Overview
overview
10Static
static
10Endermanch...is.exe
windows7-x64
1Endermanch...is.exe
windows10-2004-x64
Endermanch...ug.exe
windows7-x64
6Endermanch...ug.exe
windows10-2004-x64
6Endermanch...ck.exe
windows7-x64
7Endermanch...ck.exe
windows10-2004-x64
7Endermanch...om.exe
windows7-x64
1Endermanch...om.exe
windows10-2004-x64
1Endermanch...le.exe
windows7-x64
1Endermanch...le.exe
windows10-2004-x64
1Endermanch...er.exe
windows7-x64
7Endermanch...er.exe
windows10-2004-x64
7Endermanch...er.exe
windows7-x64
7Endermanch...er.exe
windows10-2004-x64
7Endermanch...er.exe
windows7-x64
Endermanch...er.exe
windows10-2004-x64
Endermanch...us.exe
windows7-x64
1Endermanch...us.exe
windows10-2004-x64
1Endermanch....C.exe
windows7-x64
10Endermanch....C.exe
windows10-2004-x64
10Endermanch...rd.exe
windows7-x64
10Endermanch...rd.exe
windows10-2004-x64
9Endermanch...a2.exe
windows7-x64
1Endermanch...a2.exe
windows10-2004-x64
1Endermanch...19.exe
windows7-x64
7Endermanch...19.exe
windows10-2004-x64
7Endermanch...eg.exe
windows7-x64
7Endermanch...eg.exe
windows10-2004-x64
3Endermanch...1).exe
windows7-x64
3Endermanch...1).exe
windows10-2004-x64
3Endermanch...ld.exe
windows7-x64
3Endermanch...ld.exe
windows10-2004-x64
3Resubmissions
03-07-2024 22:59
240703-2yn7wszhlp 1003-07-2024 16:13
240703-tn93lsyglf 1003-07-2024 16:11
240703-tm84xsyfma 1010-05-2024 16:25
240510-tw1h5shh47 1024-08-2023 11:16
230824-nda8msdf8z 10Analysis
-
max time kernel
142s -
max time network
144s -
platform
windows7_x64 -
resource
win7-20230712-en -
resource tags
arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system -
submitted
24-07-2023 06:25
Static task
static1
Behavioral task
behavioral29
Sample
Endermanch@NavaShield(1).exe
Resource
win7-20230712-en
Behavioral task
behavioral30
Sample
Endermanch@NavaShield(1).exe
Resource
win10v2004-20230703-en
General
-
Target
-
Size
6.1MB
-
MD5
04155ed507699b4e37532e8371192c0b
-
SHA1
a14107131237dbb0df750e74281c462a2ea61016
-
SHA256
b6371644b93b9d3b9b32b2f13f8265f9c23ddecc1e9c5a0291bbf98aa0fc3b77
-
SHA512
6de59ebbc9b96c8a19d530caa13aa8129531ebd14b3b6c6bbb758426b59ed5ab12483bfa232d853af2e661021231b4b3fcc6c53e187eeba38fa523f673115371
-
SSDEEP
98304:hvOOFJ+Z8eAgy7SH9s76RSvyqJOBgECfMfYv+85JH0DVczt8A:hvOOFJ+ggr9s76R+wcMAv+IHCczt8
Malware Config
Signatures
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" [email protected] Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" [email protected] Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" [email protected] Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "2" [email protected] Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "2" [email protected] Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" [email protected] -
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
Enumerates VirtualBox registry keys 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest [email protected] -
Drops file in Drivers directory 4 IoCs
description ioc Process File opened for modification C:\Windows\system32\drivers\etc\hosts [email protected] File opened for modification C:\Windows\System32\drivers\etc\hosts [email protected] File created C:\Windows\system32\drivers\etc\host_new [email protected] File created C:\Windows\System32\drivers\etc\hosts [email protected] -
Checks for any installed AV software in registry 1 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Eset\Nod\ [email protected] -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" [email protected] Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" [email protected] -
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\E: [email protected] File opened (read-only) \??\H: [email protected] File opened (read-only) \??\N: [email protected] File opened (read-only) \??\G: [email protected] File opened (read-only) \??\J: [email protected] File opened (read-only) \??\P: [email protected] File opened (read-only) \??\S: [email protected] File opened (read-only) \??\W: [email protected] File opened (read-only) \??\Y: [email protected] File opened (read-only) \??\K: [email protected] File opened (read-only) \??\Q: [email protected] File opened (read-only) \??\T: [email protected] File opened (read-only) \??\U: [email protected] File opened (read-only) \??\Z: [email protected] File opened (read-only) \??\X: [email protected] File opened (read-only) \??\I: [email protected] File opened (read-only) \??\L: [email protected] File opened (read-only) \??\M: [email protected] File opened (read-only) \??\O: [email protected] File opened (read-only) \??\R: [email protected] File opened (read-only) \??\V: [email protected] -
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description ioc Process File opened for modification \??\PhysicalDrive0 [email protected] -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid pid_target Process procid_target 1952 2320 WerFault.exe 16 -
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\IIL = "0" [email protected] Set value (int) \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\ltHI = "0" [email protected] Set value (int) \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\ltTST = "23346" [email protected] -
Suspicious behavior: EnumeratesProcesses 25 IoCs
pid Process 2320 [email protected] 2320 [email protected] 2320 [email protected] 2320 [email protected] 2320 [email protected] 2320 [email protected] 2320 [email protected] 2320 [email protected] 2320 [email protected] 2320 [email protected] 2320 [email protected] 2320 [email protected] 2320 [email protected] 2320 [email protected] 2320 [email protected] 2320 [email protected] 2320 [email protected] 2320 [email protected] 2320 [email protected] 2320 [email protected] 2320 [email protected] 2320 [email protected] 2320 [email protected] 2320 [email protected] 2320 [email protected] -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 2320 wrote to memory of 1952 2320 [email protected] 28 PID 2320 wrote to memory of 1952 2320 [email protected] 28 PID 2320 wrote to memory of 1952 2320 [email protected] 28 PID 2320 wrote to memory of 1952 2320 [email protected] 28 -
System policy modification 1 TTPs 7 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" [email protected] Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" [email protected] Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "2" [email protected] Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "2" [email protected] Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" [email protected] Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System [email protected] Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" [email protected]
Processes
-
C:\Users\Admin\AppData\Local\Temp\[email protected]"C:\Users\Admin\AppData\Local\Temp\[email protected]"1⤵
- UAC bypass
- Enumerates VirtualBox registry keys
- Drops file in Drivers directory
- Checks for any installed AV software in registry
- Checks whether UAC is enabled
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2320 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2320 -s 9522⤵
- Program crash
PID:1952
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
3Pre-OS Boot
1Bootkit
1Virtualization/Sandbox Evasion
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
185B
MD5b8224e5293d4fad1927c751cc00c80e7
SHA1270b8c752c7e93ec5485361fe6ef7b37f0b4513b
SHA256c47da9be4fc4d757add73c49654c9179067af547d0cc758d6356e2955bbfcb61
SHA5128fed9a509e46319529145fa2159251e43040d26080af84e44badaab1dd339c767ff75a2c473bc0abfb448b03beb96718ee34ba6bc150ed3085322878b55a22f2
-
Filesize
977B
MD553316bc0c42b9d65743709021f1d03c7
SHA144cfe377bf7fedee2ce8f888cfacefd283e924e6
SHA256600d914eb6b9ffb387be5b7300ca138192a4e86c4679c9bff36bcf0364e74b36
SHA5129b390f6d7955413c8d63d02dff6988442cf78bbfb72e12f7deab56b190c1a7f455c5af3344ee5a1f7477d383c24e567af4fb7639ab6d9f014935418bf1cf00f6