Resubmissions
10-05-2024 16:25
240510-tw1h5shh47 1024-08-2023 11:16
230824-nda8msdf8z 1005-08-2023 22:52
230805-2tn2bsfa82 1024-07-2023 06:25
230724-g6s6laag35 1022-07-2023 15:57
230722-tee6wabg5w 1020-07-2023 23:19
230720-3bb5gsbf5v 1020-07-2023 23:06
230720-23f23sba63 1003-02-2021 11:43
210203-6bgge2nfan 1022-11-2020 06:42
201122-6x1at779dj 10Analysis
-
max time kernel
158s -
max time network
157s -
platform
windows10-2004_x64 -
resource
win10v2004-20230703-en -
resource tags
-
submitted
24-07-2023 06:25
General
-
Target
Endermanch@InternetSecurityGuard.exe
-
Size
6.1MB
-
MD5
04155ed507699b4e37532e8371192c0b
-
SHA1
a14107131237dbb0df750e74281c462a2ea61016
-
SHA256
b6371644b93b9d3b9b32b2f13f8265f9c23ddecc1e9c5a0291bbf98aa0fc3b77
-
SHA512
6de59ebbc9b96c8a19d530caa13aa8129531ebd14b3b6c6bbb758426b59ed5ab12483bfa232d853af2e661021231b4b3fcc6c53e187eeba38fa523f673115371
-
SSDEEP
98304:hvOOFJ+Z8eAgy7SH9s76RSvyqJOBgECfMfYv+85JH0DVczt8A:hvOOFJ+ggr9s76R+wcMAv+IHCczt8
Malware Config
Signatures
-
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
Enumerates VirtualBox registry keys 2 TTPs 1 IoCs
-
Blocks application from running via registry modification 18 IoCs
Adds application to list of disallowed applications.
-
Drops file in Drivers directory 4 IoCs
-
Sets file execution options in registry 2 TTPs 64 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unexpected DNS network traffic destination 36 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
-
Adds Run key to start application 2 TTPs 5 IoCs
-
Checks for any installed AV software in registry 1 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies Internet Explorer settings 1 TTPs 11 IoCs
-
Modifies data under HKEY_USERS 6 IoCs
-
Modifies registry class 15 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SendNotifyMessage 2 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Endermanch@InternetSecurityGuard.exe"C:\Users\Admin\AppData\Local\Temp\Endermanch@InternetSecurityGuard.exe"1⤵
- Enumerates VirtualBox registry keys
- Blocks application from running via registry modification
- Drops file in Drivers directory
- Sets file execution options in registry
- Adds Run key to start application
- Checks for any installed AV software in registry
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Wbem\mofcomp.exemofcomp "C:\Users\Admin\AppData\Local\Temp\8463.mof"2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\netsh.exenetsh "firewall" add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Endermanch@InternetSecurityGuard.exe" "Internet Security Guard" ENABLE2⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup -q=txt cjru459cdmsvzbd.com 8.8.8.82⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup -q=txt cjru459cdmsvzbd.net 8.8.8.82⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup -q=txt cjru459cdmsvzbd.com 208.67.222.2222⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup -q=txt cjru459cdmsvzbd.net 208.67.222.2222⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup -q=txt cjru459cdmsvzbd.com 8.8.4.42⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup -q=txt cjru459cdmsvzbd.net 8.8.4.42⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup -q=txt cjru459cdmsvzbd.com 208.67.220.2202⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup -q=txt cjru459cdmsvzbd.net 208.67.220.2202⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup -q=txt lmn187nwcjjmttcd.com 8.8.8.82⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup -q=txt lmn187nwcjjmttcd.net 8.8.8.82⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup -q=txt lmn187nwcjjmttcd.com 208.67.222.2222⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup -q=txt lmn187nwcjjmttcd.net 208.67.222.2222⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup -q=txt lmn187nwcjjmttcd.com 8.8.4.42⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup -q=txt lmn187nwcjjmttcd.net 8.8.4.42⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup -q=txt lmn187nwcjjmttcd.com 208.67.220.2202⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup -q=txt lmn187nwcjjmttcd.net 208.67.220.2202⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup -q=txt jnuxfmopyej1598l.com 8.8.8.82⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup -q=txt jnuxfmopyej1598l.net 8.8.8.82⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup -q=txt jnuxfmopyej1598l.com 208.67.222.2222⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup -q=txt jnuxfmopyej1598l.net 208.67.222.2222⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup -q=txt jnuxfmopyej1598l.com 8.8.4.42⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup -q=txt jnuxfmopyej1598l.net 8.8.4.42⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup -q=txt jnuxfmopyej1598l.com 208.67.220.2202⤵
-
C:\Windows\SysWOW64\nslookup.exenslookup -q=txt jnuxfmopyej1598l.net 208.67.220.2202⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Pre-OS Boot
1Bootkit
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Defense Evasion
Virtualization/Sandbox Evasion
1Modify Registry
3Pre-OS Boot
1Bootkit
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\7ec1c\IS559.exeFilesize
6.1MB
MD504155ed507699b4e37532e8371192c0b
SHA1a14107131237dbb0df750e74281c462a2ea61016
SHA256b6371644b93b9d3b9b32b2f13f8265f9c23ddecc1e9c5a0291bbf98aa0fc3b77
SHA5126de59ebbc9b96c8a19d530caa13aa8129531ebd14b3b6c6bbb758426b59ed5ab12483bfa232d853af2e661021231b4b3fcc6c53e187eeba38fa523f673115371
-
C:\ProgramData\ISXKQMFG\ISEWWMAJQG.cfgFilesize
185B
MD5b8224e5293d4fad1927c751cc00c80e7
SHA1270b8c752c7e93ec5485361fe6ef7b37f0b4513b
SHA256c47da9be4fc4d757add73c49654c9179067af547d0cc758d6356e2955bbfcb61
SHA5128fed9a509e46319529145fa2159251e43040d26080af84e44badaab1dd339c767ff75a2c473bc0abfb448b03beb96718ee34ba6bc150ed3085322878b55a22f2
-
C:\ProgramData\ISXKQMFG\ISEWWMAJQG.cfgFilesize
379B
MD5e2abeecfc462961a4a507b07095ec128
SHA1a5e069d7439e0680381619133e771b72dd9ec3fa
SHA2565b62dff31e0421c4974bae36f760860c930b8312232cc6cf6281e1668cd6cbf5
