Overview

overview

10

Static

static

7

c4a48fbe5d...56.exe

windows7-x64

10

c4a48fbe5d...56.exe

windows7-x64

10

c4a48fbe5d...56.exe

windows10-1703-x64

10

c4a48fbe5d...56.exe

windows10-2004-x64

10

c4a48fbe5d...56.exe

windows11-21h2-x64

10

Resubmissions

17-04-2024 12:14

240417-pesdzsfh4y 10

17-04-2024 12:14

240417-persfsfh4x 10

17-04-2024 12:14

240417-peqv6aec97 10

17-04-2024 12:14

240417-pedktsfh3z 10

17-04-2024 12:14

240417-peczasec87 10

17-04-2024 06:32

240417-ha37csfh67 10

Analysis

  • max time kernel
    1787s
  • max time network
    1576s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    17-04-2024 12:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c4a48fbe5df0c9b765899f3edf6e1003fd3a2a6bcc39d1b3a0343bb246b78856.exe

  • Size

    1.1MB

  • MD5

    20cba77eaae04ca6623cbbe03f9a81d8

  • SHA1

    fd989d3ba9ab0534f48b7cb1d11036a4ed08e431

  • SHA256

    c4a48fbe5df0c9b765899f3edf6e1003fd3a2a6bcc39d1b3a0343bb246b78856

  • SHA512

    e102e1902d224730fccce9cefc8d9c92471a35a49e64718d2dacd183d629fbc388fd6c6ae3fa5c59115cef061106459b767bec21628339bd712c291ea60a86f9

  • SSDEEP

    24576:VVimLZikdvnYgTcH2JsjaCtxl7j7XFv+RC7WwQOvu+s:VVimLZiSfHJ8aCtxl7nVvwCa8uz

Score
10/10
troldeshpersistenceransomwarespywarestealertrojanupx

Malware Config

Signatures

  • Troldesh, Shade, Encoder.858

    Troldesh is a ransomware spread by malspam.

    ransomwaretrojantroldesh
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
    persistence
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • UPX packed file 64 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 3 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 26 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Interacts with shadow copies 2 TTPs 3 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Modifies registry class 32 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 61 IoCs
  • Suspicious use of FindShellTrayWindow 44 IoCs
  • Suspicious use of SendNotifyMessage 23 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\c4a48fbe5df0c9b765899f3edf6e1003fd3a2a6bcc39d1b3a0343bb246b78856.exe
    "C:\Users\Admin\AppData\Local\Temp\c4a48fbe5df0c9b765899f3edf6e1003fd3a2a6bcc39d1b3a0343bb246b78856.exe"
    1⤵
    • Adds Run key to start application
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2216
    • C:\Windows\system32\vssadmin.exe
      C:\Windows\system32\vssadmin.exe List Shadows
      2⤵
      • Interacts with shadow copies
      PID:4464
    • C:\Windows\system32\vssadmin.exe
      C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
      2⤵
      • Interacts with shadow copies
      PID:4952
    • C:\Windows\system32\vssadmin.exe
      C:\Windows\system32\vssadmin.exe List Shadows
      2⤵
      • Interacts with shadow copies
      PID:3364
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3548
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Modifies Installed Components in the registry
    • Enumerates connected drives
    • Drops file in Windows directory
    • Checks SCSI registry key(s)
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2156
  • C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
    1⤵
    • Drops file in Windows directory
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:3520

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\System32\xfs
    Filesize

    134KB

    MD5

    58cbb02a3184b3f5ecace63572d035de

    SHA1

    339455d9f9145b2782efcde0109bfc6f0aef9296

    SHA256

    53c64ce9d7ad3aed5e02de24dcf92b4188b148ef2f64ea7753c36d4c657b1e26

    SHA512

    1fba4673770c02803e8775e122a9a306f0f059d0511f45ed5b848edc3cb00cc900c7a3f44e0bdf7996dbde2f3c57b39cc5a8367649e54506a92d2fa993ad48db

