
Analysis

  • max time kernel
    143s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240221-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23/02/2024, 00:19 UTC

General

  • Target

    Endermanch@NoMoreRansom.exe

  • Size

    1.4MB

  • MD5

    63210f8f1dde6c40a7f3643ccf0ff313

  • SHA1

    57edd72391d710d71bead504d44389d0462ccec9

  • SHA256

    2aab13d49b60001de3aa47fb8f7251a973faa7f3c53a3840cdf5fd0b26e9a09f

  • SHA512

    87a89e8ab85be150a783a9f8d41797cfa12f86fdccb48f2180c0498bfd2b1040b730dee4665fe2c83b98d436453680226051b7f1532e1c0e0cda0cf702e80a11

  • SSDEEP

    12288:WZgSKWk54jeg6lL5assQHtzV2KoLJ+PwXxwuLSJ8slf1zMr6iL/KNDx2PIXe2Q:KgoLetlLS8tz6V+PwD0XVMrXCNDxtK

Malware Config

Signatures

  • Troldesh, Shade, Encoder.858

    Troldesh is a ransomware spread by malspam.

  • UPX packed file 20 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Endermanch@NoMoreRansom.exe
    "C:\Users\Admin\AppData\Local\Temp\Endermanch@NoMoreRansom.exe"
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    PID:760
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\UnpublishSearch.cmd" "
    PID:3008
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\TestOptimize.ini
      • Opens file in notepad (likely ransom note)
      PID:5012

    Network

    DNS (reverse lookups, remote address 8.8.8.8:53)

    • Request 64.159.190.20.in-addr.arpa IN PTR; Response: none
    • Request 194.178.17.96.in-addr.arpa IN PTR; Response: a96-17-178-194.deploy.static.akamaitechnologies.com
    • Request 57.169.31.20.in-addr.arpa IN PTR; Response: none
    • Request 9.193.25.171.in-addr.arpa IN PTR; Response: maatuska.4711.se
    • Request 26.165.165.52.in-addr.arpa IN PTR; Response: none
    • Request 171.39.242.20.in-addr.arpa IN PTR; Response: none
    • Request 140.71.91.104.in-addr.arpa IN PTR; Response: a104-91-71-140.deploy.static.akamaitechnologies.com
    • Request 0.205.248.87.in-addr.arpa IN PTR; Response: https-87-248-205-0.lgw.llnw.net
    • Request 11.227.111.52.in-addr.arpa IN PTR; Response: none
    • Request 0.204.248.87.in-addr.arpa IN PTR; Response: https-87-248-204-0.lhr.llnw.net
    • Request 211.143.182.52.in-addr.arpa IN PTR; Response: none

    Connections (address, name, protocol, process, then the report's traffic counters in their original column order)

    • 171.25.193.9:80, www.v3x4xyp3j3kzvrk.com, tls, Endermanch@NoMoreRansom.exe: 3.1kB / 6.2kB / 12 / 10
    • 127.0.0.1:51286, Endermanch@NoMoreRansom.exe
    • 194.109.206.212:443, Endermanch@NoMoreRansom.exe: 260 B / 5
    • 8.8.8.8:53, 64.159.190.20.in-addr.arpa, dns: 72 B / 158 B / 1 / 1
    • 8.8.8.8:53, 194.178.17.96.in-addr.arpa, dns: 72 B / 137 B / 1 / 1
    • 8.8.8.8:53, 57.169.31.20.in-addr.arpa, dns: 71 B / 157 B / 1 / 1
    • 8.8.8.8:53, 9.193.25.171.in-addr.arpa, dns: 71 B / 101 B / 1 / 1
    • 8.8.8.8:53, 26.165.165.52.in-addr.arpa, dns: 72 B / 146 B / 1 / 1
    • 8.8.8.8:53, 171.39.242.20.in-addr.arpa, dns: 72 B / 158 B / 1 / 1
    • 8.8.8.8:53, 140.71.91.104.in-addr.arpa, dns: 72 B / 137 B / 1 / 1
    • 8.8.8.8:53, 0.205.248.87.in-addr.arpa, dns: 71 B / 116 B / 1 / 1
    • 8.8.8.8:53, 11.227.111.52.in-addr.arpa, dns: 72 B / 158 B / 1 / 1
    • 8.8.8.8:53, 0.204.248.87.in-addr.arpa, dns: 71 B / 116 B / 1 / 1
    • 8.8.8.8:53, 211.143.182.52.in-addr.arpa, dns: 73 B / 147 B / 1 / 1

    MITRE ATT&CK Enterprise v15


    Downloads (memory dumps, with filesize)

    • memory/760-0-0x00000000021F0000-0x00000000022BE000-memory.dmp: 824KB
    • memory/760-1-0x0000000000400000-0x00000000005DE000-memory.dmp: 1.9MB
    • memory/760-2-0x0000000000400000-0x00000000005DE000-memory.dmp: 1.9MB
    • memory/760-3-0x0000000000400000-0x00000000005DE000-memory.dmp: 1.9MB
    • memory/760-4-0x0000000000400000-0x00000000005DE000-memory.dmp: 1.9MB
    • memory/760-5-0x0000000000400000-0x00000000005DE000-memory.dmp: 1.9MB
    • memory/760-9-0x0000000000400000-0x00000000005DE000-memory.dmp: 1.9MB
    • memory/760-10-0x0000000000400000-0x00000000005DE000-memory.dmp: 1.9MB
    • memory/760-11-0x0000000000400000-0x00000000005DE000-memory.dmp: 1.9MB
    • memory/760-12-0x0000000000400000-0x00000000005DE000-memory.dmp: 1.9MB
    • memory/760-13-0x0000000000400000-0x00000000005DE000-memory.dmp: 1.9MB
    • memory/760-14-0x0000000000400000-0x00000000005DE000-memory.dmp: 1.9MB
    • memory/760-15-0x0000000000400000-0x00000000005DE000-memory.dmp: 1.9MB
    • memory/760-18-0x0000000000400000-0x00000000005DE000-memory.dmp: 1.9MB
    • memory/760-19-0x0000000000400000-0x00000000005DE000-memory.dmp: 1.9MB
    • memory/760-20-0x0000000000400000-0x00000000005DE000-memory.dmp: 1.9MB
    • memory/760-21-0x0000000000400000-0x00000000005DE000-memory.dmp: 1.9MB
    • memory/760-22-0x0000000000400000-0x00000000005DE000-memory.dmp: 1.9MB
    • memory/760-23-0x0000000000400000-0x00000000005DE000-memory.dmp: 1.9MB
    • memory/760-24-0x0000000000400000-0x00000000005DE000-memory.dmp: 1.9MB
    • memory/760-25-0x0000000000400000-0x00000000005DE000-memory.dmp: 1.9MB
