Resubmissions
26/02/2025, 17:13
250226-vrvmrsxky4 10Analysis
-
max time kernel
123s -
max time network
135s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
23/02/2025, 00:49
Static task
static1
1 signatures
windows7-x64
15 signatures
300 seconds
windows10-2004-x64
7 signatures
300 seconds
General
-
Target
-
Size
1.4MB
-
MD5
63210f8f1dde6c40a7f3643ccf0ff313
-
SHA1
57edd72391d710d71bead504d44389d0462ccec9
-
SHA256
2aab13d49b60001de3aa47fb8f7251a973faa7f3c53a3840cdf5fd0b26e9a09f
-
SHA512
87a89e8ab85be150a783a9f8d41797cfa12f86fdccb48f2180c0498bfd2b1040b730dee4665fe2c83b98d436453680226051b7f1532e1c0e0cda0cf702e80a11
-
SSDEEP
12288:WZgSKWk54jeg6lL5assQHtzV2KoLJ+PwXxwuLSJ8slf1zMr6iL/KNDx2PIXe2Q:KgoLetlLS8tz6V+PwD0XVMrXCNDxtK
Score
10/10
Malware Config
Signatures
-
Troldesh family
-
Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\"" [email protected] -
resource yara_rule behavioral1/memory/2272-2-0x0000000000400000-0x00000000005DE000-memory.dmp upx behavioral1/memory/2272-1-0x0000000000400000-0x00000000005DE000-memory.dmp upx behavioral1/memory/2272-0-0x0000000000400000-0x00000000005DE000-memory.dmp upx behavioral1/memory/2272-6-0x0000000000400000-0x00000000005DE000-memory.dmp upx behavioral1/memory/2272-9-0x0000000000400000-0x00000000005DE000-memory.dmp upx -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language [email protected] -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_Classes\Local Settings rundll32.exe -
Opens file in notepad (likely ransom note) 1 IoCs
pid Process 2684 NOTEPAD.EXE -
Suspicious behavior: EnumeratesProcesses 18 IoCs
pid Process 2272 [email protected] 2272 [email protected] 2804 taskmgr.exe 2804 taskmgr.exe 2804 taskmgr.exe 2804 taskmgr.exe 2804 taskmgr.exe 2804 taskmgr.exe 2804 taskmgr.exe 2804 taskmgr.exe 2804 taskmgr.exe 2804 taskmgr.exe 2804 taskmgr.exe 2804 taskmgr.exe 2804 taskmgr.exe 2804 taskmgr.exe 2804 taskmgr.exe 2804 taskmgr.exe -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid Process 2804 taskmgr.exe 304 rundll32.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2804 taskmgr.exe -
Suspicious use of FindShellTrayWindow 42 IoCs
pid Process 2804 taskmgr.exe 2804 taskmgr.exe 2804 taskmgr.exe 2804 taskmgr.exe 2804 taskmgr.exe 2804 taskmgr.exe 2804 taskmgr.exe 2804 taskmgr.exe 2804 taskmgr.exe 2804 taskmgr.exe 2804 taskmgr.exe 2804 taskmgr.exe 2804 taskmgr.exe 2804 taskmgr.exe 2804 taskmgr.exe 2804 taskmgr.exe 2804 taskmgr.exe 2804 taskmgr.exe 2804 taskmgr.exe 2804 taskmgr.exe 2804 taskmgr.exe 2804 taskmgr.exe 2804 taskmgr.exe 2804 taskmgr.exe 2804 taskmgr.exe 2804 taskmgr.exe 2804 taskmgr.exe 2804 taskmgr.exe 2804 taskmgr.exe 2804 taskmgr.exe 2804 taskmgr.exe 2804 taskmgr.exe 2804 taskmgr.exe 2804 taskmgr.exe 2804 taskmgr.exe 2804 taskmgr.exe 2804 taskmgr.exe 2804 taskmgr.exe 2804 taskmgr.exe 2804 taskmgr.exe 2804 taskmgr.exe 2804 taskmgr.exe -
Suspicious use of SendNotifyMessage 42 IoCs
pid Process 2804 taskmgr.exe 2804 taskmgr.exe 2804 taskmgr.exe 2804 taskmgr.exe 2804 taskmgr.exe 2804 taskmgr.exe 2804 taskmgr.exe 2804 taskmgr.exe 2804 taskmgr.exe 2804 taskmgr.exe 2804 taskmgr.exe 2804 taskmgr.exe 2804 taskmgr.exe 2804 taskmgr.exe 2804 taskmgr.exe 2804 taskmgr.exe 2804 taskmgr.exe 2804 taskmgr.exe 2804 taskmgr.exe 2804 taskmgr.exe 2804 taskmgr.exe 2804 taskmgr.exe 2804 taskmgr.exe 2804 taskmgr.exe 2804 taskmgr.exe 2804 taskmgr.exe 2804 taskmgr.exe 2804 taskmgr.exe 2804 taskmgr.exe 2804 taskmgr.exe 2804 taskmgr.exe 2804 taskmgr.exe 2804 taskmgr.exe 2804 taskmgr.exe 2804 taskmgr.exe 2804 taskmgr.exe 2804 taskmgr.exe 2804 taskmgr.exe 2804 taskmgr.exe 2804 taskmgr.exe 2804 taskmgr.exe 2804 taskmgr.exe -
Suspicious use of UnmapMainImage 1 IoCs
pid Process 2272 [email protected] -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 304 wrote to memory of 2684 304 rundll32.exe 35 PID 304 wrote to memory of 2684 304 rundll32.exe 35 PID 304 wrote to memory of 2684 304 rundll32.exe 35
Processes
-
C:\Users\Admin\AppData\Local\Temp\[email protected]"C:\Users\Admin\AppData\Local\Temp\[email protected]"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
PID:2272
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2804
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\DisableLimit.kix1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:304 -
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\DisableLimit.kix2⤵
- Opens file in notepad (likely ransom note)
PID:2684
-