troldesh | 3c0fe521f6a9cfbfabc1f27a1a64dfc081a63aaaf2a6ce8cd831f6251ee85816

Resubmissions

18-03-2024 13:43

240318-q1nhlaag4w 10

Analysis

max time kernel
1192s
max time network
1021s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
14-04-2024 10:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3c0fe521f6a9cfbfabc1f27a1a64dfc081a63aaaf2a6ce8cd831f6251ee85816.exe
Size

947KB
MD5

39217b125403ff7c755622ef9bbef974
SHA1

9fc607b7c17919c83999bdd119e9cd6bf413101a
SHA256

3c0fe521f6a9cfbfabc1f27a1a64dfc081a63aaaf2a6ce8cd831f6251ee85816
SHA512

1252ea94931eaf4426ca1eb94a070645238775c447a09286109fe894c569de29ca502882a0fa34e97e09109c43c486a3aa32081e3a3afef0b6557db59c71fc50
SSDEEP

12288:3+Zn/gJtKaNIBpB+iMMOD30ZnZ47m0T3JF9j3GOF0l7B2FzqL2aZa7rf58bs:3+RYeaNILZi/JDLG60y1aZvs

Score

10^/10

troldesh persistence ransomware spyware stealer trojan upx

Malware Config

Signatures

Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.
ransomware trojan troldesh
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2656-5835-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2656-5838-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2656-5840-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2656-5843-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2656-5844-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2656-5847-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2656-5848-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2656-5849-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2656-5850-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2656-5851-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2656-5852-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2656-5855-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2656-5856-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2656-5857-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2656-5858-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2656-5859-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2656-5860-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2656-5861-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2656-5862-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2656-5863-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2656-5864-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2656-5865-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2656-5866-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2656-5867-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2656-5868-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2656-5869-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2656-5870-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2656-5871-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2656-5872-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2656-5873-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2656-5874-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2656-5875-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2656-5876-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2656-5877-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2656-5878-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2656-5879-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2656-5880-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2656-5881-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2656-5882-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2656-5883-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2656-5884-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2656-5885-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2656-5886-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2656-5887-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2656-5888-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2656-5889-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2656-5890-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2656-5891-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2656-5