troldesh | caa1e28ce7dd5960e3dd91f327484e0a3f5da6493b6536617659caf94c54e583

Analysis

max time kernel
120s
max time network
101s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
30-09-2024 09:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

caa1e28ce7dd5960e3dd91f327484e0a3f5da6493b6536617659caf94c54e583N.exe
Size

924KB
MD5

c2293c2be588a6b531c2ced3ad90e880
SHA1

8d85fb7fbeea7d1eb433f4e1c18d0e6d8072a44f
SHA256

caa1e28ce7dd5960e3dd91f327484e0a3f5da6493b6536617659caf94c54e583
SHA512

c3c933858f62aef610584fcf7ade1f4e8db21d4fe6d5130cfa12aeef816b663d8182add8cb2691e59efa7829d99057f4a633203e60e6a06cf2573b929fb7d77d
SSDEEP

24576:B8ue3jad03YB+qJS92fAx3xHHn4mu9o/9ult:+uBd6YB+qJS92fAbHIbr

Score

10^/10

troldesh defense_evasion discovery execution impact persistence ransomware trojan upx

Malware Config

Signatures

Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.
ransomware trojan troldesh
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Loads dropped DLL 1 IoCs

pid	Process
2724	caa1e28ce7dd5960e3dd91f327484e0a3f5da6493b6536617659caf94c54e583N.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\""	caa1e28ce7dd5960e3dd91f327484e0a3f5da6493b6536617659caf94c54e583N.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	caa1e28ce7dd5960e3dd91f327484e0a3f5da6493b6536617659caf94c54e583N.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2724 set thread context of 3052	2724	caa1e28ce7dd5960e3dd91f327484e0a3f5da6493b6536617659caf94c54e583N.exe	30

