Resubmissions
17-04-2024 15:08
240417-sh9dfsdd79 1017-04-2024 15:08
240417-sh8rxseh9s 1017-04-2024 15:08
240417-sh76dsdd78 1017-04-2024 15:08
240417-sh7vmaeh8z 1017-04-2024 15:08
240417-sh684aeh8y 1015-04-2024 11:51
240415-n1dx2sdg29 1015-04-2024 11:51
240415-n1cd8aga41 1015-04-2024 11:48
240415-nygadsdf57 1015-04-2024 11:48
240415-nyfnvsfh8x 1015-04-2024 11:48
240415-nyfc4adf55 10Analysis
-
max time kernel
141s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240412-en -
resource tags
arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system -
submitted
15-04-2024 11:48
Static task
static1
Behavioral task
behavioral1
Sample
3d4d462dbc7dbfd12af693f8176e9fd6814560ed763448fa75fa6dad026567f4.exe
Resource
win10v2004-20240412-en
Behavioral task
behavioral2
Sample
3d4d462dbc7dbfd12af693f8176e9fd6814560ed763448fa75fa6dad026567f4.exe
Resource
win7-20240215-en
Behavioral task
behavioral3
Sample
3d4d462dbc7dbfd12af693f8176e9fd6814560ed763448fa75fa6dad026567f4.exe
Resource
win10-20240404-en
Behavioral task
behavioral4
Sample
3d4d462dbc7dbfd12af693f8176e9fd6814560ed763448fa75fa6dad026567f4.exe
Resource
win10v2004-20240412-en
Behavioral task
behavioral5
Sample
3d4d462dbc7dbfd12af693f8176e9fd6814560ed763448fa75fa6dad026567f4.exe
Resource
win11-20240412-en
General
-
Target
3d4d462dbc7dbfd12af693f8176e9fd6814560ed763448fa75fa6dad026567f4.exe
-
Size
1.2MB
-
MD5
c722f0a20113bb1488382daefda9a358
-
SHA1
4d269f0ec76a564f952c348b32a3b59c34bab2b4
-
SHA256
3d4d462dbc7dbfd12af693f8176e9fd6814560ed763448fa75fa6dad026567f4
-
SHA512
534a1acdd94846138086a9912f8c2bcf154e0765f80d0a8432004687c76909fa9ab95adef24b8ec67b10cdff2aa59c50d0bf086e034e3b12f4ea484c7605e991
-
SSDEEP
24576:IIvEq8jlEBPkNShzxh7QjO+NhXh1l/JFfnE88smv:najiNOsbQjOuXh1lvESw
Malware Config
Signatures
-
Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
resource yara_rule behavioral4/memory/1508-1-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral4/memory/1508-2-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral4/memory/1508-3-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral4/memory/1508-4-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral4/memory/1508-5-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral4/memory/1508-7-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral4/memory/1508-11-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral4/memory/1508-12-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral4/memory/1508-14-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral4/memory/1508-15-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral4/memory/1508-16-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral4/memory/1508-17-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral4/memory/1508-18-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral4/memory/1508-19-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral4/memory/1508-22-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral4/memory/1508-23-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral4/memory/1508-24-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral4/memory/1508-25-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral4/memory/1508-26-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral4/memory/1508-27-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral4/memory/1508-28-0x0000000000400000-0x0000000000608000-memory.dmp upx behavioral4/memory/1508-29-0x0000000000400000-0x0000000000608000-memory.dmp upx -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
3d4d462dbc7dbfd12af693f8176e9fd6814560ed763448fa75fa6dad026567f4.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\"" 3d4d462dbc7dbfd12af693f8176e9fd6814560ed763448fa75fa6dad026567f4.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
3d4d462dbc7dbfd12af693f8176e9fd6814560ed763448fa75fa6dad026567f4.exepid process 1508 3d4d462dbc7dbfd12af693f8176e9fd6814560ed763448fa75fa6dad026567f4.exe 1508 3d4d462dbc7dbfd12af693f8176e9fd6814560ed763448fa75fa6dad026567f4.exe 1508 3d4d462dbc7dbfd12af693f8176e9fd6814560ed763448fa75fa6dad026567f4.exe 1508 3d4d462dbc7dbfd12af693f8176e9fd6814560ed763448fa75fa6dad026567f4.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\3d4d462dbc7dbfd12af693f8176e9fd6814560ed763448fa75fa6dad026567f4.exe"C:\Users\Admin\AppData\Local\Temp\3d4d462dbc7dbfd12af693f8176e9fd6814560ed763448fa75fa6dad026567f4.exe"1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
PID:1508