Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

02e8c7af37...14.exe

windows10-1703-x64

10

02e8c7af37...14.exe

windows7-x64

10

02e8c7af37...14.exe

windows10-1703-x64

10

02e8c7af37...14.exe

windows10-2004-x64

10

02e8c7af37...14.exe

windows11-21h2-x64

10

Resubmissions

17/04/2024, 15:10 UTC

240417-skjktade45 10

17/04/2024, 15:10 UTC

240417-skhzaade44 10

17/04/2024, 15:10 UTC

240417-skhcrafa4s 10

17/04/2024, 15:10 UTC

240417-skgq8ade42 10

17/04/2024, 15:10 UTC

240417-skgffsde39 10

15/04/2024, 12:57 UTC

240415-p6157shb6w 10

15/04/2024, 12:56 UTC

240415-p6n6mshb5y 10

15/04/2024, 12:56 UTC

240415-p6ft9seh37 10

15/04/2024, 12:56 UTC

240415-p6exzaeh36 10

15/04/2024, 12:56 UTC

240415-p6d1nseh34 10

Analysis

  • max time kernel
    342s
  • max time network
    342s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240412-en
  • resource tags

    arch:x64arch:x86image:win11-20240412-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    17/04/2024, 15:10 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    02e8c7af3724ff535da627197920ad14.exe

  • Size

    1.2MB

  • MD5

    02e8c7af3724ff535da627197920ad14

  • SHA1

    794bd6f52a9673e1146321fa2545c580858c0d5f

  • SHA256

    ed801a3e54843afe989aadd69cdab5e6fbf00e8e02742f354519b4b16de8f31c

  • SHA512

    8a8710ffced04c30f5c43c71ebcbcf56f7b096836f67d1a847db4a8df4f39e291f3e7119f45f03fa1ca0abd0021f81abd31bb775fa22fe2340c1cf24f19f2555

  • SSDEEP

    24576:XHtrdKYVVSrqGDohJ3STZG8vIn/sCBGnWsY0Dyk:XHtV7GwBSTc8An/4YFk

Score
10/10
troldeshdiscoverypersistenceransomwarespywarestealertrojanupx

Malware Config

Signatures

  • Troldesh, Shade, Encoder.858

    Troldesh is a ransomware spread by malspam.

    ransomwaretrojantroldesh
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • UPX packed file 36 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\02e8c7af3724ff535da627197920ad14.exe
    "C:\Users\Admin\AppData\Local\Temp\02e8c7af3724ff535da627197920ad14.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    PID:2064