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db
    Filesize

    1024KB

    MD5

    427823dafc3f576a5e378288bb3ddf0c

    SHA1

    2e4a29824b4e277755c9ae68f259b84f223f6256

    SHA256

    daa3945f12ac7eac16d2929dad8ab982525e193c75deb51d3c44d2cd930f2848

    SHA512

    253f92fb3cceb8e16da62cf84a4face1796c01a6dea26fc3b861cf56e76ebe535ea2e0b6751fc889d30c852dc0481dd38690014e82853257297b7965c3c1add7

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db
    Filesize

    1024KB

    MD5

    c54cde3ceede65db57e1ef09429038d6

    SHA1

    d40df43ca2538ba8f23eb8d5e6ba48c6cd1a29a7

    SHA256

    80a0bcaaf774d79edb86f7cf3793bb8d584f3b74a67112b7b7b651aa762240eb

    SHA512

    1677ee5d05e7357550bf0b45d5f077557e3835d066ac930692112c69c4719a4f618af33f8531b9b99f202d3e69716e2f53faa7da0c8092ffa22a43b585777f2b

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db
    Filesize

    7KB

    MD5

    91f7c6330a341a48acb86bd1ccdaff00

    SHA1

    fecedcefcf3831c0b03d63c138846486a69659e4

    SHA256

    2b04941bf1d03c13715a2281089c3cf95162dc8edec866cd178ecd44167f42a8

    SHA512

    a893d9d96da59ea5ffddea7244b9570f4ff299eb4a6d189734da5bdb31bd641ab9515e40857a12919f26b45c1309f593cf9a903836d1cf883ed88f24778b8795

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db
    Filesize

    7KB

    MD5

    53a1264b64e3b5b0d8f3c913e97524e2

    SHA1

    85a684869f8721cb327cf7f6fb3ce8f2b39e80e9

    SHA256

    9353985c11ae4085208fcd8527fe754bf3feda7bc1c93efe0ba0bcf98f37594a

    SHA512

    c50ee6e14cae24769d211e46bebd7bebfc684132baa1f67930434709505acbd1b74885efc28acd8c3c43885f12599e135594dcca89c96ccbd6b7a11689da945a

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_16.db
    Filesize

    1024KB

    MD5

    3aabc4bf6bdd14699294220f6a1f4729

    SHA1

    9a47a69b8371dc499aaf36df4949e4fd7c9c68d3

    SHA256

    da398c29b43f27b898b0ab0b389c98d95eb0cc95232b7bd2a320c9817708be62

    SHA512

    913f5746cc417e6010661a1d03ea59605e438c440b6db9c9775cc92bbf78ca61f5ab39f5cbcee2c0fcc684b941bacab8ea99ed24293212ff0065b8a69d63ffc2

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_256.db
    Filesize

    1024KB

    MD5

    0c0d768bddef5ca86a8f6e9e1b21ba79

    SHA1

    31f2f66a30f45e06f38d39593ee953dfb856eccb

    SHA256

    ae563c18c0c0a5bdc1d01316928debbca27747c44d624f69572c355290c47f7d

    SHA512

    a77dc89e45dc65d61581357e30956cf6c25f41ea935f796da83eb6e9207af0b40daa815e02916a093c887805a74a1742d10af60bba7e0590e824e86f49662cee

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_48.db
    Filesize

    24B

    MD5

    ae6fbded57f9f7d048b95468ddee47ca

    SHA1

    c4473ea845be2fb5d28a61efd72f19d74d5fc82e

    SHA256

    d3c9d1ff7b54b653c6a1125cac49f52070338a2dd271817bba8853e99c0f33a9

    SHA512

    f119d5ad9162f0f5d376e03a9ea15e30658780e18dd86e81812dda8ddf59addd1daa0706b2f5486df8f17429c2c60aa05d4f041a2082fd2ec6ea8cc9469fade3

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db
    Filesize

    7KB

    MD5

    6397c44af5eea6fe5f43655f95bb2c8e

    SHA1

    fa55537216c68c5b8bfa42dad4ac9980dd58b04e

    SHA256

    6877162c9fc0bcaacad4baef3416fdcdb39a2228c2c86986e1abb77c65395549

    SHA512

    ae1b5c361d6b57cb273921bfb7d914a99b62303ac6591861aa53af08216173e2b7a460fef12c0e314b9ce971b1cf74a2815f0be4e3213450b3ae3869b3ccecf4

