troldesh | hxxps://github[.]com/Da2dalus/The-MALWARE-Repo/blob/master/Ransomware/7ev3n[.]exe

Resubmissions

07-05-2024 16:28

240507-tyx6ssha59 10

07-05-2024 16:24

240507-twmx2sed5t 10

Analysis

max time kernel
149s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20240419-en
resource tags

arch:x64arch:x86image:win11-20240419-enlocale:en-usos:windows11-21h2-x64system
submitted
07-05-2024 16:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Ransomware/7ev3n.exe

Score

10^/10

troldesh persistence ransomware trojan upx

Malware Config

Signatures

Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.
ransomware trojan troldesh
Downloads MZ/PE file
Drops startup file 1 IoCs

Processes:

explorer.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bfbf37a0.exe explorer.exe
Executes dropped EXE 2 IoCs

Processes:

NoMoreRansom.exeCryptoWall.exe

pid process

5096 NoMoreRansom.exe
3948 CryptoWall.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bfbf37a0.exe	explorer.exe

pid	process
5096	NoMoreRansom.exe
3948	CryptoWall.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral3/memory/5096-287-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral3/memory/5096-288-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral3/memory/5096-289-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral3/memory/5096-290-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral3/memory/5096-314-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral3/memory/5096-347-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral3/memory/5096-348-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral3/memory/5096-350-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral3/memory/5096-381-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral3/memory/5096-427-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral3/memory/5096-439-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral3/memory/5096-460-0x0000000000400000-0x00000000005DE000-memory.dmp	upx

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exeNoMoreRansom.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*fbf37a = "C:\\bfbf37a0\\bfbf37a0.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000\Software\Microsoft\Windows\CurrentVersion\Run\bfbf37a0 = "C:\\Users\\Admin\\AppData\\Roaming\\bfbf37a0.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*fbf37a0 = "C:\\Users\\Admin\\AppData\\Roaming\\bfbf37a0.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\""	NoMoreRansom.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000\Software\Microsoft\Windows\CurrentVersion\Run\bfbf37a = "C:\\bfbf37a0\\bfbf37a0.exe"	explorer.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

1 raw.githubusercontent.com
31 raw.githubusercontent.com
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

42 ip-addr.es
2 ip-addr.es
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
1	raw.githubusercontent.com
31	raw.githubusercontent.com

flow	ioc
42	ip-addr.es
2	ip-addr.es

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msedge.exe

Enumerates system info in registry 2 TTPs 5 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exemsedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

NTFS ADS 4 IoCs

Processes:

msedge.exemsedge.exemsedge.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\CryptoWall.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 197275.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\NoMoreRansom.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 432799.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

msedge.exemsedge.exemsedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exeNoMoreRansom.exemsedge.exemsedge.exe

pid	process
4064	msedge.exe
4064	msedge.exe
3976	msedge.exe
3976	msedge.exe
332	msedge.exe
332	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
4668	msedge.exe
4668	msedge.exe
4208	identity_helper.exe
4208	identity_helper.exe
2160	msedge.exe
2160	msedge.exe
2040	msedge.exe
2040	msedge.exe
5096	NoMoreRansom.exe
5096	NoMoreRansom.exe
5096	NoMoreRansom.exe
5096	NoMoreRansom.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe
244	msedge.exe
2036	msedge.exe
2036	msedge.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

CryptoWall.exeexplorer.exe

pid process

3948 CryptoWall.exe
3100 explorer.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

Processes:

msedge.exe

pid process

332 msedge.exe
332 msedge.exe
332 msedge.exe
332 msedge.exe
332 msedge.exe
332 msedge.exe
332 msedge.exe
332 msedge.exe

pid	process
3948	CryptoWall.exe
3100	explorer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exe

pid	process
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe

Suspicious use of SendNotifyMessage 20 IoCs

Processes:

msedge.exe

pid	process
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe
332	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 332 wrote to memory of 3976	332	msedge.exe	msedge.exe
PID 332 wrote to memory of 3976	332	msedge.exe	msedge.exe
PID 332 wrote to memory of 4228	332	msedge.exe	msedge.exe
PID 332 wrote to memory of 4228	332	msedge.exe	msedge.exe
PID 332 wrote to memory of 4228	332	msedge.exe	msedge.exe
PID 332 wrote to memory of 4228	332	msedge.exe	msedge.exe
PID 332 wrote to memory of 4228	332	msedge.exe	msedge.exe
PID 332 wrote to memory of 4228	332	msedge.exe	msedge.exe
PID 332 wrote to memory of 4228	332	msedge.exe	msedge.exe
PID 332 wrote to memory of 4228	332	msedge.exe	msedge.exe
PID 332 wrote to memory of 4228	332	msedge.exe	msedge.exe
PID 332 wrote to memory of 4228	332	msedge.exe	msedge.exe
PID 332 wrote to memory of 4228	332	msedge.exe	msedge.exe
PID 332 wrote to memory of 4228	332	msedge.exe	msedge.exe
PID 332 wrote to memory of 4228	332	msedge.exe	msedge.exe
PID 332 wrote to memory of 4228	332	msedge.exe	msedge.exe
PID 332 wrote to memory of 4228	332	msedge.exe	msedge.exe
PID 332 wrote to memory of 4228	332	msedge.exe	msedge.exe
PID 332 wrote to memory of 4228	332	msedge.exe	msedge.exe
PID 332 wrote to memory of 4228	332	msedge.exe	msedge.exe
PID 332 wrote to memory of 4228	332	msedge.exe	msedge.exe
PID 332 wrote to memory of 4228	332	msedge.exe	msedge.exe
PID 332 wrote to memory of 4228	332	msedge.exe	msedge.exe
PID 332 wrote to memory of 4228	332	msedge.exe	msedge.exe
PID 332 wrote to memory of 4228	332	msedge.exe	msedge.exe
PID 332 wrote to memory of 4228	332	msedge.exe	msedge.exe
PID 332 wrote to memory of 4228	332	msedge.exe	msedge.exe
PID 332 wrote to memory of 4228	332	msedge.exe	msedge.exe
PID 332 wrote to memory of 4228	332	msedge.exe	msedge.exe
PID 332 wrote to memory of 4228	332	msedge.exe	msedge.exe
PID 332 wrote to memory of 4228	332	msedge.exe	msedge.exe
PID 332 wrote to memory of 4228	332	msedge.exe	msedge.exe
PID 332 wrote to memory of 4228	332	msedge.exe	msedge.exe
PID 332 wrote to memory of 4228	332	msedge.exe	msedge.exe
PID 332 wrote to memory of 4228	332	msedge.exe	msedge.exe
PID 332 wrote to memory of 4228	332	msedge.exe	msedge.exe
PID 332 wrote to memory of 4228	332	msedge.exe	msedge.exe
PID 332 wrote to memory of 4228	332	msedge.exe	msedge.exe
PID 332 wrote to memory of 4228	332	msedge.exe	msedge.exe
PID 332 wrote to memory of 4228	332	msedge.exe	msedge.exe
PID 332 wrote to memory of 4228	332	msedge.exe	msedge.exe
PID 332 wrote to memory of 4228	332	msedge.exe	msedge.exe
PID 332 wrote to memory of 4064	332	msedge.exe	msedge.exe
PID 332 wrote to memory of 4064	332	msedge.exe	msedge.exe
PID 332 wrote to memory of 1080	332	msedge.exe	msedge.exe
PID 332 wrote to memory of 1080	332	msedge.exe	msedge.exe
PID 332 wrote to memory of 1080	332	msedge.exe	msedge.exe
PID 332 wrote to memory of 1080	332	msedge.exe	msedge.exe
PID 332 wrote to memory of 1080	332	msedge.exe	msedge.exe
PID 332 wrote to memory of 1080	332	msedge.exe	msedge.exe
PID 332 wrote to memory of 1080	332	msedge.exe	msedge.exe
PID 332 wrote to memory of 1080	332	msedge.exe	msedge.exe
PID 332 wrote to memory of 1080	332	msedge.exe	msedge.exe
PID 332 wrote to memory of 1080	332	msedge.exe	msedge.exe
PID 332 wrote to memory of 1080	332	msedge.exe	msedge.exe
PID 332 wrote to memory of 1080	332	msedge.exe	msedge.exe
PID 332 wrote to memory of 1080	332	msedge.exe	msedge.exe
PID 332 wrote to memory of 1080	332	msedge.exe	msedge.exe
PID 332 wrote to memory of 1080	332	msedge.exe	msedge.exe
PID 332 wrote to memory of 1080	332	msedge.exe	msedge.exe
PID 332 wrote to memory of 1080	332	msedge.exe	msedge.exe
PID 332 wrote to memory of 1080	332	msedge.exe	msedge.exe
PID 332 wrote to memory of 1080	332	msedge.exe	msedge.exe
PID 332 wrote to memory of 1080	332	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Ransomware/7ev3n.exe
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:332

