fcb

    SHA1

    1bbd2795382cab676bd91f5779b0a9eb3ea83b73

    SHA256

    fe649cd6beeee0299f54015b8c8bb2ee29a79adfcf1f425feef607b17a80d360

    SHA512

    878ad63f587a6d2ee0fcf15b534ca7766ff425eabc0216c9c6be22ed0b99d72922fab0c75cf623ac5a9bd920ce6211501ea7cd24bc6411f1b9ada9f3261c0203

    Download Submit

  • C:\Windows\Installer\MSI5B6A.tmp
    Filesize

    257KB

    MD5

    d1f5ce6b23351677e54a245f46a9f8d2

    SHA1

    0d5c6749401248284767f16df92b726e727718ca

    SHA256

    57cb8f01cf553c3886760180d1a74839f2f676640115504485aca9692f577acc

    SHA512

    960e90894e7bedcc89894e77e57e8ee0c99dd2c530d02665e8bbd3a1793eccc1e295c5923d1f37c757fa1158097fbaae70898c16052882d3d210c29ea801b3ba

    Download Submit

  • C:\Windows\Installer\MSI5F22.tmp
    Filesize

    257KB

    MD5

    d1f5ce6b23351677e54a245f46a9f8d2

    SHA1

    0d5c6749401248284767f16df92b726e727718ca

    SHA256

    57cb8f01cf553c3886760180d1a74839f2f676640115504485aca9692f577acc

    SHA512

    960e90894e7bedcc89894e77e57e8ee0c99dd2c530d02665e8bbd3a1793eccc1e295c5923d1f37c757fa1158097fbaae70898c16052882d3d210c29ea801b3ba

    Download Submit

  • C:\Windows\Installer\MSI5FB0.tmp
    Filesize

    19KB

    MD5

    9cadbfa797783ff9e7fc60301de9e1ff

    SHA1

    83bde6d6b75dfc88d3418ec1a2e935872b8864bb

    SHA256

    c1eda5c42be64cfc08408a276340c9082f424ec1a4e96e78f85e9f80d0634141

    SHA512

    095963d9e01d46dae7908e3de6f115d7a0eebb114a5ec6e4e9312dbc22ba5baa268f5acece328066c9456172e90a95e097a35b9ed61589ce9684762e38f1385b

    Download Submit

  • C:\Windows\Installer\MSI5FD0.tmp
    Filesize

    363KB

    MD5

    4a843a97ae51c310b573a02ffd2a0e8e

    SHA1

    063fa914ccb07249123c0d5f4595935487635b20

    SHA256

    727ecf287fb6f4953ee7748913dd559b4f8d3a022fa2ca55bc51cf5886c52086

    SHA512

    905c081552d95b523ecf1155b6c7e157652e5ff00cda30c1c21124d266eb7d305c3398d6832316f403dc45d1b639f1a5a67aea29922cd1a032f52e5247ec55d2

    Download Submit

  • C:\Windows\Installer\MSI602F.tmp
    Filesize

    363KB

    MD5

    4a843a97ae51c310b573a02ffd2a0e8e

    SHA1

    063fa914ccb07249123c0d5f4595935487635b20

    SHA256

    727ecf287fb6f4953ee7748913dd559b4f8d3a022fa2ca55bc51cf5886c52086

    SHA512

    905c081552d95b523ecf1155b6c7e157652e5ff00cda30c1c21124d266eb7d305c3398d6832316f403dc45d1b639f1a5a67aea29922cd1a032f52e5247ec55d2

    Download Submit

  • C:\Windows\Installer\MSI6129.tmp
    Filesize

    257KB

    MD5

    d1f5ce6b23351677e54a245f46a9f8d2

    SHA1

    0d5c6749401248284767f16df92b726e727718ca

    SHA256

    57cb8f01cf553c3886760180d1a74839f2f676640115504485aca9692f577acc

    SHA512

    960e90894e7bedcc89894e77e57e8ee0c99dd2c530d02665e8bbd3a1793eccc1e295c5923d1f37c757fa1158097fbaae70898c16052882d3d210c29ea801b3ba

    Download Submit

  • C:\Windows\Installer\MSI6129.tmp
    Filesize

    257KB

    MD5

    d1f5ce6b23351677e54a245f46a9f8d2

    SHA1

    0d5c6749401248284767f16df92b726e727718ca

    SHA256

    57cb8f01cf553c3886760180d1a74839f2f676640115504485aca9692f577acc

    SHA512

    960e90894e7bedcc89894e77e57e8ee0c99dd2c530d02665e8bbd3a1793eccc1e295c5923d1f37c757fa1158097fbaae70898c16052882d3d210c29ea801b3ba

    Download Submit

  • C:\Windows\Installer\MSI61A7.tmp
    Filesize

    85KB

    MD5

    5577a98daef4ba33e900a3e3108d6cc1

    SHA1

    5af817186ab0376a0433686be470ea2b48c74f5f

    SHA256

    148199b4f3b6b2030e2aeb63a66e8e333e692d38691bcbe39139cf02bb61b31d

    SHA512

    d37d511975b5331a5b1cdda736890c7d4f2dcba4abac2b9399c977bdb7e09c964327e3f771cd592e2632b0e776545c490f29fd391ec13c7948557957cd805dd5

