Analysis
max time kernel: 137s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 25-04-2022 21:41
Static task: static1
Behavioral task: behavioral1
Sample: ???? ?????? ?????? ??????????? ??????.js
Resource: win7-20220414-en
Behavioral task: behavioral2
Sample: ???? ?????? ?????? ??????????? ??????.js
Resource: win10v2004-20220414-en
General
Target: ???? ?????? ?????? ??????????? ??????.js
Size: 6KB
MD5: a0eda7011826f1fd9570cbca604f6d56
SHA1: 34945745f5f129acc032522d44e5b4d76a68f792
SHA256: 6c99965799210d23afbd37fca69f810854f548ded8f600ecd93c3990d8d2bdda
SHA512: ecf3beb5898bd3df212bfa6204b8496f1dd90d80daa19112f181defe25ff81b0ebc36fb4ec8f0d6dbade5af08df111f423862ee884682c847eaeb169f9f7ca47
Malware Config
Signatures
Troldesh, Shade, Encoder.858
Troldesh is ransomware spread by malspam.
Blocklisted process makes network request (4 IoCs)
flow  pid   Process
4     2592  wscript.exe
6     2592  wscript.exe
22    2592  wscript.exe
23    2592  wscript.exe
Downloads MZ/PE file

Executes dropped EXE (1 IoCs)
pid   Process
1724  radB0D00.tmp

resource                                                                      yara_rule
behavioral2/memory/1724-135-0x0000000000400000-0x0000000000608000-memory.dmp  upx
behavioral2/memory/1724-136-0x0000000000400000-0x0000000000608000-memory.dmp  upx
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
description        ioc                                                                                                  Process
Key value queried  \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation  wscript.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
description      ioc                                                                                                                                                                                   Process
Key created      \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\                                                                         radB0D00.tmp
Set value (str)  \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\""  radB0D00.tmp
Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid   Process
1724  radB0D00.tmp
1724  radB0D00.tmp
1724  radB0D00.tmp
1724  radB0D00.tmp

Suspicious use of WriteProcessMemory (5 IoCs)
description                       pid   Process      procid_target
PID 2592 wrote to memory of 2556  2592  wscript.exe  87
PID 2592 wrote to memory of 2556  2592  wscript.exe  87
PID 2556 wrote to memory of 1724  2556  cmd.exe      89
PID 2556 wrote to memory of 1724  2556  cmd.exe      89
PID 2556 wrote to memory of 1724  2556  cmd.exe      89
Processes
1. C:\Windows\system32\wscript.exe
   wscript.exe "C:\Users\Admin\AppData\Local\Temp\____ ______ ______ ___________ ______.js"
   - Blocklisted process makes network request
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   PID: 2592
   2. C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\radB0D00.tmp
      - Suspicious use of WriteProcessMemory
      PID: 2556
      3. C:\Users\Admin\AppData\Local\Temp\radB0D00.tmp
         C:\Users\Admin\AppData\Local\Temp\radB0D00.tmp
         - Executes dropped EXE
         - Adds Run key to start application
         - Suspicious behavior: EnumeratesProcesses
         PID: 1724
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 1.2MB
MD5: 87ab5f476d4351224d893e267cc30d3b
SHA1: 22e1fefd40bde744c165d316db26e88b5f4e6e70
SHA256: ca233059d5f7370dfdadf37d8f6b27ebf72ddaf6458613c2084b705727cf68ab
SHA512: 7eb4776b09d586364d88ab1992133d9a0788c2c6c2e3ea4993ed061f4d25db9c7a3755a8add4775273193b953ca79ada4167d4a3671abbf728a4d0a61dd4e183