troldesh | hxxps://github[.]com/Endermanch/MalwareDatabase

max time kernel
83s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02-08-2024 23:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Endermanch/MalwareDatabase

Score

10^/10

troldesh discovery persistence ransomware trojan upx

Malware Config

Signatures

Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.
ransomware trojan troldesh

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/4496-247-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4496-248-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4496-249-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4496-250-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4496-251-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4496-278-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4496-402-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4496-403-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4496-404-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4496-427-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4496-491-0x0000000000400000-0x00000000005DE000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\""	[email protected]

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
53	raw.githubusercontent.com
54	raw.githubusercontent.com
55	raw.githubusercontent.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
2704	vlc.exe
2780	vlc.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
2636	chrome.exe
2636	chrome.exe
4496	[email protected]
4496	[email protected]
4496	[email protected]
4496	[email protected]
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2704	vlc.exe
2780	vlc.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
2636	chrome.exe
2636	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2636	chrome.exe
Token: SeCreatePagefilePrivilege	2636	chrome.exe
Token: SeShutdownPrivilege	2636	chrome.exe
Token: SeCreatePagefilePrivilege	2636	chrome.exe
Token: SeShutdownPrivilege	2636	chrome.exe
Token: SeCreatePagefilePrivilege	2636	chrome.exe
Token: SeShutdownPrivilege	2636	chrome.exe
Token: SeCreatePagefilePrivilege	2636	chrome.exe
Token: SeShutdownPrivilege	2636	chrome.exe
Token: SeCreatePagefilePrivilege	2636	chrome.exe
Token: SeShutdownPrivilege	2636	chrome.exe
Token: SeCreatePagefilePrivilege	2636	chrome.exe
Token: SeShutdownPrivilege	2636	chrome.exe
Token: SeCreatePagefilePrivilege	2636	chrome.exe
Token: SeShutdownPrivilege	2636	chrome.exe
Token: SeCreatePagefilePrivilege	2636	chrome.exe
Token: SeShutdownPrivilege	2636	chrome.exe
Token: SeCreatePagefilePrivilege	2636	chrome.exe
Token: SeShutdownPrivilege	2636	chrome.exe
Token: SeCreatePagefilePrivilege	2636	chrome.exe
Token: SeShutdownPrivilege	2636	chrome.exe
Token: SeCreatePagefilePrivilege	2636	chrome.exe
Token: SeShutdownPrivilege	2636	chrome.exe
Token: SeCreatePagefilePrivilege	2636	chrome.exe
Token: SeShutdownPrivilege	2636	chrome.exe
Token: SeCreatePagefilePrivilege	2636	chrome.exe
Token: SeShutdownPrivilege	2636	chrome.exe
Token: SeCreatePagefilePrivilege	2636	chrome.exe
Token: SeShutdownPrivilege	2636	chrome.exe
Token: SeCreatePagefilePrivilege	2636	chrome.exe
Token: SeShutdownPrivilege	2636	chrome.exe
Token: SeCreatePagefilePrivilege	2636	chrome.exe
Token: SeShutdownPrivilege	2636	chrome.exe
Token: SeCreatePagefilePrivilege	2636	chrome.exe
Token: SeShutdownPrivilege	2636	chrome.exe
Token: SeCreatePagefilePrivilege	2636	chrome.exe
Token: SeShutdownPrivilege	2636	chrome.exe
Token: SeCreatePagefilePrivilege	2636	chrome.exe
Token: SeShutdownPrivilege	2636	chrome.exe
Token: SeCreatePagefilePrivilege	2636	chrome.exe
Token: SeShutdownPrivilege	2636	chrome.exe
Token: SeCreatePagefilePrivilege	2636	chrome.exe
Token: SeShutdownPrivilege	2636	chrome.exe
Token: SeCreatePagefilePrivilege	2636	chrome.exe
Token: SeShutdownPrivilege	2636	chrome.exe
Token: SeCreatePagefilePrivilege	2636	chrome.exe
Token: SeShutdownPrivilege	2636	chrome.exe
Token: SeCreatePagefilePrivilege	2636	chrome.exe
Token: SeShutdownPrivilege	2636	chrome.exe
Token: SeCreatePagefilePrivilege	2636	chrome.exe
Token: SeShutdownPrivilege	2636	chrome.exe
