troldesh | e5379ed6dfd3130a49dcddcdddec6b21c7f90d7dee15fc9219e7ccaa0fad87d4

Resubmissions

29-01-2023 18:07

230129-wqck8sgd68 10

Analysis

max time kernel
1566s
max time network
1567s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
14-04-2024 12:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e5379ed6dfd3130a49dcddcdddec6b21c7f90d7dee15fc9219e7ccaa0fad87d4.exe
Size

1.1MB
MD5

7e921e11caeb6f9594fa286d217af62e
SHA1

9253c2e0c30b7279fe6cf6a052b55b2b43ee2f84
SHA256

e5379ed6dfd3130a49dcddcdddec6b21c7f90d7dee15fc9219e7ccaa0fad87d4
SHA512

8d5af1af21e4a24d5546515d9f2af5a51598de7e5e335e139c38f5f426fdb0359dabb00ea6e0d0b84846781be553a8ab234b1b6c9cdf429100569101ba055fcc
SSDEEP

12288:n0FWRGqrviIa4un1WnkOJz2CFBsZX/STM3f7rUuWe+UmXELXSLbFUhNl7T7R+UtU:MunKIaNAnkOEKBslQU8ELitm/DtVy

Score

10^/10

troldesh discovery persistence ransomware spyware stealer trojan upx

Malware Config

Signatures

Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.
ransomware trojan troldesh
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1720-1-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/1720-2-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/1720-3-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/1720-4-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/1720-5-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/1720-7-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/1720-6-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/1720-11-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/1720-13-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/1720-16-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/1720-38-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/1720-43-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/1720-44-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/1720-45-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/1720-46-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/1720-47-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/1720-42-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/1720-41-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/1720-40-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/1720-37-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/1720-48-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/1720-50-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/1720-51-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/1720-49-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/1720-52-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/1720-53-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/1720-54-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/1720-55-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/1720-56-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/1720-57-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/1720-58-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/1720-59-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/1720-60-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/1720-61-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/1720-62-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/1720-63-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/1720-64-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/1720-65-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/1720-66-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/1720-67-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/1720-68-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/1720-69-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/1720-70-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/1720-71-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/1720-72-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/1720-74-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/1720-73-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/1720-75-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/1720-76-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/1720-77-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/1720-78-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/1720-79-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/1720-80-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/1720-81-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/1720-82-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/1720-83-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/1720-84-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/1720-85-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/1720-86-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/1720-87-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/1720-88-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/1720-89-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/1720-90-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral1/memory/1720-91-0x0000000000400000-0x0000000000608000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

e5379ed6dfd3130a49dcddcdddec6b21c7f90d7dee15fc9219e7ccaa0fad87d4.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\""	e5379ed6dfd3130a49dcddcdddec6b21c7f90d7dee15fc9219e7ccaa0fad87d4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\""	e5379ed6dfd3130a49dcddcdddec6b21c7f90d7dee15fc9219e7ccaa0fad87d4.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

e5379ed6dfd3130a49dcddcdddec6b21c7f90d7dee15fc9219e7ccaa0fad87d4.exe

description ioc process

File opened (read-only) \??\F: e5379ed6dfd3130a49dcddcdddec6b21c7f90d7dee15fc9219e7ccaa0fad87d4.exe

description	ioc	process
File opened (read-only)	\??\F:	e5379ed6dfd3130a49dcddcdddec6b21c7f90d7dee15fc9219e7ccaa0fad87d4.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

e5379ed6dfd3130a49dcddcdddec6b21c7f90d7dee15fc9219e7ccaa0fad87d4.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\355AF29F355AF29F.bmp"	e5379ed6dfd3130a49dcddcdddec6b21c7f90d7dee15fc9219e7ccaa0fad87d4.exe

