Overview

overview

10

Static

static

1

02e8c7af37...14.exe

windows7-x64

10

02e8c7af37...14.exe

windows10-1703-x64

10

02e8c7af37...14.exe

windows10-2004-x64

10

02e8c7af37...14.exe

windows11-21h2-x64

10

Resubmissions

17-04-2024 15:10

240417-skjktade45 10

17-04-2024 15:10

240417-skhzaade44 10

17-04-2024 15:10

240417-skhcrafa4s 10

17-04-2024 15:10

240417-skgq8ade42 10

17-04-2024 15:10

240417-skgffsde39 10

15-04-2024 12:57

240415-p6157shb6w 10

15-04-2024 12:56

240415-p6n6mshb5y 10

15-04-2024 12:56

240415-p6ft9seh37 10

15-04-2024 12:56

240415-p6exzaeh36 10

15-04-2024 12:56

240415-p6d1nseh34 10

Analysis

  • max time kernel
    1791s
  • max time network
    1600s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    15-04-2024 12:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    02e8c7af3724ff535da627197920ad14.exe

  • Size

    1.2MB

  • MD5

    02e8c7af3724ff535da627197920ad14

  • SHA1

    794bd6f52a9673e1146321fa2545c580858c0d5f

  • SHA256

    ed801a3e54843afe989aadd69cdab5e6fbf00e8e02742f354519b4b16de8f31c

  • SHA512

    8a8710ffced04c30f5c43c71ebcbcf56f7b096836f67d1a847db4a8df4f39e291f3e7119f45f03fa1ca0abd0021f81abd31bb775fa22fe2340c1cf24f19f2555

  • SSDEEP

    24576:XHtrdKYVVSrqGDohJ3STZG8vIn/sCBGnWsY0Dyk:XHtV7GwBSTc8An/4YFk

Score
10/10
troldeshdiscoverypersistenceransomwarespywarestealertrojanupx

Malware Config

Signatures

  • Troldesh, Shade, Encoder.858

    Troldesh is a ransomware spread by malspam.

    ransomwaretrojantroldesh
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
    persistence
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • UPX packed file 64 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates connected drives 3 TTPs 3 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 26 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Interacts with shadow copies 2 TTPs 3 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Modifies registry class 32 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 47 IoCs
  • Suspicious use of FindShellTrayWindow 44 IoCs
  • Suspicious use of SendNotifyMessage 23 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\02e8c7af3724ff535da627197920ad14.exe
    "C:\Users\Admin\AppData\Local\Temp\02e8c7af3724ff535da627197920ad14.exe"
    1⤵
    • Adds Run key to start application
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1284
    • C:\Windows\system32\vssadmin.exe
      C:\Windows\system32\vssadmin.exe List Shadows
      2⤵
      • Interacts with shadow copies
      PID:2500
    • C:\Windows\system32\vssadmin.exe
      C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
      2⤵
      • Interacts with shadow copies
      PID:5112
    • C:\Windows\system32\vssadmin.exe
      C:\Windows\system32\vssadmin.exe List Shadows
      2⤵
      • Interacts with shadow copies
      PID:4144
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:5036
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Modifies Installed Components in the registry
    • Enumerates connected drives
    • Drops file in Windows directory
    • Checks SCSI registry key(s)
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:404
  • C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
    1⤵
    • Drops file in Windows directory
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:4632

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\System32\xfs
    Filesize

    147KB

    MD5

    adb8632c5f0d104341751d1f6cce1e88

    SHA1

    3ce04d55cb9c801f1b68f05afd49e2f026e3dd7a

    SHA256

    487ebee3c1a22ba8e853b7b7206bfccf83a0bcabbfd40923599d180ee94c774d

    SHA512

    72dd0546e34de5bfa658e2ded153a2714ac3ed46b7a2fa847d4f4b3c43f369cec8f55a15e190fb8667b0a7eb77a08bebff8243f3551a8638681a50b78300ef45

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db
    Filesize

    1024KB

    MD5

    45780e7a7272a93d79ffcb62299ac764

    SHA1

    35269860aa2fc01b004ef58c7f28daca783b06bb

    SHA256

    d5e9a5186a2f800e2e34b083c7d24ffe57d48a7044b18a479420b624e7a28c59

    SHA512

    e9debfdc7badd8b88c4bb155071c58ec0a020a92d329e616916e1d52abc0c7e4b218005cdf4b26fcd150f1e993c77d5c1f37445b8a056e38575e1e494858b5d1

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db
    Filesize

    1024KB

    MD5

    61a9c85f433f6241da45315e3852c47c

    SHA1

    7da46584974463e2d40fca056b714fc9b00cbf8c

    SHA256

    bc551c8e8c8227c0f316ea30332b4df54300ff069dd021af009ee0a42e2b992a

    SHA512

    fda9a45ca6036224da9054fba201fd72884490a506736f6288911f5b39c11eb3b1b55e90a4b844de74298a0e0524fd4346e4a5a11859a262764ec16bbb0709f2

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db
    Filesize

    7KB

    MD5

    dc5b3ce252f2b233958f03ea3bb12a07

    SHA1

    6d91575f8da4e1f407c7082c538af24544adac2a

    SHA256

    8316147893d16addd1cf077df64b9d227a69886e842ac828cd2bfb8c591471e5

    SHA512

    a3574ef68d6270eab20c77b71c9d4e7eb775599dc382eef4376fb196e044168633cacbdfe6c88363edb72b2a7c936e8f4abe47857b2c790024478e6ddceaa0c6

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db
    Filesize

    7KB

    MD5

    25fe33a53aab81af0013f2fbd22ddfd4

    SHA1

    43d4b6c4036c0b2d111611968b1459cd382e01db

    SHA256

    bf0749cc008dd84160956117c37ed20293659de3920d5c6c11d8ca96240133d5

    SHA512

    3521e10aac09cda744379f38e8675de50220f6849355f18781e339ce7dc89150311d81f473ac3dbcdcddc0c227dfb550a774ef1866769a04c3efbcb51b73d677

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_16.db
    Filesize

    1024KB

    MD5

    4a5f8cd23701d2608ec285ef1ac4511c

    SHA1

    494c53f4572c074d5f4c9a5c79cc00c8934469dc

    SHA256

    bb9b1cc0b9ced91e5dc883a57c56e89ba2c1069bb33c567b9f5996ea382b76fb

    SHA512

    c675051f8250f67c2d998a62ac09924176129295e663a77ed55812170f1837a0cad21f06064f03e65b7add0efb2a4c41bdc88f2eea84a53e68ee95895a969e34

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_256.db
    Filesize

    1024KB

    MD5

    c38e100c17dc4755c840efd13132b4d8

    SHA1

    a0959e22efaf754160470c2587ae6e07b4e28130

    SHA256

    aa981c53ab06db0cd2b22ae8d45c4e2e2153f2ff27af777e2429e887780c9d63

    SHA512

    68719ac2652c564aa810b563cc1f1d43e3e85f31669a780bfcc12d97dd4a2026c6a6a8d7947a3af0d8d2a25f7ac8fa4664c1ff5076422ca2a7c651b238f7f665

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_48.db
    Filesize

    24B

    MD5

    ae6fbded57f9f7d048b95468ddee47ca

    SHA1

    c4473ea845be2fb5d28a61efd72f19d74d5fc82e

    SHA256

    d3c9d1ff7b54b653c6a1125cac49f52070338a2dd271817bba8853e99c0f33a9

    SHA512

    f119d5ad9162f0f5d376e03a9ea15e30658780e18dd86e81812dda8ddf59addd1daa0706b2f5486df8f17429c2c60aa05d4f041a2082fd2ec6ea8cc9469fade3

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db
    Filesize

    7KB

    MD5

    6f6a64f29f4f92e2864508559cb56a9b

    SHA1

    8b97726548e31fa0da0050d0f861f4f10e0e8c03

    SHA256

    dc935f3fd8a2999918ae5a15b0389376ab84de3dda4298b64b0faf2df155d064

    SHA512

    fee966bf5405fcaee3dda8f7d887822b1125c9e72779f0e7d672e286e587047b741b5f34f65825951142b4663e0be44062e031fa13aeb4014e2f5e4c2be20670

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db
    Filesize

    7KB

    MD5

    5cd9dc8713e3fe0ae72a29d7a6ab3187

    SHA1

    8ff4bf1ede118d8d3606591a727a470f830ee62b

    SHA256

    3ace03851dd99e44ad66eb740d573ff9f4e94729e58bce8113b317ec9ab9718d

    SHA512

    178c8e4629693e39433d7e9f37101d27e2bba89214cdd0029b24d315360cd61dd0f671ee271ca017bc72671f65558ee827968405c728d887d0a012498e08d6d1

    Download Submit

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\5PWHOEW3\microsoft.windows[1].xml
    Filesize

    97B

    MD5

    076eab040fe5803e7c1f0d59de1a7269

    SHA1

    90c9e8661771a1dc7fe18764deba5b206e36842f

    SHA256

    4e9582128784c89d9f9884e6fc7e96ada86f92ea92ff17e95ccdc3dbcc2fe837

    SHA512

    99cf0569d4700c4af87984b5db1f1d62092d0d82f02f65fadb3d0b984eedef9df5c13a76c0d0c3571bb8c0ecf29358df8994f634aebb6577f7a31640c7918eab

    Download Submit

  • C:\Users\Admin\AppData\Roaming\667B0773667B0773.bmp
    Filesize

    2.6MB

    MD5

    993cc909a89f0fb7fe90acc3703c2105

    SHA1

    f422cdcb426718b235a19080b0daf71c9b448768

    SHA256

    4aa6cdb9ce95410f85a05b21967d224cfd49cf8c7fa18d9998304a16d4e4b5d8

    SHA512

    5ec562b1e6f91f8774bf8fd00a6a413b4b4b5be2ede17ff9c417fce7097b7d313b136740e525c19a77f220e80fb0e92f8f4d1866ea185c9fc6755c3b41aa9762

    Download Submit

  • memory/1284-39-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1284-46-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1284-13-0x00000000006E0000-0x00000000007B5000-memory.dmp

    Filesize

    852KB

    Download

  • memory/1284-14-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1284-15-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1284-16-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1284-17-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1284-18-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1284-19-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1284-22-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1284-23-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1284-24-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1284-25-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1284-26-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1284-27-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1284-28-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1284-29-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1284-30-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1284-31-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1284-32-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1284-33-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1284-34-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1284-35-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1284-36-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1284-37-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1284-38-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1284-11-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1284-40-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1284-41-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1284-42-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1284-43-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1284-44-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1284-45-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1284-12-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1284-47-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1284-48-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1284-49-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1284-50-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1284-51-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1284-52-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1284-53-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1284-54-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1284-55-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1284-56-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1284-57-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1284-58-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1284-59-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1284-60-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1284-61-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1284-62-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1284-63-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1284-64-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1284-65-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1284-66-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1284-67-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1284-7-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1284-5-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1284-4-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1284-3-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1284-2-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1284-1-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1284-0-0x00000000006E0000-0x00000000007B5000-memory.dmp

    Filesize

    852KB

    Download

  • memory/1284-68-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1284-69-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1284-70-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1284-71-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1284-72-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download