Overview

overview

10

Static

static

1

02e8c7af37...14.exe

windows10-2004-x64

10

02e8c7af37...14.exe

windows7-x64

10

02e8c7af37...14.exe

windows10-1703-x64

10

02e8c7af37...14.exe

windows10-2004-x64

10

02e8c7af37...14.exe

windows11-21h2-x64

10

Resubmissions

17-04-2024 15:10

240417-skjktade45 10

17-04-2024 15:10

240417-skhzaade44 10

17-04-2024 15:10

240417-skhcrafa4s 10

17-04-2024 15:10

240417-skgq8ade42 10

17-04-2024 15:10

240417-skgffsde39 10

15-04-2024 12:57

240415-p6157shb6w 10

15-04-2024 12:56

240415-p6n6mshb5y 10

15-04-2024 12:56

240415-p6ft9seh37 10

15-04-2024 12:56

240415-p6exzaeh36 10

15-04-2024 12:56

240415-p6d1nseh34 10

Analysis

  • max time kernel
    1194s
  • max time network
    1131s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    15-04-2024 12:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    02e8c7af3724ff535da627197920ad14.exe

  • Size

    1.2MB

  • MD5

    02e8c7af3724ff535da627197920ad14

  • SHA1

    794bd6f52a9673e1146321fa2545c580858c0d5f

  • SHA256

    ed801a3e54843afe989aadd69cdab5e6fbf00e8e02742f354519b4b16de8f31c

  • SHA512

    8a8710ffced04c30f5c43c71ebcbcf56f7b096836f67d1a847db4a8df4f39e291f3e7119f45f03fa1ca0abd0021f81abd31bb775fa22fe2340c1cf24f19f2555

  • SSDEEP

    24576:XHtrdKYVVSrqGDohJ3STZG8vIn/sCBGnWsY0Dyk:XHtV7GwBSTc8An/4YFk

Score
10/10
troldeshdiscoverypersistenceransomwarespywarestealertrojanupx

Malware Config

Signatures

  • Troldesh, Shade, Encoder.858

    Troldesh is a ransomware spread by malspam.

    ransomwaretrojantroldesh
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
    persistence
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • UPX packed file 64 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates connected drives 3 TTPs 3 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 26 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Interacts with shadow copies 2 TTPs 3 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Modifies registry class 32 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 63 IoCs
  • Suspicious use of FindShellTrayWindow 52 IoCs
  • Suspicious use of SendNotifyMessage 25 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\02e8c7af3724ff535da627197920ad14.exe
    "C:\Users\Admin\AppData\Local\Temp\02e8c7af3724ff535da627197920ad14.exe"
    1⤵
    • Adds Run key to start application
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1888
    • C:\Windows\system32\vssadmin.exe
      C:\Windows\system32\vssadmin.exe List Shadows
      2⤵
      • Interacts with shadow copies
      PID:3716
    • C:\Windows\system32\vssadmin.exe
      C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
      2⤵
      • Interacts with shadow copies
      PID:2704
    • C:\Windows\system32\vssadmin.exe
      C:\Windows\system32\vssadmin.exe List Shadows
      2⤵
      • Interacts with shadow copies
      PID:3288
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3892
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Modifies Installed Components in the registry
    • Enumerates connected drives
    • Drops file in Windows directory
    • Checks SCSI registry key(s)
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:96
  • C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
    1⤵
    • Drops file in Windows directory
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:1984

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\System32\xfs
    Filesize

    279KB

    MD5

    1d1b382a5774107d96f423318a990a01

    SHA1

    fa7ff2c9e8a32d65419a46e41a71dfee72c64d13

    SHA256

    7739f66cfd4f8362b6195eabb0565c8db8b1af834132650c4d463fb4ebb014c9

    SHA512

    cf9fb818b22c80ece3e71e7ee2b99d7f59547db38b1ca0d9825d91b8d75f9a11466700e9ed433cecc10f70deea1538ec7f429919694395d64347fb81b086afce

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db
    Filesize

    1024KB

    MD5

    c54cde3ceede65db57e1ef09429038d6

    SHA1

    d40df43ca2538ba8f23eb8d5e6ba48c6cd1a29a7

    SHA256

    80a0bcaaf774d79edb86f7cf3793bb8d584f3b74a67112b7b7b651aa762240eb

    SHA512

    1677ee5d05e7357550bf0b45d5f077557e3835d066ac930692112c69c4719a4f618af33f8531b9b99f202d3e69716e2f53faa7da0c8092ffa22a43b585777f2b

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db
    Filesize

    1024KB

    MD5

    266e6ba1e573795d20005aef2649d7d1

    SHA1

    0bd2c556686b35e89e6619d43fd6766a49a8c549

    SHA256

    2daf8fc8c7de0efbc14bab5dcf44ab9d4027bb68b417413f40cc038cb87f9686

    SHA512

    000bb906ccb70dfdfcda226423172b36abae9487ab280ba74caf6093b506fc803f17272ba347e369371d16f0e81d337e224cbb878a511ac356a24c2b708f132a

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db
    Filesize

    7KB

    MD5

    53a1264b64e3b5b0d8f3c913e97524e2

    SHA1

    85a684869f8721cb327cf7f6fb3ce8f2b39e80e9

    SHA256

    9353985c11ae4085208fcd8527fe754bf3feda7bc1c93efe0ba0bcf98f37594a

    SHA512

    c50ee6e14cae24769d211e46bebd7bebfc684132baa1f67930434709505acbd1b74885efc28acd8c3c43885f12599e135594dcca89c96ccbd6b7a11689da945a

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db
    Filesize

    7KB

    MD5

    fb461d45a6d2058895b1c2a38795bdf1

    SHA1

    0e5de2705a06ae421e983d8440501b3f32796a17

    SHA256

    2a969b72f1e86d05bb6952092beae69168f66129686f76494e972595c5ca27e4

    SHA512

    b5ea3f9aacc4b0c47f56cada0cd999bddda2e5bacaaf3ed8a27726dc6795bc1fc8165a007c407f3b5c698c553072113e5cd523f4cbef0b684356131efef3b1e7

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_16.db
    Filesize

    1024KB

    MD5

    eba4e0b01ffe34626b5e200d18741b66

    SHA1

    1b5c320a0d0df24fa823d3e7d089e25a0db6a0a5

    SHA256

    ff580f5b35bf1846a5250e56ee820d7fa1c7adb54784562da5907ee0d896d438

    SHA512

    909910ec8fd0041f61935533779c4c0dbf4848b4a1d688cb1c37139cfdcaef3b3e49f7e747fd015efa0da4446de7b9098bdb5724fc683fc52e634b6daa2f45db

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_48.db
    Filesize

    24B

    MD5

    ae6fbded57f9f7d048b95468ddee47ca

    SHA1

    c4473ea845be2fb5d28a61efd72f19d74d5fc82e

    SHA256

    d3c9d1ff7b54b653c6a1125cac49f52070338a2dd271817bba8853e99c0f33a9

    SHA512

    f119d5ad9162f0f5d376e03a9ea15e30658780e18dd86e81812dda8ddf59addd1daa0706b2f5486df8f17429c2c60aa05d4f041a2082fd2ec6ea8cc9469fade3

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db
    Filesize

    7KB

    MD5

    834ea5b8eae0cc502fffec8ed6ff4b7c

    SHA1

    c5b4e9d46caa0fc37d75aefbf51dc645b5c71fd4

    SHA256

    8c32b3ae58dea844c66d3b1a76ea614c55f71a08bc6f223e73ceb6457855a674

    SHA512

    51d2604b87a39b1cb90692332d9b88ea15d4970a36c8d1c8646b1cf3ec9737bd71a12d66a27ae3087d43289969a939042bc389a4b5875ca3ddb2a087ccac80ff

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db
    Filesize

    7KB

    MD5

    0633796ab930ea8d081cfb4cc57b430a

    SHA1

    ab57a0a01aaf6e260e178f2e97e2bbba8b269511

    SHA256

    3de12d4c03ed711164d1f8e529a9dc821a16820f1412cf4c41afb56ddd728736

    SHA512

    f930061289b899724db5ea27450516b44cb98bcb6f1f11f568910e851d3d5884e2b49b63c73f41a904d141239dd6a6b7ec94cda83df0f60960455f612a78c677

    Download Submit

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\MOQY2KJ2\microsoft.windows[1].xml
    Filesize

    97B

    MD5

    a40fcf38d6fdec817b488bbbf7f66e01

    SHA1

    275e010f68ffc2bbc5d7b2694d095a9af29f2339

    SHA256

    baa5e954381c0ad2a5f3863f9a3a2f5c5c81d89796de753f54dbf7b9faaec8ba

    SHA512

    9dd19e3e3e00952100ee7dc64fe04cfa81122287ce2d5c28febb20a5ce2003e495d5f7090849b656dd031f22342835956c575ec93a86878cbdff8bb86ae5336d

    Download Submit

  • C:\Users\Admin\AppData\Roaming\3569863035698630.bmp
    Filesize

    2.6MB

    MD5

    993cc909a89f0fb7fe90acc3703c2105

    SHA1

    f422cdcb426718b235a19080b0daf71c9b448768

    SHA256

    4aa6cdb9ce95410f85a05b21967d224cfd49cf8c7fa18d9998304a16d4e4b5d8

    SHA512

    5ec562b1e6f91f8774bf8fd00a6a413b4b4b5be2ede17ff9c417fce7097b7d313b136740e525c19a77f220e80fb0e92f8f4d1866ea185c9fc6755c3b41aa9762

    Download Submit

  • memory/1888-39-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1888-45-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1888-12-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1888-13-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1888-14-0x00000000006E0000-0x00000000007B5000-memory.dmp

    Filesize

    852KB

    Download

  • memory/1888-15-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1888-16-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1888-17-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1888-18-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1888-19-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1888-22-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1888-23-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1888-24-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1888-25-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1888-26-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1888-27-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1888-28-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1888-29-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1888-30-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1888-31-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1888-32-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1888-33-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1888-34-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1888-35-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1888-36-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1888-37-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1888-38-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1888-8-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1888-40-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1888-41-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1888-42-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1888-43-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1888-44-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1888-11-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1888-46-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1888-47-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1888-48-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1888-49-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1888-50-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1888-51-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1888-52-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1888-53-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1888-54-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1888-55-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1888-56-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1888-57-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1888-58-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1888-59-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1888-60-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1888-61-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1888-62-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1888-63-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1888-64-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1888-65-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1888-66-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1888-67-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1888-5-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1888-4-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1888-3-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1888-2-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1888-1-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1888-0-0x00000000006E0000-0x00000000007B5000-memory.dmp

    Filesize

    852KB

    Download

  • memory/1888-68-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1888-69-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1888-70-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1888-71-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1888-72-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download