Overview
overview
10Static
static
10Endermanch...is.exe
windows7-x64
1Endermanch...is.exe
windows10-2004-x64
Endermanch...ug.exe
windows7-x64
6Endermanch...ug.exe
windows10-2004-x64
6Endermanch...ck.exe
windows7-x64
7Endermanch...ck.exe
windows10-2004-x64
7Endermanch...om.exe
windows7-x64
1Endermanch...om.exe
windows10-2004-x64
1Endermanch...le.exe
windows7-x64
1Endermanch...le.exe
windows10-2004-x64
1Endermanch...er.exe
windows7-x64
7Endermanch...er.exe
windows10-2004-x64
7Endermanch...er.exe
windows7-x64
7Endermanch...er.exe
windows10-2004-x64
7Endermanch...er.exe
windows7-x64
Endermanch...er.exe
windows10-2004-x64
Endermanch...us.exe
windows7-x64
1Endermanch...us.exe
windows10-2004-x64
1Endermanch....C.exe
windows7-x64
10Endermanch....C.exe
windows10-2004-x64
10Endermanch...rd.exe
windows7-x64
10Endermanch...rd.exe
windows10-2004-x64
9Endermanch...a2.exe
windows7-x64
1Endermanch...a2.exe
windows10-2004-x64
1Endermanch...19.exe
windows7-x64
7Endermanch...19.exe
windows10-2004-x64
7Endermanch...eg.exe
windows7-x64
7Endermanch...eg.exe
windows10-2004-x64
3Endermanch...1).exe
windows7-x64
3Endermanch...1).exe
windows10-2004-x64
3Endermanch...ld.exe
windows7-x64
3Endermanch...ld.exe
windows10-2004-x64
3Resubmissions
03-07-2024 22:59
240703-2yn7wszhlp 1003-07-2024 16:13
240703-tn93lsyglf 1003-07-2024 16:11
240703-tm84xsyfma 1010-05-2024 16:25
240510-tw1h5shh47 1024-08-2023 11:16
230824-nda8msdf8z 10Analysis
-
max time kernel
148s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20230703-en -
resource tags
arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system -
submitted
24-07-2023 06:25
Static task
static1
Behavioral task
behavioral29
Sample
Endermanch@NavaShield(1).exe
Resource
win7-20230712-en
Behavioral task
behavioral30
Sample
Endermanch@NavaShield(1).exe
Resource
win10v2004-20230703-en
General
-
Target
-
Size
1.1MB
-
MD5
2eb3ce80b26345bd139f7378330b19c1
-
SHA1
10122bd8dd749e20c132d108d176794f140242b0
-
SHA256
8abed3ea04d52c42bdd6c9169c59212a7d8c649c12006b8278eda5aa91154cd2
-
SHA512
e3223cd07d59cd97893304a3632b3a66fd91635848160c33011c103cca2badbfe9b78fe258666b634e455872f3a98889ede5a425d8fae91cae6983da1ea1190a
-
SSDEEP
24576:pXhZgPlmWcA4Te9+g6+lET/+xRXKRwFSmjTGIWrwg:xInpSe99pCkRXKRMdGIWrN
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\Control Panel\International\Geo\Nation [email protected] -
Executes dropped EXE 1 IoCs
pid Process 4752 lpsprt.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SoftProz = "C:\\Program Files (x86)\\HjuTygFcvX\\lpsprt.exe" lpsprt.exe -
Drops file in Program Files directory 4 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\HjuTygFcvX [email protected] File created C:\Program Files (x86)\HjuTygFcvX\__tmp_rar_sfx_access_check_240625078 [email protected] File created C:\Program Files (x86)\HjuTygFcvX\lpsprt.exe [email protected] File opened for modification C:\Program Files (x86)\HjuTygFcvX\lpsprt.exe [email protected] -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of FindShellTrayWindow 19 IoCs
pid Process 4752 lpsprt.exe 4752 lpsprt.exe 4752 lpsprt.exe 4752 lpsprt.exe 4752 lpsprt.exe 4752 lpsprt.exe 4752 lpsprt.exe 4752 lpsprt.exe 4752 lpsprt.exe 4752 lpsprt.exe 4752 lpsprt.exe 4752 lpsprt.exe 4752 lpsprt.exe 4752 lpsprt.exe 4752 lpsprt.exe 4752 lpsprt.exe 4752 lpsprt.exe 4752 lpsprt.exe 4752 lpsprt.exe -
Suspicious use of SendNotifyMessage 19 IoCs
pid Process 4752 lpsprt.exe 4752 lpsprt.exe 4752 lpsprt.exe 4752 lpsprt.exe 4752 lpsprt.exe 4752 lpsprt.exe 4752 lpsprt.exe 4752 lpsprt.exe 4752 lpsprt.exe 4752 lpsprt.exe 4752 lpsprt.exe 4752 lpsprt.exe 4752 lpsprt.exe 4752 lpsprt.exe 4752 lpsprt.exe 4752 lpsprt.exe 4752 lpsprt.exe 4752 lpsprt.exe 4752 lpsprt.exe -
Suspicious use of WriteProcessMemory 2 IoCs
description pid Process procid_target PID 1124 wrote to memory of 4752 1124 [email protected] 84 PID 1124 wrote to memory of 4752 1124 [email protected] 84
Processes
-
C:\Users\Admin\AppData\Local\Temp\[email protected]"C:\Users\Admin\AppData\Local\Temp\[email protected]"1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1124 -
C:\Program Files (x86)\HjuTygFcvX\lpsprt.exe"C:\Program Files (x86)\HjuTygFcvX\lpsprt.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4752
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
911KB
MD52e6360eeebcafd207ad6f4cfc81afdb3
SHA16d85d48c8c809ad0ee5f7b1b20ef79e871466072
SHA2563a31f386f4a68827d8cbfeb087c017f871d80ab4565a2266f692fbe6cfea9c3b
SHA51236e1cadeff91158c0e96585d7550dc193a6470f5fccf3cf98845c4291becc6dae39609771cc8157493bc6cb405446ac55a1790108c6c213293bf4a56ecf381e4
-
Filesize
911KB
MD52e6360eeebcafd207ad6f4cfc81afdb3
SHA16d85d48c8c809ad0ee5f7b1b20ef79e871466072
SHA2563a31f386f4a68827d8cbfeb087c017f871d80ab4565a2266f692fbe6cfea9c3b
SHA51236e1cadeff91158c0e96585d7550dc193a6470f5fccf3cf98845c4291becc6dae39609771cc8157493bc6cb405446ac55a1790108c6c213293bf4a56ecf381e4
-
Filesize
911KB
MD52e6360eeebcafd207ad6f4cfc81afdb3
SHA16d85d48c8c809ad0ee5f7b1b20ef79e871466072
SHA2563a31f386f4a68827d8cbfeb087c017f871d80ab4565a2266f692fbe6cfea9c3b
SHA51236e1cadeff91158c0e96585d7550dc193a6470f5fccf3cf98845c4291becc6dae39609771cc8157493bc6cb405446ac55a1790108c6c213293bf4a56ecf381e4