892-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2656-5893-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2656-5894-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2656-5895-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2656-5896-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2656-5897-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2656-5898-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2656-5899-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2656-5900-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2656-5901-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2656-5902-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2656-5903-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2656-5904-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2656-5905-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2656-5906-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2656-5907-0x0000000000400000-0x00000000005DE000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\""	3c0fe521f6a9cfbfabc1f27a1a64dfc081a63aaaf2a6ce8cd831f6251ee85816.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\""	3c0fe521f6a9cfbfabc1f27a1a64dfc081a63aaaf2a6ce8cd831f6251ee85816.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	3c0fe521f6a9cfbfabc1f27a1a64dfc081a63aaaf2a6ce8cd831f6251ee85816.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	3c0fe521f6a9cfbfabc1f27a1a64dfc081a63aaaf2a6ce8cd831f6251ee85816.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\B468C154B468C154.bmp"	3c0fe521f6a9cfbfabc1f27a1a64dfc081a63aaaf2a6ce8cd831f6251ee85816.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\css\RSSFeeds.css	3c0fe521f6a9cfbfabc1f27a1a64dfc081a63aaaf2a6ce8cd831f6251ee85816.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\asl-v20.txt	3c0fe521f6a9cfbfabc1f27a1a64dfc081a63aaaf2a6ce8cd831f6251ee85816.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\rssBackBlue_Undocked.png	3c0fe521f6a9cfbfabc1f27a1a64dfc081a63aaaf2a6ce8cd831f6251ee85816.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\PassportMask_PAL.wmv	3c0fe521f6a9cfbfabc1f27a1a64dfc081a63aaaf2a6ce8cd831f6251ee85816.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\blackbars80.png	3c0fe521f6a9cfbfabc1f27a1a64dfc081a63aaaf2a6ce8cd831f6251ee85816.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-lib-profiler-common.xml	3c0fe521f6a9cfbfabc1f27a1a64dfc081a63aaaf2a6ce8cd831f6251ee85816.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationRight_ButtonGraphic.png	3c0fe521f6a9cfbfabc1f27a1a64dfc081a63aaaf2a6ce8cd831f6251ee85816.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Hand Prints.htm	3c0fe521f6a9cfbfabc1f27a1a64dfc081a63aaaf2a6ce8cd831f6251ee85816.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-new.png	3c0fe521f6a9cfbfabc1f27a1a64dfc081a63aaaf2a6ce8cd831f6251ee85816.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\system_settings.png	3c0fe521f6a9cfbfabc1f27a1a64dfc081a63aaaf2a6ce8cd831f6251ee85816.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\novelty_dot.png	3c0fe521f6a9cfbfabc1f27a1a64dfc081a63aaaf2a6ce8cd831f6251ee85816.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\TableTextServiceAmharic.txt	3c0fe521f6a9cfbfabc1f27a1a64dfc081a63aaaf2a6ce8cd831f6251ee85816.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\icon.png	3c0fe521f6a9cfbfabc1f27a1a64dfc081a63aaaf2a6ce8cd831f6251ee85816.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\epl-v10.html	3c0fe521f6a9cfbfabc1f27a1a64dfc081a63aaaf2a6ce8cd831f6251ee85816.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Scenes_INTRO_BG.wmv	3c0fe521f6a9cfbfabc1f27a1a64dfc081a63aaaf2a6ce8cd831f6251ee85816.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\16_9-frame-overlay.png	3c0fe521f6a9cfbfabc1f27a1a64dfc081a63aaaf2a6ce8cd831f6251ee85816.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_scrapbook_Thumbnail.bmp	3c0fe521f6a9cfbfabc1f27a1a64dfc081a63aaaf2a6ce8cd831f6251ee85816.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\settings.html	3c0fe521f6a9cfbfabc1f27a1a64dfc081a63aaaf2a6ce8cd831f6251ee85816.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\settings.html	3c0fe521f6a9cfbfabc1f27a1a64dfc081a63aaaf2a6ce8cd831f6251ee85816.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\flyout.html	3c0fe521f6a9cfbfabc1f27a1a64dfc081a63aaaf2a6ce8cd831f6251ee85816.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4-dark_mac.css	3c0fe521f6a9cfbfabc1f27a1a64dfc081a63aaaf2a6ce8cd831f6251ee85816.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPBlue.png	3c0fe521f6a9cfbfabc1f27a1a64dfc081a63aaaf2a6ce8cd831f6251ee85816.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Garden.htm	3c0fe521f6a9cfbfabc1f27a1a64dfc081a63aaaf2a6ce8cd831f6251ee85816.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\css\settings.css	3c0fe521f6a9cfbfabc1f27a1a64dfc081a63aaaf2a6ce8cd831f6251ee85816.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\logo.png	3c0fe521f6a9cfbfabc1f27a1a64dfc081a63aaaf2a6ce8cd831f6251ee85816.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\button_MCELogo_mousedown.png	3c0fe521f6a9cfbfabc1f27a1a64dfc081a63aaaf2a6ce8cd831f6251ee85816.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\css\cpu.css	3c0fe521f6a9cfbfabc1f27a1a64dfc081a63aaaf2a6ce8cd831f6251ee85816.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-profiler.xml	3c0fe521f6a9cfbfabc1f27a1a64dfc081a63aaaf2a6ce8cd831f6251ee85816.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\prodbig.gif	3c0fe521f6a9cfbfabc1f27a1a64dfc081a63aaaf2a6ce8cd831f6251ee85816.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_close_over.png	3c0fe521f6a9cfbfabc1f27a1a64dfc081a63aaaf2a6ce8cd831f6251ee85816.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\22.png	3c0fe521f6a9cfbfabc1f27a1a64dfc081a63aaaf2a6ce8cd831f6251ee85816.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\css\calendar.css	3c0fe521f6a9cfbfabc1f27a1a64dfc081a63aaaf2a6ce8cd831f6251ee85816.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaireMCE.png	3c0fe521f6a9cfbfabc1f27a1a64dfc081a63aaaf2a6ce8cd831f6251ee85816.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-ui.xml	3c0fe521f6a9cfbfabc1f27a1a64dfc081a63aaaf2a6ce8cd831f6251ee85816.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\33.png	3c0fe521f6a9cfbfabc1f27a1a64dfc081a63aaaf2a6ce8cd831f6251ee85816.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\js\settings.js	3c0fe521f6a9cfbfabc1f27a1a64dfc081a63aaaf2a6ce8cd831f6251ee85816.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\10.png	3c0fe521f6a9cfbfabc1f27a1a64dfc081a63aaaf2a6ce8cd831f6251ee85816.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\btn-previous-static.png	3c0fe521f6a9cfbfabc1f27a1a64dfc081a63aaaf2a6ce8cd831f6251ee85816.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-last-quarter.png	3c0fe521f6a9cfbfabc1f27a1a64dfc081a63aaaf2a6ce8cd831f6251ee85816.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303\feature.xml	3c0fe521f6a9cfbfabc1f27a1a64dfc081a63aaaf2a6ce8cd831f6251ee85816.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsScenesBackground_PAL.wmv	3c0fe521f6a9cfbfabc1f27a1a64dfc081a63aaaf2a6ce8cd831f6251ee85816.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\join.avi	3c0fe521f6a9cfbfabc1f27a1a64dfc081a63aaaf2a6ce8cd831f6251ee85816.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\delete_up.png	3c0fe521f6a9cfbfabc1f27a1a64dfc081a63aaaf2a6ce8cd831f6251ee85816.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\bPrev-disable.png	3c0fe521f6a9cfbfabc1f27a1a64dfc081a63aaaf2a6ce8cd831f6251ee85816.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\eclipse_update_120.jpg	3c0fe521f6a9cfbfabc1f27a1a64dfc081a63aaaf2a6ce8cd831f6251ee85816.exe
File opened for modification	C:\Program Files\7-Zip\Lang\el.txt	3c0fe521f6a9cfbfabc1f27a1a64dfc081a63aaaf2a6ce8cd831f6251ee85816.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\README.txt	3c0fe521f6a9cfbfabc1f27a1a64dfc081a63aaaf2a6ce8cd831f6251ee85816.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\SolitaireMCE.png	3c0fe521f6a9cfbfabc1f27a1a64dfc081a63aaaf2a6ce8cd831f6251ee85816.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-correct.avi	3c0fe521f6a9cfbfabc1f27a1a64dfc081a63aaaf2a6ce8cd831f6251ee85816.exe
