troldesh | hxxps://github[.]com/Da2dalus/The-MALWARE-Repo/blob/master/Ransomware/NoMoreRansom[.]exe

Analysis

max time kernel
92s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
27-04-2024 12:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Ransomware/NoMoreRansom.exe

Score

10^/10

troldesh persistence ransomware trojan upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\Downloads\\Birele.exe"	Birele.exe

Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.
ransomware trojan troldesh
Downloads MZ/PE file

Executes dropped EXE 3 IoCs

pid	Process
1116	NoMoreRansom.exe
2500	NoMoreRansom.exe
3356	Birele.exe

UPX packed file 21 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1116-176-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1116-177-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1116-178-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1116-181-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1116-179-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1116-203-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1116-229-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1116-230-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2500-250-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2500-252-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1116-253-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2500-254-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1116-258-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/files/0x0007000000023490-278.dat	upx
behavioral1/memory/3356-297-0x0000000000400000-0x0000000000438000-memory.dmp	upx
behavioral1/memory/3356-299-0x0000000000400000-0x0000000000438000-memory.dmp	upx
behavioral1/memory/1116-312-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3356-328-0x0000000000400000-0x0000000000438000-memory.dmp	upx
behavioral1/memory/1116-327-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3356-330-0x0000000000400000-0x0000000000438000-memory.dmp	upx
behavioral1/memory/1116-329-0x0000000000400000-0x00000000005DE000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\""	NoMoreRansom.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\system = "C:\\Users\\Admin\\Downloads\\Birele.exe"	Birele.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
57	raw.githubusercontent.com
58	raw.githubusercontent.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
2280	taskkill.exe

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
524	chrome.exe
524	chrome.exe
1116	NoMoreRansom.exe
1116	NoMoreRansom.exe
1116	NoMoreRansom.exe
1116	NoMoreRansom.exe
2500	NoMoreRansom.exe
2500	NoMoreRansom.exe
2500	NoMoreRansom.exe
2500	NoMoreRansom.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
524	chrome.exe
524	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	524	chrome.exe
Token: SeCreatePagefilePrivilege	524	chrome.exe
Token: SeShutdownPrivilege	524	chrome.exe
Token: SeCreatePagefilePrivilege	524	chrome.exe
Token: SeShutdownPrivilege	524	chrome.exe
Token: SeCreatePagefilePrivilege	524	chrome.exe
Token: SeShutdownPrivilege	524	chrome.exe
Token: SeCreatePagefilePrivilege	524	chrome.exe
Token: SeShutdownPrivilege	524	chrome.exe
Token: SeCreatePagefilePrivilege	524	chrome.exe
Token: SeShutdownPrivilege	524	chrome.exe
Token: SeCreatePagefilePrivilege	524	chrome.exe
Token: SeShutdownPrivilege	524	chrome.exe
Token: SeCreatePagefilePrivilege	524	chrome.exe
Token: SeShutdownPrivilege	524	chrome.exe
Token: SeCreatePagefilePrivilege	524	chrome.exe
Token: SeShutdownPrivilege	524	chrome.exe
Token: SeCreatePagefilePrivilege	524	chrome.exe
Token: SeShutdownPrivilege	524	chrome.exe
Token: SeCreatePagefilePrivilege	524	chrome.exe
Token: SeShutdownPrivilege	524	chrome.exe
Token: SeCreatePagefilePrivilege	524	chrome.exe
Token: SeShutdownPrivilege	524	chrome.exe
Token: SeCreatePagefilePrivilege	524	chrome.exe
Token: SeShutdownPrivilege	524	chrome.exe
Token: SeCreatePagefilePrivilege	524	chrome.exe
Token: SeShutdownPrivilege	524	chrome.exe
Token: SeCreatePagefilePrivilege	524	chrome.exe
Token: SeShutdownPrivilege	524	chrome.exe
Token: SeCreatePagefilePrivilege	524	chrome.exe
Token: SeShutdownPrivilege	524	chrome.exe
Token: SeCreatePagefilePrivilege	524	chrome.exe
Token: SeShutdownPrivilege	524	chrome.exe
Token: SeCreatePagefilePrivilege	524	chrome.exe
Token: SeShutdownPrivilege	524	chrome.exe
Token: SeCreatePagefilePrivilege	524	chrome.exe
Token: SeShutdownPrivilege	524	chrome.exe
Token: SeCreatePagefilePrivilege	524	chrome.exe
Token: SeShutdownPrivilege	524	chrome.exe
Token: SeCreatePagefilePrivilege	524	chrome.exe
Token: SeShutdownPrivilege	524	chrome.exe
Token: SeCreatePagefilePrivilege	524	chrome.exe
Token: SeShutdownPrivilege	524	chrome.exe
Token: SeCreatePagefilePrivilege	524	chrome.exe
Token: SeShutdownPrivilege	524	chrome.exe
Token: SeCreatePagefilePrivilege	524	chrome.exe
Token: SeShutdownPrivilege	524	chrome.exe
Token: SeCreatePagefilePrivilege	524	chrome.exe
Token: SeShutdownPrivilege	524	chrome.exe
Token: SeCreatePagefilePrivilege	524	chrome.exe
Token: SeShutdownPrivilege	524	chrome.exe
Token: SeCreatePagefilePrivilege	524	chrome.exe
Token: SeShutdownPrivilege	524	chrome.exe
Token: SeCreatePagefilePrivilege	524	chrome.exe
Token: SeShutdownPrivilege	524	chrome.exe
Token: SeCreatePagefilePrivilege	524	chrome.exe
Token: SeShutdownPrivilege	524	chrome.exe
Token: SeCreatePagefilePrivilege	524	chrome.exe
Token: SeShutdownPrivilege	524	chrome.exe
Token: SeCreatePagefilePrivilege	524	chrome.exe
Token: SeShutdownPrivilege	524	chrome.exe
Token: SeCreatePagefilePrivilege	524	chrome.exe
Token: SeShutdownPrivilege	524	chrome.exe
Token: SeCreatePagefilePrivilege	524	chrome.exe

