Overview

overview

10

Static

static

URLScan

urlscan

https://github.com/E...

windows10-1703-x64

10

Resubmissions

13-01-2023 04:41

230113-fbbsdsaa4w 10

13-01-2023 04:37

230113-e857tsaa3v 6

Analysis

  • max time kernel
    121s
  • max time network
    143s
  • platform
    windows10-1703_x64
  • resource
    win10-20220812-en
  • resource tags

    arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
  • submitted
    13-01-2023 04:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    https://github.com/Endermanch/MalwareDatabase/blob/master/ransomwares/NoMoreRansom.zip?raw=true

Score
10/10
troldeshpersistenceransomwaretrojanupx

Malware Config

Signatures

  • Troldesh, Shade, Encoder.858

    Troldesh is a ransomware spread by malspam.

    ransomwaretrojantroldesh
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 44 IoCs
    adwarespyware
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 9 IoCs
  • Suspicious use of SendNotifyMessage 6 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" https://github.com/Endermanch/MalwareDatabase/blob/master/ransomwares/NoMoreRansom.zip?raw=true
    1⤵
    • Modifies Internet Explorer Phishing Filter
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3176
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3176 CREDAT:82945 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:1016
  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4808
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      2⤵
      • Checks processor information in registry
      PID:388
  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2344
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4240
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4240.0.482242239\1304502954" -parentBuildID 20200403170909 -prefsHandle 1552 -prefMapHandle 1544 -prefsLen 1 -prefMapSize 220115 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4240 "\\.\pipe\gecko-crash-server-pipe.4240" 1624 gpu
        3⤵
          PID:4276
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4240.3.1027094868\1178475606" -childID 1 -isForBrowser -prefsHandle 2248 -prefMapHandle 2276 -prefsLen 156 -prefMapSize 220115 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4240 "\\.\pipe\gecko-crash-server-pipe.4240" 2320 tab
          3⤵
            PID:3480
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4240.13.1571799648\188238985" -childID 2 -isForBrowser -prefsHandle 3424 -prefMapHandle 3444 -prefsLen 6938 -prefMapSize 220115 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4240 "\\.\pipe\gecko-crash-server-pipe.4240" 3436 tab
            3⤵
              PID:2496
        • C:\Windows\System32\rundll32.exe
          C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
          1⤵
            PID:4672
          • C:\Users\Admin\AppData\Local\Temp\Temp1_NoMoreRansom.zip\[email protected]
            "C:\Users\Admin\AppData\Local\Temp\Temp1_NoMoreRansom.zip\[email protected]"
            1⤵
            • Adds Run key to start application
            • Suspicious behavior: EnumeratesProcesses
            PID:204

          Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
            Filesize

            471B

            MD5

            c095652a90450f6e9ed5dbdcb1f7e807

            SHA1

            e751b539a52150785c0740d444aa759331b985aa

            SHA256

            7dc466e98f2432c283d67159d100a79c1440e6fd132a9b8aa493cc26f8ff1181

            SHA512

            aa00b805ac890c08dc5eb6cd2cd78385e1b0f4228f1ec1466bf6c203ba3359710539f78a11bca7421e55ad55e6eedafbcefbaecfe7345b56b4beffe6ff57875a

            Download Submit

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
            Filesize

            434B

            MD5

            27e3a35d76f135ee6344f578bbc2f8bd

            SHA1

            922f4b1e8899157a6438831c0248d4aad7df7e65

            SHA256

            ed51d07f1164875b1d265b93c4680246fea4247def13448a94a280e355b87aef

            SHA512

            068248df62b83bbebc7a970ebc221177614073594520ba09fb738f9704d9d446398c31da84f9f81ead160bd1351f252e8e0fb32a36f9b3b3fbfe0688c7e36037

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\MYSJUN2Q.cookie
            Filesize

            611B

            MD5

            cd4bf38a9f14559b7f21369023f62e33

            SHA1

            af9e6712d009fd2d2e90a28aa5638c4db68772a0

            SHA256

            86c4854fb0c1248cbc291de0bd8b3b01b6934455b815319e4ee247fa7b38bf5d

            SHA512

            8777f80791557e8600134669001f4bf67010acc920d695768bbee7f23a72ea7f3f8275b493b593c3e50b59ba7484697816a7b19efd1773af9767f4b9952c8cd6

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\V3W1EU5Y.cookie
            Filesize

