Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

02e8c7af37...14.exe

windows10-1703-x64

10

02e8c7af37...14.exe

windows7-x64

10

02e8c7af37...14.exe

windows10-1703-x64

10

02e8c7af37...14.exe

windows10-2004-x64

10

02e8c7af37...14.exe

windows11-21h2-x64

10

Resubmissions

17/04/2024, 15:10 UTC

240417-skjktade45 10

17/04/2024, 15:10 UTC

240417-skhzaade44 10

17/04/2024, 15:10 UTC

240417-skhcrafa4s 10

17/04/2024, 15:10 UTC

240417-skgq8ade42 10

17/04/2024, 15:10 UTC

240417-skgffsde39 10

15/04/2024, 12:57 UTC

240415-p6157shb6w 10

15/04/2024, 12:56 UTC

240415-p6n6mshb5y 10

15/04/2024, 12:56 UTC

240415-p6ft9seh37 10

15/04/2024, 12:56 UTC

240415-p6exzaeh36 10

15/04/2024, 12:56 UTC

240415-p6d1nseh34 10

Analysis

  • max time kernel
    293s
  • max time network
    286s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17/04/2024, 15:10 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    02e8c7af3724ff535da627197920ad14.exe

  • Size

    1.2MB

  • MD5

    02e8c7af3724ff535da627197920ad14

  • SHA1

    794bd6f52a9673e1146321fa2545c580858c0d5f

  • SHA256

    ed801a3e54843afe989aadd69cdab5e6fbf00e8e02742f354519b4b16de8f31c

  • SHA512

    8a8710ffced04c30f5c43c71ebcbcf56f7b096836f67d1a847db4a8df4f39e291f3e7119f45f03fa1ca0abd0021f81abd31bb775fa22fe2340c1cf24f19f2555

  • SSDEEP

    24576:XHtrdKYVVSrqGDohJ3STZG8vIn/sCBGnWsY0Dyk:XHtV7GwBSTc8An/4YFk

Score
10/10
troldeshdiscoverypersistenceransomwaretrojanupx

Malware Config

Signatures

  • Troldesh, Shade, Encoder.858

    Troldesh is a ransomware spread by malspam.

    ransomwaretrojantroldesh
  • UPX packed file 36 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\02e8c7af3724ff535da627197920ad14.exe
    "C:\Users\Admin\AppData\Local\Temp\02e8c7af3724ff535da627197920ad14.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    PID:116

Network

  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dnsgoogle
  • flag-us
    DNS
    67.31.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    67.31.126.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    172.210.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.210.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    9.228.82.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    9.228.82.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    169.249.36.23.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    169.249.36.23.in-addr.arpa
    IN PTR
    Response
    169.249.36.23.in-addr.arpa
    IN PTR
    a23-36-249-169deploystaticakamaitechnologiescom
  • flag-us
    DNS
    26.35.223.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    26.35.223.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    241.154.82.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    241.154.82.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    157.123.68.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    157.123.68.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    206.23.85.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    206.23.85.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    18.24.18.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    18.24.18.2.in-addr.arpa
    IN PTR
    Response
    18.24.18.2.in-addr.arpa
    IN PTR
    a2-18-24-18deploystaticakamaitechnologiescom
  • flag-us
    DNS
    9.139.73.23.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    9.139.73.23.in-addr.arpa
    IN PTR
    Response
    9.139.73.23.in-addr.arpa
    IN PTR
    a23-73-139-9deploystaticakamaitechnologiescom
  • flag-us
    DNS
    29.243.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    29.243.111.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    107.211.222.173.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    107.211.222.173.in-addr.arpa
    IN PTR
    Response
    107.211.222.173.in-addr.arpa
    IN PTR
    a173-222-211-107deploystaticakamaitechnologiescom
  • flag-us
    DNS
    244.244.23.193.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    244.244.23.193.in-addr.arpa
    IN PTR
    Response
    244.244.23.193.in-addr.arpa
    IN PTR
    dannenbergtorauthde
  • flag-us
    DNS
    90.16.208.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    90.16.208.104.in-addr.arpa
    IN PTR
    Response
  • 127.0.0.1:49544
    02e8c7af3724ff535da627197920ad14.exe
  • 128.31.0.39:9101
    02e8c7af3724ff535da627197920ad14.exe
    260 B
     200 B
     5
    5
  • 154.35.32.5:443
    02e8c7af3724ff535da627197920ad14.exe
    260 B
     5
  • 193.23.244.244:443
    www.ywb6ea5s7aqiyui.com
    tls
    02e8c7af3724ff535da627197920ad14.exe
    433 B
     132 B
     5
    3
  • 8.8.8.8:53
    8.8.8.8.in-addr.arpa
    dns
    66 B
     90 B
     1
    1

