Overview

Static (score 10)
Score  Task                   Platform
10     Malware-1-...30.exe    windows11-21h2-x64
10     Malware-1-...40.exe    windows11-21h2-x64
10     Malware-1-...32.exe    windows11-21h2-x64
10     Malware-1-.../5.exe    windows11-21h2-x64
10     Malware-1-...91.exe    windows11-21h2-x64
10     Malware-1-...ey.exe    windows11-21h2-x64
7      Malware-1-...ad.exe    windows11-21h2-x64
3      Malware-1-...ti.exe    windows11-21h2-x64
5      Malware-1-...an.bat    windows11-21h2-x64
7      Malware-1-...an.exe    windows11-21h2-x64
5      Malware-1-...ve.bat    windows11-21h2-x64
7      Malware-1-...ve.exe    windows11-21h2-x64
6      Malware-1-...ya.exe    windows11-21h2-x64
       Malware-1-...re.exe    windows11-21h2-x64
10     Malware-1-...ry.exe    windows11-21h2-x64
10     Malware-1-...ck.exe    windows11-21h2-x64
3      Malware-1-...he.exe    windows11-21h2-x64
10     Malware-1-...op.exe    windows11-21h2-x64
7      Malware-1-...rb.exe    windows11-21h2-x64
10     Malware-1-...ue.exe    windows11-21h2-x64
1      Malware-1-...ng.exe    windows11-21h2-x64
6      Malware-1-...kt.bat    windows11-21h2-x64
7      Malware-1-...o3.exe    windows11-21h2-x64
10     Malware-1-...ey.exe    windows11-21h2-x64
10     Malware-1-.../m.exe    windows11-21h2-x64
       Malware-1-...o3.exe    windows11-21h2-x64
9      Malware-1-...32.exe    windows11-21h2-x64
10     Malware-1-...nf.exe    windows11-21h2-x64
10     Malware-1-.../o.exe    windows11-21h2-x64
3      Malware-1-...B8.exe    windows11-21h2-x64
10     Malware-1-...ig.exe    windows11-21h2-x64
10     Malware-1-...rv.exe    windows11-21h2-x64
Analysis (score 10)

- max time kernel: 890s
- max time network: 458s
- platform: windows11-21h2_x64
- resource: win11-20241007-en
- resource tags: arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 16/01/2025, 13:33
Behavioral tasks

Task          Sample                                       Resource
behavioral1   Malware-1-master/2530.exe                    win11-20241007-en
behavioral2   Malware-1-master/2887140.exe                 win11-20241007-en
behavioral3   Malware-1-master/32.exe                      win11-20241007-en
behavioral4   Malware-1-master/5.exe                       win11-20241007-en
behavioral5   Malware-1-master/96591.exe                   win11-20241007-en
behavioral6   Malware-1-master/Amadey.exe                  win11-20241007-en
behavioral7   Malware-1-master/Download.exe                win11-20241007-en
behavioral8   Malware-1-master/Illuminati.exe              win11-20241007-en
behavioral9   Malware-1-master/MEMZ-Clean.bat              win11-20241007-en
behavioral10  Malware-1-master/MEMZ-Clean.exe              win11-20241007-en
behavioral11  Malware-1-master/MEMZ-Destructive.bat        win11-20241007-en
behavioral12  Malware-1-master/MEMZ-Destructive.exe        win11-20241023-en
behavioral13  Malware-1-master/Petya.exe                   win11-20241007-en
behavioral14  Malware-1-master/Software.exe                win11-20241007-en
behavioral15  Malware-1-master/WannaCry.exe                win11-20241007-en
behavioral16  Malware-1-master/Win32.EvilClusterFuck.exe   win11-20241007-en
behavioral17  Malware-1-master/apache.exe                  win11-20241007-en
behavioral18  Malware-1-master/butterflyondesktop.exe      win11-20241023-en
behavioral19  Malware-1-master/crb.exe                     win11-20241007-en
behavioral20  Malware-1-master/eternalblue.exe             win11-20241007-en
behavioral21  Malware-1-master/fear.png.exe                win11-20241007-en
behavioral22  Malware-1-master/getr3kt.bat                 win11-20241007-en
behavioral23  Malware-1-master/iimo3.exe                   win11-20241007-en
behavioral24  Malware-1-master/jey.exe                     win11-20241007-en
behavioral25  Malware-1-master/m.exe                       win11-20241007-en
behavioral26  Malware-1-master/mo3.exe                     win11-20241007-en
behavioral27  Malware-1-master/mo332.exe                   win11-20241007-en
behavioral28  Malware-1-master/mysqlconf.exe               win11-20241007-en
behavioral29  Malware-1-master/o.exe                       win11-20241007-en
behavioral30  Malware-1-master/qOA7iZJcoB8.exe             win11-20241007-en
behavioral31  Malware-1-master/rig.exe                     win11-20241007-en
behavioral32  Malware-1-master/sserv.exe                   win11-20241007-en
General

- Target: Malware-1-master/sserv.exe
- Size: 1.3MB
- MD5: c90cf61a0eaa05c312f7b77a09127bc9
- SHA1: cb63424ccc3f5606ba789cf69b57356c35e89f15
- SHA256: ea06a7494932ab6c092151d25da6161eaf724f04881ff07f2f30cfc622eec33e
- SHA512: 9db8e3533122e8f0cdd3b097dc56236d27bee5daf42f8d5eb912db52293e4a4b2357a6c97816e527caab791f920538b133b3432dbcb65331d5bf2b197733a937
- SSDEEP: 24576:bSyLtIBYWFkfV0hfPnZBdWGktI7ie8ydTF4EWCA:fKBlNfPjd1ktOie8y1FzA
Malware Config

Signatures

- Troldesh family
- Troldesh, Shade, Encoder.858
  Troldesh is a ransomware spread by malspam.
- Deletes shadow copies (3 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Boot or Logon Autostart Execution: Active Setup (2 TTPs, 1 IoC)
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  IoC: Key created: \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000\Software\Microsoft\Active Setup\Installed Components (process: explorer.exe)
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  IoC: Set value (str): \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\"" (process: sserv.exe)
  IoC: Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\"" (process: sserv.exe)
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Enumerates connected drives (3 TTPs, 1 IoC)
  Attempts to read the root path of hard drives other than the default C: drive.
  IoC: File opened (read-only): \??\F: (process: sserv.exe)
- Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  IoC: Set value (str): \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\AEDCE7AFAEDCE7AF.bmp" (process: sserv.exe)
- yara_rule upx (64 matching memory dump resources)
  Matched resources: behavioral32/memory/3604-N-0x0000000000400000-0x0000000000607000-memory.dmp, for N in 1-5, 7-8, 12-19 and 22-70 (all dumps of PID 3604, region 0x0000000000400000-0x0000000000607000)
- Drops file in Program Files directory (64 IoCs)
  All IoCs are "File opened for modification" by process sserv.exe:
  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailLargeTile.scale-100.png
  C:\Program Files\WindowsApps\Microsoft.People_10.1909.12456.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PeopleWideTile.scale-200.png
  C:\Program Files\Java\jdk-1.8\javafx-src.zip
  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\1850_40x40x32.png
  C:\Program Files\WindowsApps\Microsoft.ScreenSketch_11.2104.2.0_x64__8wekyb3d8bbwe\SnippingTool\Assets\Square44x44Logo.targetsize-48_altform-unplated.png
  C:\Program Files\WindowsApps\Microsoft.ScreenSketch_11.2104.2.0_x64__8wekyb3d8bbwe\Assets\contrast-black\SnipSketchStoreLogo.scale-200.png
  C:\Program Files\WindowsApps\Microsoft.PowerAutomateDesktop_1.0.65.0_x64__8wekyb3d8bbwe\Images\PowerAutomateAppIcon.targetsize-24.png
  C:\Program Files\WindowsApps\Microsoft.People_10.1909.12456.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PeopleAppList.targetsize-72_altform-lightunplated.png
  C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\react\jsx-dev-runtime.js
  C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib-amd\GroupedList.js
  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\ContactPhoto.scale-180.png
  C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_4.0.2.0_x64__8wekyb3d8bbwe\Assets\Icons\StickyNotesAppList.targetsize-96.png
  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarAppList.targetsize-36.png
  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\AppxManifest.xml
  C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.41182.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-20_altform-unplated_contrast-black.png
  C:\Program Files\WindowsApps\Microsoft.ScreenSketch_11.2104.2.0_x64__8wekyb3d8bbwe\Assets\contrast-white\SnipSketchAppList.targetsize-40_altform-lightunplated.png
  C:\Program Files\Microsoft Office\root\Office16\1033\ClientPreview_eula.txt
  C:\Program Files\Java\jdk-1.8\legal\jdk\pkcs11cryptotoken.md
  C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\node_modules\@fluentui\dom-utilities\lib\getChildren.js
  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-black\LinkedInboxSmallTile.scale-125.png
  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\HxCalendarLogoExtensions.scale-256.png
  C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.40978.0_x64__8wekyb3d8bbwe\Assets\contrast-white\MedTile.scale-400_contrast-white.png
  C:\Program Files\Microsoft Office\root\Office16\WordInterProviderRanker.bin
  C:\Program Files\WindowsApps\Microsoft.WindowsStore_12104.1001.1.0_x64__8wekyb3d8bbwe\webviewCore.min.js
  C:\Program Files\WindowsApps\Microsoft.WindowsNotepad_10.2102.13.0_x64__8wekyb3d8bbwe\Assets\NotepadAppList.targetsize-24.png
  C:\Program Files\WindowsApps\Microsoft.People_10.1909.12456.0_x64__8wekyb3d8bbwe\Assets\contrast-black\PeopleAppList.targetsize-32.png
  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\HxCalendarLogoExtensions.scale-16.png
  C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.2012.21.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\CalculatorWideTile.scale-125_contrast-white.png
  C:\Program Files\WindowsApps\Microsoft.ScreenSketch_11.2104.2.0_x64__8wekyb3d8bbwe\Assets\contrast-black\SnipSketchAppList.targetsize-24.png
  C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]
  C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\node_modules\@uifabric\utilities\lib-amd\dom\getWindow.js
  C:\Program Files\WindowsApps\Microsoft.WindowsNotepad_10.2102.13.0_x64__8wekyb3d8bbwe\Assets\contrast-white\NotepadAppList.targetsize-64_altform-unplated.png
  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Yahoo-Dark.scale-250.png
  C:\Program Files\WindowsApps\Microsoft.WindowsStore_12104.1001.1.0_x64__8wekyb3d8bbwe\Assets\AppTiles\StoreBadgeLogo.scale-200.png
  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-black\LinkedInboxMediumTile.scale-150.png
  C:\Program Files\WindowsApps\Microsoft.BingNews_1.0.6.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\NewsAppList.targetsize-30_altform-lightunplated_contrast-black.png
  C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.41182.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-24_altform-unplated.png
  C:\Program Files\WindowsApps\Microsoft.ScreenSketch_11.2104.2.0_x64__8wekyb3d8bbwe\Assets\contrast-white\SnipSketchWideTile.scale-200.png
  C:\Program Files\WindowsApps\Microsoft.ScreenSketch_11.2104.2.0_x64__8wekyb3d8bbwe\Assets\SnipSketchAppList.targetsize-24_altform-lightunplated.png
  C:\Program Files\WindowsApps\Microsoft.BingNews_1.0.6.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\NewsStoreLogo.scale-125.png
  C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\node_modules\@uifabric\merge-styles\lib\IStyleSet.js
  C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib\Text.js
  C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib\FocusZone.js
  C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\node_modules\@uifabric\utilities\config\tests.js
  C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\node_modules\@uifabric\merge-styles\lib-commonjs\IStyleOptions.js
  C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib-commonjs\Dropdown.js
  C:\Program Files\Microsoft Office\root\Integration\C2RManifest.PowerView.PowerView.x-none.msi.16.x-none.xml
  C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.PPT
  C:\Program Files\WindowsApps\Microsoft.Windows.Photos_21.21030.25003.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\PhotosSplashScreen.contrast-black_scale-100.png
  C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.40978.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-96_contrast-black.png
  C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_2.2106.2807.0_x64__8wekyb3d8bbwe\cancelled.slk
  C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN002.XML
  C:\Program Files\WindowsApps\Microsoft.WindowsNotepad_10.2102.13.0_x64__8wekyb3d8bbwe\Assets\contrast-white\NotepadAppList.targetsize-30_altform-lightunplated.png
  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\OutlookMailBadge.scale-150.png
  C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.2012.21.0_x64__8wekyb3d8bbwe\Assets\Standard.targetsize-16_contrast-white.png
  C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\node_modules\@uifabric\utilities\lib-commonjs\modalize.js
  C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\node_modules\@uifabric\utilities\lib\selection\Selection.js
  C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib-commonjs\Utilities.js
  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\LinkedInboxSmallTile.scale-200.png
  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\HxCalendarBadge.scale-150.png
  C:\Program Files\WindowsApps\Microsoft.Windows.Photos_21.21030.25003.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-60_altform-lightunplated_contrast-black.png
  C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\lib-commonjs\types\Theme.js
  C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib-amd\Coachmark.js
  C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.21012.10511.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-48_contrast-black.png
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  IoC: Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: sserv.exe)
- Interacts with shadow copies (3 TTPs, 3 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  IoC: PID 776 vssadmin.exe
  IoC: PID 4072 vssadmin.exe
  IoC: PID 4920 vssadmin.exe
- Modifies registry class (1 IoC)
  IoC: Key created: \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4249425805-3408538557-1766626484-1000\{AFBBAB57-A6E3-408C-A786-B1083EFF168D} (process: explorer.exe)
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  IoC: PID 3604 sserv.exe (reported 4 times)
- Suspicious use of AdjustPrivilegeToken (15 IoCs)
  IoC: Token: SeBackupPrivilege (PID 3528 vssvc.exe)
  IoC: Token: SeRestorePrivilege (PID 3528 vssvc.exe)
  IoC: Token: SeAuditPrivilege (PID 3528 vssvc.exe)
  IoC: Token: SeShutdownPrivilege (PID 3448 explorer.exe), reported 6 times
  IoC: Token: SeCreatePagefilePrivilege (PID 3448 explorer.exe), reported 6 times
- Suspicious use of FindShellTrayWindow (2 IoCs)
  IoC: PID 3448 explorer.exe (reported 2 times)
- Suspicious use of SendNotifyMessage (8 IoCs)
  IoC: PID 3448 explorer.exe (reported 8 times)
- Suspicious use of WriteProcessMemory (6 IoCs)
  IoC: PID 3604 wrote to memory of 4072 (pid 3604 sserv.exe, procid_target 78), reported 2 times
  IoC: PID 3604 wrote to memory of 4920 (pid 3604 sserv.exe, procid_target 82), reported 2 times
  IoC: PID 3604 wrote to memory of 776 (pid 3604 sserv.exe, procid_target 84), reported 2 times
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

- C:\Users\Admin\AppData\Local\Temp\Malware-1-master\sserv.exe (PID 3604)
  command line: "C:\Users\Admin\AppData\Local\Temp\Malware-1-master\sserv.exe"
  - Adds Run key to start application
  - Enumerates connected drives
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\vssadmin.exe (PID 4072)
    command line: C:\Windows\system32\vssadmin.exe List Shadows
    - Interacts with shadow copies
  - C:\Windows\system32\vssadmin.exe (PID 4920)
    command line: C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
    - Interacts with shadow copies
  - C:\Windows\system32\vssadmin.exe (PID 776)
    command line: C:\Windows\system32\vssadmin.exe List Shadows
    - Interacts with shadow copies
- C:\Windows\system32\vssvc.exe (PID 3528)
  command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\explorer.exe (PID 3448)
  command line: explorer.exe
  - Boot or Logon Autostart Execution: Active Setup
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
Network

MITRE ATT&CK Enterprise v15

- Persistence
  - Boot or Logon Autostart Execution (2)
    - Active Setup (1)
    - Registry Run Keys / Startup Folder (1)
- Privilege Escalation
  - Boot or Logon Autostart Execution (2)
    - Active Setup (1)
    - Registry Run Keys / Startup Folder (1)
- Defense Evasion
  - Direct Volume Access (1)
  - Indicator Removal (2)
    - File Deletion (2)
  - Modify Registry (3)
- Credential Access
  - Credentials from Password Stores (1)
    - Credentials from Web Browsers (1)
  - Unsecured Credentials (1)
    - Credentials In Files (1)
Downloads

- Filesize: 54KB
  MD5: 4ca77a174ad61b28e1a796b480eed85f
  SHA1: ec61195cad0702730802d3e2b57d31b24495a2ea
  SHA256: 6412033e94c223166733d762508b28fc47a9b3cf5d493c246d5df95b030835ab
  SHA512: 8145d355869b970989f0a4aa73e2f14bb5bd34961eb107c9148c29d23fb029e0a43816a3a8f9614529619f22d65598aec95a12515e30b9b9659ed8ca3954ee43