Analysis
- max time kernel: 145s
- max time network: 190s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 26-07-2021 12:42
Static task: static1
Behavioral task: behavioral1
  Sample: 1e4b9f225ed46e67fdba49356d0aa837393f4c00b42bd84f7ffbba24c9810d6f.sample.exe
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: 1e4b9f225ed46e67fdba49356d0aa837393f4c00b42bd84f7ffbba24c9810d6f.sample.exe
  Resource: win10v20210408
General
- Target: 1e4b9f225ed46e67fdba49356d0aa837393f4c00b42bd84f7ffbba24c9810d6f.sample.exe
- Size: 976KB
- MD5: fc2d1d2825c42a11b56d6e5fd0ef0317
- SHA1: 321680c5760d9dac5ad5c2c6c0cd1bc638a50b15
- SHA256: 1e4b9f225ed46e67fdba49356d0aa837393f4c00b42bd84f7ffbba24c9810d6f
- SHA512: c70763ac0be9c9448d86a2c5ddfe2ecd8d392f312cbbdfc8fda39f3bc15500d68580c6c0698cb89578b8be54775a2d17f03edf1772c5a0481f4e35eaca798e21
Malware Config
Signatures
- Troldesh, Shade, Encoder.858
  Troldesh is ransomware spread by malspam.
  Processes:
    resource: behavioral1/memory/1276-62-0x0000000000400000-0x0000000000608000-memory.dmp
    yara_rule: upx
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
    description: Key created
    ioc: \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
    process: 1e4b9f225ed46e67fdba49356d0aa837393f4c00b42bd84f7ffbba24c9810d6f.sample.exe

    description: Set value (str)
    ioc: \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\""
    process: 1e4b9f225ed46e67fdba49356d0aa837393f4c00b42bd84f7ffbba24c9810d6f.sample.exe
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid: 1276  process: 1e4b9f225ed46e67fdba49356d0aa837393f4c00b42bd84f7ffbba24c9810d6f.sample.exe
    pid: 1276  process: 1e4b9f225ed46e67fdba49356d0aa837393f4c00b42bd84f7ffbba24c9810d6f.sample.exe
- Suspicious use of UnmapMainImage (1 IoCs)
  Processes:
    pid: 1276  process: 1e4b9f225ed46e67fdba49356d0aa837393f4c00b42bd84f7ffbba24c9810d6f.sample.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\1e4b9f225ed46e67fdba49356d0aa837393f4c00b42bd84f7ffbba24c9810d6f.sample.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1e4b9f225ed46e67fdba49356d0aa837393f4c00b42bd84f7ffbba24c9810d6f.sample.exe"
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage