Analysis

max time kernel: 162s
max time network: 181s
platform: windows10-2004_x64
resource: win10v2004-20220310-en
submitted: 20-03-2022 06:13

Static task: static1

Behavioral task: behavioral1
Sample: ea3d71e7b8cb5d222744d4c2252b72924bed51a63119e8990a85fb17ff93f004.exe
Resource: win7-20220311-en

Behavioral task: behavioral2
Sample: ea3d71e7b8cb5d222744d4c2252b72924bed51a63119e8990a85fb17ff93f004.exe
Resource: win10v2004-20220310-en
General

Target: ea3d71e7b8cb5d222744d4c2252b72924bed51a63119e8990a85fb17ff93f004.exe
Size: 980KB
MD5: 83246ee3f6cbb10825e5eab9172ef4b6
SHA1: 1c6456cea8fc52e57ba668f3343b763eb99de4b5
SHA256: ea3d71e7b8cb5d222744d4c2252b72924bed51a63119e8990a85fb17ff93f004
SHA512: 816b133e947dc1d27e377fdb6646e42b11eab5597f5ab568db6c3072c14b8ca28cee92a38db2ae8554284f2023b2019f88f57c7d403371b778ccde2e420c7a54
Malware Config

Signatures

Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.
resource | yara_rule
behavioral2/memory/3976-135-0x0000000000400000-0x0000000000608000-memory.dmp | upx
behavioral2/memory/3976-136-0x0000000000400000-0x0000000000608000-memory.dmp | upx

Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ | ea3d71e7b8cb5d222744d4c2252b72924bed51a63119e8990a85fb17ff93f004.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\"" | ea3d71e7b8cb5d222744d4c2252b72924bed51a63119e8990a85fb17ff93f004.exe

Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid | Process
3976 | ea3d71e7b8cb5d222744d4c2252b72924bed51a63119e8990a85fb17ff93f004.exe
3976 | ea3d71e7b8cb5d222744d4c2252b72924bed51a63119e8990a85fb17ff93f004.exe
3976 | ea3d71e7b8cb5d222744d4c2252b72924bed51a63119e8990a85fb17ff93f004.exe
3976 | ea3d71e7b8cb5d222744d4c2252b72924bed51a63119e8990a85fb17ff93f004.exe
Processes

C:\Users\Admin\AppData\Local\Temp\ea3d71e7b8cb5d222744d4c2252b72924bed51a63119e8990a85fb17ff93f004.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\ea3d71e7b8cb5d222744d4c2252b72924bed51a63119e8990a85fb17ff93f004.exe"
PID: 3976
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses