Overview (score 10)
Static (score 10)

Task | Platform | Score
Endermanch...is.exe | windows7-x64 | 1
Endermanch...is.exe | windows10-2004-x64 | (no score)
Endermanch...ug.exe | windows7-x64 | 6
Endermanch...ug.exe | windows10-2004-x64 | 6
Endermanch...ck.exe | windows7-x64 | 7
Endermanch...ck.exe | windows10-2004-x64 | 7
Endermanch...om.exe | windows7-x64 | 1
Endermanch...om.exe | windows10-2004-x64 | 1
Endermanch...le.exe | windows7-x64 | 1
Endermanch...le.exe | windows10-2004-x64 | 1
Endermanch...er.exe | windows7-x64 | 7
Endermanch...er.exe | windows10-2004-x64 | 7
Endermanch...er.exe | windows7-x64 | 7
Endermanch...er.exe | windows10-2004-x64 | 7
Endermanch...er.exe | windows7-x64 | (no score)
Endermanch...er.exe | windows10-2004-x64 | (no score)
Endermanch...us.exe | windows7-x64 | 1
Endermanch...us.exe | windows10-2004-x64 | 1
Endermanch....C.exe | windows7-x64 | 10
Endermanch....C.exe | windows10-2004-x64 | 10
Endermanch...rd.exe | windows7-x64 | 10
Endermanch...rd.exe | windows10-2004-x64 | 9
Endermanch...a2.exe | windows7-x64 | 1
Endermanch...a2.exe | windows10-2004-x64 | 1
Endermanch...19.exe | windows7-x64 | 7
Endermanch...19.exe | windows10-2004-x64 | 7
Endermanch...eg.exe | windows7-x64 | 7
Endermanch...eg.exe | windows10-2004-x64 | 3
Endermanch...1).exe | windows7-x64 | 3
Endermanch...1).exe | windows10-2004-x64 | 3
Endermanch...ld.exe | windows7-x64 | 3
Endermanch...ld.exe | windows10-2004-x64 | 3

Resubmissions
Submitted | ID | Score
10-05-2024 16:25 | 240510-tw1h5shh47 | 10
24-08-2023 11:16 | 230824-nda8msdf8z | 10
05-08-2023 22:52 | 230805-2tn2bsfa82 | 10
24-07-2023 06:25 | 230724-g6s6laag35 | 10
22-07-2023 15:57 | 230722-tee6wabg5w | 10
20-07-2023 23:19 | 230720-3bb5gsbf5v | 10
20-07-2023 23:06 | 230720-23f23sba63 | 10
03-02-2021 11:43 | 210203-6bgge2nfan | 10
22-11-2020 06:42 | 201122-6x1at779dj | 10

Analysis
- max time kernel: 17s
- max time network: 33s
- platform: windows7_x64
- resource: win7-20230712-en
- resource tags: arch:x64, arch:x86, image:win7-20230712-en, locale:en-us, os:windows7-x64, system
- submitted: 24-07-2023 06:25
Static task: static1

Behavioral task | Sample | Resource
behavioral1 | Endermanch@CleanThis.exe | win7-20230712-en
behavioral2 | Endermanch@CleanThis.exe | win10v2004-20230703-en
behavioral3 | Endermanch@ColorBug.exe | win7-20230712-en
behavioral4 | Endermanch@ColorBug.exe | win10v2004-20230703-en
behavioral5 | Endermanch@DeriaLock.exe | win7-20230712-en
behavioral6 | Endermanch@DeriaLock.exe | win10v2004-20230703-en
behavioral7 | Endermanch@Deskbottom.exe | win7-20230712-en
behavioral8 | Endermanch@Deskbottom.exe | win10v2004-20230703-en
behavioral9 | Endermanch@DesktopPuzzle.exe | win7-20230712-en
behavioral10 | Endermanch@DesktopPuzzle.exe | win10v2004-20230703-en
behavioral11 | Endermanch@FakeAdwCleaner.exe | win7-20230712-en
behavioral12 | Endermanch@FakeAdwCleaner.exe | win10v2004-20230703-en
behavioral13 | Endermanch@FreeYoutubeDownloader.exe | win7-20230712-en
behavioral14 | Endermanch@FreeYoutubeDownloader.exe | win10v2004-20230703-en
behavioral15 | Endermanch@HMBlocker.exe | win7-20230712-en
behavioral16 | Endermanch@HMBlocker.exe | win10v2004-20230703-en
behavioral17 | Endermanch@HappyAntivirus.exe | win7-20230712-en
behavioral18 | Endermanch@HappyAntivirus.exe | win10v2004-20230703-en
behavioral19 | Endermanch@Illerka.C.exe | win7-20230712-en
behavioral20 | Endermanch@Illerka.C.exe | win10v2004-20230703-en
behavioral21 | Endermanch@InternetSecurityGuard.exe | win7-20230712-en
behavioral22 | Endermanch@InternetSecurityGuard.exe | win10v2004-20230703-en
behavioral23 | Endermanch@Koteyka2.exe | win7-20230712-en
behavioral24 | Endermanch@Koteyka2.exe | win10v2004-20230703-en
behavioral25 | Endermanch@LPS2019.exe | win7-20230712-en
behavioral26 | Endermanch@LPS2019.exe | win10v2004-20230703-en
behavioral27 | Endermanch@Movie.mpeg.exe | win7-20230712-en
behavioral28 | Endermanch@Movie.mpeg.exe | win10v2004-20230703-en
behavioral29 | Endermanch@NavaShield(1).exe | win7-20230712-en
behavioral30 | Endermanch@NavaShield(1).exe | win10v2004-20230703-en
behavioral31 | Endermanch@NavaShield.exe | win7-20230712-en
behavioral32 | Endermanch@NavaShield.exe | win10v2004-20230703-en
Errors
General
- Target: Endermanch@HMBlocker.exe
- Size: 48KB
- MD5: 21943d72b0f4c2b42f242ac2d3de784c
- SHA1: c887b9d92c026a69217ca550568909609eec1c39
- SHA256: 2d047b0a46be4da59d375f71cfbd578ce1fbf77955d0bb149f6be5b9e4552180
- SHA512: 04c9fa8358944d01b5fd0b6d5da2669df4c54fe79c58e7987c16bea56c114394173b6e8a6ac54cd4acd081fcbc66103ea6514c616363ba8d212db13b301034d8
- SSDEEP: 768:xE09MOEzWGoOIx2qCZVZmj+Wg5VK2LDakrDZ5yS/wwHA49kszNAY1XKoJc4P1:t7w73bUNMMkrDry+6Ut
Malware Config
Signatures

- Processes:
  resource | yara_rule
  behavioral15/memory/2176-54-0x0000000000400000-0x0000000000420000-memory.dmp | upx
  behavioral15/memory/2176-58-0x0000000000400000-0x0000000000420000-memory.dmp | upx

- Adds Run key to start application (2 TTPs, 4 IoCs)
  Processes: reg.exe, reg.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | reg.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Windows\CurrentVersion\Run\2503326475 = "C:\\Users\\Admin\\2503326475\\2503326475.exe" | reg.exe
  Key created | \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce | reg.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\2503326475_del = "cmd /c del \"C:\\Users\\Admin\\AppData\\Local\\Temp\\Endermanch@HMBlocker.exe\"" | reg.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: shutdown.exe
  description | pid | process
  Token: SeShutdownPrivilege | 2348 | shutdown.exe
  Token: SeRemoteShutdownPrivilege | 2348 | shutdown.exe

- Suspicious use of WriteProcessMemory (20 IoCs)
  Processes: Endermanch@HMBlocker.exe, cmd.exe, cmd.exe
  description | pid | process | target process
  PID 2176 wrote to memory of 2348 | 2176 | Endermanch@HMBlocker.exe | shutdown.exe
  PID 2176 wrote to memory of 2348 | 2176 | Endermanch@HMBlocker.exe | shutdown.exe
  PID 2176 wrote to memory of 2348 | 2176 | Endermanch@HMBlocker.exe | shutdown.exe
  PID 2176 wrote to memory of 2348 | 2176 | Endermanch@HMBlocker.exe | shutdown.exe
  PID 2176 wrote to memory of 1680 | 2176 | Endermanch@HMBlocker.exe | cmd.exe
  PID 2176 wrote to memory of 1680 | 2176 | Endermanch@HMBlocker.exe | cmd.exe
  PID 2176 wrote to memory of 1680 | 2176 | Endermanch@HMBlocker.exe | cmd.exe
  PID 2176 wrote to memory of 1680 | 2176 | Endermanch@HMBlocker.exe | cmd.exe
  PID 2176 wrote to memory of 1088 | 2176 | Endermanch@HMBlocker.exe | cmd.exe
  PID 2176 wrote to memory of 1088 | 2176 | Endermanch@HMBlocker.exe | cmd.exe
  PID 2176 wrote to memory of 1088 | 2176 | Endermanch@HMBlocker.exe | cmd.exe
  PID 2176 wrote to memory of 1088 | 2176 | Endermanch@HMBlocker.exe | cmd.exe
  PID 1680 wrote to memory of 2320 | 1680 | cmd.exe | reg.exe
  PID 1680 wrote to memory of 2320 | 1680 | cmd.exe | reg.exe
  PID 1680 wrote to memory of 2320 | 1680 | cmd.exe | reg.exe
  PID 1680 wrote to memory of 2320 | 1680 | cmd.exe | reg.exe
  PID 1088 wrote to memory of 1240 | 1088 | cmd.exe | reg.exe
  PID 1088 wrote to memory of 1240 | 1088 | cmd.exe | reg.exe
  PID 1088 wrote to memory of 1240 | 1088 | cmd.exe | reg.exe
  PID 1088 wrote to memory of 1240 | 1088 | cmd.exe | reg.exe
Processes

- C:\Users\Admin\AppData\Local\Temp\Endermanch@HMBlocker.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\Endermanch@HMBlocker.exe"
  signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\shutdown.exe
    command line: "C:\Windows\System32\shutdown.exe" /r /t 6 /f
    signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c REG ADD HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v 2503326475 /t REG_SZ /d "C:\Users\Admin\2503326475\2503326475.exe" /f
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\reg.exe
      command line: REG ADD HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v 2503326475 /t REG_SZ /d "C:\Users\Admin\2503326475\2503326475.exe" /f
      signatures: Adds Run key to start application
  - C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c REG ADD HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce /v 2503326475_del /t REG_SZ /d "cmd /c del \"C:\Users\Admin\AppData\Local\Temp\Endermanch@HMBlocker.exe\"" /f
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\reg.exe
      command line: REG ADD HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce /v 2503326475_del /t REG_SZ /d "cmd /c del \"C:\Users\Admin\AppData\Local\Temp\Endermanch@HMBlocker.exe\"" /f
      signatures: Adds Run key to start application
- C:\Windows\system32\LogonUI.exe
  command line: "LogonUI.exe" /flags:0x0
- C:\Windows\system32\LogonUI.exe
  command line: "LogonUI.exe" /flags:0x1
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

File | Filesize
memory/1732-59-0x0000000002A40000-0x0000000002A41000-memory.dmp | 4KB
memory/2176-56-0x0000000000230000-0x0000000000231000-memory.dmp | 4KB
memory/2176-57-0x0000000000230000-0x0000000000231000-memory.dmp | 4KB
memory/2176-55-0x0000000000230000-0x0000000000231000-memory.dmp | 4KB
memory/2176-54-0x0000000000400000-0x0000000000420000-memory.dmp | 128KB
memory/2176-58-0x0000000000400000-0x0000000000420000-memory.dmp | 128KB
memory/2484-60-0x00000000026E0000-0x00000000026E1000-memory.dmp | 4KB