Token: SeCreatePagefilePrivilege	2636	chrome.exe
Token: SeShutdownPrivilege	2636	chrome.exe
Token: SeCreatePagefilePrivilege	2636	chrome.exe
Token: SeShutdownPrivilege	2636	chrome.exe
Token: SeCreatePagefilePrivilege	2636	chrome.exe
Token: SeShutdownPrivilege	2636	chrome.exe
Token: SeCreatePagefilePrivilege	2636	chrome.exe
Token: SeShutdownPrivilege	2636	chrome.exe
Token: SeCreatePagefilePrivilege	2636	chrome.exe
Token: SeShutdownPrivilege	2636	chrome.exe
Token: SeCreatePagefilePrivilege	2636	chrome.exe
Token: SeShutdownPrivilege	2636	chrome.exe
Token: SeCreatePagefilePrivilege	2636	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
2636	chrome.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2704	vlc.exe
2780	vlc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2636 wrote to memory of 2576	2636	chrome.exe	81
PID 2636 wrote to memory of 2576	2636	chrome.exe	81
PID 2636 wrote to memory of 3280	2636	chrome.exe	83
PID 2636 wrote to memory of 3280	2636	chrome.exe	83
PID 2636 wrote to memory of 3280	2636	chrome.exe	83
PID 2636 wrote to memory of 3280	2636	chrome.exe	83
PID 2636 wrote to memory of 3280	2636	chrome.exe	83
PID 2636 wrote to memory of 3280	2636	chrome.exe	83
PID 2636 wrote to memory of 3280	2636	chrome.exe	83
PID 2636 wrote to memory of 3280	2636	chrome.exe	83
PID 2636 wrote to memory of 3280	2636	chrome.exe	83
PID 2636 wrote to memory of 3280	2636	chrome.exe	83
PID 2636 wrote to memory of 3280	2636	chrome.exe	83
PID 2636 wrote to memory of 3280	2636	chrome.exe	83
PID 2636 wrote to memory of 3280	2636	chrome.exe	83
PID 2636 wrote to memory of 3280	2636	chrome.exe	83
PID 2636 wrote to memory of 3280	2636	chrome.exe	83
PID 2636 wrote to memory of 3280	2636	chrome.exe	83
PID 2636 wrote to memory of 3280	2636	chrome.exe	83
PID 2636 wrote to memory of 3280	2636	chrome.exe	83
PID 2636 wrote to memory of 3280	2636	chrome.exe	83
PID 2636 wrote to memory of 3280	2636	chrome.exe	83
PID 2636 wrote to memory of 3280	2636	chrome.exe	83
PID 2636 wrote to memory of 3280	2636	chrome.exe	83
PID 2636 wrote to memory of 3280	2636	chrome.exe	83
PID 2636 wrote to memory of 3280	2636	chrome.exe	83
PID 2636 wrote to memory of 3280	2636	chrome.exe	83
PID 2636 wrote to memory of 3280	2636	chrome.exe	83
PID 2636 wrote to memory of 3280	2636	chrome.exe	83
PID 2636 wrote to memory of 3280	2636	chrome.exe	83
PID 2636 wrote to memory of 3280	2636	chrome.exe	83
PID 2636 wrote to memory of 3280	2636	chrome.exe	83
PID 2636 wrote to memory of 2124	2636	chrome.exe	84
PID 2636 wrote to memory of 2124	2636	chrome.exe	84
PID 2636 wrote to memory of 1444	2636	chrome.exe	85
PID 2636 wrote to memory of 1444	2636	chrome.exe	85
PID 2636 wrote to memory of 1444	2636	chrome.exe	85
PID 2636 wrote to memory of 1444	2636	chrome.exe	85
PID 2636 wrote to memory of 1444	2636	chrome.exe	85
PID 2636 wrote to memory of 1444	2636	chrome.exe	85
PID 2636 wrote to memory of 1444	2636	chrome.exe	85
PID 2636 wrote to memory of 1444	2636	chrome.exe	85
PID 2636 wrote to memory of 1444	2636	chrome.exe	85
PID 2636 wrote to memory of 1444	2636	chrome.exe	85
PID 2636 wrote to memory of 1444	2636	chrome.exe	85
PID 2636 wrote to memory of 1444	2636	chrome.exe	85
PID 2636 wrote to memory of 1444	2636	chrome.exe	85
PID 2636 wrote to memory of 1444	2636	chrome.exe	85
PID 2636 wrote to memory of 1444	2636	chrome.exe	85
PID 2636 wrote to memory of 1444	2636	chrome.exe	85
PID 2636 wrote to memory of 1444	2636	chrome.exe	85
PID 2636 wrote to memory of 1444	2636	chrome.exe	85
PID 2636 wrote to memory of 1444	2636	chrome.exe	85
PID 2636 wrote to memory of 1444	2636	chrome.exe	85
PID 2636 wrote to memory of 1444	2636	chrome.exe	85
PID 2636 wrote to memory of 1444	2636	chrome.exe	85
PID 2636 wrote to memory of 1444	2636	chrome.exe	85
PID 2636 wrote to memory of 1444	2636	chrome.exe	85
PID 2636 wrote to memory of 1444	2636	chrome.exe	85
PID 2636 wrote to memory of 1444	2636	chrome.exe	85
PID 2636 wrote to memory of 1444	2636	chrome.exe	85
PID 2636 wrote to memory of 1444	2636	chrome.exe	85
PID 2636 wrote to memory of 1444	2636	chrome.exe	85
PID 2636 wrote to memory of 1444	2636	chrome.exe	85