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9b2873cb8,0x7ff9b2873cc8,0x7ff9b2873cd8
2⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
PID:3976

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,3482653595089708870,18431789071522924130,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1940 /prefetch:2
2⤵
PID:4228

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1908,3482653595089708870,18431789071522924130,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2396 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4064

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1908,3482653595089708870,18431789071522924130,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2840 /prefetch:8
2⤵
PID:1080

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,3482653595089708870,18431789071522924130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
2⤵
PID:3612

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,3482653595089708870,18431789071522924130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
2⤵
PID:3260

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1908,3482653595089708870,18431789071522924130,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4644 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4668

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,3482653595089708870,18431789071522924130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4088 /prefetch:1
2⤵
PID:2404

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,3482653595089708870,18431789071522924130,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5340 /prefetch:1
2⤵
PID:868

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1908,3482653595089708870,18431789071522924130,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3384 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4208

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,3482653595089708870,18431789071522924130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4516 /prefetch:1
2⤵
PID:4916

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,3482653595089708870,18431789071522924130,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4580 /prefetch:1
2⤵
PID:1528

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1908,3482653595089708870,18431789071522924130,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5192 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2160

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,3482653595089708870,18431789071522924130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5208 /prefetch:1
2⤵
PID:1356

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1908,3482653595089708870,18431789071522924130,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6040 /prefetch:8
2⤵
PID:4752

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1908,3482653595089708870,18431789071522924130,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5552 /prefetch:8
2⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:2040

C:\Users\Admin\Downloads\NoMoreRansom.exe
"C:\Users\Admin\Downloads\NoMoreRansom.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
PID:5096

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,3482653595089708870,18431789071522924130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3008 /prefetch:1
2⤵
PID:3168

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1908,3482653595089708870,18431789071522924130,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6528 /prefetch:8
2⤵
PID:1328

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,3482653595089708870,18431789071522924130,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4300 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:244

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1908,3482653595089708870,18431789071522924130,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6636 /prefetch:8
2⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:2036

C:\Users\Admin\Downloads\CryptoWall.exe
"C:\Users\Admin\Downloads\CryptoWall.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: MapViewOfSection
PID:3948

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\syswow64\explorer.exe"
3⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: MapViewOfSection
PID:3100

C:\Windows\SysWOW64\svchost.exe
-k netsvcs
4⤵
PID:3096

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3608

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2212

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\bd74eb92-80db-4ace-835b-b46cac31796f.dmp
Filesize
3.4MB

MD5
ac2d38210acd2eaf7881e99468fc005f

SHA1
bea0b04f506c860e1d03df4ae6e6063496821328

SHA256
925ab54cd84b12eca0cea8cb889b08122a35040d761ed5af50607fa2b64b90a3

SHA512
ed5efcb580c10fcceaa3c70900ac10efc608e1eabd779249dfb57b2d3ba7c5a18ab1682d54600055b25dc7e23f6389fe10ebc635b38879aa1f7bc08cbc5d1745

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
6e498afe43878690d3c18fab2dd375a5

SHA1
b53f3ccbfe03a300e6b76a7c453bacb8ca9e13bd

SHA256
beb39e9a246495e9dd2971224d23c511b565a72a6f02315c9f9bf1dcfae7df78

SHA512
3bf8a2dd797e7f41377267ad26bde717b5b3839b835fe7b196e748fec775ffd39346dba154bb5d8bda4e6568133daaa7fefa3a0d2a05e035c7210bb3c60041a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
b8b53ef336be1e3589ad68ef93bbe3a7

SHA1
dec5c310225cab7d871fe036a6ed0e7fc323cf56

SHA256
fe5c2fb328310d7621d8f5af5af142c9ce10c80f127c4ab63171738ad34749e1

SHA512
a9081a5a909d9608adfc2177d304950b700b654e397cf648ed90ecac8ac44b860b2cf55a6d65e4dfa84ef79811543abf7cb7f6368fd3914e138dfdd7a9c09537

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\5b4058c1-7843-452b-ad98-fccc4578159e.tmp
Filesize
5KB

MD5
55c00a563b7c583b048f51e88b3f42e2

SHA1
869e4ce6a06b6fc40378926efeea48e9375e669a

SHA256
12eec4b5e117d69818615fd6a1cea7ab8d18e595cff9789ed7c570a2b890ebe9

SHA512
d8b12fc54c426a4024b76aafcaac67e13f1d0334565666f59622e1ee215199349daacf3152abe5de5eb90a1830a024d29e93611476211383bec21b6bb59cd7a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
2KB