Drops file in Program Files directory 64 IoCs

Processes:

e5379ed6dfd3130a49dcddcdddec6b21c7f90d7dee15fc9219e7ccaa0fad87d4.exe

description	ioc	process
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\bPrev-disable.png	e5379ed6dfd3130a49dcddcdddec6b21c7f90d7dee15fc9219e7ccaa0fad87d4.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_win7.css	e5379ed6dfd3130a49dcddcdddec6b21c7f90d7dee15fc9219e7ccaa0fad87d4.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\title_stripe.png	e5379ed6dfd3130a49dcddcdddec6b21c7f90d7dee15fc9219e7ccaa0fad87d4.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationUp_ButtonGraphic.png	e5379ed6dfd3130a49dcddcdddec6b21c7f90d7dee15fc9219e7ccaa0fad87d4.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\grid_(inch).wmf	e5379ed6dfd3130a49dcddcdddec6b21c7f90d7dee15fc9219e7ccaa0fad87d4.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\flyout.html	e5379ed6dfd3130a49dcddcdddec6b21c7f90d7dee15fc9219e7ccaa0fad87d4.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\plugin.xml	e5379ed6dfd3130a49dcddcdddec6b21c7f90d7dee15fc9219e7ccaa0fad87d4.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipshrv.xml	e5379ed6dfd3130a49dcddcdddec6b21c7f90d7dee15fc9219e7ccaa0fad87d4.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hwruklm.dat	e5379ed6dfd3130a49dcddcdddec6b21c7f90d7dee15fc9219e7ccaa0fad87d4.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nb.txt	e5379ed6dfd3130a49dcddcdddec6b21c7f90d7dee15fc9219e7ccaa0fad87d4.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\button_MCELogo_mousedown.png	e5379ed6dfd3130a49dcddcdddec6b21c7f90d7dee15fc9219e7ccaa0fad87d4.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\vlm_export.html	e5379ed6dfd3130a49dcddcdddec6b21c7f90d7dee15fc9219e7ccaa0fad87d4.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_winxp_blu.css	e5379ed6dfd3130a49dcddcdddec6b21c7f90d7dee15fc9219e7ccaa0fad87d4.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Dot.png	e5379ed6dfd3130a49dcddcdddec6b21c7f90d7dee15fc9219e7ccaa0fad87d4.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_heb.xml	e5379ed6dfd3130a49dcddcdddec6b21c7f90d7dee15fc9219e7ccaa0fad87d4.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\NavigationLeft_SelectionSubpicture.png	e5379ed6dfd3130a49dcddcdddec6b21c7f90d7dee15fc9219e7ccaa0fad87d4.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\cronometer_dot.png	e5379ed6dfd3130a49dcddcdddec6b21c7f90d7dee15fc9219e7ccaa0fad87d4.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\calendar.html	e5379ed6dfd3130a49dcddcdddec6b21c7f90d7dee15fc9219e7ccaa0fad87d4.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-core.xml	e5379ed6dfd3130a49dcddcdddec6b21c7f90d7dee15fc9219e7ccaa0fad87d4.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-charts.xml	e5379ed6dfd3130a49dcddcdddec6b21c7f90d7dee15fc9219e7ccaa0fad87d4.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\epl-v10.html	e5379ed6dfd3130a49dcddcdddec6b21c7f90d7dee15fc9219e7ccaa0fad87d4.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_frame-highlight.png	e5379ed6dfd3130a49dcddcdddec6b21c7f90d7dee15fc9219e7ccaa0fad87d4.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\js\settings.js	e5379ed6dfd3130a49dcddcdddec6b21c7f90d7dee15fc9219e7ccaa0fad87d4.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\js\localizedStrings.js	e5379ed6dfd3130a49dcddcdddec6b21c7f90d7dee15fc9219e7ccaa0fad87d4.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-dialogs.xml	e5379ed6dfd3130a49dcddcdddec6b21c7f90d7dee15fc9219e7ccaa0fad87d4.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\1047x576black.png	e5379ed6dfd3130a49dcddcdddec6b21c7f90d7dee15fc9219e7ccaa0fad87d4.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\babypink.png	e5379ed6dfd3130a49dcddcdddec6b21c7f90d7dee15fc9219e7ccaa0fad87d4.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipskor.xml	e5379ed6dfd3130a49dcddcdddec6b21c7f90d7dee15fc9219e7ccaa0fad87d4.exe
File opened for modification	C:\Program Files\7-Zip\Lang\br.txt	e5379ed6dfd3130a49dcddcdddec6b21c7f90d7dee15fc9219e7ccaa0fad87d4.exe
File opened for modification	C:\Program Files\7-Zip\History.txt	e5379ed6dfd3130a49dcddcdddec6b21c7f90d7dee15fc9219e7ccaa0fad87d4.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\es-ES\gadget.xml	e5379ed6dfd3130a49dcddcdddec6b21c7f90d7dee15fc9219e7ccaa0fad87d4.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-modules.xml	e5379ed6dfd3130a49dcddcdddec6b21c7f90d7dee15fc9219e7ccaa0fad87d4.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\currency.html	e5379ed6dfd3130a49dcddcdddec6b21c7f90d7dee15fc9219e7ccaa0fad87d4.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\de-DE\gadget.xml	e5379ed6dfd3130a49dcddcdddec6b21c7f90d7dee15fc9219e7ccaa0fad87d4.exe