            610B

            MD5

            cd7533166c4e5857eb358a32cec803ab

            SHA1

            51c4c4829299084ee95252c91da910c67ffbe867

            SHA256

            3e8498188a1674caa8ee15008572aac9c58977050fa5be3e0ee165febc46948f

            SHA512

            70f54c6eec4219954d74594b1fd8ac526e76373c7e8776f571f4123e199be8f92f373c682630a17b609999be72127e8981dcda4589ac62f1e282c752fbd5f663

            Download Submit

          • C:\Users\Admin\Downloads\NoMoreRansom.zip.mci2y4m.partial
            Filesize

            916KB

            MD5

            f315e49d46914e3989a160bbcfc5de85

            SHA1

            99654bfeaad090d95deef3a2e9d5d021d2dc5f63

            SHA256

            5cbb6442c47708558da29588e0d8ef0b34c4716be4a47e7c715ea844fbcf60d7

            SHA512

            224747b15d0713afcb2641f8f3aa1687516d42e045d456b3ed096a42757a6c10c6626672366c9b632349cf6ffe41011724e6f4b684837de9b719d0f351dfd22e

            Download Submit

          • memory/204-118-0x0000000077D30000-0x0000000077EBE000-memory.dmp

            Filesize

            1.6MB

            Download

          • memory/204-119-0x0000000077D30000-0x0000000077EBE000-memory.dmp

            Filesize

            1.6MB

            Download

          • memory/204-120-0x0000000077D30000-0x0000000077EBE000-memory.dmp

            Filesize

            1.6MB

            Download

          • memory/204-121-0x0000000077D30000-0x0000000077EBE000-memory.dmp

            Filesize

            1.6MB

            Download

          • memory/204-122-0x0000000077D30000-0x0000000077EBE000-memory.dmp

            Filesize

            1.6MB

            Download

          • memory/204-123-0x0000000077D30000-0x0000000077EBE000-memory.dmp

            Filesize

            1.6MB

            Download

          • memory/204-124-0x0000000077D30000-0x0000000077EBE000-memory.dmp

            Filesize

            1.6MB

            Download

          • memory/204-125-0x0000000077D30000-0x0000000077EBE000-memory.dmp

            Filesize

            1.6MB

            Download

          • memory/204-126-0x0000000077D30000-0x0000000077EBE000-memory.dmp

            Filesize

            1.6MB

            Download

          • memory/204-127-0x0000000077D30000-0x0000000077EBE000-memory.dmp

            Filesize

            1.6MB

            Download

          • memory/204-128-0x0000000077D30000-0x0000000077EBE000-memory.dmp

            Filesize

            1.6MB

            Download

          • memory/204-129-0x0000000077D30000-0x0000000077EBE000-memory.dmp

            Filesize

            1.6MB

            Download

          • memory/204-130-0x0000000077D30000-0x0000000077EBE000-memory.dmp

            Filesize

            1.6MB

            Download

          • memory/204-131-0x0000000077D30000-0x0000000077EBE000-memory.dmp

            Filesize

            1.6MB

            Download

          • memory/204-132-0x0000000077D30000-0x0000000077EBE000-memory.dmp

            Filesize

            1.6MB

            Download

          • memory/204-133-0x0000000077D30000-0x0000000077EBE000-memory.dmp

            Filesize

            1.6MB

            Download

          • memory/204-134-0x0000000077D30000-0x0000000077EBE000-memory.dmp

            Filesize

            1.6MB

            Download

          • memory/204-135-0x0000000077D30000-0x0000000077EBE000-memory.dmp

            Filesize

            1.6MB

            Download

          • memory/204-137-0x0000000077D30000-0x0000000077EBE000-memory.dmp

            Filesize

            1.6MB

            Download

          • memory/204-136-0x0000000077D30000-0x0000000077EBE000-memory.dmp

            Filesize

            1.6MB

            Download

          • memory/204-138-0x0000000077D30000-0x0000000077EBE000-memory.dmp

            Filesize

            1.6MB

            Download

          • memory/204-139-0x0000000077D30000-0x0000000077EBE000-memory.dmp

            Filesize

            1.6MB

            Download

          • memory/204-140-0x0000000077D30000-0x0000000077EBE000-memory.dmp

            Filesize

            1.6MB

            Download

          • memory/204-141-0x0000000077D30000-0x0000000077EBE000-memory.dmp

            Filesize

            1.6MB

            Download

          • memory/204-142-0x0000000077D30000-0x0000000077EBE000-memory.dmp

            Filesize

            1.6MB

            Download

          • memory/204-143-0x0000000077D30000-0x0000000077EBE000-memory.dmp

            Filesize

            1.6MB

            Download

          • memory/204-144-0x0000000077D30000-0x0000000077EBE000-memory.dmp

            Filesize

            1.6MB

            Download