Suspicious use of FindShellTrayWindow 58 IoCs

pid	Process
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe

Suspicious use of SendNotifyMessage 40 IoCs

pid	Process
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe
524	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 524 wrote to memory of 2396	524	chrome.exe	81
PID 524 wrote to memory of 2396	524	chrome.exe	81
PID 524 wrote to memory of 384	524	chrome.exe	84
PID 524 wrote to memory of 384	524	chrome.exe	84
PID 524 wrote to memory of 384	524	chrome.exe	84
PID 524 wrote to memory of 384	524	chrome.exe	84
PID 524 wrote to memory of 384	524	chrome.exe	84
PID 524 wrote to memory of 384	524	chrome.exe	84
PID 524 wrote to memory of 384	524	chrome.exe	84
PID 524 wrote to memory of 384	524	chrome.exe	84
PID 524 wrote to memory of 384	524	chrome.exe	84
PID 524 wrote to memory of 384	524	chrome.exe	84
PID 524 wrote to memory of 384	524	chrome.exe	84
PID 524 wrote to memory of 384	524	chrome.exe	84
PID 524 wrote to memory of 384	524	chrome.exe	84
PID 524 wrote to memory of 384	524	chrome.exe	84
PID 524 wrote to memory of 384	524	chrome.exe	84
PID 524 wrote to memory of 384	524	chrome.exe	84
PID 524 wrote to memory of 384	524	chrome.exe	84
PID 524 wrote to memory of 384	524	chrome.exe	84
PID 524 wrote to memory of 384	524	chrome.exe	84
PID 524 wrote to memory of 384	524	chrome.exe	84
PID 524 wrote to memory of 384	524	chrome.exe	84
PID 524 wrote to memory of 384	524	chrome.exe	84
PID 524 wrote to memory of 384	524	chrome.exe	84
PID 524 wrote to memory of 384	524	chrome.exe	84
PID 524 wrote to memory of 384	524	chrome.exe	84
PID 524 wrote to memory of 384	524	chrome.exe	84
PID 524 wrote to memory of 384	524	chrome.exe	84
PID 524 wrote to memory of 384	524	chrome.exe	84
PID 524 wrote to memory of 384	524	chrome.exe	84
PID 524 wrote to memory of 384	524	chrome.exe	84
PID 524 wrote to memory of 384	524	chrome.exe	84
PID 524 wrote to memory of 4796	524	chrome.exe	85
PID 524 wrote to memory of 4796	524	chrome.exe	85
PID 524 wrote to memory of 1376	524	chrome.exe	86
PID 524 wrote to memory of 1376	524	chrome.exe	86
PID 524 wrote to memory of 1376	524	chrome.exe	86
PID 524 wrote to memory of 1376	524	chrome.exe	86
PID 524 wrote to memory of 1376	524	chrome.exe	86
PID 524 wrote to memory of 1376	524	chrome.exe	86
PID 524 wrote to memory of 1376	524	chrome.exe	86
PID 524 wrote to memory of 1376	524	chrome.exe	86
PID 524 wrote to memory of 1376	524	chrome.exe	86
PID 524 wrote to memory of 1376	524	chrome.exe	86
PID 524 wrote to memory of 1376	524	chrome.exe	86
PID 524 wrote to memory of 1376	524	chrome.exe	86
PID 524 wrote to memory of 1376	524	chrome.exe	86
PID 524 wrote to memory of 1376	524	chrome.exe	86
PID 524 wrote to memory of 1376	524	chrome.exe	86
PID 524 wrote to memory of 1376	524	chrome.exe	86
PID 524 wrote to memory of 1376	524	chrome.exe	86
PID 524 wrote to memory of 1376	524	chrome.exe	86
PID 524 wrote to memory of 1376	524	chrome.exe	86
PID 524 wrote to memory of 1376	524	chrome.exe	86
PID 524 wrote to memory of 1376	524	chrome.exe	86
PID 524 wrote to memory of 1376	524	chrome.exe	86
PID 524 wrote to memory of 1376	524	chrome.exe	86
PID 524 wrote to memory of 1376	524	chrome.exe	86
PID 524 wrote to memory of 1376	524	chrome.exe	86
PID 524 wrote to memory of 1376	524	chrome.exe	86
PID 524 wrote to memory of 1376	524	chrome.exe	86
PID 524 wrote to memory of 1376	524	chrome.exe	86
