Overview

overview

10

Static

static

1

cc8a92319d...53.exe

windows7-x64

10

cc8a92319d...53.exe

windows10-1703-x64

10

cc8a92319d...53.exe

windows10-2004-x64

10

cc8a92319d...53.exe

windows11-21h2-x64

10

Resubmissions

29-01-2023 18:09

230129-wrszlshh51 10

Analysis

  • max time kernel
    1790s
  • max time network
    1587s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    14-04-2024 12:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cc8a92319d9e60f28bfbcd88451a6fccfa997169ac85a121c710b13235198353.exe

  • Size

    1.4MB

  • MD5

    3ebe6fc2765d0c6d7286b19d2cd29cd9

  • SHA1

    9aff7f15bccbdd0961fc6d803687b749ef2f304b

  • SHA256

    cc8a92319d9e60f28bfbcd88451a6fccfa997169ac85a121c710b13235198353

  • SHA512

    3bdf9a3900b78ccd10f2ca004001f14cec8213d7eca8d1e6d12f9718df0883e2d1d9efca256101bdf915eff98f2472e7605f12b8ebb24c9ad02e7f043d4129c7

  • SSDEEP

    24576:C3IpPeRM4fkcxdvdnjqtei/y1RNSA4QGF4ivjis:3P6fkUdFnjqkj1vSA5Li1

Score
10/10
troldeshdiscoverypersistenceransomwarespywarestealertrojanupx

Malware Config

Signatures

  • Troldesh, Shade, Encoder.858

    Troldesh is a ransomware spread by malspam.

    ransomwaretrojantroldesh
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
    persistence
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • UPX packed file 64 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates connected drives 3 TTPs 3 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 26 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Interacts with shadow copies 2 TTPs 3 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Modifies registry class 32 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 44 IoCs
  • Suspicious use of SendNotifyMessage 23 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\cc8a92319d9e60f28bfbcd88451a6fccfa997169ac85a121c710b13235198353.exe
    "C:\Users\Admin\AppData\Local\Temp\cc8a92319d9e60f28bfbcd88451a6fccfa997169ac85a121c710b13235198353.exe"
    1⤵
    • Adds Run key to start application
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4588
    • C:\Windows\system32\vssadmin.exe
      C:\Windows\system32\vssadmin.exe List Shadows
      2⤵
      • Interacts with shadow copies
      PID:2432
    • C:\Windows\system32\vssadmin.exe
      C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
      2⤵
      • Interacts with shadow copies
      PID:3660
    • C:\Windows\system32\vssadmin.exe
      C:\Windows\system32\vssadmin.exe List Shadows
      2⤵
      • Interacts with shadow copies
      PID:4072
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3228
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Modifies Installed Components in the registry
    • Enumerates connected drives
    • Drops file in Windows directory
    • Checks SCSI registry key(s)
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:4392
  • C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
    1⤵
    • Drops file in Windows directory
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:2500

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\System32\xfs
    Filesize

    209KB

    MD5

    a57a0dd1242b7e21d164180c6db236ba

    SHA1

    6e62240fb2139d7c4ab19ffc9d439622d9a2c4b5

    SHA256

    242cc9a368cd0a0b4e1a615f168064cd995846f645d7fce615189ad4144b4f35

    SHA512

    39fb51e68319a00f059a0cf8f609c7a0901212a10df17f7af54cb235387e3bea528180b10c8cff74a6c3f397ba974024b18d39604734f3f91c9350270848988e

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db
    Filesize

    1024KB

    MD5

    c54cde3ceede65db57e1ef09429038d6

    SHA1

    d40df43ca2538ba8f23eb8d5e6ba48c6cd1a29a7

    SHA256

    80a0bcaaf774d79edb86f7cf3793bb8d584f3b74a67112b7b7b651aa762240eb

    SHA512

    1677ee5d05e7357550bf0b45d5f077557e3835d066ac930692112c69c4719a4f618af33f8531b9b99f202d3e69716e2f53faa7da0c8092ffa22a43b585777f2b

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db
    Filesize

    1024KB

    MD5

    8ef9936456c131da538f4c76ba83b709

    SHA1

    0b555b319bebac2f2630a06ac3a15de49127de35

    SHA256

    1afb7062c144962069706a6a8977f2c27787dedaacacbfc1261375e5b6717b77

    SHA512

    a7e5544a90add49cf823603e88106cf0c5754943c0a38b82a9e0f7345ff82775253a52a380918aa8d4a9ba9003f195bef0da12cea34d79a1c944a9202fb2b324

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db
    Filesize

    7KB

    MD5

    0354267075ce1001c331b88fb837075b

    SHA1

    5bcdc047dca33034598686305f11afe74f4af552

    SHA256

    7a6c56c2b3aa9b41f64154a94873a260f9ce4b7a1a6d52034dd26489d12d3a7c

    SHA512

    c772a6fa4cd2056dbb585f9d7c0e99752ce8e9b42d01371b65e21174b03c5a328b9daaa45d46459d0e44364395e0cdff73773cd5dd13ce17011290c326f9c4cb

