Overview

overview

10

Static

static

3

Endermanch...om.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    99s
  • max time network
    100s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-08-2024 09:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    [email protected]

  • Size

    1.4MB

  • MD5

    63210f8f1dde6c40a7f3643ccf0ff313

  • SHA1

    57edd72391d710d71bead504d44389d0462ccec9

  • SHA256

    2aab13d49b60001de3aa47fb8f7251a973faa7f3c53a3840cdf5fd0b26e9a09f

  • SHA512

    87a89e8ab85be150a783a9f8d41797cfa12f86fdccb48f2180c0498bfd2b1040b730dee4665fe2c83b98d436453680226051b7f1532e1c0e0cda0cf702e80a11

  • SSDEEP

    12288:WZgSKWk54jeg6lL5assQHtzV2KoLJ+PwXxwuLSJ8slf1zMr6iL/KNDx2PIXe2Q:KgoLetlLS8tz6V+PwD0XVMrXCNDxtK

Score
10/10
troldeshdiscoverypersistenceprivilege_escalationransomwaretrojanupx

Malware Config

Signatures

  • Troldesh, Shade, Encoder.858

    Troldesh is a ransomware spread by malspam.

    ransomwaretrojantroldesh
  • Event Triggered Execution: Component Object Model Hijacking 1 TTPs

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    persistenceprivilege_escalation
  • Modifies system executable filetype association 2 TTPs 2 IoCs
    persistence
  • UPX packed file 18 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\[email protected]
    "C:\Users\Admin\AppData\Local\Temp\[email protected]"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    PID:2640
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:3780
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:3968
    • C:\Windows\System32\gvmh1g.exe
      "C:\Windows\System32\gvmh1g.exe"
      1⤵
        PID:1956
      • C:\Users\Admin\AppData\Local\Temp\[email protected]
        "C:\Users\Admin\AppData\Local\Temp\[email protected]"
        1⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:1600
      • C:\Windows\System32\gvmh1g.exe
        "C:\Windows\System32\gvmh1g.exe"
        1⤵
          PID:1536
        • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe
          "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"
          1⤵
          • Modifies system executable filetype association
          • System Location Discovery: System Language Discovery
          • Checks processor information in registry
          • Modifies Internet Explorer settings
          • Modifies registry class
          • Suspicious behavior: AddClipboardFormatListener
          • Suspicious use of SetWindowsHookEx
          PID:1004

        Network

        MITRE ATT&CK Enterprise v15

        Reconnaissance

        Resource Development

        Initial Access

        Execution

        Persistence

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Event Triggered Execution

        2
        T1546

        Change Default File Association

        1
        T1546.001

        Component Object Model Hijacking

        1
        T1546.015

        Privilege Escalation

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Event Triggered Execution

        2
        T1546

        Change Default File Association

        1
        T1546.001

        Component Object Model Hijacking

        1
        T1546.015

        Defense Evasion

        Modify Registry

        3
        T1112

        Credential Access

        Discovery

        Peripheral Device Discovery

        1
        T1120

        Query Registry

        2
        T1012

        System Information Discovery

        3
        T1082

        System Location Discovery

        1
        T1614

        System Language Discovery

        1
        T1614.001

        Lateral Movement

        Collection

        Command and Control

        Exfiltration

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\ProgramData\Windows\csrss.exe
          Filesize

          1.4MB

          MD5

          63210f8f1dde6c40a7f3643ccf0ff313

          SHA1

          57edd72391d710d71bead504d44389d0462ccec9

          SHA256

          2aab13d49b60001de3aa47fb8f7251a973faa7f3c53a3840cdf5fd0b26e9a09f

          SHA512

          87a89e8ab85be150a783a9f8d41797cfa12f86fdccb48f2180c0498bfd2b1040b730dee4665fe2c83b98d436453680226051b7f1532e1c0e0cda0cf702e80a11

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\settings\PreSignInSettingsConfig.json
          Filesize