PID 524 wrote to memory of 1376	524	chrome.exe	86

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Ransomware/NoMoreRansom.exe
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa2766ab58,0x7ffa2766ab68,0x7ffa2766ab78
  2⤵
  PID:2396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1604 --field-trial-handle=1840,i,11561006887675124038,15410359013166838533,131072 /prefetch:2
  2⤵
  PID:384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 --field-trial-handle=1840,i,11561006887675124038,15410359013166838533,131072 /prefetch:8
  2⤵
  PID:4796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2220 --field-trial-handle=1840,i,11561006887675124038,15410359013166838533,131072 /prefetch:8
  2⤵
  PID:1376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3056 --field-trial-handle=1840,i,11561006887675124038,15410359013166838533,131072 /prefetch:1
  2⤵
  PID:4956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3064 --field-trial-handle=1840,i,11561006887675124038,15410359013166838533,131072 /prefetch:1
  2⤵
  PID:3528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4584 --field-trial-handle=1840,i,11561006887675124038,15410359013166838533,131072 /prefetch:8
  2⤵
  PID:1344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4988 --field-trial-handle=1840,i,11561006887675124038,15410359013166838533,131072 /prefetch:8
  2⤵
  PID:1348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5024 --field-trial-handle=1840,i,11561006887675124038,15410359013166838533,131072 /prefetch:8
  2⤵
  PID:1292
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4384 --field-trial-handle=1840,i,11561006887675124038,15410359013166838533,131072 /prefetch:8
  2⤵
  PID:1112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4572 --field-trial-handle=1840,i,11561006887675124038,15410359013166838533,131072 /prefetch:8
  2⤵
  PID:1132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4424 --field-trial-handle=1840,i,11561006887675124038,15410359013166838533,131072 /prefetch:8
  2⤵
  PID:3960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4500 --field-trial-handle=1840,i,11561006887675124038,15410359013166838533,131072 /prefetch:8
  2⤵
  PID:2652
- C:\Users\Admin\Downloads\NoMoreRansom.exe
  "C:\Users\Admin\Downloads\NoMoreRansom.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  PID:1116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4348 --field-trial-handle=1840,i,11561006887675124038,15410359013166838533,131072 /prefetch:8
  2⤵
  PID:4260
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2372 --field-trial-handle=1840,i,11561006887675124038,15410359013166838533,131072 /prefetch:8
  2⤵
  PID:2964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4324 --field-trial-handle=1840,i,11561006887675124038,15410359013166838533,131072 /prefetch:8
  2⤵
  PID:4424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5408 --field-trial-handle=1840,i,11561006887675124038,15410359013166838533,131072 /prefetch:8
  2⤵
  PID:4352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2644 --field-trial-handle=1840,i,11561006887675124038,15410359013166838533,131072 /prefetch:8
  2⤵
  PID:1868
- C:\Users\Admin\Downloads\Birele.exe
  "C:\Users\Admin\Downloads\Birele.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Adds Run key to start application
  PID:3356
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM explorer.exe
    3⤵
    - Kills process with taskkill
    PID:2280

