d89f8d317cf5f8600cc5abe52846f38bf191ecbfb841817696d89d59dbca03c1

Analysis

max time kernel
299s
max time network
124s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
01/11/2024, 07:08 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

other malware cuz why not/Endermanch@NavaShield.exe
Size

9.7MB
MD5

1f13396fa59d38ebe76ccc587ccb11bb
SHA1

867adb3076c0d335b9bfa64594ef37a7e2c951ff
SHA256

83ecb875f87150a88f4c3d496eb3cb5388cd8bafdff4879884ececdbd1896e1d
SHA512

82ca2c781bdaa6980f365d1eedb0af5ac5a80842f6edc28a23a5b9ea7b6feec5cd37d54bd08d9281c9ca534ed0047e1e234873b06c7d2b6fe23a7b88a4394fdc
SSDEEP

196608:CtbTP1ErBwMQjd1YTHdmpCP2PVgP/acIE/xQ0zyZejVk+YzbRdTZ:C1E1+dYx6OP9hdyZwV4zd

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2656	NavaShield.exe
2768	NavaBridge.exe
1576	NavaDebugger.exe

Loads dropped DLL 11 IoCs

pid	Process
3052	Endermanch@NavaShield.exe
2656	NavaShield.exe
2656	NavaShield.exe
2656	NavaShield.exe
2656	NavaShield.exe
2656	NavaShield.exe
2768	NavaBridge.exe
2768	NavaBridge.exe
2768	NavaBridge.exe
2656	NavaShield.exe
1576	NavaDebugger.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\NavaShield = "c:\\Nava Labs\\Nava Shield\\navashield.exe"	Endermanch@NavaShield.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Endermanch@NavaShield.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NavaShield.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NavaBridge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NavaDebugger.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	NavaShield.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	NavaShield.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2656	NavaShield.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2656	NavaShield.exe
2656	NavaShield.exe
2656	NavaShield.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2656	NavaShield.exe
2656	NavaShield.exe
2656	NavaShield.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3052 wrote to memory of 2656	3052	Endermanch@NavaShield.exe	31
PID 3052 wrote to memory of 2656	3052	Endermanch@NavaShield.exe	31
PID 3052 wrote to memory of 2656	3052	Endermanch@NavaShield.exe	31
PID 3052 wrote to memory of 2656	3052	Endermanch@NavaShield.exe	31
PID 2656 wrote to memory of 2768	2656	NavaShield.exe	33
PID 2656 wrote to memory of 2768	2656	NavaShield.exe	33
PID 2656 wrote to memory of 2768	2656	NavaShield.exe	33
PID 2656 wrote to memory of 2768	2656	NavaShield.exe	33
PID 2656 wrote to memory of 1576	2656	NavaShield.exe	34
PID 2656 wrote to memory of 1576	2656	NavaShield.exe	34
PID 2656 wrote to memory of 1576	2656	NavaShield.exe	34
PID 2656 wrote to memory of 1576	2656	NavaShield.exe	34

C:\Users\Admin\AppData\Local\Temp\other malware cuz why not\Endermanch@NavaShield.exe
"C:\Users\Admin\AppData\Local\Temp\other malware cuz why not\Endermanch@NavaShield.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3052
- C:\Nava Labs\Nava Shield\NavaShield.exe
  "C:\Nava Labs\Nava Shield\NavaShield.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2656
- - C:\Nava Labs\Nava Shield\NavaBridge.exe
    "C:\Nava Labs\Nava Shield\NavaBridge.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2768
- - C:\Nava Labs\Nava Shield\NavaDebugger.exe
    "C:\Nava Labs\Nava Shield\NavaDebugger.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:1576

Network

DNS

navashield.com

NavaBridge.exe

Remote address:

8.8.8.8:53

Request

navashield.com

IN A

Response

navashield.com

IN A

64.190.63.222
GET

http://navashield.com/nava/offers?a=TNEQ7W7U4W&v=1&b=0enNuKZijDvRVUWgSGleGQ==

NavaBridge.exe

Remote address:

64.190.63.222:80

Request

GET /nava/offers?a=TNEQ7W7U4W&v=1&b=0enNuKZijDvRVUWgSGleGQ== HTTP/1.0
Accept: */*
Accept-Language: en
Host: navashield.com

Response

HTTP/1.1 403 Forbidden

content-length: 93
cache-control: no-cache
content-type: text/html
connection: close

64.190.63.222:80

http://navashield.com/nava/offers?a=TNEQ7W7U4W&v=1&b=0enNuKZijDvRVUWgSGleGQ==

http

NavaBridge.exe

359 B
376 B
5
4

HTTP Request

GET http://navashield.com/nava/offers?a=TNEQ7W7U4W&v=1&b=0enNuKZijDvRVUWgSGleGQ==