          63KB

          MD5

          e516a60bc980095e8d156b1a99ab5eee

          SHA1

          238e243ffc12d4e012fd020c9822703109b987f6

          SHA256

          543796a1b343b4ebc0285d89cb8eb70667ac7b513da37495e38003704e9d88d7

          SHA512

          9b51e99ba20e9da56d1acc24a1cf9f9c9dbdeb742bec034e0ff2bc179a60f4aff249f40344f9ddd43229dcdefa1041940f65afb336d46c175ffeff725c638d58

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\VNN58CU3\update100[1].xml
          Filesize

          726B

          MD5

          53244e542ddf6d280a2b03e28f0646b7

          SHA1

          d9925f810a95880c92974549deead18d56f19c37

          SHA256

          36a6bd38a8a6f5a75b73caffae5ae66dfabcaefd83da65b493fa881ea8a64e7d

          SHA512

          4aa71d92ea2c46df86565d97aac75395371d3e17877ab252a297b84dca2ab251d50aaffc62eab9961f0df48de6f12be04a1f4a2cbde75b9ae7bcce6eb5450c62

          Download Submit

        • memory/1600-30-0x0000000000400000-0x00000000005DE000-memory.dmp

          Filesize

          1.9MB

          Download

        • memory/1600-34-0x0000000000400000-0x00000000005DE000-memory.dmp

          Filesize

          1.9MB

          Download

        • memory/1600-29-0x0000000000400000-0x00000000005DE000-memory.dmp

          Filesize

          1.9MB

          Download

        • memory/2640-38-0x0000000000400000-0x00000000005DE000-memory.dmp

          Filesize

          1.9MB

          Download

        • memory/2640-1-0x0000000000400000-0x00000000005DE000-memory.dmp

          Filesize

          1.9MB

          Download

        • memory/2640-2-0x0000000000400000-0x00000000005DE000-memory.dmp

          Filesize

          1.9MB

          Download

        • memory/2640-40-0x0000000000400000-0x00000000005DE000-memory.dmp

          Filesize

          1.9MB

          Download

        • memory/2640-39-0x0000000000400000-0x00000000005DE000-memory.dmp

          Filesize

          1.9MB

          Download

        • memory/2640-3-0x0000000000400000-0x00000000005DE000-memory.dmp

          Filesize

          1.9MB

          Download

        • memory/2640-28-0x0000000000400000-0x00000000005DE000-memory.dmp

          Filesize

          1.9MB

          Download

        • memory/2640-24-0x0000000000400000-0x00000000005DE000-memory.dmp

          Filesize

          1.9MB

          Download

        • memory/2640-25-0x0000000000400000-0x00000000005DE000-memory.dmp

          Filesize

          1.9MB

          Download

        • memory/2640-33-0x0000000000400000-0x00000000005DE000-memory.dmp

          Filesize

          1.9MB

          Download

        • memory/2640-4-0x0000000000400000-0x00000000005DE000-memory.dmp

          Filesize

          1.9MB

          Download

        • memory/2640-6-0x0000000000400000-0x00000000005DE000-memory.dmp

          Filesize

          1.9MB

          Download

        • memory/2640-0-0x0000000002410000-0x00000000024DE000-memory.dmp

          Filesize

          824KB

          Download

        • memory/2640-23-0x0000000000400000-0x00000000005DE000-memory.dmp

          Filesize

          1.9MB

          Download

        • memory/2640-26-0x0000000000400000-0x00000000005DE000-memory.dmp

          Filesize

          1.9MB

          Download

        • memory/2640-27-0x0000000000400000-0x00000000005DE000-memory.dmp

          Filesize

          1.9MB

          Download

        • memory/3780-20-0x00000220606B0000-0x00000220606B1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3780-17-0x00000220606B0000-0x00000220606B1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3780-10-0x00000220606B0000-0x00000220606B1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3780-16-0x00000220606B0000-0x00000220606B1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3780-18-0x00000220606B0000-0x00000220606B1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3780-19-0x00000220606B0000-0x00000220606B1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3780-21-0x00000220606B0000-0x00000220606B1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3780-15-0x00000220606B0000-0x00000220606B1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3780-11-0x00000220606B0000-0x00000220606B1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3780-9-0x00000220606B0000-0x00000220606B1000-memory.dmp

          Filesize

          4KB

          Download