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db
    Filesize

    7KB

    MD5

    f6cb6893bb08ab45c4ada11c455f9987

    SHA1

    857173c2e0328af03ae670997da7adab2dd4e82d

    SHA256

    409703f023b83ffcebfe2b558d79fcaf3624eefbfa0f8ba6120bcb4e59b223f4

    SHA512

    3e845830f74d5df8ef7afa8b0ece53fbc537e7369f5d2737c9cf654743acb9f086d3a65cc3580c1e18567979943ccadde77fc3d69de152151b6a21b9839ebff6

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db
    Filesize

    7KB

    MD5

    1b73f837420eeaf4f21f295433da8277

    SHA1

    4ec6c3159b51c68766bedce11f445226de10cfe2

    SHA256

    8b1ef0f318f0f17bebc44d742fbd679af65786c39d20cf60eae20a6be32567c5

    SHA512

    f8fcbd78fdb69b416019dd56d411e78038b1ba2c7beed1c5220f28e4b6c64479d97c2cb31a690738bfb77fb8779e6bc54bf9f82d26161b8cd263a66b30329254

    Download Submit

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\GO5H5QJ1\microsoft.windows[1].xml
    Filesize

    97B

    MD5

    a1840e02c5aad639e5c66b533419b697

    SHA1

    780c0114b3770a717822721d3564b54b024745a9

    SHA256

    549e4014119b6395576ef0ea25d1c777e6f96ef971bc125e654d63982cecddbe

    SHA512

    2fecd05d09f0eded5cd439afd7c0085aa0d40f3111cee16ec405c3bb36bcbeb606bed05636b8545449b5f65f947e9aadf9d57f2bc526cb511959db5871c8d6dd

    Download Submit

  • C:\Users\Admin\AppData\Roaming\2616C2D92616C2D9.bmp
    Filesize

    2.6MB

    MD5

    993cc909a89f0fb7fe90acc3703c2105

    SHA1

    f422cdcb426718b235a19080b0daf71c9b448768

    SHA256

    4aa6cdb9ce95410f85a05b21967d224cfd49cf8c7fa18d9998304a16d4e4b5d8

    SHA512

    5ec562b1e6f91f8774bf8fd00a6a413b4b4b5be2ede17ff9c417fce7097b7d313b136740e525c19a77f220e80fb0e92f8f4d1866ea185c9fc6755c3b41aa9762

    Download Submit

  • memory/2216-87-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/2216-95-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/2216-35-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/2216-36-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/2216-37-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/2216-40-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/2216-46-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/2216-42-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/2216-47-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/2216-50-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/2216-52-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/2216-56-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/2216-57-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/2216-61-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/2216-62-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/2216-66-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/2216-71-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/2216-67-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/2216-72-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/2216-75-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/2216-80-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/2216-77-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/2216-82-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/2216-83-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/2216-84-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/2216-85-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/2216-86-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/2216-11-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/2216-88-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/2216-89-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/2216-90-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/2216-91-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/2216-92-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/2216-93-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/2216-94-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/2216-14-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/2216-96-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/2216-97-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/2216-98-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/2216-101-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/2216-103-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/2216-107-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/2216-108-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/2216-110-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/2216-113-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/2216-117-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/2216-118-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/2216-121-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/2216-123-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/2216-124-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/2216-125-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/2216-130-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/2216-128-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/2216-133-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/2216-135-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/2216-138-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/2216-10-0x0000000000400000-0x000000000060B000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2216-6-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/2216-5-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/2216-4-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/2216-3-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/2216-2-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/2216-1-0x0000000000A30000-0x0000000000AFE000-memory.dmp

    Filesize

    824KB

    Download

  • memory/2216-0-0x0000000000400000-0x000000000060B000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2216-143-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/2216-145-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/2216-140-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/2216-149-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/2216-150-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download