          • memory/204-145-0x0000000077D30000-0x0000000077EBE000-memory.dmp

            Filesize

            1.6MB

            Download

          • memory/204-146-0x0000000077D30000-0x0000000077EBE000-memory.dmp

            Filesize

            1.6MB

            Download

          • memory/204-147-0x0000000077D30000-0x0000000077EBE000-memory.dmp

            Filesize

            1.6MB

            Download

          • memory/204-148-0x0000000077D30000-0x0000000077EBE000-memory.dmp

            Filesize

            1.6MB

            Download

          • memory/204-149-0x0000000077D30000-0x0000000077EBE000-memory.dmp

            Filesize

            1.6MB

            Download

          • memory/204-150-0x0000000077D30000-0x0000000077EBE000-memory.dmp

            Filesize

            1.6MB

            Download

          • memory/204-151-0x0000000077D30000-0x0000000077EBE000-memory.dmp

            Filesize

            1.6MB

            Download

          • memory/204-152-0x0000000000400000-0x00000000005DE000-memory.dmp

            Filesize

            1.9MB

            Download

          • memory/204-153-0x0000000077D30000-0x0000000077EBE000-memory.dmp

            Filesize

            1.6MB

            Download

          • memory/204-154-0x0000000077D30000-0x0000000077EBE000-memory.dmp

            Filesize

            1.6MB

            Download

          • memory/204-155-0x0000000077D30000-0x0000000077EBE000-memory.dmp

            Filesize

            1.6MB

            Download

          • memory/204-156-0x0000000077D30000-0x0000000077EBE000-memory.dmp

            Filesize

            1.6MB

            Download

          • memory/204-157-0x0000000077D30000-0x0000000077EBE000-memory.dmp

            Filesize

            1.6MB

            Download

          • memory/204-158-0x0000000077D30000-0x0000000077EBE000-memory.dmp

            Filesize

            1.6MB

            Download

          • memory/204-160-0x0000000077D30000-0x0000000077EBE000-memory.dmp

            Filesize

            1.6MB

            Download

          • memory/204-161-0x0000000077D30000-0x0000000077EBE000-memory.dmp

            Filesize

            1.6MB

            Download

          • memory/204-159-0x0000000077D30000-0x0000000077EBE000-memory.dmp

            Filesize

            1.6MB

            Download

          • memory/204-162-0x0000000077D30000-0x0000000077EBE000-memory.dmp

            Filesize

            1.6MB

            Download

          • memory/204-163-0x0000000077D30000-0x0000000077EBE000-memory.dmp

            Filesize

            1.6MB

            Download

          • memory/204-164-0x0000000077D30000-0x0000000077EBE000-memory.dmp

            Filesize

            1.6MB

            Download

          • memory/204-166-0x0000000077D30000-0x0000000077EBE000-memory.dmp

            Filesize

            1.6MB

            Download

          • memory/204-168-0x0000000077D30000-0x0000000077EBE000-memory.dmp

            Filesize

            1.6MB

            Download

          • memory/204-167-0x0000000000400000-0x00000000005DE000-memory.dmp

            Filesize

            1.9MB

            Download

          • memory/204-165-0x0000000002320000-0x00000000023EE000-memory.dmp

            Filesize

            824KB

            Download

          • memory/204-169-0x0000000077D30000-0x0000000077EBE000-memory.dmp

            Filesize

            1.6MB

            Download

          • memory/204-170-0x0000000077D30000-0x0000000077EBE000-memory.dmp

            Filesize

            1.6MB

            Download

          • memory/204-171-0x0000000077D30000-0x0000000077EBE000-memory.dmp

            Filesize

            1.6MB

            Download

          • memory/204-172-0x0000000077D30000-0x0000000077EBE000-memory.dmp

            Filesize

            1.6MB

            Download

          • memory/204-173-0x0000000077D30000-0x0000000077EBE000-memory.dmp

            Filesize

            1.6MB

            Download

          • memory/204-174-0x0000000077D30000-0x0000000077EBE000-memory.dmp

            Filesize

            1.6MB

            Download

          • memory/204-175-0x0000000077D30000-0x0000000077EBE000-memory.dmp

            Filesize

            1.6MB

            Download

          • memory/204-176-0x0000000077D30000-0x0000000077EBE000-memory.dmp

            Filesize

            1.6MB

            Download

          • memory/204-177-0x0000000077D30000-0x0000000077EBE000-memory.dmp

            Filesize

            1.6MB

            Download

          • memory/204-180-0x0000000000400000-0x00000000005DE000-memory.dmp

            Filesize

            1.9MB

            Download