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/Endermanch/MalwareDatabase
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fff5264cc40,0x7fff5264cc4c,0x7fff5264cc58
  2⤵
  PID:2576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2032,i,8103755897405283202,8146903578520075110,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2028 /prefetch:2
  2⤵
  PID:3280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1872,i,8103755897405283202,8146903578520075110,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2080 /prefetch:3
  2⤵
  PID:2124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=1708,i,8103755897405283202,8146903578520075110,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1728 /prefetch:8
  2⤵
  PID:1444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3116,i,8103755897405283202,8146903578520075110,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3152 /prefetch:1
  2⤵
  PID:1292
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3124,i,8103755897405283202,8146903578520075110,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3168 /prefetch:1
  2⤵
  PID:4856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4592,i,8103755897405283202,8146903578520075110,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4552 /prefetch:8
  2⤵
  PID:4388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4548,i,8103755897405283202,8146903578520075110,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5000 /prefetch:8
  2⤵
  PID:1620

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2276

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1824

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1704

C:\Users\Admin\AppData\Local\Temp\Temp1_NoMoreRansom.zip\[email protected]
"C:\Users\Admin\AppData\Local\Temp\Temp1_NoMoreRansom.zip\[email protected]"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4496

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1996

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\DebugStep.wmv"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2704

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\SplitSync.m3u"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Windows\csrss.exe

Filesize
1.4MB

MD5
63210f8f1dde6c40a7f3643ccf0ff313

SHA1
57edd72391d710d71bead504d44389d0462ccec9

SHA256
2aab13d49b60001de3aa47fb8f7251a973faa7f3c53a3840cdf5fd0b26e9a09f

SHA512
87a89e8ab85be150a783a9f8d41797cfa12f86fdccb48f2180c0498bfd2b1040b730dee4665fe2c83b98d436453680226051b7f1532e1c0e0cda0cf702e80a11

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
2c4dfde95c74432886a25bf100c78a01

SHA1
53d3b467e3d6e63699c315768b080a1075b67eb8

SHA256
17a0296f619bbb936ed4343ec861ce3e04639951c3d45c5abe6183ac0c57286b

SHA512
e07df79e250bdb563b00a1b2d5a2aa0f9447f32b3eb5b32941ab227a2e6e11b23f3d31a56f82e7abfdbc58e3fd9306ef290e0a3c6fe0b1738997ca4eb6ae1eb8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
147b67227522a5a4b7648b463eb449c6

SHA1
98d8e2662e71ad35ab5f8ed5c28f2c62a322e16d

SHA256
a9850d2bf883101440dfd1e90d599d7e7368ef694588990ae54f5aec54916b96

SHA512
d6b3971287c52ce88e98db5f15b1366178e932cfce40ef1e5a7ebafd0d560ab13f31a8c8e353285b0d4733e52ef6dad75cf1bbb9e12c0dbcbe525ccaf2ec916b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\6d466df3-8bfc-43c0-a0f0-f7ec22bf29bc.tmp

Filesize
1KB

MD5
34060e522d6591c7a77a8fdd0731e329

SHA1
a1e04c5275f9175183c31f26774412c67b6e94b7

SHA256
21f72a747bf56977f3bb987ce6ccb87d3fc2af6ab1d655d6883edcd20850cbb6

SHA512
d251714c8d477f1decaa20e4b4f689f34a6a799f53628ff1bfbf72df766b500a60c1faa10aea052b6c61d151e0a936a8cce9767bd724a14926de1adf0582a498

