Analysis

  • max time kernel
    95s
  • max time network
    78s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240729-en locale:en-us os:windows7-x64 system
  • submitted
    03-08-2024 12:48

General

  • Target

  • Size

    211KB

  • MD5

    b805db8f6a84475ef76b795b0d1ed6ae

  • SHA1

    7711cb4873e58b7adcf2a2b047b090e78d10c75b

  • SHA256

    f5d002bfe80b48386a6c99c41528931b7f5df736cd34094463c3f85dde0180bf

  • SHA512

    62a2c329b43d186c4c602c5f63efc8d2657aa956f21184334263e4f6d0204d7c31f86bda6e85e65e3b99b891c1630d805b70997731c174f6081ecc367ccf9416

  • SSDEEP

    1536:YoCFfC303p22fkZrRQpnqjoi7l832fbu9ZXILwVENbM:rCVC303p22sZrRQpnviB832Du9WMON

Malware Config

Signatures

  • InfinityLock Ransomware

    Also known as InfinityCrypt. Based on the open-source HiddenTear ransomware.

  • Drops file in Program Files directory (64 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery (1 TTP, 1 IoC)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry (2 TTPs, 2 IoCs)

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class (13 IoCs)
  • Opens file in notepad (likely ransom note) (2 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of WriteProcessMemory (3 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\[email protected]
    "C:\Users\Admin\AppData\Local\Temp\[email protected]"
    1⤵
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Checks processor information in registry
    • Suspicious use of AdjustPrivilegeToken
    PID:1956
  • C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\SendBackup.M2TS.DBCA90211FFACD400F164AAB5B172C250E62EE663284264AA53B5F241397FCB0
    1⤵
    • Modifies registry class
    PID:1188
  • C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\SendBackup.M2TS.DBCA90211FFACD400F164AAB5B172C250E62EE663284264AA53B5F241397FCB0
    1⤵
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:2396
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\SendBackup.M2TS.DBCA90211FFACD400F164AAB5B172C250E62EE663284264AA53B5F241397FCB0
      2⤵
      • Opens file in notepad (likely ransom note)
      PID:1332
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\SplitRemove.rm.DBCA90211FFACD400F164AAB5B172C250E62EE663284264AA53B5F241397FCB0
    1⤵
    • Opens file in notepad (likely ransom note)
    PID:1944

Network

MITRE ATT&CK Enterprise v15

Downloads