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:4084

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2652

C:\Users\Admin\Downloads\NoMoreRansom.exe
"C:\Users\Admin\Downloads\NoMoreRansom.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
6a42bbb7aba8a46a983338e702b74f30

SHA1
0de518e3571e3ab9a66a9b0cd2633f7eedfd4721

SHA256
69a4614caa3c5c5e44974ba120422b0a9af9f50115794d7b772b7a9c5bbc56bc

SHA512
54b232f1f49a559170ac6221a6f80b79a03f736a8b1fa421c70e255be40c4a9594bc0a67ec6e43ca357667ad6298eb9a9d0fc9a08ddf20d45cb9055a9ac5f7f0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
6d0f988f777e00dc6373cf6a37a9f31f

SHA1
aee0a49b4dbd93fb67008bb3a925e63a760c0831

SHA256
bf879f1d8f168ba8990885f2ef15c48b0f78cbea8bfd9cddf33336ab397a14fe

SHA512
1cf0d1e94eecffbfd515f058799a27e6bacb97483deb53c3cacc329327b5a748aa4067d1db005e6b68724a0232cc8de07ec2e6cb6986af8d8876e8b13357bf6a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
5595cfc4ce0987b2d828073b9d65d78c

SHA1
edfe4f5b71a6d68d348b11dcea41edce9b462bfc

SHA256
54b716e725cb94fab7ed9efdd3f3ddd46b1699c8eac922f58ef56ab39b9d967c

SHA512
09cea80bdb6699080c3476eaa491255b2593f4f15b387564b9336ef5d6825270dc75c596339f74d95baa27ed3711e37146efb2ff45e0001e30a56a1b805a07b3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
4279919df8de52bb2cc1181b8518f3b7

SHA1
7df9977dbc846dfb89a02313c9d1cfc9c8d73c36

SHA256
0a4dcf71e577e12d3f27d8910c67d15e377b13af42aa05d12905408f834eb16f

SHA512
029830082052664e9fe0e91692a3ec1fa121e6f9fe6a95de12f771c3ccb14cd2d4799b085dc10021d8ca9c8a262515c43b46cf5e4cd0a0cbcffd4a7cd46fe2a6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
35aadbdfcc6351b9d951a524ba7517ba

SHA1
c5644686b49d09c18f722f68e8419892df5fcbac

SHA256
1f892f57f74742db10ddd59f9ebde706c6d71150e57982e76140093114f7f8f4

SHA512
d6f8d9d6d59b441cc608045fc02c8339a915c89c19f54f627472b351692757285536eaa4719e044769efe0653390f2176c850d9fc94a2a873e42bddc55f78df2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
5d6b982c72c057264b10600d345913d2

