Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview
overview
10Static
static
3Scans46.scr
windows7-x64
10Scans46.scr
windows10-2004-x64
7$PLUGINSDI...LL.dll
windows7-x64
3$PLUGINSDI...LL.dll
windows10-2004-x64
3$PLUGINSDI...em.dll
windows7-x64
3$PLUGINSDI...em.dll
windows10-2004-x64
3$PLUGINSDI...gs.dll
windows7-x64
3$PLUGINSDI...gs.dll
windows10-2004-x64
3Uninstall.exe
windows7-x64
7Uninstall.exe
windows10-2004-x64
7$PLUGINSDI...LL.dll
windows7-x64
3$PLUGINSDI...LL.dll
windows10-2004-x64
3$PLUGINSDI...em.dll
windows7-x64
3$PLUGINSDI...em.dll
windows10-2004-x64
3Analysis
-
max time kernel
144s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
30/04/2024, 15:59
Static task
static1
Behavioral task
behavioral1
Sample
Scans46.scr
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
Scans46.scr
Resource
win10v2004-20240426-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/LangDLL.dll
Resource
win7-20240220-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/LangDLL.dll
Resource
win10v2004-20240419-en
Behavioral task
behavioral5
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240221-en
Behavioral task
behavioral6
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20240419-en
Behavioral task
behavioral7
Sample
$PLUGINSDIR/nsDialogs.dll
Resource
win7-20240221-en
Behavioral task
behavioral8
Sample
$PLUGINSDIR/nsDialogs.dll
Resource
win10v2004-20240426-en
Behavioral task
behavioral9
Sample
Uninstall.exe
Resource
win7-20240221-en
Behavioral task
behavioral10
Sample
Uninstall.exe
Resource
win10v2004-20240419-en
Behavioral task
behavioral11
Sample
$PLUGINSDIR/LangDLL.dll
Resource
win7-20240419-en
Behavioral task
behavioral12
Sample
$PLUGINSDIR/LangDLL.dll
Resource
win10v2004-20240426-en
Behavioral task
behavioral13
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240220-en
Behavioral task
behavioral14
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20240419-en
General
-
Target
Scans46.scr
-
Size
904KB
-
MD5
b5cea1631da405d27fd932f6c0ee485d
-
SHA1
2e94efa7cfc5ec145f60686b939a43462e1a9cc5
-
SHA256
35b52d3ea2a913a3ba0b9b306c911e4804b12b1c61fc563ecf04a9e0903979b9
-
SHA512
7b03bab5df4839f08bd51223f38a37a7ed04a1167608db8bf4824c03b9d694196201d0ada3572fc340bdbc2b0b576cedc25eace6d8896f564ca1fb0f630b8d22
-
SSDEEP
24576:gb/Kqq2Bxvyw+vHnc+mkf0EkgINAiEHw+caL8c4cxAFq6LCaD8kHo:lqqbFvNmksEMNmtL8hVLCk8kHo
Malware Config
Signatures
-
Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.
-
Loads dropped DLL 1 IoCs
pid Process 1460 Scans46.scr -
resource yara_rule behavioral1/memory/1448-7-0x0000000000400000-0x00000000005DE000-memory.dmp upx behavioral1/memory/1448-9-0x0000000000400000-0x00000000005DE000-memory.dmp upx behavioral1/memory/1448-10-0x0000000000400000-0x00000000005DE000-memory.dmp upx behavioral1/memory/1448-11-0x0000000000400000-0x00000000005DE000-memory.dmp upx behavioral1/memory/1448-8-0x0000000000400000-0x00000000005DE000-memory.dmp upx behavioral1/memory/1448-12-0x0000000000400000-0x00000000005DE000-memory.dmp upx behavioral1/memory/1448-14-0x0000000000400000-0x00000000005DE000-memory.dmp upx behavioral1/memory/1448-16-0x0000000000400000-0x00000000005DE000-memory.dmp upx behavioral1/memory/1448-13-0x0000000000400000-0x00000000005DE000-memory.dmp upx behavioral1/memory/1448-19-0x0000000000400000-0x00000000005DE000-memory.dmp upx behavioral1/memory/1448-20-0x0000000000400000-0x00000000005DE000-memory.dmp upx behavioral1/memory/1448-21-0x0000000000400000-0x00000000005DE000-memory.dmp upx behavioral1/memory/1448-22-0x0000000000400000-0x00000000005DE000-memory.dmp upx behavioral1/memory/1448-23-0x0000000000400000-0x00000000005DE000-memory.dmp upx behavioral1/memory/1448-26-0x0000000000400000-0x00000000005DE000-memory.dmp upx behavioral1/memory/1448-27-0x0000000000400000-0x00000000005DE000-memory.dmp upx behavioral1/memory/1448-28-0x0000000000400000-0x00000000005DE000-memory.dmp upx behavioral1/memory/1448-29-0x0000000000400000-0x00000000005DE000-memory.dmp upx behavioral1/memory/1448-30-0x0000000000400000-0x00000000005DE000-memory.dmp upx behavioral1/memory/1448-31-0x0000000000400000-0x00000000005DE000-memory.dmp upx behavioral1/memory/1448-32-0x0000000000400000-0x00000000005DE000-memory.dmp upx behavioral1/memory/1448-33-0x0000000000400000-0x00000000005DE000-memory.dmp upx behavioral1/memory/1448-34-0x0000000000400000-0x00000000005DE000-memory.dmp upx -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\"" Scans46.scr -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1460 set thread context of 1448 1460 Scans46.scr 28 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 1448 Scans46.scr 1448 Scans46.scr -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 1460 Scans46.scr -
Suspicious use of WriteProcessMemory 5 IoCs
description pid Process procid_target PID 1460 wrote to memory of 1448 1460 Scans46.scr 28 PID 1460 wrote to memory of 1448 1460 Scans46.scr 28 PID 1460 wrote to memory of 1448 1460 Scans46.scr 28 PID 1460 wrote to memory of 1448 1460 Scans46.scr 28 PID 1460 wrote to memory of 1448 1460 Scans46.scr 28
Processes
-
C:\Users\Admin\AppData\Local\Temp\Scans46.scr"C:\Users\Admin\AppData\Local\Temp\Scans46.scr" /S1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1460 -
C:\Users\Admin\AppData\Local\Temp\Scans46.scr"C:\Users\Admin\AppData\Local\Temp\Scans46.scr" /S2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
PID:1448
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
11KB
MD555a26d7800446f1373056064c64c3ce8
SHA180256857e9a0a9c8897923b717f3435295a76002
SHA256904fd5481d72f4e03b01a455f848dedd095d0fb17e33608e0d849f5196fb6ff8
SHA51204b8ab7a85c26f188c0a06f524488d6f2ac2884bf107c860c82e94ae12c3859f825133d78338fd2b594dfc48f7dc9888ae76fee786c6252a5c77c88755128a5b