SHA51243ffefc750eef709843016f26334965f2426cff90409603c64e610c22e14df41e1fd4a72d9ecdba0f2e361ff185d86626f6ba7214ba438d32d3ef2ee392c003a
-
C:\ProgramData\ISXKQMFG\ISEWWMAJQG.cfgFilesize
662B
MD5e6222b141530045907ff8c0293096731
SHA1377068be7f539a504911f224186ffcf8b05bfb97
SHA256ae7b6f1be3b25858bd80aa1423d6dbef0a17b8339213f91c172fe8a2f52e7c2c
SHA5120296c2c93a2852cfd21b75289be1b2b879bf9cd0e7dd463cb37c7c019ab6d2750a38f6ac0137da41b6522015cd4c68ffb21f649ce1195284840b5deb1ae071ab
-
C:\ProgramData\ISXKQMFG\ISEWWMAJQG.cfgFilesize
1KB
MD5c58fec632056a1a8ff6e18f87dde29ec
SHA1393b0aaf3b9fbf1a8d886807d8f357efd99e58e7
SHA2563e66e40aeb1dd21ae90ac9339f5cde66749eed39bc3f4ade30c3dda0aeedcae1
SHA512b4259d68e4fe9b1dafeb98a4ed4dfd9e5deaed670a562dbc61adbad1cd763901f311b11fa68a18c7034386630f84ce4cc741feda6bb76d88786a45b96f3ce81e
-
C:\ProgramData\ISXKQMFG\ISEWWMAJQG.cfgFilesize
1KB
MD56d88cb0b38e6ea85b8bacb19aeba96c0
SHA1f65684b7eda74f5ffaea1dc8adc3acdb1a51b6c5
SHA2567eb61bf791a04ccbb8f280d842f7f62bb9fd5536f1427efa73e38eb69727c829
SHA51285266e3a9154f5e322c30781e50be60c87932ecf939d9b2a5e4415af9c94f32fb69170d9c06887be0fb6d62d6b09a1c7092df75557287b57153b3e546f983b00
-
C:\ProgramData\ISXKQMFG\ISEWWMAJQG.cfgFilesize
1KB
MD54b5f2b96da86182f06d1aeebae59a2c3
SHA17ac97aeffed9178fc681c83835e5354a1f035e25
SHA25690ec732c936607b8e10c7189abcb634fecc3de375b28997484240bdde7306edc
SHA51233e6d37c241c48bc790ddc4f2b277c4cc87372387355710366ff1304870d5acefb43383f65d3cdaa95f8bda67daa8d0ba76dc2cee9f0de0530762fc56b9da47f
-
C:\ProgramData\ISXKQMFG\ISEWWMAJQG.cfgFilesize
2KB
MD5805ed3e5ecc4c3910cdac0f096282ebe
SHA15bdda77819d357534205c1db3217b57223fcbe67
SHA256af36fdc2720b88afd40816207a026b2ff0e457122d8f92521c79ffaabad33eb7
SHA51218a84885beea760cf2588ac29f53755c05fe8ecfd3df70fff127d31100e10dfe53afd7da9a2e3dbf66c1dfb3447b2120403aab02ed2c097a9a0bdd7290f60f5d
-
C:\ProgramData\ISXKQMFG\ISEWWMAJQG.cfgFilesize
2KB
MD5c894f63d7513dd284dcb85b787d097c4
SHA1616807cd59ba5d8843fcbacf8ab6e4b1cacf162f
SHA256ae2df0a3c3cfab4452f40dbbd9748cb9a484c21c77d2e4b1e7aac8854f496881
SHA512fb67c4d9182300a4d1dc874899992223a1404c8d7234431cee8a6876c2d3b0962a828c0322d46c4f30b00188f40be924fe63ce66d8a434f96b153fcb7a15de7d
-
C:\ProgramData\ISXKQMFG\ISEWWMAJQG.cfgFilesize
5KB
MD5e678510999f7e6e335349f9479a64515
SHA1242577a90786b871ba729b872fb2b197c494213f
SHA256b04f8fab8ec18d0dfd0a44269bc3a79b2b808f91c934cc48393c823ab56d425c
SHA51276dd68494dd62d0c51c83184a29336817f984430d99f3d7c4b1cbcdd03b32b1ced07aa7256cf42ce71dbf88adea34595c0624d0f0951a25b6d40eb4cd6d99541
-
C:\ProgramData\ISXKQMFG\ISEWWMAJQG.cfgFilesize
5KB
MD5e678510999f7e6e335349f9479a64515
SHA1242577a90786b871ba729b872fb2b197c494213f
SHA256b04f8fab8ec18d0dfd0a44269bc3a79b2b808f91c934cc48393c823ab56d425c
SHA51276dd68494dd62d0c51c83184a29336817f984430d99f3d7c4b1cbcdd03b32b1ced07aa7256cf42ce71dbf88adea34595c0624d0f0951a25b6d40eb4cd6d99541
-
C:\ProgramData\ISXKQMFG\ISEWWMAJQG.cfgFilesize
6KB
MD557284618e6d9017be36f6d956c5f71e5
SHA11ae74479039ed7b141e2ede8e6b1b333bb1d43ef