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
340418ee77c6d68e369463d33160aeb0

SHA1
c01372d79eda6f4814bf3a2633554d05370657ff

SHA256
7e37dbdb2b67d9fb1c56d83de47ccac9e0610b5b3ecb5e013fb3a75ef267b68f

SHA512
34c492294c54f6212f2f9ce87654cbec843a980ddd247f5e48b39b38eda2cb29c8f9603e0c2707fc7591a7e29c9c6d462adc915d6993da7c5730e50abfefc316

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
7684e895df7baf653d7957eee8aff135

SHA1
fa2b628d70d82f90e5f3d53980d488f3f8c37e49

SHA256
f583d06331f2c6f839fc820cffab4166a4fe25730195c2a081c64971317605bc

SHA512
036ea1ac1762c0caca859d6dab3eb6981e6a8c7a91ccaf9b7214d2e3e303557d79d62dcd836bff7a2299d64e904b5fccc947a87fc5f73921a41014be3b39f51a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
7cefa71fff4d86010d85c09968ea7073

SHA1
3f34c090e373a2a9a3c9d968931bb71834210d4f

SHA256
0e54fec9a5396c9b7c5b576806303d15586180ad6db90f8191f119ff3403efa0

SHA512
a400e364ba5b18ab4a7004a1b532216c7c1cc69cc4d784ab9d0f492d51220a0047dc943c958b01733099538f32a9a136b5dae644b0a40c6e3431475abd1d5727

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
599ccb66fa2040c7cb58b67e580a86f5

SHA1
b2e566ba6e5e32139193502eed70bd54b444d6b6

SHA256
9fa2fc97c1f45a60059937dc1ea414b004caef3b400378527010980235947162

SHA512
934004f53c3694893689ad77861809773a023f23266e4aab81dac2fa50fd57a9f6c852a82bc9cdadde47b393dabfcc05d9f5e3605ce7e9f5b65c533d214ed9c5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
a6b93f67e2f26d9bb3934caf45fba556

SHA1
f982aec29e926b59e84a576f0f6d0eae1d723ccd

SHA256
7adaf7117b0c5b406ca50abacf2ae7e6124d1db543f6bebc3dd746dbbe13f8aa

SHA512
69c5a4343f783f0035fb277d4bd2f1c457c0e836ff76cbef196a760105ad0a141c3994c740d83a67e17a58010fcb76c862d9a6ab9556935f0b734799e0169f4c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
bc01d59663f0468102743bd9276c25a4

SHA1
b3a38f8f350d231cc71a2172f1505a517a177c6a

SHA256
91bcbc93bcf7bc2dd678fa1abdfed0ccd90874084f96e9a5660dcd2f4b75f7c3

SHA512
6562b8f4e9be3cb5aa4b17b37e5cdb4ba5485bf0bfcd06b3bb6816d341ca5c796773e2c6d1af75351f97118e50fcbc9b81be4acfacf3495ada3cb36cb345eb9a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
319b388adfa8b1518cb867e187c646da

SHA1
bcab17d2a38afe42481bc78e6da6019f373a8594

SHA256
aa887cad56f8a33228adabaf628dd64937932a19d617c447ef4a816c112d9d80

SHA512
7ff662e170987d0f0b410958eebff04c71abc22ed6b06386a5b55d4c987e7a97af8d8c12d088cda824ffb7eeffe81e2f20a6e2f0f8bd0fdc553e10ba424d38a0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
a10c74fa2eafa7d86f7a1f8bf11518c9

SHA1
3a0e3faa103b6ef37d807aa208c50fbfb6364256

SHA256
d7a98025da13865fc3ac146de7739d813f67b4b22040b02b053647be75ab2fad

SHA512
d6dfd809120743ef9af372e78f3eeb0ec9dcaf6a02a1657b956f471807066c9b8536cf9c4707cbaf5787af2ff07b9a639ce28d22b92354b05aa040f86d2a98a1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
45f4bd1e15dd4b52e718364625831c71

SHA1
d547fcd3c0e2fef2f93d146514d23d5b543a68df

SHA256
e9e46e72d1abcd7127cd1d3694546ef739924b52043c98a12a42bea55bc7ca9a

SHA512
f9f5c9e82d7bfdaabd1bb274750760d146b47782ce0805fa85c33b919ae34d8353f0f76c04bb339d96890a85953a130145953c554fc3a9e586fe06ec4aac0c93