    Download Submit

  • \Windows\Installer\MSI5B6A.tmp
    Filesize

    257KB

    MD5

    d1f5ce6b23351677e54a245f46a9f8d2

    SHA1

    0d5c6749401248284767f16df92b726e727718ca

    SHA256

    57cb8f01cf553c3886760180d1a74839f2f676640115504485aca9692f577acc

    SHA512

    960e90894e7bedcc89894e77e57e8ee0c99dd2c530d02665e8bbd3a1793eccc1e295c5923d1f37c757fa1158097fbaae70898c16052882d3d210c29ea801b3ba

    Download Submit

  • \Windows\Installer\MSI5F22.tmp
    Filesize

    257KB

    MD5

    d1f5ce6b23351677e54a245f46a9f8d2

    SHA1

    0d5c6749401248284767f16df92b726e727718ca

    SHA256

    57cb8f01cf553c3886760180d1a74839f2f676640115504485aca9692f577acc

    SHA512

    960e90894e7bedcc89894e77e57e8ee0c99dd2c530d02665e8bbd3a1793eccc1e295c5923d1f37c757fa1158097fbaae70898c16052882d3d210c29ea801b3ba

    Download Submit

  • \Windows\Installer\MSI5FB0.tmp
    Filesize

    19KB

    MD5

    9cadbfa797783ff9e7fc60301de9e1ff

    SHA1

    83bde6d6b75dfc88d3418ec1a2e935872b8864bb

    SHA256

    c1eda5c42be64cfc08408a276340c9082f424ec1a4e96e78f85e9f80d0634141

    SHA512

    095963d9e01d46dae7908e3de6f115d7a0eebb114a5ec6e4e9312dbc22ba5baa268f5acece328066c9456172e90a95e097a35b9ed61589ce9684762e38f1385b

    Download Submit

  • \Windows\Installer\MSI5FD0.tmp
    Filesize

    363KB

    MD5

    4a843a97ae51c310b573a02ffd2a0e8e

    SHA1

    063fa914ccb07249123c0d5f4595935487635b20

    SHA256

    727ecf287fb6f4953ee7748913dd559b4f8d3a022fa2ca55bc51cf5886c52086

    SHA512

    905c081552d95b523ecf1155b6c7e157652e5ff00cda30c1c21124d266eb7d305c3398d6832316f403dc45d1b639f1a5a67aea29922cd1a032f52e5247ec55d2

    Download Submit

  • \Windows\Installer\MSI602F.tmp
    Filesize

    363KB

    MD5

    4a843a97ae51c310b573a02ffd2a0e8e

    SHA1

    063fa914ccb07249123c0d5f4595935487635b20

    SHA256

    727ecf287fb6f4953ee7748913dd559b4f8d3a022fa2ca55bc51cf5886c52086

    SHA512

    905c081552d95b523ecf1155b6c7e157652e5ff00cda30c1c21124d266eb7d305c3398d6832316f403dc45d1b639f1a5a67aea29922cd1a032f52e5247ec55d2

    Download Submit

  • \Windows\Installer\MSI6129.tmp
    Filesize

    257KB

    MD5

    d1f5ce6b23351677e54a245f46a9f8d2

    SHA1

    0d5c6749401248284767f16df92b726e727718ca

    SHA256

    57cb8f01cf553c3886760180d1a74839f2f676640115504485aca9692f577acc

    SHA512

    960e90894e7bedcc89894e77e57e8ee0c99dd2c530d02665e8bbd3a1793eccc1e295c5923d1f37c757fa1158097fbaae70898c16052882d3d210c29ea801b3ba

    Download Submit

  • \Windows\Installer\MSI61A7.tmp
    Filesize

    85KB

    MD5

    5577a98daef4ba33e900a3e3108d6cc1

    SHA1

    5af817186ab0376a0433686be470ea2b48c74f5f

    SHA256

    148199b4f3b6b2030e2aeb63a66e8e333e692d38691bcbe39139cf02bb61b31d

    SHA512

    d37d511975b5331a5b1cdda736890c7d4f2dcba4abac2b9399c977bdb7e09c964327e3f771cd592e2632b0e776545c490f29fd391ec13c7948557957cd805dd5

    Download Submit

  • memory/1684-3329-0x0000000140000000-0x00000001405E8000-memory.dmp

    Filesize

    5.9MB

    Download

  • memory/1684-3338-0x0000000140000000-0x00000001405E8000-memory.dmp

    Filesize

    5.9MB

    Download

  • memory/2024-613-0x0000000004BF0000-0x0000000004C30000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2024-54-0x0000000000130000-0x000000000016C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/2024-55-0x0000000004BF0000-0x0000000004C30000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2024-5412-0x0000000004BF0000-0x0000000004C30000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2024-5414-0x0000000004BF0000-0x0000000004C30000-memory.dmp

    Filesize

    256KB

    Download