Overview

overview

10

Static

static

3

Endermanch...pt.exe

windows7-x64

10

Endermanch...pt.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    192s
  • max time network
    180s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    07-03-2024 18:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Endermanch@InfinityCrypt.exe

  • Size

    211KB

  • MD5

    b805db8f6a84475ef76b795b0d1ed6ae

  • SHA1

    7711cb4873e58b7adcf2a2b047b090e78d10c75b

  • SHA256

    f5d002bfe80b48386a6c99c41528931b7f5df736cd34094463c3f85dde0180bf

  • SHA512

    62a2c329b43d186c4c602c5f63efc8d2657aa956f21184334263e4f6d0204d7c31f86bda6e85e65e3b99b891c1630d805b70997731c174f6081ecc367ccf9416

  • SSDEEP

    1536:YoCFfC303p22fkZrRQpnqjoi7l832fbu9ZXILwVENbM:rCVC303p22sZrRQpnviB832Du9WMON

Score
10/10
infinitylockransomware

Malware Config

Signatures

  • InfinityLock Ransomware

    Also known as InfinityCrypt. Based on the open-source HiddenTear ransomware.

    ransomwareinfinitylock
  • Drops file in Program Files directory 64 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Endermanch@InfinityCrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\Endermanch@InfinityCrypt.exe"
    1⤵
    • Drops file in Program Files directory
    • Checks processor information in registry
    • Suspicious use of AdjustPrivilegeToken
    PID:2648
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2272
  • C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1640
    • C:\Windows\system32\NETSTAT.EXE
      netstat -b
      2⤵
      • Gathers network information
      • Suspicious use of AdjustPrivilegeToken
      PID:1412

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightYellow\TAB_OFF.GIF.9B0379BF114789273DAFA419935A3FDBA2C7CC70F2D246523F2DD9AA11D647E6
    Filesize

    352B

    MD5

    f8f385e76aab9b30d76226dd9a16d829

    SHA1

    07590c0fe2912eca38cdd52502a73f344a086c54

    SHA256

    a039fef0bd77d043f76d0107fb393e96f67862eb7e7b4cd839f9db97e723fcb6

    SHA512

    3ac70da3720d7f6ed6df65ddf7fac8c5cb0f637371aa649579759c0de9e72bc71f365dd8ed490cf8348fb8af00f25cb30246ce960b4d48c21f7af05fa49d2e1f

    Download Submit
  • C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightYellow\TAB_ON.GIF.9B0379BF114789273DAFA419935A3FDBA2C7CC70F2D246523F2DD9AA11D647E6
    Filesize

    224B

    MD5

    058de27aed7e26f6a3c2949e2f13917b

    SHA1

    884dacafe41d1dc328b9a27a296b9b122d2c35a5

    SHA256

    57bdafc1109a529cc21618e2797012aa8b2b61674f0d3f6f474fd3688a0ba4ff

    SHA512

    82ed43217f45f45a0f75a37596dd5a08d654d116020bbc844a5664d5b805ea2d85cdedbd9a94381f1bb38143cd5a03b4cd45cc5c49255a5096fdea4df83e12a6

    Download Submit
  • C:\Program Files (x86)\Microsoft Office\Office14\1033\INFOPATH_F_COL.HXK.9B0379BF114789273DAFA419935A3FDBA2C7CC70F2D246523F2DD9AA11D647E6
    Filesize

    128B

    MD5

    db5fc5ec1a9c490fc8d0ae46fcc42a12

    SHA1

    992b4b8d750f47302c288e475207358bfaaa6e64

    SHA256

    0939866cb7cb5f13a5ce99a1bf99fdb5893ed1d15431c72feb08b40c1bf75e3a

    SHA512

    5de3fc262b89bdc4a0a5ced6206b1737bfc36519457edb4ffa763425208e5bfbd3359986f21dd153f0f9855a4fc0b32c802e0a1bf8cb83f47e7dc2a4e2e522d2

    Download Submit
  • C:\Program Files (x86)\Microsoft Office\Office14\1033\INFOPATH_K_COL.HXK.9B0379BF114789273DAFA419935A3FDBA2C7CC70F2D246523F2DD9AA11D647E6
    Filesize

    128B

    MD5

    6ec7608322a58b92174e34cb123c64d5

    SHA1

    ca08b75e872b7ca05294ca8afbb5c91cf83ec3fb

    SHA256

    ed6b6c64322bf8d7536c53fdb919ddfff383219ee56ba8e0efe253e6a4e74c68

    SHA512

    161e574c54bd217d153baf17942e3cd36b83ad2b5326a4dfca91c7473c84fb5a1c316557411fe38f6d34e586302c07c2a53bd29df72f809ae0723e5ee4cb5d9e