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
4c7696f8d71a782bee3cfa5777f4a803

SHA1
7d2e83786fafbb64cea2b3796fc36fc20f439984

SHA256
f87e5b7abfb3c84751d695099582db93f4140f70cc6b753d6d9b733b0ed7539c

SHA512
d98b7ce8ee7c06a77946cbf6672681a56e076d0c993ab53da6f73532725c3b76bc185826f68a3ffd359bb4df6b1a46466e0beb7a8969513cd6556f86c973d87e

Download Submit
C:\Users\Admin\AppData\Roaming\vlc\ml.xspf

Filesize
304B

MD5
781602441469750c3219c8c38b515ed4

SHA1
e885acd1cbd0b897ebcedbb145bef1c330f80595

SHA256
81970dbe581373d14fbd451ac4b3f96e5f69b79645f1ee1ca715cff3af0bf20d

SHA512
2b0a1717d96edb47bdf0ffeb250a5ec11f7d0638d3e0a62fbe48c064379b473ca88ffbececb32a72129d06c040b107834f1004ccda5f0f35b8c3588034786461

Download Submit
C:\Users\Admin\AppData\Roaming\vlc\vlc-qt-interface.ini

Filesize
529B

MD5
e6b88c0a71f73e12c6a0fb11d60d4cc6

SHA1
6d458b04a79facf1b8f6ea4027506f3de9be6f6b

SHA256
596c6c6e34db9af541b524d6cd0da48557ff7a725443b8628efdb9bc87ebdeb6

SHA512
d22d34cfe9aeaf60f8c074ad68e26fde9ec91f4292be0d436bc0ced9b0dbb7d69986368067a7592d7aec79b67ac8f6230b2a4314d38f00cd03757fe64eada381

Download Submit
C:\Users\Admin\AppData\Roaming\vlc\vlcrc.2780

Filesize
94KB

MD5
7b37c4f352a44c8246bf685258f75045

SHA1
817dacb245334f10de0297e69c98b4c9470f083e

SHA256
ec45f6e952b43eddc214dba703cf7f31398f3c9f535aad37f42237c56b9b778e

SHA512
1e8d675b3c6c9ba257b616da268cac7f1c7a9db12ffb831ed5f8d43c0887d711c197ebc9daf735e3da9a0355bf21c2b29a2fb38a46482a2c5c8cd5628fea4c02

Download Submit
C:\Users\Admin\Downloads\NoMoreRansom.zip.crdownload

Filesize
916KB

MD5
f315e49d46914e3989a160bbcfc5de85

SHA1
99654bfeaad090d95deef3a2e9d5d021d2dc5f63

SHA256
5cbb6442c47708558da29588e0d8ef0b34c4716be4a47e7c715ea844fbcf60d7

SHA512
224747b15d0713afcb2641f8f3aa1687516d42e045d456b3ed096a42757a6c10c6626672366c9b632349cf6ffe41011724e6f4b684837de9b719d0f351dfd22e