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3052-13-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3052-18-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3052-19-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3052-17-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3052-14-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3052-15-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3052-20-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3052-24-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3052-25-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3052-26-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3052-27-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3052-28-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3052-29-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3052-30-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3052-33-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3052-54-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3052-55-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3052-56-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3052-58-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3052-59-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3052-60-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3052-62-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3052-63-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3052-65-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3052-66-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3052-68-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3052-70-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3052-72-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3052-74-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3052-77-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3052-80-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3052-84-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3052-88-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3052-93-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3052-99-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3052-102-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3052-106-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3052-105-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3052-104-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3052-103-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3052-101-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3052-100-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3052-98-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3052-97-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3052-96-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3052-95-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3052-94-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3052-92-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3052-91-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3052-90-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3052-89-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3052-87-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3052-86-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3052-85-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3052-83-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3052-82-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3052-81-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3052-79-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3052-78-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3052-76-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3052-75-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3052-73-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3052-71-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3052-69-0x0000000000400000-0x00000000005DE000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_blue_snow.png	caa1e28ce7dd5960e3dd91f327484e0a3f5da6493b6536617659caf94c54e583N.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\add_over.png	caa1e28ce7dd5960e3dd91f327484e0a3f5da6493b6536617659caf94c54e583N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-execution.xml	caa1e28ce7dd5960e3dd91f327484e0a3f5da6493b6536617659caf94c54e583N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-modules.xml	caa1e28ce7dd5960e3dd91f327484e0a3f5da6493b6536617659caf94c54e583N.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\passportcover.png	caa1e28ce7dd5960e3dd91f327484e0a3f5da6493b6536617659caf94c54e583N.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\NavigationRight_ButtonGraphic.png	caa1e28ce7dd5960e3dd91f327484e0a3f5da6493b6536617659caf94c54e583N.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\css\weather.css	caa1e28ce7dd5960e3dd91f327484e0a3f5da6493b6536617659caf94c54e583N.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\calendar.html	caa1e28ce7dd5960e3dd91f327484e0a3f5da6493b6536617659caf94c54e583N.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\mobile_browse.html	caa1e28ce7dd5960e3dd91f327484e0a3f5da6493b6536617659caf94c54e583N.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Monet.jpg	caa1e28ce7dd5960e3dd91f327484e0a3f5da6493b6536617659caf94c54e583N.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\gadget.xml	caa1e28ce7dd5960e3dd91f327484e0a3f5da6493b6536617659caf94c54e583N.exe
File opened for modification	C:\Program Files\Mozilla Firefox\defaults\pref\channel-prefs.js	caa1e28ce7dd5960e3dd91f327484e0a3f5da6493b6536617659caf94c54e583N.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\720_480shadow.png	caa1e28ce7dd5960e3dd91f327484e0a3f5da6493b6536617659caf94c54e583N.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\babyblue.png	caa1e28ce7dd5960e3dd91f327484e0a3f5da6493b6536617659caf94c54e583N.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\heart_glass_Thumbnail.bmp	caa1e28ce7dd5960e3dd91f327484e0a3f5da6493b6536617659caf94c54e583N.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_ca.xml	caa1e28ce7dd5960e3dd91f327484e0a3f5da6493b6536617659caf94c54e583N.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\css\localizedSettings.css	caa1e28ce7dd5960e3dd91f327484e0a3f5da6493b6536617659caf94c54e583N.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-over-DOT.png	caa1e28ce7dd5960e3dd91f327484e0a3f5da6493b6536617659caf94c54e583N.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipssrl.xml	caa1e28ce7dd5960e3dd91f327484e0a3f5da6493b6536617659caf94c54e583N.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\btn-previous-static.png	caa1e28ce7dd5960e3dd91f327484e0a3f5da6493b6536617659caf94c54e583N.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\js\weather.js	caa1e28ce7dd5960e3dd91f327484e0a3f5da6493b6536617659caf94c54e583N.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\tile16.png	caa1e28ce7dd5960e3dd91f327484e0a3f5da6493b6536617659caf94c54e583N.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\currency.html	caa1e28ce7dd5960e3dd91f327484e0a3f5da6493b6536617659caf94c54e583N.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_gloss-wave_35_f6a828_500x100.png	caa1e28ce7dd5960e3dd91f327484e0a3f5da6493b6536617659caf94c54e583N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-dialogs.xml	caa1e28ce7dd5960e3dd91f327484e0a3f5da6493b6536617659caf94c54e583N.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\pagecurl.png	caa1e28ce7dd5960e3dd91f327484e0a3f5da6493b6536617659caf94c54e583N.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\button-highlight.png	caa1e28ce7dd5960e3dd91f327484e0a3f5da6493b6536617659caf94c54e583N.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\(120DPI)notConnectedStateIcon.png	caa1e28ce7dd5960e3dd91f327484e0a3f5da6493b6536617659caf94c54e583N.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\css\settings.css	caa1e28ce7dd5960e3dd91f327484e0a3f5da6493b6536617659caf94c54e583N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-nodes.xml	caa1e28ce7dd5960e3dd91f327484e0a3f5da6493b6536617659caf94c54e583N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-lib-uihandler.xml	caa1e28ce7dd5960e3dd91f327484e0a3f5da6493b6536617659caf94c54e583N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\feature.xml	caa1e28ce7dd5960e3dd91f327484e0a3f5da6493b6536617659caf94c54e583N.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationLeft_ButtonGraphic.png	caa1e28ce7dd5960e3dd91f327484e0a3f5da6493b6536617659caf94c54e583N.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hwrusalm.dat	caa1e28ce7dd5960e3dd91f327484e0a3f5da6493b6536617659caf94c54e583N.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_close_down.png	caa1e28ce7dd5960e3dd91f327484e0a3f5da6493b6536617659caf94c54e583N.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\js\clock.js	caa1e28ce7dd5960e3dd91f327484e0a3f5da6493b6536617659caf94c54e583N.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_frame-border.png	caa1e28ce7dd5960e3dd91f327484e0a3f5da6493b6536617659caf94c54e583N.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationUp_SelectionSubpicture.png	caa1e28ce7dd5960e3dd91f327484e0a3f5da6493b6536617659caf94c54e583N.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\redStateIcon.png	caa1e28ce7dd5960e3dd91f327484e0a3f5da6493b6536617659caf94c54e583N.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\settings.html	caa1e28ce7dd5960e3dd91f327484e0a3f5da6493b6536617659caf94c54e583N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\dropins\README.TXT	caa1e28ce7dd5960e3dd91f327484e0a3f5da6493b6536617659caf94c54e583N.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\button_right_mouseover.png	caa1e28ce7dd5960e3dd91f327484e0a3f5da6493b6536617659caf94c54e583N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_MoveNoDrop32x32.gif	caa1e28ce7dd5960e3dd91f327484e0a3f5da6493b6536617659caf94c54e583N.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationRight_ButtonGraphic.png	caa1e28ce7dd5960e3dd91f327484e0a3f5da6493b6536617659caf94c54e583N.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\grid_(cm).wmf	caa1e28ce7dd5960e3dd91f327484e0a3f5da6493b6536617659caf94c54e583N.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hwrdeush.dat	caa1e28ce7dd5960e3dd91f327484e0a3f5da6493b6536617659caf94c54e583N.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pa-in.txt	caa1e28ce7dd5960e3dd91f327484e0a3f5da6493b6536617659caf94c54e583N.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku-ckb.txt	caa1e28ce7dd5960e3dd91f327484e0a3f5da6493b6536617659caf94c54e583N.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SceneButtonSubpicture.png	caa1e28ce7dd5960e3dd91f327484e0a3f5da6493b6536617659caf94c54e583N.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-last-quarter.png	caa1e28ce7dd5960e3dd91f327484e0a3f5da6493b6536617659caf94c54e583N.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\gadget.xml	caa1e28ce7dd5960e3dd91f327484e0a3f5da6493b6536617659caf94c54e583N.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\settings.html	caa1e28ce7dd5960e3dd91f327484e0a3f5da6493b6536617659caf94c54e583N.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\de-DE\js\calendar.js	caa1e28ce7dd5960e3dd91f327484e0a3f5da6493b6536617659caf94c54e583N.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\browse_window.html	caa1e28ce7dd5960e3dd91f327484e0a3f5da6493b6536617659caf94c54e583N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-loaders.xml	caa1e28ce7dd5960e3dd91f327484e0a3f5da6493b6536617659caf94c54e583N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\feature.xml	caa1e28ce7dd5960e3dd91f327484e0a3f5da6493b6536617659caf94c54e583N.exe
File opened for modification	C:\Program Files\ApproveMeasure.eps	caa1e28ce7dd5960e3dd91f327484e0a3f5da6493b6536617659caf94c54e583N.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\item_hover_flyout.png	caa1e28ce7dd5960e3dd91f327484e0a3f5da6493b6536617659caf94c54e583N.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\css\RSSFeeds.css	caa1e28ce7dd5960e3dd91f327484e0a3f5da6493b6536617659caf94c54e583N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-masterfs.xml	caa1e28ce7dd5960e3dd91f327484e0a3f5da6493b6536617659caf94c54e583N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\about.html	caa1e28ce7dd5960e3dd91f327484e0a3f5da6493b6536617659caf94c54e583N.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\glow.png	caa1e28ce7dd5960e3dd91f327484e0a3f5da6493b6536617659caf94c54e583N.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\flower_s.png	caa1e28ce7dd5960e3dd91f327484e0a3f5da6493b6536617659caf94c54e583N.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mk.txt	caa1e28ce7dd5960e3dd91f327484e0a3f5da6493b6536617659caf94c54e583N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	caa1e28ce7dd5960e3dd91f327484e0a3f5da6493b6536617659caf94c54e583N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	caa1e28ce7dd5960e3dd91f327484e0a3f5da6493b6536617659caf94c54e583N.exe

