Analysis
- max time kernel: 151s
- max time network: 153s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 25-04-2022 21:41
Static task: static1
Behavioral task: behavioral1
  Sample: ???? ?????? ?????? ??????????? ??????.js
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: ???? ?????? ?????? ??????????? ??????.js
  Resource: win10v2004-20220414-en
General
- Target: ???? ?????? ?????? ??????????? ??????.js
- Size: 6KB
- MD5: a0eda7011826f1fd9570cbca604f6d56
- SHA1: 34945745f5f129acc032522d44e5b4d76a68f792
- SHA256: 6c99965799210d23afbd37fca69f810854f548ded8f600ecd93c3990d8d2bdda
- SHA512: ecf3beb5898bd3df212bfa6204b8496f1dd90d80daa19112f181defe25ff81b0ebc36fb4ec8f0d6dbade5af08df111f423862ee884682c847eaeb169f9f7ca47
Malware Config
Extracted from C:\README1.txt, C:\README2.txt, C:\README3.txt, C:\README4.txt, C:\README5.txt, C:\README6.txt, C:\README7.txt, C:\README8.txt, C:\README9.txt and C:\README10.txt (each note carries the same three URLs):
- http://cryptsen7fo43rr6.onion/
- http://cryptsen7fo43rr6.onion.to/
- http://cryptsen7fo43rr6.onion.cab/
Signatures
- Troldesh, Shade, Encoder.858
  Troldesh is a ransomware spread by malspam.
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Blocklisted process makes network request (3 IoCs)
  flow  pid   Process
  4     2004  wscript.exe
  5     2004  wscript.exe
  7     2004  wscript.exe
- Downloads MZ/PE file
- Executes dropped EXE (1 IoC)
  pid   Process
  1084  rad820DA.tmp
- Yara rule match (2 IoCs)
  resource                                                                     yara_rule
  behavioral1/memory/1084-61-0x0000000000400000-0x0000000000608000-memory.dmp  upx
  behavioral1/memory/1084-62-0x0000000000400000-0x0000000000608000-memory.dmp  upx
- Deletes itself (1 IoC)
  pid   Process
  2004  wscript.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description      ioc                                                                                                                                                                                             Process
  Key created      \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\                                                                                       rad820DA.tmp
  Set value (str)  \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\""  rad820DA.tmp
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Drops file in Program Files directory (64 IoCs)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Interacts with shadow copies (2 TTPs, 3 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  pid   Process
  2020  vssadmin.exe
  524   vssadmin.exe
  1736  vssadmin.exe
- Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoC)
  pid   Process
  1084  rad820DA.tmp
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  1084  rad820DA.tmp
  1084  rad820DA.tmp
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description                pid   Process
  Token: SeBackupPrivilege   1452  vssvc.exe
  Token: SeRestorePrivilege  1452  vssvc.exe
  Token: SeAuditPrivilege    1452  vssvc.exe
- Suspicious use of UnmapMainImage (1 IoC)
  pid   Process
  1084  rad820DA.tmp
- Suspicious use of WriteProcessMemory (27 IoCs)
  description                        pid   Process       procid_target
  PID 2004 wrote to memory of 1724   2004  wscript.exe   29
  PID 2004 wrote to memory of 1724   2004  wscript.exe   29
  PID 2004 wrote to memory of 1724   2004  wscript.exe   29
  PID 1724 wrote to memory of 1084   1724  cmd.exe       31
  PID 1724 wrote to memory of 1084   1724  cmd.exe       31
  PID 1724 wrote to memory of 1084   1724  cmd.exe       31
  PID 1724 wrote to memory of 1084   1724  cmd.exe       31
  PID 1084 wrote to memory of 2020   1084  rad820DA.tmp  32
  PID 1084 wrote to memory of 2020   1084  rad820DA.tmp  32
  PID 1084 wrote to memory of 2020   1084  rad820DA.tmp  32
  PID 1084 wrote to memory of 2020   1084  rad820DA.tmp  32
  PID 1084 wrote to memory of 524    1084  rad820DA.tmp  36
  PID 1084 wrote to memory of 524    1084  rad820DA.tmp  36
  PID 1084 wrote to memory of 524    1084  rad820DA.tmp  36
  PID 1084 wrote to memory of 524    1084  rad820DA.tmp  36
  PID 1084 wrote to memory of 1736   1084  rad820DA.tmp  38
  PID 1084 wrote to memory of 1736   1084  rad820DA.tmp  38
  PID 1084 wrote to memory of 1736   1084  rad820DA.tmp  38
  PID 1084 wrote to memory of 1736   1084  rad820DA.tmp  38
  PID 1084 wrote to memory of 108    1084  rad820DA.tmp  40
  PID 1084 wrote to memory of 108    1084  rad820DA.tmp  40
  PID 1084 wrote to memory of 108    1084  rad820DA.tmp  40
  PID 1084 wrote to memory of 108    1084  rad820DA.tmp  40
  PID 108 wrote to memory of 660     108   cmd.exe       42
  PID 108 wrote to memory of 660     108   cmd.exe       42
  PID 108 wrote to memory of 660     108   cmd.exe       42
  PID 108 wrote to memory of 660     108   cmd.exe       42
Processes
- C:\Windows\system32\wscript.exe
  Command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\____ ______ ______ ___________ ______.js"
  PID: 2004
  Signatures: Blocklisted process makes network request; Deletes itself; Suspicious use of WriteProcessMemory
  - C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\rad820DA.tmp
    PID: 1724
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\rad820DA.tmp
      Command line: C:\Users\Admin\AppData\Local\Temp\rad820DA.tmp
      PID: 1084
      Signatures: Executes dropped EXE; Adds Run key to start application; Drops file in Program Files directory; Suspicious behavior: CmdExeWriteProcessMemorySpam; Suspicious behavior: EnumeratesProcesses; Suspicious use of UnmapMainImage; Suspicious use of WriteProcessMemory
      - C:\Windows\system32\vssadmin.exe
        Command line: C:\Windows\system32\vssadmin.exe List Shadows
        PID: 2020
        Signatures: Interacts with shadow copies
      - C:\Windows\system32\vssadmin.exe
        Command line: C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
        PID: 524
        Signatures: Interacts with shadow copies
      - C:\Windows\system32\vssadmin.exe
        Command line: C:\Windows\system32\vssadmin.exe List Shadows
        PID: 1736
        Signatures: Interacts with shadow copies
      - C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe
        PID: 108
        Signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\chcp.com
          Command line: chcp
          PID: 660
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 1452
  Signatures: Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 1.2MB
  MD5: 87ab5f476d4351224d893e267cc30d3b
  SHA1: 22e1fefd40bde744c165d316db26e88b5f4e6e70
  SHA256: ca233059d5f7370dfdadf37d8f6b27ebf72ddaf6458613c2084b705727cf68ab
  SHA512: 7eb4776b09d586364d88ab1992133d9a0788c2c6c2e3ea4993ed061f4d25db9c7a3755a8add4775273193b953ca79ada4167d4a3671abbf728a4d0a61dd4e183