Network

  • flag-us
    DNS
    189.40.188.131.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    189.40.188.131.in-addr.arpa
    IN PTR
    Response
    189.40.188.131.in-addr.arpa
    IN PTR
    despari informatik uni-erlangende
  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dnsgoogle
  • flag-us
    DNS
    nexusrules.officeapps.live.com
    Remote address:
    8.8.8.8:53
    Request
    nexusrules.officeapps.live.com
    IN A
    Response
    nexusrules.officeapps.live.com
    IN CNAME
    prod.nexusrules.live.com.akadns.net
    prod.nexusrules.live.com.akadns.net
    IN A
    52.111.243.31
  • flag-us
    DNS
    self.events.data.microsoft.com
    Remote address:
    8.8.8.8:53
    Request
    self.events.data.microsoft.com
    IN A
    Response
    self.events.data.microsoft.com
    IN CNAME
    self-events-data.trafficmanager.net
    self-events-data.trafficmanager.net
    IN CNAME
    onedscolprdcus14.centralus.cloudapp.azure.com
    onedscolprdcus14.centralus.cloudapp.azure.com
    IN A
    104.208.16.90
  • flag-us
    DNS
    90.16.208.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    90.16.208.104.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    ctldl.windowsupdate.com
    Remote address:
    8.8.8.8:53
    Request
    ctldl.windowsupdate.com
    IN A
    Response
    ctldl.windowsupdate.com
    IN CNAME
    wu-bg-shim.trafficmanager.net
    wu-bg-shim.trafficmanager.net
    IN CNAME
    windowsupdatebg.s.llnwi.net
    windowsupdatebg.s.llnwi.net
    IN A
    87.248.205.0
  • flag-us
    DNS
    0.205.248.87.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    0.205.248.87.in-addr.arpa
    IN PTR
    Response
    0.205.248.87.in-addr.arpa
    IN PTR
    https-87-248-205-0lgwllnwnet
  • flag-us
    DNS
    ctldl.windowsupdate.com
    Remote address:
    8.8.8.8:53
    Request
    ctldl.windowsupdate.com
    IN A
    Response
    ctldl.windowsupdate.com
    IN CNAME
    wu-bg-shim.trafficmanager.net
    wu-bg-shim.trafficmanager.net
    IN CNAME
    download.windowsupdate.com.edgesuite.net
    download.windowsupdate.com.edgesuite.net
    IN CNAME
    a767.dspw65.akamai.net
    a767.dspw65.akamai.net
    IN A
    2.18.24.25
    a767.dspw65.akamai.net
    IN A
    2.18.24.18
  • flag-us
    DNS
    ctldl.windowsupdate.com
    Remote address:
    8.8.8.8:53
    Request
    ctldl.windowsupdate.com
    IN A
  • flag-us
    DNS
    25.24.18.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    25.24.18.2.in-addr.arpa
    IN PTR
    Response
    25.24.18.2.in-addr.arpa
    IN PTR
    a2-18-24-25deploystaticakamaitechnologiescom
  • 127.0.0.1:49738
    02e8c7af3724ff535da627197920ad14.exe
  • 131.188.40.189:443
    www.lsz4pwfagbaz32dpuanz2i.com
    tls
    02e8c7af3724ff535da627197920ad14.exe
    3.1kB
     6.4kB
     13
    13
  • 76.73.17.194:9090
    02e8c7af3724ff535da627197920ad14.exe
    260 B
     5
  • 8.8.8.8:53
    189.40.188.131.in-addr.arpa
    dns
    641 B
     1.2kB
     9
    8

    DNS Request

    189.40.188.131.in-addr.arpa

    DNS Request

    8.8.8.8.in-addr.arpa

    DNS Request

    nexusrules.officeapps.live.com

    DNS Response

    52.111.243.31

    DNS Request

    self.events.data.microsoft.com

    DNS Response

    104.208.16.90

    DNS Request

    90.16.208.104.in-addr.arpa

    DNS Request

    ctldl.windowsupdate.com

    DNS Response

    87.248.205.0

    DNS Request

    0.205.248.87.in-addr.arpa

    DNS Request

    ctldl.windowsupdate.com

    DNS Request

    ctldl.windowsupdate.com

    DNS Response

    2.18.24.25
    2.18.24.18

  • 8.8.8.8:53
    25.24.18.2.in-addr.arpa
    dns
    69 B
     131 B
     1
    1

    DNS Request

    25.24.18.2.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2064-0-0x00000000023F0000-0x00000000024C5000-memory.dmp

    Filesize

    852KB

    Download

  • memory/2064-1-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2064-2-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2064-3-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2064-4-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2064-5-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2064-8-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2064-11-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2064-13-0x00000000023F0000-0x00000000024C5000-memory.dmp

    Filesize

    852KB

    Download

  • memory/2064-14-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2064-15-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2064-16-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2064-17-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2064-18-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2064-21-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2064-22-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2064-23-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2064-24-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2064-25-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2064-26-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2064-27-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2064-28-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2064-29-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2064-30-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2064-31-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2064-32-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2064-33-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2064-34-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2064-35-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2064-36-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2064-37-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2064-38-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2064-39-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2064-40-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2064-41-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2064-42-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2064-43-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2064-44-0x0000000000400000-0x0000000000608000-memory.dmp

    Filesize

    2.0MB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.