HTTP Response

403

8.8.8.8:53

navashield.com

dns

NavaBridge.exe

60 B
76 B
1
1

DNS Request

navashield.com

DNS Response

64.190.63.222

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Nava Labs\Nava Shield\NavaBridge.exe

Filesize
4.0MB

MD5
6f89df4cde193c0636c3d497cf1a17bf

SHA1
9faaa0100195e3e81fdade11e7a476a1fd1b23c8

SHA256
e7f05380e90dfb15b91b8bbc2ae48a04ba84d573b3c9f7d81bcc12f814215929

SHA512
c31848b1dceb8f8351991051b389a38b2ca0ae7ee98ebf626576245ca1588f1f6ee14e3eff7b165ecf9879e7e11ab77888e297cc4ccbb405b0ed64ebcda304b2

Download Submit
C:\Nava Labs\Nava Shield\NavaDebugger Libs\MD5.dll

Filesize
92KB

MD5
831295342c47b770bf7cc591a6916fa7

SHA1
2c9063fbf3f3363526abdc241bf90618b82446d1

SHA256
8341ecc0938ca6d90b7e0f02af2d7e6b571c948a03a99d54af61c4557c78d656

SHA512
01419defe963a987989cddb0e21cf651ec3eefeae97cf4b257d4caa8da26436a647e8e4d95cdad22bbb0657171f6d3d9c41dc6fb217ffc7d5172ebc9a409d36e

Download Submit
C:\Nava Labs\Nava Shield\NavaDebugger.exe

Filesize
10.0MB

MD5
47ef848562a159b2ce98d527ec968db2

SHA1
56b34310e8ede0437c422531bb89b2255a03cb3d

SHA256
7d899d2d33bde1c7f55ba0fcd4630b817e42e5cd1ceb8739511a990455275f90

SHA512
ac05354eacab4252e57151e98b8845d142b258590269ef92a724818623f2912b48341555ccc604a810e89ced3178ffc896ba116805ec3d129d9f6932296d935a

Download Submit
C:\Nava Labs\Nava Shield\NavaMod.dll

Filesize
5KB

MD5
3d7f80fb0534d24f95ee377c40b72fb3

SHA1
11b443ed953dae35d9c9905b5bbeb309049f3d36

SHA256
abd84867d63a5449101b7171b1cc3907c44d7d327ea97d45b22a1015cc3af4dc

SHA512
7fc741bbce281873134b9f4d68b74ae04daf943ea4c0c26e7e44579f2d51883c635972a405dd81cee63079a5ba9d09328a1e26e7878547590569806d219d83c7

Download Submit
C:\Nava Labs\Nava Shield\NavaShield Libs\Internet Encodings.dll

Filesize
72KB

MD5
de5eefa1b686e3d32e3ae265392492bd

SHA1
7b37b0ac1061366bf1a7f267392ebc0d606bb3db

SHA256
a50e56dfb68410a7927ecd50f55044756b54868e920e462671162d1961bfe744

SHA512
c71270a5275f91214444449be4923a70243a9e2cd06afcc6fd28ab9f2cd2d930219ce8ed9ec008750b2611b62ed26b65cb57a75c6035201cd9657263d157d508

Download Submit
C:\Nava Labs\Nava Shield\bridge.dat

Filesize
176B

MD5
e66f1107f995d52bcd90421b3cdc0dde

SHA1
245acafa2f3dab3f2b7f183d34267dcd976199c0

SHA256
45fa6eacea58e682c2ef2bb9e888cb6bf396c37b957fd144ca73c95699ad3c74

SHA512
0500f9dec5cfdfb80bc5763943deb3111ccde4b35f19ac124df2e5abde2681154977f160a42e9ef50698b0ea0cc26fc09361a3917534038f141dd047f0287c1f

Download Submit
C:\Nava Labs\Nava Shield\bridge.dat

Filesize
176B

MD5
06552ba21b610427f93f5ca67ac94e92

SHA1
3a250e6b6c080ab3d743e458e2b9d1bef6507b93

SHA256
37d9a3d8c8e046c00169c19bfc691a46fea04b6a95e3169f2fdadfe5de49188e

SHA512
feffe4782a75c25dd017897090b708541b965f66bb3ddd5d0477a72622ea5666e1c3ae5192a0051f0bf003b02a47a6fd320b9eb1c707e12440a528747a85cd25

Download Submit
C:\Nava Labs\Nava Shield\config.dat

Filesize
4KB

MD5
389bf6e15ae0a7250f454da52aa7ced5

SHA1
1f6a6fe568a1b863bf1f8a9bec9fc8a67e04ca43

SHA256
5993325acfe309946c176737a019aa16e22b921fa6387b766bf8bc8a504e220d

SHA512
74bf5a1b5aaa4a27777ef98744aa5a4aac9dc2d64def7be42883d965e77c06852b8bd61c9b7620030c0b5d712ddefdbf0786d0696f62459e33a0debfbc62eb22

