Analysis
- max time kernel: 157s
- max time network: 159s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220112
- submitted: 05-03-2022 20:10
Behavioral task behavioral1
- Sample: 32a31a2c1811ecec2841f70c0be6a18040cd456145f524ca284363c1606c13d0.exe
- Resource: win7-20220223-en
Behavioral task behavioral2
- Sample: 32a31a2c1811ecec2841f70c0be6a18040cd456145f524ca284363c1606c13d0.exe
- Resource: win10v2004-en-20220112
General
- Target: 32a31a2c1811ecec2841f70c0be6a18040cd456145f524ca284363c1606c13d0.exe
- Size: 1.4MB
- MD5: 30389b7a45567e07146e2ad0d59734fa
- SHA1: 776ec66d4570ddb8ca3907fd77e4c02ae1e428ba
- SHA256: 32a31a2c1811ecec2841f70c0be6a18040cd456145f524ca284363c1606c13d0
- SHA512: a86d240fc8cf0201bdf63c1f7ebc4adbff4836061bc71c3ba1b044ae6c7a41c6d4b50f69b77bfb9162a046d1278d6db723fc15ccc3a57b0a1163b2de3a232e89
Malware Config
Extracted files (each lists the same three URLs):
- C:\README1.txt
- C:\README2.txt
- C:\README3.txt
- C:\README4.txt
- C:\README5.txt
- C:\README6.txt
- C:\README7.txt
- C:\README8.txt
- C:\README9.txt
- C:\README10.txt
URLs found in each of the files above:
- http://cryptsen7fo43rr6.onion/
- http://cryptsen7fo43rr6.onion.to/
- http://cryptsen7fo43rr6.onion.cab/
Signatures

Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.
Processes:
  resource | yara_rule
  behavioral2/memory/2312-131-0x0000000000400000-0x0000000000608000-memory.dmp | upx
  behavioral2/memory/2312-132-0x0000000000400000-0x0000000000608000-memory.dmp | upx

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ | 32a31a2c1811ecec2841f70c0be6a18040cd456145f524ca284363c1606c13d0.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\"" | 32a31a2c1811ecec2841f70c0be6a18040cd456145f524ca284363c1606c13d0.exe

Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Interacts with shadow copies (2 TTPs, 1 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
  pid | process
  2824 | vssadmin.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes:
  pid | process
  2312 | 32a31a2c1811ecec2841f70c0be6a18040cd456145f524ca284363c1606c13d0.exe
  2312 | 32a31a2c1811ecec2841f70c0be6a18040cd456145f524ca284363c1606c13d0.exe
  2312 | 32a31a2c1811ecec2841f70c0be6a18040cd456145f524ca284363c1606c13d0.exe
  2312 | 32a31a2c1811ecec2841f70c0be6a18040cd456145f524ca284363c1606c13d0.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
  description | pid | process
  Token: SeBackupPrivilege | 3964 | vssvc.exe
  Token: SeRestorePrivilege | 3964 | vssvc.exe
  Token: SeAuditPrivilege | 3964 | vssvc.exe

Suspicious use of WriteProcessMemory (2 IoCs)
Processes:
  description | pid | process | target process
  PID 2312 wrote to memory of 2824 | 2312 | 32a31a2c1811ecec2841f70c0be6a18040cd456145f524ca284363c1606c13d0.exe | vssadmin.exe
  PID 2312 wrote to memory of 2824 | 2312 | 32a31a2c1811ecec2841f70c0be6a18040cd456145f524ca284363c1606c13d0.exe | vssadmin.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\32a31a2c1811ecec2841f70c0be6a18040cd456145f524ca284363c1606c13d0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\32a31a2c1811ecec2841f70c0be6a18040cd456145f524ca284363c1606c13d0.exe"
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Windows\system32\vssadmin.exe
    Command line: C:\Windows\system32\vssadmin.exe List Shadows
    - Interacts with shadow copies
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken