Overview

overview

10

Static

static

1

53e3bb561c...07.exe

windows10-1703-x64

10

Resubmissions

07-04-2024 06:19

240407-g267nafd52 10

07-04-2024 06:18

240407-g2zgtaeh51 10

07-04-2024 06:17

240407-g2jrcsfd36 10

07-04-2024 03:06

240407-dl39aaca62 10

06-03-2022 02:16

220306-cp91kabeel 10

Analysis

  • max time kernel
    1190s
  • max time network
    1072s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    07-04-2024 06:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    53e3bb561c54df00565fba06ddf477f9980e734e543c85103d8c073cb13a5107.exe

  • Size

    1.4MB

  • MD5

    0bb5679dae9b16d3926be4b2c8c596d7

  • SHA1

    f0d68b1798913c37b3c19970262e3d0e63558232

  • SHA256

    53e3bb561c54df00565fba06ddf477f9980e734e543c85103d8c073cb13a5107

  • SHA512

    31ac1246975c6d432a1751997a83e2fec5fb91ba538915be08d67a5db385adb22d994f1d19ebb1374e0bad07accf7b1b892f5f68a6e6cbb0e71cc08479fff4ee

  • SSDEEP

    12288:GBpIwAR/kkMD/thCtMybHDYmCTO8f9QdQ0qqA28tHbgPXv5uT8rsOJLnM27GZe/:G7Iw8cjhSHDY3XQ2WzC7guYrNJDM26y

Score
10/10
troldeshdiscoverypersistenceransomwarespywarestealertrojanupx

Malware Config

Signatures

  • Troldesh, Shade, Encoder.858

    Troldesh is a ransomware spread by malspam.

    ransomwaretrojantroldesh
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
    persistence
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • UPX packed file 64 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates connected drives 3 TTPs 3 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 26 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Interacts with shadow copies 2 TTPs 3 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Modifies registry class 32 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 55 IoCs
  • Suspicious use of FindShellTrayWindow 44 IoCs
  • Suspicious use of SendNotifyMessage 23 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\53e3bb561c54df00565fba06ddf477f9980e734e543c85103d8c073cb13a5107.exe
    "C:\Users\Admin\AppData\Local\Temp\53e3bb561c54df00565fba06ddf477f9980e734e543c85103d8c073cb13a5107.exe"
    1⤵
    • Adds Run key to start application
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3012
    • C:\Windows\system32\vssadmin.exe
      C:\Windows\system32\vssadmin.exe List Shadows
      2⤵
      • Interacts with shadow copies
      PID:2164
    • C:\Windows\system32\vssadmin.exe
      C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
      2⤵
      • Interacts with shadow copies
      PID:4456
    • C:\Windows\system32\vssadmin.exe
      C:\Windows\system32\vssadmin.exe List Shadows
      2⤵
      • Interacts with shadow copies
      PID:2132
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:856
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Modifies Installed Components in the registry
    • Enumerates connected drives
    • Drops file in Windows directory
    • Checks SCSI registry key(s)
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1748
  • C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
    1⤵
    • Drops file in Windows directory
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:2744

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\System32\xfs
    Filesize

    263KB

    MD5

    1ccbb0cb0c653ca50674020d76709c47

    SHA1

    bb26515c238ec01241d04d8d177cfbc0c6f10101

    SHA256

    83104135e3f282ac6f8217d9364c5f861fb725335dbf7c99f3b04767e655e312

    SHA512

    c3878ffe37475209004be8877684fab51395120f3a2f1c9000c6ecb8f280d778744d0abfdb02b2ad78730feff3dd37969817e7a48c6006b170027e5e1f049184

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db
    Filesize

    1024KB

    MD5

    eec3fe6baad1a086027cdd438077289c

    SHA1

    7d85f86f8447d3c16d85406bf39fb3def1a8cf82

    SHA256

    5b4aaee1e8e08ca9dbcb68bf922d6cac5b61b0c2c7bf00a272c65dc881d50d57

    SHA512

    f8ea256986ba1948104e2e72f03ebd699f6a6ecac9db0642a23115e9a48c984b7fb01026bf312e6bab494b4505033a684fa19d8955bc303e30f0739cbf664ef4

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db
    Filesize

    1024KB

    MD5

    bc449dda9fe63a89b82180a57844f236

    SHA1

    cc6137d827e95848a4f6594ac4ef3e036b9e67a3

    SHA256

    08f241e045db9b1ee04672c05954bd26d83c37df1b0856e1f05015e42647e286

    SHA512

    f792cff0267964da462357f43d718a6909f67e2a64948330b21abfaacc1243dc614591d850b88cc6f8d7ed388940b63c287366fc09e90c21a153f14e33c6fe5d

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db
    Filesize

    7KB

    MD5

    5a9642d459cbf1be05ca5e52a4a9142d

    SHA1

    24eb0bebddff4e3e58de4583a94c7453e8f89dc6

    SHA256

    16bafbf0aeda01f8287aae20e90f91eb85dc0f3129510d0a1da3777232a7935a

    SHA512

    a24fbc22be9bb5b137266d5928ac48e0e3627d88e4608351d06a8cae732ad673d529be451d19281079617669eaa8cacc3e023e3361db3a3533728fb670b03ff0

