Overview

overview

10

Static

static

3

Endermanch...om.exe

windows7-x64

10

Endermanch...om.exe

windows10-2004-x64

10

Resubmissions

26/02/2025, 17:13

250226-vrvmrsxky4 10

Analysis

  • max time kernel
    80s
  • max time network
    84s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250217-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26/02/2025, 17:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    [email protected]

  • Size

    1.4MB

  • MD5

    63210f8f1dde6c40a7f3643ccf0ff313

  • SHA1

    57edd72391d710d71bead504d44389d0462ccec9

  • SHA256

    2aab13d49b60001de3aa47fb8f7251a973faa7f3c53a3840cdf5fd0b26e9a09f

  • SHA512

    87a89e8ab85be150a783a9f8d41797cfa12f86fdccb48f2180c0498bfd2b1040b730dee4665fe2c83b98d436453680226051b7f1532e1c0e0cda0cf702e80a11

  • SSDEEP

    12288:WZgSKWk54jeg6lL5assQHtzV2KoLJ+PwXxwuLSJ8slf1zMr6iL/KNDx2PIXe2Q:KgoLetlLS8tz6V+PwD0XVMrXCNDxtK

Score
10/10
troldeshdiscoverypersistenceprivilege_escalationransomwaretrojanupx

Malware Config

Signatures

  • Troldesh family
    troldesh
  • Troldesh, Shade, Encoder.858

    Troldesh is a ransomware spread by malspam.

    ransomwaretrojantroldesh
  • Event Triggered Execution: Component Object Model Hijacking 1 TTPs

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    persistenceprivilege_escalation
  • Modifies system executable filetype association 2 TTPs 2 IoCs
    persistence
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • UPX packed file 14 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 17 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 38 IoCs
  • Suspicious use of SendNotifyMessage 38 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\[email protected]
    "C:\Users\Admin\AppData\Local\Temp\[email protected]"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    PID:2104
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:3028
    • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe
      "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"
      1⤵
      • Modifies system executable filetype association
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:3740
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault63c66fe7h7940h4919h8233h2cabaf256cce
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:4052
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7fffc4bf46f8,0x7fffc4bf4708,0x7fffc4bf4718
        2⤵
          PID:3900
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,17590749715553764868,12638972617096604953,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2076 /prefetch:2
          2⤵
            PID:728
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,17590749715553764868,12638972617096604953,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:3
            2⤵
            • Suspicious behavior: EnumeratesProcesses
            PID:2856
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,17590749715553764868,12638972617096604953,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2720 /prefetch:8
            2⤵
              PID:3596
          • C:\Windows\System32\CompPkgSrv.exe
            C:\Windows\System32\CompPkgSrv.exe -Embedding
            1⤵
              PID:5124
            • C:\Windows\System32\CompPkgSrv.exe
              C:\Windows\System32\CompPkgSrv.exe -Embedding
              1⤵
                PID:5232
              • C:\Windows\system32\taskmgr.exe
                "C:\Windows\system32\taskmgr.exe" /6
                1⤵
                • Checks SCSI registry key(s)
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of FindShellTrayWindow
                • Suspicious use of SendNotifyMessage
                PID:5376

              Network

              MITRE ATT&CK Enterprise v15

              Reconnaissance

              Resource Development

              Initial Access

              Execution

              Persistence

              Boot or Logon Autostart Execution

              1
              T1547

              Registry Run Keys / Startup Folder

              1
              T1547.001

              Event Triggered Execution

              2
              T1546

              Change Default File Association

              1
              T1546.001

              Component Object Model Hijacking

              1
              T1546.015

              Privilege Escalation

              Boot or Logon Autostart Execution

              1
              T1547

              Registry Run Keys / Startup Folder

              1
              T1547.001

              Event Triggered Execution

              2
              T1546

              Change Default File Association

              1
              T1546.001

              Component Object Model Hijacking

              1
              T1546.015

              Defense Evasion

              Modify Registry

              3
              T1112

              Credential Access

              Discovery

              Browser Information Discovery

              1
              T1217

              Peripheral Device Discovery

              1
              T1120

              Query Registry

              2
              T1012

              System Information Discovery

              3
              T1082

              System Location Discovery

              1
              T1614

              System Language Discovery

              1
              T1614.001

              Lateral Movement

              Collection

              Command and Control

              Exfiltration

              Impact

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                Filesize

                152B

                MD5

                0621e31d12b6e16ab28de3e74462a4ce

                SHA1

                0af6f056aff6edbbc961676656d8045cbe1be12b

                SHA256

                1fd3365fdb49f26471ce9e348ce54c9bc7b66230118302b32074029d88fb6030

                SHA512

                bf0aa5b97023e19013d01abd3387d074cdd5b57f98ec4b0241058b39f9255a7bbab296dce8617f3368601a3d751a6a66dc207d8dd3fc1cba9cac5f98e3127f6f

                Download Submit

              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
                Filesize

                61B

                MD5

                4df4574bfbb7e0b0bc56c2c9b12b6c47

                SHA1

                81efcbd3e3da8221444a21f45305af6fa4b71907

                SHA256

                e1b77550222c2451772c958e44026abe518a2c8766862f331765788ddd196377

                SHA512

                78b14f60f2d80400fe50360cf303a961685396b7697775d078825a29b717081442d357c2039ad0984d4b622976b0314ede8f478cde320daec118da546cb0682a

                Download Submit

              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                Filesize

                6KB

                MD5

                f83e03a0e1cf0359bc831100c69e93ef

                SHA1

                0a49c6d157ab597b7cf98be6690b0e6b7d38ab49

                SHA256

                43c80dc501a9b4d34dae3b523fbca2edca89291d6e799e7369187fab178ebb91

                SHA512

                82207a257981f3346afa7b93ff1e27d52be30cde23ad0c64ec89712ec5e9006c6e777fc786928ba444b8afcbbea2771bc591ddf2ececc3a2e542a1fe236fd317

                Download Submit

              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                Filesize

                8KB

                MD5

                c8c4d60945ab662ace81cb1be92e24be

                SHA1

                a990a6150f855425d18b3048359044e649094c38

                SHA256

                1f5d8ad360f7dc77343496ea17102790306fac875238cf670cb0430dc0f220ce

                SHA512

                7c73a6717a9a439430cb54b0137477afa5d778be55b19f97626808e7786cd1bf00d9d3b210cb1b4aa27c058bf4cd6846c6d9485d40c48e27076a8df5542bf1bd

                Download Submit

              • memory/2104-10-0x0000000000400000-0x00000000005DE000-memory.dmp

                Filesize

                1.9MB

                Download

              • memory/2104-85-0x0000000000400000-0x00000000005DE000-memory.dmp

                Filesize

                1.9MB

                Download

              • memory/2104-0-0x0000000002380000-0x000000000244E000-memory.dmp

                Filesize

                824KB

                Download

              • memory/2104-11-0x0000000000400000-0x00000000005DE000-memory.dmp

                Filesize

                1.9MB

                Download

              • memory/2104-12-0x0000000000400000-0x00000000005DE000-memory.dmp

                Filesize

                1.9MB

                Download

              • memory/2104-28-0x0000000000400000-0x00000000005DE000-memory.dmp

                Filesize

                1.9MB

                Download

              • memory/2104-29-0x0000000000400000-0x00000000005DE000-memory.dmp

                Filesize

                1.9MB

                Download

              • memory/2104-32-0x0000000000400000-0x00000000005DE000-memory.dmp

                Filesize

                1.9MB

                Download

              • memory/2104-5-0x0000000000400000-0x00000000005DE000-memory.dmp

                Filesize

                1.9MB

                Download

              • memory/2104-3-0x0000000000400000-0x00000000005DE000-memory.dmp

                Filesize

                1.9MB

                Download

              • memory/2104-4-0x0000000000400000-0x00000000005DE000-memory.dmp

                Filesize

                1.9MB

                Download

              • memory/2104-2-0x0000000000400000-0x00000000005DE000-memory.dmp

                Filesize

                1.9MB

                Download

              • memory/2104-1-0x0000000000400000-0x00000000005DE000-memory.dmp

                Filesize

                1.9MB

                Download

              • memory/2104-9-0x0000000000400000-0x00000000005DE000-memory.dmp

                Filesize

                1.9MB

                Download

              • memory/2104-99-0x0000000000400000-0x00000000005DE000-memory.dmp

                Filesize

                1.9MB

                Download

              • memory/5376-87-0x00000131212F0000-0x00000131212F1000-memory.dmp

                Filesize

                4KB

                Download

              • memory/5376-88-0x00000131212F0000-0x00000131212F1000-memory.dmp

                Filesize

                4KB

                Download

              • memory/5376-94-0x00000131212F0000-0x00000131212F1000-memory.dmp

                Filesize

                4KB

                Download

              • memory/5376-98-0x00000131212F0000-0x00000131212F1000-memory.dmp

                Filesize

                4KB

                Download

              • memory/5376-96-0x00000131212F0000-0x00000131212F1000-memory.dmp

                Filesize

                4KB

                Download

              • memory/5376-97-0x00000131212F0000-0x00000131212F1000-memory.dmp

                Filesize

                4KB

                Download

              • memory/5376-95-0x00000131212F0000-0x00000131212F1000-memory.dmp

                Filesize

                4KB

                Download

              • memory/5376-93-0x00000131212F0000-0x00000131212F1000-memory.dmp

                Filesize

                4KB

                Download

              • memory/5376-92-0x00000131212F0000-0x00000131212F1000-memory.dmp

                Filesize

                4KB

                Download

              • memory/5376-86-0x00000131212F0000-0x00000131212F1000-memory.dmp

                Filesize

                4KB

                Download