File opened for modification	C:\Program Files\7-Zip\readme.txt	3c0fe521f6a9cfbfabc1f27a1a64dfc081a63aaaf2a6ce8cd831f6251ee85816.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\js\clock.js	3c0fe521f6a9cfbfabc1f27a1a64dfc081a63aaaf2a6ce8cd831f6251ee85816.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\WinFXList.xml	3c0fe521f6a9cfbfabc1f27a1a64dfc081a63aaaf2a6ce8cd831f6251ee85816.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainToScenesBackground_PAL.wmv	3c0fe521f6a9cfbfabc1f27a1a64dfc081a63aaaf2a6ce8cd831f6251ee85816.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-changjei.xml	3c0fe521f6a9cfbfabc1f27a1a64dfc081a63aaaf2a6ce8cd831f6251ee85816.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mn.txt	3c0fe521f6a9cfbfabc1f27a1a64dfc081a63aaaf2a6ce8cd831f6251ee85816.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\weather.html	3c0fe521f6a9cfbfabc1f27a1a64dfc081a63aaaf2a6ce8cd831f6251ee85816.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\css\flyout.css	3c0fe521f6a9cfbfabc1f27a1a64dfc081a63aaaf2a6ce8cd831f6251ee85816.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\gadget.xml	3c0fe521f6a9cfbfabc1f27a1a64dfc081a63aaaf2a6ce8cd831f6251ee85816.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_222222_256x240.png	3c0fe521f6a9cfbfabc1f27a1a64dfc081a63aaaf2a6ce8cd831f6251ee85816.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\35.png	3c0fe521f6a9cfbfabc1f27a1a64dfc081a63aaaf2a6ce8cd831f6251ee85816.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\css\picturePuzzle.css	3c0fe521f6a9cfbfabc1f27a1a64dfc081a63aaaf2a6ce8cd831f6251ee85816.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\drag.png	3c0fe521f6a9cfbfabc1f27a1a64dfc081a63aaaf2a6ce8cd831f6251ee85816.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\correct.avi	3c0fe521f6a9cfbfabc1f27a1a64dfc081a63aaaf2a6ce8cd831f6251ee85816.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_search_up.png	3c0fe521f6a9cfbfabc1f27a1a64dfc081a63aaaf2a6ce8cd831f6251ee85816.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 3 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
1892	vssadmin.exe
1068	vssadmin.exe
1936	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2656	3c0fe521f6a9cfbfabc1f27a1a64dfc081a63aaaf2a6ce8cd831f6251ee85816.exe
2656	3c0fe521f6a9cfbfabc1f27a1a64dfc081a63aaaf2a6ce8cd831f6251ee85816.exe
2656	3c0fe521f6a9cfbfabc1f27a1a64dfc081a63aaaf2a6ce8cd831f6251ee85816.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeBackupPrivilege	2496	vssvc.exe
Token: SeRestorePrivilege	2496	vssvc.exe
Token: SeAuditPrivilege	2496	vssvc.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2656 wrote to memory of 1892	2656	3c0fe521f6a9cfbfabc1f27a1a64dfc081a63aaaf2a6ce8cd831f6251ee85816.exe	30
PID 2656 wrote to memory of 1892	2656	3c0fe521f6a9cfbfabc1f27a1a64dfc081a63aaaf2a6ce8cd831f6251ee85816.exe	30
PID 2656 wrote to memory of 1892	2656	3c0fe521f6a9cfbfabc1f27a1a64dfc081a63aaaf2a6ce8cd831f6251ee85816.exe	30
PID 2656 wrote to memory of 1892	2656	3c0fe521f6a9cfbfabc1f27a1a64dfc081a63aaaf2a6ce8cd831f6251ee85816.exe	30
PID 2656 wrote to memory of 1068	2656	3c0fe521f6a9cfbfabc1f27a1a64dfc081a63aaaf2a6ce8cd831f6251ee85816.exe	34
PID 2656 wrote to memory of 1068	2656	3c0fe521f6a9cfbfabc1f27a1a64dfc081a63aaaf2a6ce8cd831f6251ee85816.exe	34
PID 2656 wrote to memory of 1068	2656	3c0fe521f6a9cfbfabc1f27a1a64dfc081a63aaaf2a6ce8cd831f6251ee85816.exe	34
PID 2656 wrote to memory of 1068	2656	3c0fe521f6a9cfbfabc1f27a1a64dfc081a63aaaf2a6ce8cd831f6251ee85816.exe	34
PID 2656 wrote to memory of 1936	2656	3c0fe521f6a9cfbfabc1f27a1a64dfc081a63aaaf2a6ce8cd831f6251ee85816.exe	36
PID 2656 wrote to memory of 1936	2656	3c0fe521f6a9cfbfabc1f27a1a64dfc081a63aaaf2a6ce8cd831f6251ee85816.exe	36
PID 2656 wrote to memory of 1936	2656	3c0fe521f6a9cfbfabc1f27a1a64dfc081a63aaaf2a6ce8cd831f6251ee85816.exe	36
PID 2656 wrote to memory of 1936	2656	3c0fe521f6a9cfbfabc1f27a1a64dfc081a63aaaf2a6ce8cd831f6251ee85816.exe	36