    Download Submit
  • C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue\BUTTON.GIF.9B0379BF114789273DAFA419935A3FDBA2C7CC70F2D246523F2DD9AA11D647E6
    Filesize

    192B

    MD5

    65394900d0e5849f888ac27fc19bcddd

    SHA1

    bd9dfc4bb58477ebda64ba8499d880984c760f70

    SHA256

    6d51146f048b93dafb2fd587fcbba8cc7eb8c9d61544b5dc6aeb0113469fe9be

    SHA512

    6a314159031e65a29b41e0e1509e8a8b04fd6abd11de3bdfa32a9b2aace3a80a7920eb40ee32f5ae514392dc892f3a7c12c9d981b8ae613e2b738d5acf4fc761

    Download Submit
  • C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\TAB_OFF.GIF.9B0379BF114789273DAFA419935A3FDBA2C7CC70F2D246523F2DD9AA11D647E6
    Filesize

    512B

    MD5

    17b18f0a97bd5020fa425ff5af58f82e

    SHA1

    88b56c72fbe78c4e3390e5fab35dcf2dd0838b85

    SHA256

    14a804986c18fd8573189055995aa13b616cc4c64a4ec181238444dda55589a7

    SHA512

    21d81526da51d3d9fbb7faad35bd217fab7076dd6f145b1f0cc548be956426a51b1b7672f9fe045da50debf4c2a56e9b1213035c1afd698d2acb95c78de13f31

    Download Submit
  • C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\TAB_ON.GIF.9B0379BF114789273DAFA419935A3FDBA2C7CC70F2D246523F2DD9AA11D647E6
    Filesize

    1KB

    MD5

    8d224ed17a6140ea6a127bcbf7e89c6d

    SHA1

    21c24b8b975b4ef19a28c2801b02f236dd5e61aa

    SHA256

    cf8a8cf51e092497addd7b8e9bf7fae9a23c3de32450d0512454ccab83b379b1

    SHA512

    358a91a3279e523cc0904166568ac19a3fd158a38a28904fe8a7c751529146d7adcd0580a7c942965b1de7390a619d1346481963a8677d6b03075dbf0ae3c32c

    Download Submit
  • C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.NO.XML.9B0379BF114789273DAFA419935A3FDBA2C7CC70F2D246523F2DD9AA11D647E6
    Filesize

    816B

    MD5

    48a01f34dc0bab8d4ec0ed9087ad74a4

    SHA1

    4a63b5a922f4f0014157e257f9a8f393bc29dad9

    SHA256

    b9b7e46cea24868a2d4e1c319cc4cb8a7cbd0244aa1a909a46313778171ac31f

    SHA512

    fa5f22d62bb00df0dc624f256c28affeb518ce759dcea124b9dfa0e9109dbbbb0137ef827543ce7f12f169126645e33c0cc0300399447dad0d932bb5f685ddaa

    Download Submit
  • memory/2272-567-0x0000000002C90000-0x0000000002CA0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2272-2839-0x0000000140000000-0x00000001405E8000-memory.dmp
    Filesize

    5.9MB

    Download
  • memory/2272-2859-0x0000000140000000-0x00000001405E8000-memory.dmp
    Filesize

    5.9MB

    Download
  • memory/2272-562-0x0000000140000000-0x00000001405E8000-memory.dmp
    Filesize

    5.9MB

    Download
  • memory/2272-563-0x0000000140000000-0x00000001405E8000-memory.dmp
    Filesize

    5.9MB

    Download
  • memory/2648-499-0x0000000074610000-0x0000000074CFE000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2648-1-0x0000000074610000-0x0000000074CFE000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2648-0-0x0000000001240000-0x000000000127C000-memory.dmp
    Filesize

    240KB

    Download
  • memory/2648-2-0x0000000000CE0000-0x0000000000D20000-memory.dmp
    Filesize

    256KB

    Download
  • memory/2648-521-0x0000000000CE0000-0x0000000000D20000-memory.dmp
    Filesize

    256KB

    Download
  • memory/2648-5348-0x0000000000CE0000-0x0000000000D20000-memory.dmp
    Filesize

    256KB

    Download
  • memory/2648-5349-0x0000000000CE0000-0x0000000000D20000-memory.dmp
    Filesize

    256KB

    Download