Overview

overview

10

task1

 

10

task2

 

10

Analysis

  • max time kernel
    132s
  • max time network
    144s
  • resource
    win10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    2c.jpg

  • Sample

    191016-8b56wcmt7e

  • SHA256

    45521351aa8ff351931e7d7eb7c0d0183184b1adb7484cc0b7a7bba2c992cd24

Score
N/A

Malware Config

Signatures

  • Suspicious use of WriteProcessMemory 10 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Adds Run entry to start application 2 TTPs 4 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses
  • Interacts with shadow copies 2 TTPs
    ransomware
  • Suspicious use of AdjustPrivilegeToken 13 IoCs
  • Modifies service 2 TTPs 5 IoCs
    persistence
  • Deletes shadow copies 2 TTPs
    ransomware
  • Drops Office document 142 IoCs
    dropperexploitermaldoc
  • Drops file in system dir 11503 IoCs
  • Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
  • Program crash
  • Checks system information in the registry (likely anti-VM) 2 TTPs 8 IoCs
  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
    persistence
  • Suspicious use of FindShellTrayWindow
  • Suspicious use of SendNotifyMessage
  • Enumerates system info in registry 2 TTPs 4 IoCs
  • Checks processor information in registry (likely anti-VM) 2 TTPs 2 IoCs
  • Checks processor name in registry (likely anti-VM) 2 TTPs 1 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • troldesh family
    family

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:2500
    • C:\Users\Admin\AppData\Local\Temp\2c.jpg.exe
      "C:\Users\Admin\AppData\Local\Temp\2c.jpg.exe"
      1⤵
      • Suspicious use of WriteProcessMemory
      • Suspicious use of SetThreadContext
      PID:1012
    • C:\Users\Admin\AppData\Local\Temp\2c.jpg.exe
      "C:\Users\Admin\AppData\Local\Temp\2c.jpg.exe"
      1⤵
      • Suspicious use of WriteProcessMemory
      • Adds Run entry to start application
      • Drops Office document
      • Drops file in system dir
      • Sets desktop wallpaper using registry
      PID:3488
    • C:\Windows\system32\vssadmin.exe
      C:\Windows\system32\vssadmin.exe List Shadows
      1⤵
        PID:4088
      • C:\Windows\system32\vssvc.exe
        C:\Windows\system32\vssvc.exe
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        • Modifies service
        PID:3704
      • C:\Windows\System32\svchost.exe
        C:\Windows\System32\svchost.exe -k swprv
        1⤵
          PID:4040
        • C:\Windows\system32\vssadmin.exe
          C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
          1⤵
            PID:2768
          • C:\Windows\system32\vssadmin.exe
            C:\Windows\system32\vssadmin.exe List Shadows
            1⤵
              PID:3848
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe
              1⤵
              • Suspicious use of WriteProcessMemory
              PID:3912
            • C:\Windows\SysWOW64\chcp.com
              chcp
              1⤵
                PID:3868
              • C:\Windows\System32\svchost.exe
                C:\Windows\System32\svchost.exe -k WerSvcGroup
                1⤵
                • Suspicious use of WriteProcessMemory
                • Suspicious use of NtCreateUserProcessOtherParentProcess
                PID:2224
              • C:\Windows\system32\WerFault.exe
                C:\Windows\system32\WerFault.exe -u -p 2500 -s 2264
                1⤵
                • Suspicious use of AdjustPrivilegeToken
                • Checks system information in the registry (likely anti-VM)
                PID:3788
              • C:\Windows\explorer.exe
                explorer.exe
                1⤵
                • Suspicious use of AdjustPrivilegeToken
                • Checks system information in the registry (likely anti-VM)
                • Modifies Installed Components in the registry
                PID:3832
              • C:\Windows\system32\WerFault.exe
                C:\Windows\system32\WerFault.exe -u -p 3832 -s 2236
                1⤵
                • Suspicious use of AdjustPrivilegeToken
                • Checks system information in the registry (likely anti-VM)
                • Enumerates system info in registry
                • Checks processor information in registry (likely anti-VM)
                • Checks processor name in registry (likely anti-VM)
                PID:3068
              • C:\Windows\system32\SppExtComObj.exe
                C:\Windows\system32\SppExtComObj.exe -Embedding
                1⤵
                • Suspicious use of WriteProcessMemory
                PID:980
              • C:\Windows\System32\SLUI.exe
                "C:\Windows\System32\SLUI.exe" RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;NotificationInterval=1440;Trigger=TimerEvent
                1⤵
                  PID:1208

                Network

                MITRE ATT&CK Enterprise v15

                MITRE ATT&CK Additional techniques

                • T1060
                • T1107
                • T1031

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\ProgramData\Microsoft\Windows\WER\Temp\WER169B.tmp.csv
                  Download Submit

                • C:\ProgramData\Microsoft\Windows\WER\Temp\WER16AC.tmp.txt
                  Download Submit

                • C:\ProgramData\Microsoft\Windows\WER\Temp\WER1F09.tmp.csv
                  Download Submit

                • C:\ProgramData\Microsoft\Windows\WER\Temp\WER1F29.tmp.txt
                  Download Submit

                • memory/1012-1-0x0000000003C90000-0x0000000003C91000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/3068-407-0x0000018DDD3A0000-0x0000018DDD3A1000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/3068-404-0x0000018DDD3A0000-0x0000018DDD3A1000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/3068-401-0x0000018DDD2B0000-0x0000018DDD2B1000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/3068-398-0x0000018DDC350000-0x0000018DDC351000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/3488-6-0x0000000003720000-0x0000000003721000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/3488-198-0x0000000003720000-0x0000000003721000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/3488-4-0x0000000000400000-0x0000000000608000-memory.dmp

                  Filesize

                  2.0MB

                  Download

                • memory/3488-3-0x0000000000400000-0x0000000000608000-memory.dmp

                  Filesize

                  2.0MB

                  Download

                • memory/3488-2-0x0000000000400000-0x0000000000608000-memory.dmp

                  Filesize

                  2.0MB

                  Download

                • memory/3788-395-0x00000234BCAA0000-0x00000234BCAA1000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/3788-392-0x00000234BC8E0000-0x00000234BC8E1000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/3788-390-0x00000234BB170000-0x00000234BB171000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/3788-389-0x00000234BB170000-0x00000234BB171000-memory.dmp

                  Filesize

                  4KB

                  Download