MD5
809ec37828e468a83a811003dfc822ce

SHA1
48574123c58941816aff8c24bb102f4af311aeac

SHA256
3d669c05c5822b26bc9a11cf8ccb3b3fc17a8121eb918ae1e480dbedfacc1fe9

SHA512
d10983df9805c4a52b3dc8b808b6042fac0a4d3a60a8b6b4956021e5db7fe542e0e9da42d16bd70112d6476529bbf911269c640b34681e36ea016d66cf7569b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
579B

MD5
d01be2bc277307bf760669a4f350a984

SHA1
64859376f5718ae3b4e6979a9f029ceaebf91fe4

SHA256
de4ea8f1d2393892282b2e5ed049c0817630e9350e541f75ac9e9dc832967d41

SHA512
a901a5b217e43b9553b2dd6edcafea6a97ad56ea0e94726e578e167409fb8218d7cd5b029788186a5ceacc2ea706f37a6d498ed6915d40e25e662501d02df94f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
3c0e5496f49a6dc6a6065e65eddc485d

SHA1
4cd023d56e52a7200440f605fe62e75a1ab3ddb7

SHA256
b77aa17cba7399cf30357d281f42623cc0e048612d0882484ec9d49be834f3fd

SHA512
5a65a57391660d66d97577e43b4499ea1f5472d9fc68b25eeb0dcb0c594137a586bc06530635295f18d14bbea8586bd86a67824c988ed974e95043131ed46a1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
8cb962453b9a6b16bda3515c3b1a46ab

SHA1
4c9c8826a630e4c774b93b512d4e5aa6a9405543

SHA256
4a7634e06d189c11c297630c1cd1470bea693e85ea2529876f21ae3cd8838b7d

SHA512
700d97e482f29c5d183a2cb21d52a64e395d11653a96b3d60db2321a14e402da3836bba45fc610606bbc1fae1c131929020b35f0ffc2a6f0359eba2e3f4852d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
61070203272208b2759a4364c5ffb65f

SHA1
28fc998fc4085dd33360711d53e07bc1618bebb8

SHA256
1f2091b6b3d047dd006c37f30b3a535a203e325a3b011dd06417e34a137a73b0

SHA512
86dc77969db58ee38ccbbb815ed16d22393b373411a023170b99d6e96e3e930960e25e83d253809963a8bba218a417aacaf05e3552e7e43bbe05dfc4598f9100

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
b328ec23c6fd293974aaa411e3913f48

SHA1
6fa83494c2ffce3f25fe834853776c631a959613

SHA256
6b538c79ad2bf3ef72c10986a4d9cef98e2632669da6cf506a3e6b69c71c9fd4

SHA512
a0dd472051fb207007e94ffbe1f9e826df57c7ecebe3a6d2eeb98c2b1f7b5ddbb6f76b08b6dbcbd6834300f1a27290a3a2ca33f32edf7d750b77bad318505851

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
a9c4c340e6a4c964dd6dd4ed19124e87

SHA1
6238dc32773c0d766ce873b82a91a4e2ed8e2ac4

SHA256
e2884b5137363da102a471e861da5b13b6deb825005cc4659768be76b223fe32

SHA512
c58f81f669c8fb3eb4e622d730d9c17845c3cc08b86bf1bc19625d32e8e0ba3b7fcd95e477d1d1888c75341c0fa56df0a2e3744bcd1cc19d2d78271458bd3db0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
3bf9ba6572f82f397765dc5ca9854296

SHA1
5c9e90a92980d80f9d24358e97afbf123adb41b5

SHA256
1c73c08a8f8733255081e536e5255b488f3bb8c41d15f1ac499f9e9358ee99bb

SHA512
c9e8855877a88d139217f47c7954c2761590499148efce2e0374b179f2257b3e926a847d1f197683d875fee1e3df99ae7f1888f667e03e4c33fc1ef4081a52df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
f0ab7b8565b06c17ed0a23305eed718c

SHA1
38e0a50a547e82a709af1a7608cf6b65bc4d626e

SHA256
bf302caf286753e881d569821998505d6b9670b874e02d8655642b19b2c0ace8

SHA512
0190b72cf3a3124d9e48f16962bb4ddddd198d4e8ec7fca22a67e674e0e0302a10ac269c08d27d7c49032ed2c913528576d5682b5ba7eea0e05fdaca0b181321