File opened for modification	C:\Program Files\Mozilla Firefox\locale.ini	e5379ed6dfd3130a49dcddcdddec6b21c7f90d7dee15fc9219e7ccaa0fad87d4.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\icudtl.dat	e5379ed6dfd3130a49dcddcdddec6b21c7f90d7dee15fc9219e7ccaa0fad87d4.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\Bear_Formatted_RGB6_PAL.wmv	e5379ed6dfd3130a49dcddcdddec6b21c7f90d7dee15fc9219e7ccaa0fad87d4.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Connectivity.gif	e5379ed6dfd3130a49dcddcdddec6b21c7f90d7dee15fc9219e7ccaa0fad87d4.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku-ckb.txt	e5379ed6dfd3130a49dcddcdddec6b21c7f90d7dee15fc9219e7ccaa0fad87d4.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-waning-gibbous.png	e5379ed6dfd3130a49dcddcdddec6b21c7f90d7dee15fc9219e7ccaa0fad87d4.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationLeft_SelectionSubpicture.png	e5379ed6dfd3130a49dcddcdddec6b21c7f90d7dee15fc9219e7ccaa0fad87d4.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\en-US\js\localizedStrings.js	e5379ed6dfd3130a49dcddcdddec6b21c7f90d7dee15fc9219e7ccaa0fad87d4.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\square_settings.png	e5379ed6dfd3130a49dcddcdddec6b21c7f90d7dee15fc9219e7ccaa0fad87d4.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\16_9-frame-image-mask.png	e5379ed6dfd3130a49dcddcdddec6b21c7f90d7dee15fc9219e7ccaa0fad87d4.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\10.png	e5379ed6dfd3130a49dcddcdddec6b21c7f90d7dee15fc9219e7ccaa0fad87d4.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\buttonDown_Off.png	e5379ed6dfd3130a49dcddcdddec6b21c7f90d7dee15fc9219e7ccaa0fad87d4.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\e4-dark_preferencestyle.css	e5379ed6dfd3130a49dcddcdddec6b21c7f90d7dee15fc9219e7ccaa0fad87d4.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_box_left.png	e5379ed6dfd3130a49dcddcdddec6b21c7f90d7dee15fc9219e7ccaa0fad87d4.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_left_rest.png	e5379ed6dfd3130a49dcddcdddec6b21c7f90d7dee15fc9219e7ccaa0fad87d4.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-keyring.xml	e5379ed6dfd3130a49dcddcdddec6b21c7f90d7dee15fc9219e7ccaa0fad87d4.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_blue_windy.png	e5379ed6dfd3130a49dcddcdddec6b21c7f90d7dee15fc9219e7ccaa0fad87d4.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\js\slideShow.js	e5379ed6dfd3130a49dcddcdddec6b21c7f90d7dee15fc9219e7ccaa0fad87d4.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_corner_top_left.png	e5379ed6dfd3130a49dcddcdddec6b21c7f90d7dee15fc9219e7ccaa0fad87d4.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\requests\playlist.json	e5379ed6dfd3130a49dcddcdddec6b21c7f90d7dee15fc9219e7ccaa0fad87d4.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\feature.xml	e5379ed6dfd3130a49dcddcdddec6b21c7f90d7dee15fc9219e7ccaa0fad87d4.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationLeft_ButtonGraphic.png	e5379ed6dfd3130a49dcddcdddec6b21c7f90d7dee15fc9219e7ccaa0fad87d4.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_trans_matte.wmv	e5379ed6dfd3130a49dcddcdddec6b21c7f90d7dee15fc9219e7ccaa0fad87d4.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ms.txt	e5379ed6dfd3130a49dcddcdddec6b21c7f90d7dee15fc9219e7ccaa0fad87d4.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_box_divider_right.png	e5379ed6dfd3130a49dcddcdddec6b21c7f90d7dee15fc9219e7ccaa0fad87d4.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-selector-ui.xml	e5379ed6dfd3130a49dcddcdddec6b21c7f90d7dee15fc9219e7ccaa0fad87d4.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\about.html	e5379ed6dfd3130a49dcddcdddec6b21c7f90d7dee15fc9219e7ccaa0fad87d4.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\16_9-frame-highlight.png	e5379ed6dfd3130a49dcddcdddec6b21c7f90d7dee15fc9219e7ccaa0fad87d4.exe
File opened for modification	C:\Program Files\7-Zip\Lang\co.txt	e5379ed6dfd3130a49dcddcdddec6b21c7f90d7dee15fc9219e7ccaa0fad87d4.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\next_rest.png	e5379ed6dfd3130a49dcddcdddec6b21c7f90d7dee15fc9219e7ccaa0fad87d4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 3 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exevssadmin.exe

