Analysis
-
max time kernel
147s -
max time network
154s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
21-04-2022 18:51
Static task
static1
Behavioral task
behavioral1
Sample
1c.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
1c.exe
Resource
win10v2004-20220414-en
General
-
Target
1c.exe
-
Size
1004KB
-
MD5
592b12b5a4d9beec0c8914fcb36a8f30
-
SHA1
ae094c72b8c774cd9e573e12500c0869ece074aa
-
SHA256
f02008f3656a77dcb5e4ca16153acfb649cf2717b1d60e58fe17073b452c6403
-
SHA512
54c1c96c03f114976b5ccd56382bb1edb315bf21feb40a887e046dff9f5e33cfa29238c6a35218a85ab757a24b51343dfc451d2114fd89f9cc1e8630f5fb5c5b
Malware Config
Extracted
C:\README1.txt
http://cryptsen7fo43rr6.onion/
http://cryptsen7fo43rr6.onion.to/
http://cryptsen7fo43rr6.onion.cab/
Extracted
C:\README2.txt
http://cryptsen7fo43rr6.onion/
http://cryptsen7fo43rr6.onion.to/
http://cryptsen7fo43rr6.onion.cab/
Extracted
C:\README3.txt
http://cryptsen7fo43rr6.onion/
http://cryptsen7fo43rr6.onion.to/
http://cryptsen7fo43rr6.onion.cab/
Extracted
C:\README4.txt
http://cryptsen7fo43rr6.onion/
http://cryptsen7fo43rr6.onion.to/
http://cryptsen7fo43rr6.onion.cab/
Extracted
C:\README5.txt
http://cryptsen7fo43rr6.onion/
http://cryptsen7fo43rr6.onion.to/
http://cryptsen7fo43rr6.onion.cab/
Extracted
C:\README6.txt
http://cryptsen7fo43rr6.onion/
http://cryptsen7fo43rr6.onion.to/
http://cryptsen7fo43rr6.onion.cab/
Extracted
C:\README7.txt
http://cryptsen7fo43rr6.onion/
http://cryptsen7fo43rr6.onion.to/
http://cryptsen7fo43rr6.onion.cab/
Extracted
C:\README8.txt
http://cryptsen7fo43rr6.onion/
http://cryptsen7fo43rr6.onion.to/
http://cryptsen7fo43rr6.onion.cab/
Extracted
C:\README9.txt
http://cryptsen7fo43rr6.onion/
http://cryptsen7fo43rr6.onion.to/
http://cryptsen7fo43rr6.onion.cab/
Extracted
C:\README10.txt
http://cryptsen7fo43rr6.onion/
http://cryptsen7fo43rr6.onion.to/
http://cryptsen7fo43rr6.onion.cab/
Signatures
-
Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
resource yara_rule behavioral1/memory/272-55-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral1/memory/272-57-0x0000000000400000-0x0000000000608000-memory.dmp upx -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ 1c.exe Set value (str) \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\"" 1c.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ 1c.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\"" 1c.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 13 whatismyipaddress.com -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\D7985539D7985539.bmp" 1c.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\button_left_mouseout.png 1c.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\de-DE\gadget.xml 1c.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Scenes_LOOP_BG.wmv 1c.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\button-highlight.png 1c.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_hail.png 1c.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\en-US\currency.html 1c.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\requests\browse.xml 1c.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-utilities.xml 1c.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\play-static.png 1c.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\currency.html 1c.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\feature.xml 1c.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\feature.xml 1c.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\dropins\README.TXT 1c.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\hwruksh.dat 1c.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\css\settings.css 1c.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationLeft_ButtonGraphic.png 1c.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Psychedelic.jpg 1c.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\hwrdeush.dat 1c.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\js\controllers.js 1c.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\1423861240811.profile.gz 1c.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\gadget.xml 1c.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-host-remote.xml 1c.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\alert_obj.png 1c.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\epl-v10.html 1c.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\gadget.xml 1c.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-awt.xml 1c.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\css\picturePuzzle.css 1c.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\square.png 1c.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-uihandler.xml 1c.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-explorer.xml 1c.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\6.png 1c.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\GreenBubbles.jpg 1c.