Interacts with shadow copies 3 TTPs 3 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
2212	vssadmin.exe
2080	vssadmin.exe
2124	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3052	caa1e28ce7dd5960e3dd91f327484e0a3f5da6493b6536617659caf94c54e583N.exe
3052	caa1e28ce7dd5960e3dd91f327484e0a3f5da6493b6536617659caf94c54e583N.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2724	caa1e28ce7dd5960e3dd91f327484e0a3f5da6493b6536617659caf94c54e583N.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeBackupPrivilege	1472	vssvc.exe
Token: SeRestorePrivilege	1472	vssvc.exe
Token: SeAuditPrivilege	1472	vssvc.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2724 wrote to memory of 3052	2724	caa1e28ce7dd5960e3dd91f327484e0a3f5da6493b6536617659caf94c54e583N.exe	30
PID 2724 wrote to memory of 3052	2724	caa1e28ce7dd5960e3dd91f327484e0a3f5da6493b6536617659caf94c54e583N.exe	30
PID 2724 wrote to memory of 3052	2724	caa1e28ce7dd5960e3dd91f327484e0a3f5da6493b6536617659caf94c54e583N.exe	30
PID 2724 wrote to memory of 3052	2724	caa1e28ce7dd5960e3dd91f327484e0a3f5da6493b6536617659caf94c54e583N.exe	30
PID 2724 wrote to memory of 3052	2724	caa1e28ce7dd5960e3dd91f327484e0a3f5da6493b6536617659caf94c54e583N.exe	30
PID 2724 wrote to memory of 3052	2724	caa1e28ce7dd5960e3dd91f327484e0a3f5da6493b6536617659caf94c54e583N.exe	30
PID 2724 wrote to memory of 3052	2724	caa1e28ce7dd5960e3dd91f327484e0a3f5da6493b6536617659caf94c54e583N.exe	30
PID 2724 wrote to memory of 3052	2724	caa1e28ce7dd5960e3dd91f327484e0a3f5da6493b6536617659caf94c54e583N.exe	30
PID 3052 wrote to memory of 2212	3052	caa1e28ce7dd5960e3dd91f327484e0a3f5da6493b6536617659caf94c54e583N.exe	31
PID 3052 wrote to memory of 2212	3052	caa1e28ce7dd5960e3dd91f327484e0a3f5da6493b6536617659caf94c54e583N.exe	31
PID 3052 wrote to memory of 2212	3052	caa1e28ce7dd5960e3dd91f327484e0a3f5da6493b6536617659caf94c54e583N.exe	31
PID 3052 wrote to memory of 2212	3052	caa1e28ce7dd5960e3dd91f327484e0a3f5da6493b6536617659caf94c54e583N.exe	31
PID 3052 wrote to memory of 2080	3052	caa1e28ce7dd5960e3dd91f327484e0a3f5da6493b6536617659caf94c54e583N.exe	35
PID 3052 wrote to memory of 2080	3052	caa1e28ce7dd5960e3dd91f327484e0a3f5da6493b6536617659caf94c54e583N.exe	35
PID 3052 wrote to memory of 2080	3052	caa1e28ce7dd5960e3dd91f327484e0a3f5da6493b6536617659caf94c54e583N.exe	35
PID 3052 wrote to memory of 2080	3052	caa1e28ce7dd5960e3dd91f327484e0a3f5da6493b6536617659caf94c54e583N.exe	35
PID 3052 wrote to memory of 2124	3052	caa1e28ce7dd5960e3dd91f327484e0a3f5da6493b6536617659caf94c54e583N.exe	37
PID 3052 wrote to memory of 2124	3052	caa1e28ce7dd5960e3dd91f327484e0a3f5da6493b6536617659caf94c54e583N.exe	37
PID 3052 wrote to memory of 2124	3052	caa1e28ce7dd5960e3dd91f327484e0a3f5da6493b6536617659caf94c54e583N.exe	37
PID 3052 wrote to memory of 2124	3052	caa1e28ce7dd5960e3dd91f327484e0a3f5da6493b6536617659caf94c54e583N.exe	37