pid process

268 vssadmin.exe
1692 vssadmin.exe
1168 vssadmin.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

e5379ed6dfd3130a49dcddcdddec6b21c7f90d7dee15fc9219e7ccaa0fad87d4.exe

pid process

1720 e5379ed6dfd3130a49dcddcdddec6b21c7f90d7dee15fc9219e7ccaa0fad87d4.exe
1720 e5379ed6dfd3130a49dcddcdddec6b21c7f90d7dee15fc9219e7ccaa0fad87d4.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 452 vssvc.exe
Token: SeRestorePrivilege 452 vssvc.exe
Token: SeAuditPrivilege 452 vssvc.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

e5379ed6dfd3130a49dcddcdddec6b21c7f90d7dee15fc9219e7ccaa0fad87d4.exe

pid process

1720 e5379ed6dfd3130a49dcddcdddec6b21c7f90d7dee15fc9219e7ccaa0fad87d4.exe

pid	process
268	vssadmin.exe
1692	vssadmin.exe
1168	vssadmin.exe

pid	process
1720	e5379ed6dfd3130a49dcddcdddec6b21c7f90d7dee15fc9219e7ccaa0fad87d4.exe
1720	e5379ed6dfd3130a49dcddcdddec6b21c7f90d7dee15fc9219e7ccaa0fad87d4.exe

description	pid	process
Token: SeBackupPrivilege	452	vssvc.exe
Token: SeRestorePrivilege	452	vssvc.exe
Token: SeAuditPrivilege	452	vssvc.exe

pid	process
1720	e5379ed6dfd3130a49dcddcdddec6b21c7f90d7dee15fc9219e7ccaa0fad87d4.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