SHA1
4ce6b9640e053eb5b2e936168759a900b4d90af5

SHA256
a4dbca5f7de391dffded48572eb97d293e22e2ec1e31d48d86c3d693e852c709

SHA512
7090d940b8a8ca0fab27ecea07c4377f7cb319451378aae61743c73d25aec9908781bd47ab38d1aa64fc8f134fe1f9aeeffabb6b137b34e0d392ac2e99671a5e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
2e321da0085129632c9be736ad73c229

SHA1
7ff8d67e3fbd55a72d9480f3f85f89b17ecbc41f

SHA256
560304582ccf2c2963f3a4b1c3a67af7dc95763138f0d9c4cf33a0d3b2455c7c

SHA512
16144d614bbf3eb2bdb5909096f83d092e7d5064ad7add11951394d5466c36f98e352ae814730c475719402e02d2280277e49dcaac78a50a5fb9d6dd4bd37a10

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
f9b6dc18a7361ff615415cdb82fbe70d

SHA1
4624a38bbceb16a9bfb5e65ee5e32c97dfedb8e0

SHA256
2a72a74d1fc9f937e263daac583c325ed0ca61db863b83419355de41cb6e3bbb

SHA512
7d21fbde756a18a4f5fb73cca5196254b7ef8da15e33b9fb87c2e61460413b7a84a30dd059e9e24bf6788b993469ac7b594dce25bcf319da7cc3cbae9cbaa567

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
208fc7fd42c17a45204fdd1f520f49e1

SHA1
19c40189c2356cb7b3abe225d3dadadcdedefd55

SHA256
5846196288ca4611b8e20997a58c9a6d4b3ddb38921bbe9c8c83c7c6278b3cfd

SHA512
d1626959d4994752e9cdc65aa81f82c5bafac8a5605fdab6263a8eb62396ca2877e9402e0831c3ee08daef095094a99d07052966781e9f4dee3a5e138790893e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
130KB

MD5
b80a01e47a47537dcdc86aaacdeab519

SHA1
2251dd60373fb754a50c051200871ab641006c5c

SHA256
a70abea8c1093ca5623038204f4a1a5ef053928aec317dc9ae01fbbf76746c69

SHA512
63c65f054609caac9f7e1dc2b34be9ff696f7e6ec478e8eea965ee52e56b6a83da8e7ae7c36902e4a3f570de61935ef6b4c69c869b8389b3e094cdba72fe4a9e

Download Submit
C:\Users\Admin\Downloads\Birele.exe

Filesize
116KB

MD5
41789c704a0eecfdd0048b4b4193e752

SHA1
fb1e8385691fa3293b7cbfb9b2656cf09f20e722

SHA256
b2dcfdf9e7b09f2aa5004668370e77982963ace820e7285b2e264a294441da23

SHA512
76391ac85fdc3be75441fcd6e19bed08b807d3946c7281c647f16a3be5388f7be307e6323fac8502430a4a6d800d52a88709592a49011ecc89de4f19102435ea

Download Submit
C:\Users\Admin\Downloads\NoMoreRansom.exe

Filesize
1.4MB

MD5
63210f8f1dde6c40a7f3643ccf0ff313

SHA1
57edd72391d710d71bead504d44389d0462ccec9

SHA256
2aab13d49b60001de3aa47fb8f7251a973faa7f3c53a3840cdf5fd0b26e9a09f

SHA512
87a89e8ab85be150a783a9f8d41797cfa12f86fdccb48f2180c0498bfd2b1040b730dee4665fe2c83b98d436453680226051b7f1532e1c0e0cda0cf702e80a11

Download Submit
memory/1116-179-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1116-253-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1116-229-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1116-230-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1116-181-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1116-329-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1116-203-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1116-312-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1116-327-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1116-258-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1116-178-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1116-175-0x0000000002200000-0x00000000022CE000-memory.dmp

Filesize
824KB

Download
memory/1116-176-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1116-177-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2500-252-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2500-254-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2500-250-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3356-299-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3356-297-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3356-328-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3356-330-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download