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\(120DPI)alertIcon.png 1c.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\27.png 1c.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-execution.xml 1c.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\include\jvmti.h 1c.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\720x480icongraphic.png 1c.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-first-quarter_partly-cloudy.png 1c.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\passport.png 1c.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-keyring-impl.xml 1c.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-jmx.xml 1c.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-execution.xml 1c.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\PreviousMenuButtonIcon.png 1c.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\1047x576black.png 1c.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Dot.png 1c.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-new_partly-cloudy.png 1c.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\NextMenuButtonIcon.png 1c.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-autoupdate-ui.xml 1c.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\menu_style_default_Thumbnail.png 1c.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_gray_rainy.png 1c.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\Gadget_WMC_LogoText.png 1c.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_glass_100_fdf5ce_1x400.png 1c.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\js\picturePuzzle.js 1c.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\settings.html 1c.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\images\dial.png 1c.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\cpu.html 1c.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\icon.png 1c.exe File opened for modification C:\Program Files\Windows NT\TableTextService\TableTextServiceYi.txt 1c.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-templates.xml 1c.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_winxp_olv.css 1c.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\2.png 1c.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\logo.png 1c.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\flyout.html 1c.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\js\init.js 1c.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
pid pid_target Process procid_target 224 1312 WerFault.exe 16 -
Interacts with shadow copies 2 TTPs 3 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 1400 vssadmin.exe 1208 vssadmin.exe 2024 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 272 1c.exe 272 1c.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeBackupPrivilege 1884 vssvc.exe Token: SeRestorePrivilege 1884 vssvc.exe Token: SeAuditPrivilege 1884 vssvc.exe -
Suspicious use of UnmapMainImage 1 IoCs
pid Process 272 1c.exe -
Suspicious use of WriteProcessMemory 20 IoCs
description pid Process procid_target PID 272 wrote to memory of 1400 272 1c.exe 28 PID 272 wrote to memory of 1400 272 1c.exe 28 PID 272 wrote to memory of 1400 272 1c.exe 28 PID 272 wrote to memory of 1400 272 1c.exe 28 PID 272 wrote to memory of 1208 272 1c.exe 32 PID 272 wrote to memory of 1208 272 1c.exe 32 PID 272 wrote to memory of 1208 272 1c.exe 32 PID 272 wrote to memory of 1208 272 1c.exe 32 PID 272 wrote to memory of 2024 272 1c.exe 34 PID 272 wrote to memory of 2024 272 1c.exe 34 PID 272 wrote to memory of 2024 272 1c.exe 34 PID 272 wrote to memory of 2024 272 1c.exe 34 PID 272 wrote to memory of 716 272 1c.exe 36 PID 272 wrote to memory of 716 272 1c.exe 36 PID 272 wrote to memory of 716 272 1c.exe 36 PID 272 wrote to memory of 716 272 1c.exe 36 PID 716 wrote to memory of 2020 716 cmd.exe 38 PID 716 wrote to memory of 2020 716 cmd.exe 38 PID 716 wrote to memory of 2020 716 cmd.exe 38 PID 716 wrote to memory of 2020 716 cmd.exe 38
Processes
-
C:\Users\Admin\AppData\Local\Temp\1c.exe"C:\Users\Admin\AppData\Local\Temp\1c.exe"1⤵
- Adds Run key to start application
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:272 -
C:\Windows\system32\vssadmin.exeC:\Windows\system32\vssadmin.exe List Shadows2⤵
- Interacts with shadow copies
PID:1400
-
-
C:\Windows\system32\vssadmin.exeC:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet2⤵
- Interacts with shadow copies
PID:1208
-
-
C:\Windows\system32\vssadmin.exeC:\Windows\system32\vssadmin.exe List Shadows2⤵
- Interacts with shadow copies
PID:2024
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe2⤵
- Suspicious use of WriteProcessMemory
PID:716 -
C:\Windows\SysWOW64\chcp.comchcp3⤵PID:2020
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1884
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 1312 -s 17881⤵
- Program crash
PID:224