    DNS Request

    8.8.8.8.in-addr.arpa

  • 8.8.8.8:53
    67.31.126.40.in-addr.arpa
    dns
    71 B
     157 B
     1
    1

    DNS Request

    67.31.126.40.in-addr.arpa

  • 8.8.8.8:53
    172.210.232.199.in-addr.arpa
    dns
    74 B
     128 B
     1
    1

    DNS Request

    172.210.232.199.in-addr.arpa

  • 8.8.8.8:53
    9.228.82.20.in-addr.arpa
    dns
    70 B
     156 B
     1
    1

    DNS Request

    9.228.82.20.in-addr.arpa

  • 8.8.8.8:53
    169.249.36.23.in-addr.arpa
    dns
    72 B
     137 B
     1
    1

    DNS Request

    169.249.36.23.in-addr.arpa

  • 8.8.8.8:53
    26.35.223.20.in-addr.arpa
    dns
    71 B
     157 B
     1
    1

    DNS Request

    26.35.223.20.in-addr.arpa

  • 8.8.8.8:53
    241.154.82.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    241.154.82.20.in-addr.arpa

  • 8.8.8.8:53
    157.123.68.40.in-addr.arpa
    dns
    72 B
     146 B
     1
    1

    DNS Request

    157.123.68.40.in-addr.arpa

  • 8.8.8.8:53
    206.23.85.13.in-addr.arpa
    dns
    71 B
     145 B
     1
    1

    DNS Request

    206.23.85.13.in-addr.arpa

  • 8.8.8.8:53
    18.24.18.2.in-addr.arpa
    dns
    69 B
     131 B
     1
    1

    DNS Request

    18.24.18.2.in-addr.arpa

  • 8.8.8.8:53
    9.139.73.23.in-addr.arpa
    dns
    70 B
     133 B
     1
    1

    DNS Request

    9.139.73.23.in-addr.arpa

  • 8.8.8.8:53
    29.243.111.52.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    29.243.111.52.in-addr.arpa

  • 8.8.8.8:53
    107.211.222.173.in-addr.arpa
    dns
    74 B
     141 B
     1
    1

    DNS Request

    107.211.222.173.in-addr.arpa

  • 8.8.8.8:53
    244.244.23.193.in-addr.arpa
    dns
    73 B
     108 B
     1
    1

    DNS Request

    244.244.23.193.in-addr.arpa

  • 8.8.8.8:53
    90.16.208.104.in-addr.arpa
    dns
    72 B
     146 B
     1
    1

    DNS Request

    90.16.208.104.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/116-0-0x00000000022D0000-0x00000000023A5000-memory.dmp

    Filesize

    852KB

    Download

  • memory/116-1-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/116-2-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/116-3-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/116-4-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/116-5-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/116-8-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/116-11-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/116-12-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/116-13-0x00000000022D0000-0x00000000023A5000-memory.dmp

    Filesize

    852KB

    Download

  • memory/116-14-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/116-15-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/116-16-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/116-17-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/116-18-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/116-21-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/116-22-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/116-23-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/116-24-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/116-25-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/116-26-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/116-27-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/116-28-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/116-29-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/116-30-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/116-31-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/116-32-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/116-33-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/116-34-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/116-35-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/116-36-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/116-37-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/116-38-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/116-39-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/116-40-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/116-41-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/116-42-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/116-43-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.