Analysis
-
max time kernel
4294195s -
max time network
148s -
platform
windows7_x64 -
resource
win7-20220310-en -
submitted
11-04-2022 03:15
Static task
static1
Behavioral task
behavioral1
Sample
inf.exe
Resource
win7-20220310-en
Behavioral task
behavioral2
Sample
inf.exe
Resource
win10v2004-en-20220113
General
-
Target
inf.exe
-
Size
1.3MB
-
MD5
73dea1a75637e14f6fcd012fe2815636
-
SHA1
f1edca0d6464b76bc4956352571d8941c02d2c4e
-
SHA256
fd03dd58aa7cb5236f4df8cde3fb07af304c6f402cd48b86eefcecb8e7b86883
-
SHA512
f6dc462194037a5c4e0b186088f1fd75befe4cb88bf1dcc7477987951332fc18f8aa66389d567e01677990b022fea6849a66a24510027794e12e2a517edde8d0
Malware Config
Extracted
C:\README1.txt
http://cryptsen7fo43rr6.onion/
http://cryptsen7fo43rr6.onion.to/
http://cryptsen7fo43rr6.onion.cab/
Extracted
C:\README2.txt
http://cryptsen7fo43rr6.onion/
http://cryptsen7fo43rr6.onion.to/
http://cryptsen7fo43rr6.onion.cab/
Extracted
C:\README3.txt
http://cryptsen7fo43rr6.onion/
http://cryptsen7fo43rr6.onion.to/
http://cryptsen7fo43rr6.onion.cab/
Extracted
C:\README4.txt
http://cryptsen7fo43rr6.onion/
http://cryptsen7fo43rr6.onion.to/
http://cryptsen7fo43rr6.onion.cab/
Extracted
C:\README5.txt
http://cryptsen7fo43rr6.onion/
http://cryptsen7fo43rr6.onion.to/
http://cryptsen7fo43rr6.onion.cab/
Extracted
C:\README6.txt
http://cryptsen7fo43rr6.onion/
http://cryptsen7fo43rr6.onion.to/
http://cryptsen7fo43rr6.onion.cab/
Extracted
C:\README7.txt
http://cryptsen7fo43rr6.onion/
http://cryptsen7fo43rr6.onion.to/
http://cryptsen7fo43rr6.onion.cab/
Extracted
C:\README8.txt
http://cryptsen7fo43rr6.onion/
http://cryptsen7fo43rr6.onion.to/
http://cryptsen7fo43rr6.onion.cab/
Extracted
C:\README9.txt
http://cryptsen7fo43rr6.onion/
http://cryptsen7fo43rr6.onion.to/
http://cryptsen7fo43rr6.onion.cab/
Extracted
C:\README10.txt
http://cryptsen7fo43rr6.onion/
http://cryptsen7fo43rr6.onion.to/
http://cryptsen7fo43rr6.onion.cab/
Signatures
-
Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies extensions of user files 2 IoCs
Ransomware generally changes the extension on encrypted files.
description ioc Process File opened for modification C:\Users\Admin\Pictures\MeasureHide.tiff inf.exe File opened for modification C:\Users\Admin\Pictures\ExitRedo.tiff inf.exe -
resource yara_rule behavioral1/memory/792-56-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral1/memory/792-57-0x0000000000400000-0x0000000000608000-memory.dmp upx -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\"" inf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ inf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\"" inf.exe Key created \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ inf.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 16 whatismyipaddress.com -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\410D387D410D387D.bmp" inf.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-back-over-select.png inf.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\background.png inf.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\icon.png inf.exe File opened for modification C:\Program Files\Windows Media Player\Media Renderer\RenderingControl.xml inf.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\images\Back-48.png inf.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\jquery-ui-1.8.13.custom.css inf.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\larrow.gif inf.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainToScenesBackground.wmv inf.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\2.png inf.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\calendar_single.png inf.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Full\NavigationRight_SelectionSubpicture.png inf.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Shorthand.emf inf.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_left_pressed.png inf.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\cpu.html inf.exe File opened for modification C:\Program Files\Windows Sidebar\settings.ini inf.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\include\classfile_constants.h inf.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\Gadget_Main_Background_QuickLaunch.png inf.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\js\timeZones.js inf.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-heapwalker.xml inf.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4-dark_win.css inf.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\(120DPI)alertIcon.png inf.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\activity16v.png inf.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\js\RSSFeeds.js inf.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\include\jawt.h inf.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_frame-imageMask.png inf.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\background.png inf.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\css\clock.css inf.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\js\calendar.js inf.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\README.txt inf.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Full\NavigationUp_SelectionSubpicture.png inf.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\css\RSSFeeds.css inf.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\e4-dark_basestyle.css inf.