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_16.db
    Filesize

    1024KB

    MD5

    eba4e0b01ffe34626b5e200d18741b66

    SHA1

    1b5c320a0d0df24fa823d3e7d089e25a0db6a0a5

    SHA256

    ff580f5b35bf1846a5250e56ee820d7fa1c7adb54784562da5907ee0d896d438

    SHA512

    909910ec8fd0041f61935533779c4c0dbf4848b4a1d688cb1c37139cfdcaef3b3e49f7e747fd015efa0da4446de7b9098bdb5724fc683fc52e634b6daa2f45db

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_256.db
    Filesize

    1024KB

    MD5

    2377af00803d99f858bbd22273e0859a

    SHA1

    a6b717ec0c259edc89a4074d38e9e8f8734beaf1

    SHA256

    aa915f14c1224bf1225f6a7c0f8839827d9fbde806de804790bf2ce3f75d79d2

    SHA512

    07d4e4a870d9d759cfddcba9b08658c5bc0f0a3e5db154ac709595aec100e319f4523a47f703d318e3d8269908438eb9d1fda48028ab3a4fcede16d5506e471b

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_48.db
    Filesize

    24B

    MD5

    ae6fbded57f9f7d048b95468ddee47ca

    SHA1

    c4473ea845be2fb5d28a61efd72f19d74d5fc82e

    SHA256

    d3c9d1ff7b54b653c6a1125cac49f52070338a2dd271817bba8853e99c0f33a9

    SHA512

    f119d5ad9162f0f5d376e03a9ea15e30658780e18dd86e81812dda8ddf59addd1daa0706b2f5486df8f17429c2c60aa05d4f041a2082fd2ec6ea8cc9469fade3

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db
    Filesize

    7KB

    MD5

    0e654ecdec45adc18a3d64298927bce7

    SHA1

    ecc5f480bcf7bce45f7e63994d5778bdee3d3b57

    SHA256

    e8aff002f34861ec58f3e6e74fa0abc114991f30a87f2183144df38949d6bb19

    SHA512

    2588309ac7b10ea42d172834c8e088034ba8f444fda9a13e6059344bacfbc21f0614800b981bccb8439f5816792dc38baf6a6c3af7103599574ca6c723525380

    Download Submit

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\MOQY2KJ2\microsoft.windows[1].xml
    Filesize

    97B

    MD5

    5fc7de7b1058096770e5b850cf3da069

    SHA1

    2fa768aa22738369e7fa918b43188638f1af4141

    SHA256

    3fa2ffe2a04b846d218c972daa810f355490cc458790a7d9ace39033233d79e9

    SHA512

    76585b0813a0eb9dda3fe34401bd1a46bbd8825a6e1782075d5a261306b20a7099e2929d8586aac4934d4f0665ea494e77db0041c47e1fb282aa3b8866b50a04

    Download Submit

  • C:\Users\Admin\AppData\Roaming\2714542D2714542D.bmp
    Filesize

    2.6MB

    MD5

    993cc909a89f0fb7fe90acc3703c2105

    SHA1

    f422cdcb426718b235a19080b0daf71c9b448768

    SHA256

    4aa6cdb9ce95410f85a05b21967d224cfd49cf8c7fa18d9998304a16d4e4b5d8

    SHA512

    5ec562b1e6f91f8774bf8fd00a6a413b4b4b5be2ede17ff9c417fce7097b7d313b136740e525c19a77f220e80fb0e92f8f4d1866ea185c9fc6755c3b41aa9762

    Download Submit

  • memory/4588-39-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4588-44-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4588-11-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4588-12-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4588-13-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4588-14-0x00000000022E0000-0x00000000023B5000-memory.dmp

    Filesize

    852KB

    Download

  • memory/4588-15-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4588-16-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4588-17-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4588-20-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4588-21-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4588-22-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4588-23-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4588-24-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4588-25-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4588-26-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4588-27-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4588-28-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4588-29-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4588-30-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4588-31-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4588-32-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4588-33-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4588-34-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4588-35-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4588-36-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4588-37-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4588-38-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4588-5-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4588-40-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4588-41-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4588-42-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4588-43-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4588-8-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4588-45-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4588-46-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4588-47-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4588-48-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4588-49-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4588-50-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4588-51-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4588-52-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4588-53-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4588-54-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4588-55-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4588-56-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4588-57-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4588-58-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4588-59-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4588-60-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4588-61-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4588-62-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4588-63-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4588-64-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4588-65-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4588-66-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4588-4-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4588-3-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4588-2-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4588-1-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4588-0-0x00000000022E0000-0x00000000023B5000-memory.dmp

    Filesize

    852KB

    Download

  • memory/4588-67-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4588-68-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4588-69-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4588-70-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4588-71-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download