e5379ed6dfd3130a49dcddcdddec6b21c7f90d7dee15fc9219e7ccaa0fad87d4.exe

description	pid	process	target process
PID 1720 wrote to memory of 268	1720	e5379ed6dfd3130a49dcddcdddec6b21c7f90d7dee15fc9219e7ccaa0fad87d4.exe	vssadmin.exe
PID 1720 wrote to memory of 268	1720	e5379ed6dfd3130a49dcddcdddec6b21c7f90d7dee15fc9219e7ccaa0fad87d4.exe	vssadmin.exe
PID 1720 wrote to memory of 268	1720	e5379ed6dfd3130a49dcddcdddec6b21c7f90d7dee15fc9219e7ccaa0fad87d4.exe	vssadmin.exe
PID 1720 wrote to memory of 268	1720	e5379ed6dfd3130a49dcddcdddec6b21c7f90d7dee15fc9219e7ccaa0fad87d4.exe	vssadmin.exe
PID 1720 wrote to memory of 1692	1720	e5379ed6dfd3130a49dcddcdddec6b21c7f90d7dee15fc9219e7ccaa0fad87d4.exe	vssadmin.exe
PID 1720 wrote to memory of 1692	1720	e5379ed6dfd3130a49dcddcdddec6b21c7f90d7dee15fc9219e7ccaa0fad87d4.exe	vssadmin.exe
PID 1720 wrote to memory of 1692	1720	e5379ed6dfd3130a49dcddcdddec6b21c7f90d7dee15fc9219e7ccaa0fad87d4.exe	vssadmin.exe
PID 1720 wrote to memory of 1692	1720	e5379ed6dfd3130a49dcddcdddec6b21c7f90d7dee15fc9219e7ccaa0fad87d4.exe	vssadmin.exe
PID 1720 wrote to memory of 1168	1720	e5379ed6dfd3130a49dcddcdddec6b21c7f90d7dee15fc9219e7ccaa0fad87d4.exe	vssadmin.exe
PID 1720 wrote to memory of 1168	1720	e5379ed6dfd3130a49dcddcdddec6b21c7f90d7dee15fc9219e7ccaa0fad87d4.exe	vssadmin.exe
PID 1720 wrote to memory of 1168	1720	e5379ed6dfd3130a49dcddcdddec6b21c7f90d7dee15fc9219e7ccaa0fad87d4.exe	vssadmin.exe
PID 1720 wrote to memory of 1168	1720	e5379ed6dfd3130a49dcddcdddec6b21c7f90d7dee15fc9219e7ccaa0fad87d4.exe	vssadmin.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\e5379ed6dfd3130a49dcddcdddec6b21c7f90d7dee15fc9219e7ccaa0fad87d4.exe
"C:\Users\Admin\AppData\Local\Temp\e5379ed6dfd3130a49dcddcdddec6b21c7f90d7dee15fc9219e7ccaa0fad87d4.exe"
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1720

C:\Windows\system32\vssadmin.exe
C:\Windows\system32\vssadmin.exe List Shadows
2⤵
- Interacts with shadow copies
PID:268

C:\Windows\system32\vssadmin.exe
C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
2⤵
- Interacts with shadow copies
PID:1692

C:\Windows\system32\vssadmin.exe
C:\Windows\system32\vssadmin.exe List Shadows
2⤵
- Interacts with shadow copies
PID:1168

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:452

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\System32\xfs
Filesize
96KB

MD5
38f7f1d9c1885e093e7c24fd56e9ab34

SHA1
934c10b1b97145c3e5c472db28d49def3c66e3d0

SHA256
4beea86f8293ff9c3d981e1c9311f01fb3660e8e69857fed815ff86bf265827d

SHA512
9286702042ef95dc74cfe640abb971ea45586616d7ad635329432fda129f0279484208de151a065531b5939223787001c4db96d4f156bc77e9a91bb663859381

Download Submit
memory/1720-0-0x0000000000320000-0x00000000003F5000-memory.dmp

Filesize
852KB

Download
memory/1720-1-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/1720-2-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/1720-3-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/1720-4-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/1720-5-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/1720-7-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/1720-6-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/1720-11-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/1720-12-0x0000000000320000-0x00000000003F5000-memory.dmp

Filesize
852KB

Download
memory/1720-13-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/1720-16-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/1720-38-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/1720-43-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/1720-44-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/1720-45-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/1720-46-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/1720-47-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/1720-42-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/1720-41-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/1720-40-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/1720-37-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/1720-48-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/1720-50-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/1720-51-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/1720-49-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/1720-52-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/1720-53-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/1720-54-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/1720-55-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/1720-56-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/1720-57-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/1720-58-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/1720-59-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/1720-60-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/1720-61-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/1720-62-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/1720-63-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/1720-64-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/1720-65-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/1720-66-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/1720-67-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/1720-68-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/1720-69-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/1720-70-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/1720-71-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/1720-72-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/1720-74-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/1720-73-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/1720-75-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/1720-76-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/1720-77-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/1720-78-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/1720-79-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/1720-80-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/1720-81-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/1720-82-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/1720-83-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/1720-84-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/1720-85-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/1720-86-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/1720-87-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/1720-88-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/1720-89-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/1720-90-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/1720-91-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/1720-92-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download