Download Submit
C:\Nava Labs\Nava Shield\config.dat

Filesize
4KB

MD5
5e704d5d840abb97d463a23ed27c2f70

SHA1
03b96628c71884a24bccbf09e6e98a4275fe3048

SHA256
90b916dd1676ac5c5d698593a51d896a203c80a0f652b7b772fe90e674154f2a

SHA512
b59da0e00589610d0260640fe5851cf51c4b9cb814d61f36badee9a2c22bca1690c5463bc3f1d19dd7cb1084094a4b48a895f77e2bb16c19fe6bbe199d543cfe

Download Submit
C:\Nava Labs\Nava Shield\navig.dat

Filesize
255B

MD5
0bf850cb9d0aa0f4c778cc515b79bd13

SHA1
c0cb8a58cba046d2c7539025a39c8a1af81c3914

SHA256
9c4723ecb77e39e58eda9c60f532724aa3bf69de30047cc7b6522534cd423f00

SHA512
649c13f9f4fccc03ebd6cb2c3752434c69b5a8d7e9b94cac80cd98a7624bfd00648949b18cd720faf89fae050f6b523221db589a550c6ce4513e76ff0895da5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\$inst\0001.tmp

Filesize
1.2MB

MD5
f96faa6ec671eaabc66ef44d5a715db2

SHA1
71b08ba07e5cea3490daeb4b75b4262b1e8a9821

SHA256
6beae61ac55708892f869336fbf24f5987b433d3abe54f00bb69a098715caa1f

SHA512
ab02f785eb412004de71337a016861e790c643bffb7b1ff87d3c7f62e9ebe139fb13b04c4605ff8f069e9e0eb032427e864a6d98af5b8e25fef770bb84272838

Download Submit
\Nava Labs\Nava Shield\NavaBridge Libs\Browser Plugin.dll

Filesize
96KB

MD5
912924f628e277be9cc28a5f2a990cb9

SHA1
13c0166469a271497043a2f13e9a6a610dc2b336

SHA256
bd474c5aafcaa12f20da5ecb29e17555b953eca46b4f56588a72672a36d4a8eb

SHA512
b33b430254f9ec32ecd6224124db69af93de3cbfbaf422a0045641f7961834a67cba1b9fd97f4e0e903e27e3360301c5dba214a6b9156c4cdf8a25115b860c39

Download Submit
\Nava Labs\Nava Shield\NavaShield Libs\Appearance Pak.dll

Filesize
136KB

MD5
fcf3ac25f11ba7e8b31c4baf1910f7a6

SHA1
fb470541f0b6b8f3ce69dcaa239ca9a7d7e91d72

SHA256
e5b3249fbeea8395fd56c20511bfcfdb2b2632d3c8d517b943466a4e47f97b5c

SHA512
47c467924d64af4a48a6e640778aca1dce379d16b06bf3f60a44025034c15ce1498ef307b63cb04e5c0cbb6c2ac58022acdb0d6efb1109c5ea31f842a320aa40

Download Submit
\Nava Labs\Nava Shield\NavaShield.exe

Filesize
23.8MB

MD5
9d299e41bae269641af28a6c02b80ef6

SHA1
66114e20ddf19e657d29aa2d1ac56ea93c62d130

SHA256
fce1bc05fbe2de83ee535e5ce0ceee94f2b4f917cdcbe1f1f649f44be25d4ec8

SHA512
26e01252b6caea9122734485654848d31c7f3dd06cf7fcc2806ba2b0705cb914b6b7b4e38ff1f23a5c373277e23d64320844e9882bef4ed27eb68d7ecce5de28

Download Submit
memory/2656-115-0x0000000002590000-0x00000000028AB000-memory.dmp

Filesize
3.1MB

Download
memory/2656-109-0x00000000006D0000-0x00000000006EA000-memory.dmp

Filesize
104KB

Download
memory/2656-145-0x0000000069F80000-0x0000000069F88000-memory.dmp

Filesize
32KB

Download
memory/2656-106-0x00000000003C0000-0x00000000003D2000-memory.dmp

Filesize
72KB

Download
memory/2768-134-0x0000000000290000-0x00000000002A2000-memory.dmp

Filesize
72KB

Download
memory/2768-138-0x00000000002C0000-0x00000000002DA000-memory.dmp

Filesize
104KB

Download
memory/2768-136-0x00000000025F0000-0x000000000277B000-memory.dmp

Filesize
1.5MB

Download
memory/3052-119-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/3052-11-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

DNS Request

DNS Response

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.