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db
    Filesize

    7KB

    MD5

    6eda9b967c1e6522f0bd809588905b77

    SHA1

    c76327a9568e277fe28ff1baaaf37c673d6f7121

    SHA256

    a66f5e20a7b8b677138974fc4eca8ee258257451e6b3145e8dbcb514199acb00

    SHA512

    dd3dcc9bb9575b0bb1353b11e4155db5e61a337c5793ece7aab820e2b79ba1475279af72c49789f7e2920015b357af817687d65e77bca2a262a5b4898a7946df

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_16.db
    Filesize

    1024KB

    MD5

    a802cd9f9b6815ffd81a9dbd919e6b18

    SHA1

    2c271c0efc1bbe3b3471d6d21ad7d35c114d2c78

    SHA256

    d418e46e6fd2687d8ad5d5a74553f20b1588fd8549ed7d21ea1fbd55fa7d64ea

    SHA512

    7e27ab0cc0b88ee5019169cb07d92a815eaf8643cc253a0d4fd6e90672fd1cf862eefcdf679168c3676cf252ab5fe095050e007c9d93bc34e5951dac8c5863f0

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_48.db
    Filesize

    24B

    MD5

    ae6fbded57f9f7d048b95468ddee47ca

    SHA1

    c4473ea845be2fb5d28a61efd72f19d74d5fc82e

    SHA256

    d3c9d1ff7b54b653c6a1125cac49f52070338a2dd271817bba8853e99c0f33a9

    SHA512

    f119d5ad9162f0f5d376e03a9ea15e30658780e18dd86e81812dda8ddf59addd1daa0706b2f5486df8f17429c2c60aa05d4f041a2082fd2ec6ea8cc9469fade3

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db
    Filesize

    7KB

    MD5

    9522befc1aad13eb899f4bb05bf4bebe

    SHA1

    c3c22fb61caea0e19fd8ccf57ab67dcd315b224c

    SHA256

    f5d3e82788f15188fe6f5ef010330b74b951111eaab4cc40fdf193d74dffa354

    SHA512

    f4e5b900b85b1d6e2aaa95ba2b459af672c683bd02dd87c01d5b251189f933722d1470f68c98bc275db9ad4b35955c94733d1ab846e6b6ba024ac6b268bf8f63

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db
    Filesize

    7KB

    MD5

    6bc50f583f93fe2914a7198c36a07038

    SHA1

    81f4eb344b03f76edcdc5a7d1688e31f8db476f0

    SHA256

    b8b337c81b9273390d4df614c1725e2fc931ab9957208163d99f158d0a984ee6

    SHA512

    db69ef8769033ba219be6a7b96c863cc7c2a6118262bb078cedadc1fd7c776750d8f629e395c69be97b7519629487615be05279430f6b22e3d0978cb5f793452

    Download Submit

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\4GLL2V85\microsoft.windows[1].xml
    Filesize

    97B

    MD5

    b970f95d24ba832ecf304dfbab8be7e4

    SHA1

    d48dcbcd7b3ccd8a16dbb2148c88cd5b4f9c5186

    SHA256

    5443e94af41ecb5551b5866150ff4721f34d66b8665b60d0afb1baf99fe92987

    SHA512

    ba96b862242bad8386e635ccf89f451b59c6522db90a00005cdccdd771dc036b4c53f69f3cfabdced769d4fa86eaaaaf1873dfe242bbd8c96aa0bff04dfd2d27

    Download Submit

  • C:\Users\Admin\AppData\Roaming\FBF5A0B1FBF5A0B1.bmp
    Filesize

    2.6MB

    MD5

    993cc909a89f0fb7fe90acc3703c2105

    SHA1

    f422cdcb426718b235a19080b0daf71c9b448768

    SHA256

    4aa6cdb9ce95410f85a05b21967d224cfd49cf8c7fa18d9998304a16d4e4b5d8

    SHA512

    5ec562b1e6f91f8774bf8fd00a6a413b4b4b5be2ede17ff9c417fce7097b7d313b136740e525c19a77f220e80fb0e92f8f4d1866ea185c9fc6755c3b41aa9762

    Download Submit

  • memory/3012-39-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3012-45-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3012-12-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3012-13-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3012-14-0x0000000002230000-0x0000000002305000-memory.dmp

    Filesize

    852KB

    Download

  • memory/3012-15-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3012-16-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3012-17-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3012-18-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3012-19-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3012-22-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3012-23-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3012-24-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3012-25-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3012-26-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3012-27-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3012-28-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3012-29-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3012-30-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3012-31-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3012-32-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3012-33-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3012-34-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3012-35-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3012-36-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3012-37-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3012-38-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3012-8-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3012-40-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3012-41-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3012-42-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3012-43-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3012-44-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3012-11-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3012-46-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3012-47-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3012-48-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3012-49-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3012-50-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3012-51-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3012-52-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3012-53-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3012-54-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3012-55-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3012-56-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3012-57-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3012-58-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3012-59-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3012-60-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3012-61-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3012-62-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3012-63-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3012-64-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3012-65-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3012-66-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3012-67-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3012-5-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3012-3-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3012-4-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3012-2-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3012-1-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3012-0-0x0000000002230000-0x0000000002305000-memory.dmp

    Filesize

    852KB

    Download

  • memory/3012-68-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3012-69-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3012-70-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3012-71-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3012-72-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download