SHA256000073c55447e37d7bc6fb687df65efa1c10d68866f65f9ab54a2ea8174d5e48
SHA512dca94435662ef779cccfb1eee43ba252d857c12a44790d30e58d186c1ae0088fd4ac0674b324dd53ba2612621ea0a00347a4a5d2670f51490036a704ef4a135e
-
C:\ProgramData\ISXKQMFG\ISEWWMAJQG.cfgFilesize
6KB
MD54dcfbf8633e5fa7daa5687b50de12cc0
SHA16d0a9b9308fefce5c826e26cddea212bafbf9a4d
SHA256fe2b8177ab356824225375915607296cc61845859b58bdbea7eb1a91d17b1b77
SHA512946da018aab5ef718025e273f1f1a35f463fd981f32a78805953878e719c309aa0bd1f67c4273d06a5a6eb13f7ed5d33a21bd814269ff51ad1f0025ce2f8b522
-
C:\ProgramData\ISXKQMFG\ISEWWMAJQG.cfgFilesize
7KB
MD52c7fc7caea8db5e177c76969e0a97f9c
SHA1fd68cde082b278027a75d6ecbb117c3a095973c6
SHA2563441836e6d0a38625eb2d589308bfbfed53ca6822315a5b7dfa0664f77feb5a9
SHA512408337eed476c8aa9b5b98df7710b716f55edb72d35bc957053da2ff22d591c3bb6af40391ee61dcf021641112c3b0160426e4edb5b5785ee4cf94177166e4e6
-
C:\ProgramData\ISXKQMFG\ISEWWMAJQG.cfgFilesize
8KB
MD5452d1d39d86a08872500beb19c6f4b43
SHA1edb802fa8ada679d54e47b3315a44a37ee097c28
SHA2563847b3c8a32e52aaa3225efeabe0e19eea8b4074f796a6a8bc50db888044dc3d
SHA51244700bb782b145e67766b1134b5da34e2e2ca54fceff41e57ae4b992ac67d8328d9a5f1fc38d682ebed5e75ceea04786d8910750366ae71730e6d0ccd8047d5a
-
C:\ProgramData\ISXKQMFG\ISEWWMAJQG.cfgFilesize
9KB
MD51b148338b6b27d900ed309d579745053
SHA1b1bac33cf823ce4e484683e5414230ccb47eeb94
SHA2561145274e81c66e4cc1bd7a78d913a06c11bbb17e41766fa2540d8b29f8dae6c5
SHA5121adc8d28c78190a3e147cbccdf2dca54d2191eca2fe0b15ce76d8f2fb3c9924309a717c21bf59ac30b593d5611e81009b6b6326774685128bc4b59298084562d
-
C:\ProgramData\ISXKQMFG\ISEWWMAJQG.cfgFilesize
11KB
MD546c89f8351a3992cba0ae2185eda775b
SHA1f354d256b4144e0822245dcd637c0cf0ff97f305
SHA256895111cbd93bb0371aee30e607ea613d9e239b5f65d6ee798768dfc0129f7f8d
SHA5129f9bd015c43b445052c1eb9faabe9652da278b6689f61dae1add1fb4c7570c8eb6edb0e14393f31facdc13d76230581f8d8949a24bd44f1513423b20ee57e600
-
C:\ProgramData\ISXKQMFG\ISEWWMAJQG.cfgFilesize
11KB
MD546c89f8351a3992cba0ae2185eda775b
SHA1f354d256b4144e0822245dcd637c0cf0ff97f305
SHA256895111cbd93bb0371aee30e607ea613d9e239b5f65d6ee798768dfc0129f7f8d
SHA5129f9bd015c43b445052c1eb9faabe9652da278b6689f61dae1add1fb4c7570c8eb6edb0e14393f31facdc13d76230581f8d8949a24bd44f1513423b20ee57e600
-
C:\ProgramData\ISXKQMFG\ISEWWMAJQG.cfgFilesize
13KB
MD517ed7af615553ecb9cfb40b0b64dbdfe
SHA123f478ed6ff78890b65128ea4588b3c6bdbf3868
SHA2566208baa733a69317f17f909a5d7b993b1eeb82fbcfdf8e26373693e568d1f9e9
SHA512fdc69b01d67985125ac627c0f7092109649ca97f5ca4b4c83956c37f2292adc81d955827501a814e73adc44d6ca07bb5d4e765e6976cf130ca2aec2cf59565b2
-
C:\ProgramData\ISXKQMFG\ISEWWMAJQG.cfgFilesize
14KB
MD59189cbc8f580784c0244b982ea3c52f1
SHA1f8b3814be859070458ebdb067c533a9e7ad51d9c
SHA256bbcad377f92d6dbade8ad9f8edc76f7b82ff84141bb63ff0449558a80ab8c145
SHA512bd3d822bed6f8edb30d5f651baee5e3f9ad06cbe04c5c4192f566281aebf38bc39b705db32c8a6cba58e3274131d9fd6dcef4cf5dfa308b12e7164099ca25ef0
-
C:\ProgramData\ISXKQMFG\ISEWWMAJQG.cfgFilesize
15KB