Download Submit
memory/1996-397-0x00000209B9410000-0x00000209B9411000-memory.dmp

Filesize
4KB

Download
memory/1996-400-0x00000209B9410000-0x00000209B9411000-memory.dmp

Filesize
4KB

Download
memory/1996-395-0x00000209B9410000-0x00000209B9411000-memory.dmp

Filesize
4KB

Download
memory/1996-388-0x00000209B9410000-0x00000209B9411000-memory.dmp

Filesize
4KB

Download
memory/1996-390-0x00000209B9410000-0x00000209B9411000-memory.dmp

Filesize
4KB

Download
memory/1996-389-0x00000209B9410000-0x00000209B9411000-memory.dmp

Filesize
4KB

Download
memory/1996-394-0x00000209B9410000-0x00000209B9411000-memory.dmp

Filesize
4KB

Download
memory/1996-396-0x00000209B9410000-0x00000209B9411000-memory.dmp

Filesize
4KB

Download
memory/1996-399-0x00000209B9410000-0x00000209B9411000-memory.dmp

Filesize
4KB

Download
memory/1996-398-0x00000209B9410000-0x00000209B9411000-memory.dmp

Filesize
4KB

Download
memory/2704-418-0x00007FFF59F00000-0x00007FFF59F34000-memory.dmp

Filesize
208KB

Download
memory/2704-420-0x00007FFF41D80000-0x00007FFF42E30000-memory.dmp

Filesize
16.7MB

Download
memory/2704-417-0x00007FF7A36A0000-0x00007FF7A3798000-memory.dmp

Filesize
992KB

Download
memory/2704-419-0x00007FFF43230000-0x00007FFF434E6000-memory.dmp

Filesize
2.7MB

Download
memory/2780-445-0x00007FFF52850000-0x00007FFF528B7000-memory.dmp

Filesize
412KB

Download
memory/2780-444-0x00007FFF528C0000-0x00007FFF528F0000-memory.dmp

Filesize
192KB

Download
memory/2780-486-0x00007FFF59F00000-0x00007FFF59F34000-memory.dmp

Filesize
208KB

Download
memory/2780-488-0x00007FFF42BA0000-0x00007FFF42CAE000-memory.dmp

Filesize
1.1MB

Download
memory/2780-485-0x00007FF7A36A0000-0x00007FF7A3798000-memory.dmp

Filesize
992KB

Download
memory/2780-487-0x00007FFF43230000-0x00007FFF434E6000-memory.dmp

Filesize
2.7MB

Download
memory/2780-452-0x00000260C6BC0000-0x00000260C842F000-memory.dmp

Filesize
24.4MB

Download
memory/2780-429-0x00007FFF59F00000-0x00007FFF59F34000-memory.dmp

Filesize
208KB

Download
memory/2780-431-0x00007FFF57990000-0x00007FFF579A8000-memory.dmp

Filesize
96KB

Download
memory/2780-432-0x00007FFF56610000-0x00007FFF56627000-memory.dmp

Filesize
92KB

Download
memory/2780-428-0x00007FF7A36A0000-0x00007FF7A3798000-memory.dmp

Filesize
992KB

Download
memory/2780-430-0x00007FFF43230000-0x00007FFF434E6000-memory.dmp

Filesize
2.7MB

Download
memory/2780-435-0x00007FFF55F20000-0x00007FFF55F61000-memory.dmp

Filesize
260KB

Download
memory/2780-433-0x00007FFF565F0000-0x00007FFF56601000-memory.dmp

Filesize
68KB

Download
memory/2780-434-0x00007FFF42E30000-0x00007FFF4303B000-memory.dmp

Filesize
2.0MB

Download
memory/2780-451-0x00007FFF52090000-0x00007FFF520A7000-memory.dmp

Filesize
92KB

Download
memory/2780-450-0x00007FFF42BA0000-0x00007FFF42CAE000-memory.dmp

Filesize
1.1MB

Download
memory/2780-449-0x00007FFF42CB0000-0x00007FFF42E30000-memory.dmp

Filesize
1.5MB

Download
memory/2780-446-0x00007FFF437E0000-0x00007FFF4385C000-memory.dmp

Filesize
496KB

Download
memory/2780-447-0x00007FFF52770000-0x00007FFF52781000-memory.dmp

Filesize
68KB

Download
memory/2780-436-0x00007FFF55930000-0x00007FFF55951000-memory.dmp

Filesize
132KB

Download
memory/2780-448-0x00007FFF52500000-0x00007FFF52511000-memory.dmp

Filesize
68KB

Download
memory/2780-443-0x00007FFF52A10000-0x00007FFF52A28000-memory.dmp

Filesize
96KB

Download
memory/2780-442-0x00007FFF52A30000-0x00007FFF52A41000-memory.dmp

Filesize
68KB

Download
memory/2780-441-0x00007FFF52A50000-0x00007FFF52A6B000-memory.dmp

Filesize
108KB

Download
memory/2780-440-0x00007FFF52A70000-0x00007FFF52A81000-memory.dmp

Filesize
68KB

Download
memory/2780-439-0x00007FFF52AB0000-0x00007FFF52AC1000-memory.dmp

Filesize
68KB

Download
memory/2780-438-0x00007FFF55E10000-0x00007FFF55E21000-memory.dmp

Filesize
68KB

Download
memory/2780-437-0x00007FFF565D0000-0x00007FFF565E8000-memory.dmp

Filesize
96KB

Download
memory/4496-403-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4496-247-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4496-427-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4496-248-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4496-249-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4496-250-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4496-246-0x0000000002330000-0x00000000023FE000-memory.dmp

Filesize
824KB

Download
memory/4496-251-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4496-278-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4496-402-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4496-404-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4496-491-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download