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe583989.TMP
Filesize
874B

MD5
cd24866d9e31ebd1834bd86897ed93e8

SHA1
8b5131948f2095775d8c97cf809940467055194b

SHA256
f7bf583c7aa9b1c870565c36baac71c507da3334d01c64b39ab06626fc1d5e21

SHA512
f971b919b7eb67e937e9da144b8084a3b03a78c4d022b08fafb51885544eafb4311ac67295ecffc30f7f5a2ee490120c8b03e1ffad9a626457fb4246a1d2a63e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
dc5f1fc96ccc47212267f1a276e4d724

SHA1
048d3cbb2671e6accff0396de47056dd2acdf0d9

SHA256
ba5693ace02c7c561e755cfe59ffa29ac1bbe63666ea24e6560174979bb68ac9

SHA512
0809122fb01e728fed33803b0437ffab3c13aa5d9339e62e7fcf20a99905161433d8e611ba52433324c89865e9582bcf4979094437fbb5d39651b27651d42896

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
9d380f362c0aa7f87e5cddec13a915d7

SHA1
8d6accf21559f63771ec2c7be9b3381920ca75dd

SHA256
9e8fbf91536ff92a1096c78f1943c245e572d49e4d066b98521d0b75f2b3a04d

SHA512
2ead4e28d9febe69da6bac2e0dfd822d230c8e48c25befe70cb3d0f3699b67aba20aa40461865d3a6806811de19284f631dbf88afb80d94d9eee8f8e5a6e568f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
eff8df9a1c6250e6237324c5a6ed1223

SHA1
356a3db7bc1da30ca0c01134108bc8ff3fb3dd1a

SHA256
8f99f20efaa12c17296426ec4d979fcf23ca34aebd915a775ad68283b848088d

SHA512
77e4c78a9ae3386e35d60a8b20558d6fb9ca20b2d75e3d689aaf9887184195db9431f714630606d5436284dd7ae22159442e205b2563d441e183d52ac31e58e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
84fd7fa80235386ae155ee3d6a513ee5

SHA1
a01196b0b6cead112690650a92a410b46cb1d13d

SHA256
822bce546ef622a0456d10c187a9726b378199561397dc982afc7e199c3d06b7

SHA512
38f02dee60607ce755b8402b15688cf8659e2013b0470db6f230a5a49a6fab612b865a34461e02aa8d5a6099bb22dd8d9d40cf4c1d7de08ee9c61d68f8ca5afa

Download Submit
C:\Users\Admin\Downloads\NoMoreRansom.exe:Zone.Identifier
Filesize
55B

MD5
0f98a5550abe0fb880568b1480c96a1c

SHA1
d2ce9f7057b201d31f79f3aee2225d89f36be07d

SHA256
2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1

SHA512
dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 197275.crdownload
Filesize
1.4MB

MD5
63210f8f1dde6c40a7f3643ccf0ff313

SHA1
57edd72391d710d71bead504d44389d0462ccec9

SHA256
2aab13d49b60001de3aa47fb8f7251a973faa7f3c53a3840cdf5fd0b26e9a09f

SHA512
87a89e8ab85be150a783a9f8d41797cfa12f86fdccb48f2180c0498bfd2b1040b730dee4665fe2c83b98d436453680226051b7f1532e1c0e0cda0cf702e80a11

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 432799.crdownload
Filesize
132KB

MD5
919034c8efb9678f96b47a20fa6199f2

SHA1
747070c74d0400cffeb28fbea17b64297f14cfbd

SHA256
e036d68b8f8b7afc6c8b6252876e1e290f11a26d4ad18ac6f310662845b2c734

SHA512
745a81c50bbfd62234edb9788c83a22e0588c5d25c00881901923a02d7096c71ef5f0cd5b73f92ad974e5174de064b0c5ea8044509039aab14b2aed83735a7c4

Download Submit
\??\pipe\LOCAL\crashpad_332_WXAGNPICQCPYSEAH
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/3096-413-0x0000000000D40000-0x0000000000D65000-memory.dmp

Filesize
148KB

Download
memory/3100-409-0x0000000000F50000-0x0000000000F75000-memory.dmp

Filesize
148KB

Download
memory/3100-414-0x0000000000F50000-0x0000000000F75000-memory.dmp

Filesize
148KB

Download
memory/5096-289-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/5096-350-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/5096-381-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/5096-348-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/5096-347-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/5096-314-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/5096-290-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/5096-288-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/5096-427-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/5096-439-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/5096-287-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/5096-460-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download