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\feature.xml inf.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\ParentMenuButtonIcon.png inf.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\settings.html inf.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\tile16.png inf.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\js\settings.js inf.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-lib-uihandler.xml inf.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\203x8subpicture.png inf.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\content-background.png inf.exe File opened for modification C:\Program Files\7-Zip\Lang\ms.txt inf.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\js\weather.js inf.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Title_Trans_Notes_PAL.wmv inf.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationUp_ButtonGraphic.png inf.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\js\service.js inf.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\FrameworkList.xml inf.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-execution.xml inf.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-api-annotations-common.xml inf.exe File opened for modification C:\Program Files\7-Zip\Lang\ky.txt inf.exe File opened for modification C:\Program Files\7-Zip\Lang\ka.txt inf.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\RSSFeeds.html inf.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-filesystems.xml inf.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\epl-v10.html inf.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Scene_loop.wmv inf.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_frame-border.png inf.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\15x15dot.png inf.exe File opened for modification C:\Program Files\GetUnlock.mov inf.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_blue_windy.png inf.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_search_over_BIDI.png inf.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\en-US\gadget.xml inf.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\js\cpu.js inf.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-options-api.xml inf.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-modules.xml inf.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\6.png inf.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
pid pid_target Process procid_target 740 1340 WerFault.exe 14 -
Interacts with shadow copies 2 TTPs 3 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 1096 vssadmin.exe 972 vssadmin.exe 2040 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 792 inf.exe 792 inf.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeBackupPrivilege 1588 vssvc.exe Token: SeRestorePrivilege 1588 vssvc.exe Token: SeAuditPrivilege 1588 vssvc.exe -
Suspicious use of UnmapMainImage 1 IoCs
pid Process 792 inf.exe -
Suspicious use of WriteProcessMemory 28 IoCs
description pid Process procid_target PID 792 wrote to memory of 1096 792 inf.exe 29 PID 792 wrote to memory of 1096 792 inf.exe 29 PID 792 wrote to memory of 1096 792 inf.exe 29 PID 792 wrote to memory of 1096 792 inf.exe 29 PID 792 wrote to memory of 972 792 inf.exe 33 PID 792 wrote to memory of 972 792 inf.exe 33 PID 792 wrote to memory of 972 792 inf.exe 33 PID 792 wrote to memory of 972 792 inf.exe 33 PID 792 wrote to memory of 2040 792 inf.exe 35 PID 792 wrote to memory of 2040 792 inf.exe 35 PID 792 wrote to memory of 2040 792 inf.exe 35 PID 792 wrote to memory of 2040 792 inf.exe 35 PID 792 wrote to memory of 1060 792 inf.exe 37 PID 792 wrote to memory of 1060 792 inf.exe 37 PID 792 wrote to memory of 1060 792 inf.exe 37 PID 792 wrote to memory of 1060 792 inf.exe 37 PID 1060 wrote to memory of 1224 1060 cmd.exe 39 PID 1060 wrote to memory of 1224 1060 cmd.exe 39 PID 1060 wrote to memory of 1224 1060 cmd.exe 39 PID 1060 wrote to memory of 1224 1060 cmd.exe 39 PID 792 wrote to memory of 548 792 inf.exe 41 PID 792 wrote to memory of 548 792 inf.exe 41 PID 792 wrote to memory of 548 792 inf.exe 41 PID 792 wrote to memory of 548 792 inf.exe 41 PID 548 wrote to memory of 1728 548 cmd.exe 43 PID 548 wrote to memory of 1728 548 cmd.exe 43 PID 548 wrote to memory of 1728 548 cmd.exe 43 PID 548 wrote to memory of 1728 548 cmd.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\inf.exe"C:\Users\Admin\AppData\Local\Temp\inf.exe"1⤵
- Modifies extensions of user files
- Adds Run key to start application
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:792 -
C:\Windows\system32\vssadmin.exeC:\Windows\system32\vssadmin.exe List Shadows2⤵
- Interacts with shadow copies
PID:1096
-
-
C:\Windows\system32\vssadmin.exeC:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet2⤵
- Interacts with shadow copies
PID:972
-
-
C:\Windows\system32\vssadmin.exeC:\Windows\system32\vssadmin.exe List Shadows2⤵
- Interacts with shadow copies
PID:2040
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe2⤵
- Suspicious use of WriteProcessMemory
PID:1060 -
C:\Windows\SysWOW64\chcp.comchcp3⤵PID:1224
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe2⤵
- Suspicious use of WriteProcessMemory
PID:548 -
C:\Windows\SysWOW64\chcp.comchcp3⤵PID:1728
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1588
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 1340 -s 22441⤵
- Program crash
PID:740