MD51ff05229b9eb13b0c099d7bf78b68d82
SHA1e9db60ff493fc138e6907e48884111a608f2f674
SHA256a7e089470d47e8742530c3b599beb21ab71b7bec418989101b282e792a96175d
SHA51253f8e0f8a841c59b97958c15ea79a06a32320067bd84b6391c7472be9d520685f8223b3a62189f42c2e78753c3a866b1c706a5b5b81ffd16fccc8872de873e87
-
C:\ProgramData\ISXKQMFG\ISEWWMAJQG.cfgFilesize
16KB
MD556590800c83db05d002bd29bb8286b76
SHA120449e5219264544d840f62b73b8520322a8f275
SHA2560a1362221796220eb97b9c65e57e9751da73dd83e5692385b02a9cb94018027b
SHA512f88bd188cb6c32a42164209fb7962f9db650f80bcb6f831ebff6c1dece2d55e3fe2dd0257c9f6dd59d31d800f160246664e27cce5f688dd6c23b624209d19851
-
C:\Users\Admin\AppData\Local\Temp\8463.mofFilesize
344B
MD53754f8f8abad5bad797085d0717a9766
SHA148d92f36cb721b390e216aa03b27b41f25c563fc
SHA2563c77f5f888d417a7a31284cb8c5e3bdb4d926c4a274cecac8a8b2920659d5927
SHA512c59f322ece53c757767e52fe9bfbc3526a13afe9ec7503e3d1cae683eeb55cbb808a1bce720fd58f97f286756d314124bcf797c2167275e08ed93ba759bf3985
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\suuk1m1w.default-release\prefs.jsFilesize
6KB
MD5494fd39c6c3b65f63bd38507db6395c1
SHA1b3b49acd8e21d49f400d36a4cf3bec06910fae17
SHA256266d02f6a284375cce18085283dde546d2e8da53dc118539d26a9582b47c777f
SHA5123293515b7adecf1e0713599ffc86a387113eec59bd4fac4f190fc7e4d80e0c81db875ccfd56d5201090c28746da478db9a90ecadd73ab4110b4f9e06e344e8a7
-
C:\Windows\System32\drivers\etc\hostsFilesize
1KB
MD5008fba141529811128b8cd5f52300f6e
SHA11a350b35d82cb4bd7a924b6840c36a678105f793
SHA256ab0e454a786ef19a3ae1337f10f47354ffa9521ea5026e9e11174eca22d86e84
SHA51280189560b6cf180a9c1ecafc90018b48541687f52f5d49b54ca25e040b3264da053e3d4dbb0cd38caaf496e23e516de18f500b333e3cda1fd1b25c6e9632defc
-
memory/3356-504-0x0000000000710000-0x0000000000711000-memory.dmpFilesize
4KB
-
memory/3356-737-0x0000000013140000-0x0000000013764000-memory.dmpFilesize
6.1MB
-
memory/3356-627-0x0000000013140000-0x0000000013764000-memory.dmpFilesize
6.1MB
-
memory/3356-406-0x0000000013140000-0x0000000013764000-memory.dmpFilesize
6.1MB
-
memory/3356-626-0x0000000013140000-0x0000000013764000-memory.dmpFilesize
6.1MB
-
memory/3356-133-0x0000000000710000-0x0000000000711000-memory.dmpFilesize
4KB
-
memory/3356-625-0x0000000013140000-0x0000000013764000-memory.dmpFilesize
6.1MB
-
memory/3356-574-0x0000000013140000-0x0000000013764000-memory.dmpFilesize
6.1MB
-
memory/3356-740-0x0000000013140000-0x0000000013764000-memory.dmpFilesize
6.1MB
-
memory/3356-743-0x0000000013140000-0x0000000013764000-memory.dmpFilesize
6.1MB
-
memory/3356-744-0x0000000013140000-0x0000000013764000-memory.dmpFilesize
6.1MB
-
memory/3356-745-0x0000000013140000-0x0000000013764000-memory.dmpFilesize
6.1MB
-
memory/3356-746-0x0000000013140000-0x0000000013764000-memory.dmpFilesize
6.1MB
-
memory/3356-747-0x0000000013140000-0x0000000013764000-memory.dmpFilesize
6.1MB
-
memory/3356-748-0x0000000013140000-0x0000000013764000-memory.dmpFilesize
6.1MB
-
memory/3356-749-0x0000000013140000-0x0000000013764000-memory.dmpFilesize
6.1MB