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\3c0fe521f6a9cfbfabc1f27a1a64dfc081a63aaaf2a6ce8cd831f6251ee85816.exe
"C:\Users\Admin\AppData\Local\Temp\3c0fe521f6a9cfbfabc1f27a1a64dfc081a63aaaf2a6ce8cd831f6251ee85816.exe"
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2656
- C:\Windows\system32\vssadmin.exe
  C:\Windows\system32\vssadmin.exe List Shadows
  2⤵
  - Interacts with shadow copies
  PID:1892
- C:\Windows\system32\vssadmin.exe
  C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
  2⤵
  - Interacts with shadow copies
  PID:1068
- C:\Windows\system32\vssadmin.exe
  C:\Windows\system32\vssadmin.exe List Shadows
  2⤵
  - Interacts with shadow copies
  PID:1936

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\catroot2\dberr.txt

Filesize
1KB

MD5
5c3bec99706c8598b345462892d6924c

SHA1
2d44e2b3bd3a9cdf98dd7859dd1c6263a8c6c048

SHA256
b3c2d6892aee6dc6bebb507bd4a03626e70e52bb7ca30ad70ed6ce1d5ce3665a

SHA512
478c8857a480742fd3dd5d4c2423ff6167276628cc0459c41f03c7e3aef68c8636daa58984b9238af9c78442ce343e68ae47b3736cccec144f4eae3469110ca3

Download Submit
C:\Windows\System32\catroot2\dberr.txt

Filesize
3KB

MD5
66fd4bd40686493c91313a7e6db7360d

SHA1
fcf451c6a978d83b06929941485efb1c77f534b0

SHA256
a9babb64258a62f62d1a0592e84ce8c90424ff9890d42662e2cadac2b470ca7d

SHA512
a3f15cf6165d91635fa9f4b09cf034bdf8857546216fe0862505e57ff740333b9399585db66bd21f4c8c397f9938297a7e0dfbb877250154884b53692bb35f31

Download Submit
C:\Windows\System32\catroot2\dberr.txt

Filesize
4KB

MD5
ab3cf23931ba1cab5d97820e88b464e0

SHA1
d0880dcc221f8c9aeff3ddaddc38f21309401810

SHA256
c49ab48ba3c3b9cb5ee703b4dfa41b65bc67aa0fd105d89f3f4d73f8040fbacc

SHA512
f1902486fbcbaae64e00cba8eef74ea16b0e8562138e7672a37be659331724426d5c748aba1ed77a7ca9ce3287c3991140cc3c2fdb15efc87fd59315eb603ff6

Download Submit
C:\Windows\System32\catroot2\dberr.txt

Filesize
2KB

MD5
169860a484f4bfa86db4785e6bb2d45d

SHA1
c01ddf849865cd3ec34ca51c2ea3ee608ff0daef

SHA256
bb383479e564a059dbe50f540e9484c4907e04e68e05040f00a2bafe5144c51a

SHA512
da57f1089ece75b2671f150cb686fe84a599551499aff6af10ae35799c755caaeec249b367ab3d5a783702acc1cf6f07fd631ba12650ae5255821439304dd537

Download Submit
C:\Windows\System32\catroot2\dberr.txt

Filesize
2KB

MD5
c392534e2b566dc8120f5463141bafe4

SHA1
719c8acd3ca2eb45c9acd20f8dc6abb21eec1881

SHA256
7a47d75d93702d1327c8e9040d502b372c681c7dd1b23dd754574df5948003f4

SHA512
6803d0d1be8b739c0be7c5fb53bf5e6c2023378f8a904d0fc08866399a2e142d9aa0097eff1ec805c8fc0d8bdc938fa411f2b1a4daadd5d8efaa7207f41d557b

Download Submit
C:\Windows\System32\catroot2\dberr.txt

Filesize
3KB

MD5
30004041d49449a4a751919c451dbc1c

SHA1
7077fc7f8a5036f4be4a54aea4fd26e8b438bf5a

SHA256
719a3d2cf812967a517e95ee0c55aa19e1d5f9e9721c59527ec0a305683a8467

SHA512
f9209b9d4655d59befc3fb96b47547a5c1992d8c19382590b06c7a59dc0812f126427e58c910b1ca20c8fc48790c3ad33530765e0a222cc788fbe184e78377f6

Download Submit
C:\Windows\System32\catroot2\dberr.txt

Filesize
8KB

MD5
34794a8069f8c5a1b13ada9d635e74fb

SHA1
b739de8c67ad90a33389444fdd11db26d3cb6783

SHA256
b64249e2c6617c20d780d6f2d209ab40c096749e4fd7264a9c36096b99a27cc4

SHA512
92cfd7b691f6481ecb5b1140704003775a356f7f8898c3e70b6eb23ddf743878e9acd0fcf125d304207a20f40104bb21209d1eac35672b89964513344822edda

Download Submit
C:\Windows\System32\catroot2\dberr.txt

Filesize
128KB

MD5
6d2dbfaf1d4c34ebe0932de9411cc733

SHA1
e6d6a8256771cd83b17067f530e473fbbcb0eb4a

SHA256
ad32a8a1821e8a07977871c087448926b9a463cd2f3b80732ee606ed9db3ce3d

SHA512
85771106723a4e75bcf02cb3f0b5c9e9ef0e4f7b9827d5740513184bff07ac19df4427430dbf3151b8f141f36cad85e7a3a1794315433864fcc41e4e10a667d5

Download Submit
C:\Windows\System32\catroot2\dberr.txt

Filesize
3KB

MD5
8d85a8399f0fca88fab94ffbece62509

SHA1
d18849a32b94f2bac42150897703576dee776ded

SHA256
ecc68893ba0d4c397d5b9b91884de33a09b4c67982c3313cf0aabba67e8faba2

SHA512
7e6eccc6694951b1cfd69272048dc7a61e98f2a33509a75e74c937c969e2d04e0a1157a34fc2ec3dbf4e38f823e1bebb0118c6def440633db55f928d5e55c1aa

Download Submit
C:\Windows\System32\catroot2\dberr.txt

Filesize
4KB

MD5
cf34e2d93131b33fdad723f01535e1c4

SHA1
107bcf26711b31fbd0e443ed96a0cbe8d6ddea96

SHA256
e97333ac23c45e24e9903ce78cdb12b24a80d107868860bed23d94b47c9eda41

SHA512
e869891ba801e4ded929b700bd4ca288fb5e085aa15206c45b2347785acfc1b71045f9aab56f522f1aa5cdcde083889bf27939e9d56fabc3689d5253042de5a4

Download Submit
memory/2656-5868-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2656-5900-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2656-5830-0x0000000002D40000-0x0000000002D41000-memory.dmp

Filesize
4KB

Download
memory/2656-5831-0x0000000002D40000-0x0000000002E08000-memory.dmp

Filesize
800KB

Download
memory/2656-5832-0x0000000002D40000-0x0000000002E08000-memory.dmp

Filesize
800KB

Download
memory/2656-5833-0x0000000002D40000-0x0000000002E08000-memory.dmp

Filesize
800KB

Download
memory/2656-5834-0x0000000002D40000-0x0000000002E08000-memory.dmp

Filesize
800KB

Download
memory/2656-5836-0x0000000002D40000-0x0000000002E08000-memory.dmp

Filesize
800KB

Download
memory/2656-5835-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2656-5838-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2656-5840-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2656-5843-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2656-5844-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2656-5845-0x0000000002220000-0x0000000002330000-memory.dmp

Filesize
1.1MB

Download
memory/2656-5846-0x0000000002D40000-0x0000000002D41000-memory.dmp

Filesize
4KB

Download
memory/2656-5847-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2656-5848-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2656-5849-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2656-5850-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2656-5851-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2656-5852-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2656-5855-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2656-5856-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2656-5857-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2656-5858-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2656-5859-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2656-5860-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2656-5861-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2656-5862-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2656-5872-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2656-5864-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2656-5865-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2656-5866-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2656-5867-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2656-5874-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2656-5869-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2656-5870-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2656-5871-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2656-5863-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2656-5829-0x0000000002220000-0x0000000002330000-memory.dmp

Filesize
1.1MB

Download
memory/2656-0-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2656-5875-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2656-5876-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2656-5877-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2656-5878-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2656-5879-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2656-5880-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2656-5881-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2656-5882-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2656-5883-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2656-5884-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2656-5885-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2656-5886-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2656-5887-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2656-5888-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2656-5889-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2656-5890-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2656-5891-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2656-5892-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2656-5893-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2656-5894-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2656-5895-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2656-5896-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2656-5897-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2656-5898-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2656-5899-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2656-5873-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2656-5901-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2656-5902-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2656-5903-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2656-5904-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2656-5905-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2656-5906-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2656-5907-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2656-5908-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2656-5909-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2656-5910-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2656-5911-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download