Overview

overview

10

Static

static

7

c4a48fbe5d...56.exe

windows10-1703-x64

10

c4a48fbe5d...56.exe

windows7-x64

10

c4a48fbe5d...56.exe

windows10-1703-x64

10

c4a48fbe5d...56.exe

windows10-2004-x64

10

c4a48fbe5d...56.exe

windows11-21h2-x64

10

Resubmissions

17-04-2024 12:14

240417-pesdzsfh4y 10

17-04-2024 12:14

240417-persfsfh4x 10

17-04-2024 12:14

240417-peqv6aec97 10

17-04-2024 12:14

240417-pedktsfh3z 10

17-04-2024 12:14

240417-peczasec87 10

17-04-2024 06:32

240417-ha37csfh67 10

Analysis

  • max time kernel
    1179s
  • max time network
    1042s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    17-04-2024 12:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c4a48fbe5df0c9b765899f3edf6e1003fd3a2a6bcc39d1b3a0343bb246b78856.exe

  • Size

    1.1MB

  • MD5

    20cba77eaae04ca6623cbbe03f9a81d8

  • SHA1

    fd989d3ba9ab0534f48b7cb1d11036a4ed08e431

  • SHA256

    c4a48fbe5df0c9b765899f3edf6e1003fd3a2a6bcc39d1b3a0343bb246b78856

  • SHA512

    e102e1902d224730fccce9cefc8d9c92471a35a49e64718d2dacd183d629fbc388fd6c6ae3fa5c59115cef061106459b767bec21628339bd712c291ea60a86f9

  • SSDEEP

    24576:VVimLZikdvnYgTcH2JsjaCtxl7j7XFv+RC7WwQOvu+s:VVimLZiSfHJ8aCtxl7nVvwCa8uz

Score
10/10
troldeshpersistenceransomwarespywarestealertrojanupx

Malware Config

Signatures

  • Troldesh, Shade, Encoder.858

    Troldesh is a ransomware spread by malspam.

    ransomwaretrojantroldesh
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
    persistence
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • UPX packed file 64 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops desktop.ini file(s) 1 IoCs
  • Enumerates connected drives 3 TTPs 3 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 26 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Interacts with shadow copies 2 TTPs 3 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Modifies registry class 32 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 57 IoCs
  • Suspicious use of FindShellTrayWindow 47 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\c4a48fbe5df0c9b765899f3edf6e1003fd3a2a6bcc39d1b3a0343bb246b78856.exe
    "C:\Users\Admin\AppData\Local\Temp\c4a48fbe5df0c9b765899f3edf6e1003fd3a2a6bcc39d1b3a0343bb246b78856.exe"
    1⤵
    • Adds Run key to start application
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1164
    • C:\Windows\system32\vssadmin.exe
      C:\Windows\system32\vssadmin.exe List Shadows
      2⤵
      • Interacts with shadow copies
      PID:2996
    • C:\Windows\system32\vssadmin.exe
      C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
      2⤵
      • Interacts with shadow copies
      PID:2152
    • C:\Windows\system32\vssadmin.exe
      C:\Windows\system32\vssadmin.exe List Shadows
      2⤵
      • Interacts with shadow copies
      PID:4048
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:428
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Modifies Installed Components in the registry
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops file in Windows directory
    • Checks SCSI registry key(s)
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:32
  • C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
    1⤵
    • Drops file in Windows directory
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:2488

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\System32\xfs
    Filesize

    224KB

    MD5

    0028ba9c18c1419f848f48720521db19

    SHA1

    18c4a73df6cfe7397734b9766d9bfe5f19759ffe

    SHA256

    b4403b07ff3986dbe6e699f17359cabcda358968a2e73f179dcbe6392aa40d63

    SHA512

    5badd57b4e8ad6dcd55cd0c425c3e3951ce87fb5bd13a5c29c7e014091268994314ee72cc3e05077245ee9e7dd2950e1d3f8d2c3f6e41a845c5596ed9616395e

    Download Submit

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\MOQY2KJ2\microsoft.windows[1].xml
    Filesize

    97B

    MD5

    004dfcb17bf030b4aa49d5bc59c9609b

    SHA1

    7b31341cc06311b59fdfb1bc3ef6c02c2e051f9d

    SHA256

    cf23e7de15e06036f8a300e09077c92051b503a72698c6ec5f1caa9ab2c9cae8

    SHA512

    2145cc4ff75bc714908360dbe08c55ff3b776ab385a68fbae5e0c32dafbb3a7f3a60b611fc5869ebc6ae5cf3de7c0fde642d6ab5d2b5115ae5f050cd6387e072

    Download Submit

  • C:\Users\Admin\AppData\Roaming\1374C1DB1374C1DB.bmp
    Filesize

    2.6MB

    MD5

    993cc909a89f0fb7fe90acc3703c2105

    SHA1

    f422cdcb426718b235a19080b0daf71c9b448768

    SHA256

    4aa6cdb9ce95410f85a05b21967d224cfd49cf8c7fa18d9998304a16d4e4b5d8

    SHA512

    5ec562b1e6f91f8774bf8fd00a6a413b4b4b5be2ede17ff9c417fce7097b7d313b136740e525c19a77f220e80fb0e92f8f4d1866ea185c9fc6755c3b41aa9762

    Download Submit

  • memory/1164-0-0x0000000000400000-0x000000000060B000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1164-1-0x0000000002300000-0x00000000023CE000-memory.dmp

    Filesize

    824KB

    Download

  • memory/1164-2-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/1164-3-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/1164-4-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/1164-5-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/1164-6-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/1164-10-0x0000000000400000-0x000000000060B000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1164-11-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/1164-14-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/1164-35-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/1164-36-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/1164-37-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/1164-42-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/1164-41-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/1164-46-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/1164-50-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/1164-47-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/1164-52-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/1164-56-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/1164-57-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/1164-62-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/1164-61-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/1164-64-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/1164-69-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/1164-67-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/1164-72-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/1164-76-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/1164-82-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/1164-80-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/1164-77-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/1164-83-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/1164-86-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/1164-85-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/1164-87-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/1164-88-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/1164-84-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/1164-89-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/1164-90-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/1164-93-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/1164-97-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/1164-98-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/1164-96-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/1164-95-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/1164-94-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/1164-92-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/1164-91-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/1164-103-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/1164-113-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/1164-111-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/1164-108-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/1164-105-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/1164-101-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/1164-115-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/1164-120-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/1164-118-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/1164-123-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/1164-124-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/1164-130-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/1164-128-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/1164-135-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/1164-133-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/1164-125-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/1164-143-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/1164-145-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/1164-150-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/1164-147-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/1164-140-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/1164-138-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download