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\caa1e28ce7dd5960e3dd91f327484e0a3f5da6493b6536617659caf94c54e583N.exe
"C:\Users\Admin\AppData\Local\Temp\caa1e28ce7dd5960e3dd91f327484e0a3f5da6493b6536617659caf94c54e583N.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2724
- C:\Users\Admin\AppData\Local\Temp\caa1e28ce7dd5960e3dd91f327484e0a3f5da6493b6536617659caf94c54e583N.exe
  "C:\Users\Admin\AppData\Local\Temp\caa1e28ce7dd5960e3dd91f327484e0a3f5da6493b6536617659caf94c54e583N.exe"
  2⤵
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3052
- - C:\Windows\system32\vssadmin.exe
    C:\Windows\system32\vssadmin.exe List Shadows
    3⤵
    - Interacts with shadow copies
    PID:2212
- - C:\Windows\system32\vssadmin.exe
    C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:2080
- - C:\Windows\system32\vssadmin.exe
    C:\Windows\system32\vssadmin.exe List Shadows
    3⤵
    - Interacts with shadow copies
    PID:2124

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nso3F34.tmp\System.dll

Filesize
11KB

MD5
3e6bf00b3ac976122f982ae2aadb1c51

SHA1
caab188f7fdc84d3fdcb2922edeeb5ed576bd31d

SHA256
4ff9b2678d698677c5d9732678f9cf53f17290e09d053691aac4cc6e6f595cbe

SHA512
1286f05e6a7e6b691f6e479638e7179897598e171b52eb3a3dc0e830415251069d29416b6d1ffc6d7dce8da5625e1479be06db9b7179e7776659c5c1ad6aa706

Download Submit
memory/2724-11-0x0000000002CC0000-0x0000000002D8B000-memory.dmp

Filesize
812KB

Download
memory/2724-16-0x0000000002CC0000-0x0000000002D8B000-memory.dmp

Filesize
812KB

Download
memory/3052-13-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3052-18-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3052-19-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3052-17-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3052-14-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3052-15-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3052-20-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3052-24-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3052-25-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3052-26-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3052-27-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3052-28-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3052-29-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3052-30-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3052-33-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3052-54-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3052-55-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3052-56-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3052-58-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3052-59-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3052-60-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3052-62-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3052-63-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3052-65-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3052-66-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3052-68-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3052-70-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3052-72-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3052-74-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3052-77-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3052-80-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3052-84-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3052-88-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3052-93-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3052-99-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3052-102-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3052-106-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3052-105-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3052-104-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3052-103-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3052-101-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3052-100-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3052-98-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3052-97-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3052-96-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3052-95-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3052-94-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3052-92-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3052-91-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3052-90-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3052-89-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3052-87-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3052-86-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3052-85-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3052-83-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3052-82-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3052-81-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3052-79-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3052-78-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3052-76-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3052-75-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3052-73-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3052-71-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3052-69-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3052-67-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3052-61-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3052-57-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download