Overview

overview

10

Static

static

01b654c15c...le.exe

windows7_x64

10

01b654c15c...le.exe

windows10_x64

10

Resubmissions

17-04-2024 14:56

240417-sbg1madb74 10

17-04-2024 14:56

240417-sbaljsdb64 10

17-04-2024 14:56

240417-sbaasadb62 10

17-04-2024 14:56

240417-sa9n9aef2v 10

17-04-2024 14:56

240417-sa9dgsdb59 10

06-04-2024 14:44

240406-r4b5eadc29 10

06-04-2024 14:43

240406-r3xpqadb95 10

06-04-2024 14:42

240406-r29b5ace9x 10

06-04-2024 14:41

240406-r2spdace8x 10

Analysis

  • max time kernel
    150s
  • max time network
    181s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    26-07-2021 13:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.sample.exe

  • Size

    1.1MB

  • MD5

    1fc2e4c5ff5844410fc7b78c6987cddf

  • SHA1

    52f676fcbfda7f0929385da963df25eb4638d4a4

  • SHA256

    01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38

  • SHA512

    31efba9acfe4b4bfab315a8d2d15b1b7a5ef83f26fc5de17ec37044bb6b61269f291ddb9e20ad90f2e91fff5221360b34bcf1e36e447d369e0d5333de42681fe

Score
10/10
troldeshdiscoverypersistenceransomwarespywarestealertrojanupx

Malware Config

Signatures

  • Troldesh, Shade, Encoder.858

    Troldesh is a ransomware spread by malspam.

    ransomwaretrojantroldesh
  • UPX packed file 1 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.sample.exe
    "C:\Users\Admin\AppData\Local\Temp\01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.sample.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of UnmapMainImage
    PID:1092

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1092-59-0x0000000075FE1000-0x0000000075FE3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1092-60-0x0000000000610000-0x00000000006E5000-memory.dmp
    Filesize

    852KB

    Download
  • memory/1092-61-0x0000000000400000-0x0000000000608000-memory.dmp
    Filesize

    2.0MB

    Download