troldesh | 2aab13d49b60001de3aa47fb8f7251a973faa7f3c53a3840cdf5fd0b26e9a09f

Analysis

max time kernel
90s
max time network
90s
platform
windows10-2004_x64
resource
win10v2004-20250313-en
resource tags

arch:x64arch:x86image:win10v2004-20250313-enlocale:en-usos:windows10-2004-x64system
submitted
21/03/2025, 20:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NoMoreRansom.exe
Size

1.4MB
MD5

63210f8f1dde6c40a7f3643ccf0ff313
SHA1

57edd72391d710d71bead504d44389d0462ccec9
SHA256

2aab13d49b60001de3aa47fb8f7251a973faa7f3c53a3840cdf5fd0b26e9a09f
SHA512

87a89e8ab85be150a783a9f8d41797cfa12f86fdccb48f2180c0498bfd2b1040b730dee4665fe2c83b98d436453680226051b7f1532e1c0e0cda0cf702e80a11
SSDEEP

12288:WZgSKWk54jeg6lL5assQHtzV2KoLJ+PwXxwuLSJ8slf1zMr6iL/KNDx2PIXe2Q:KgoLetlLS8tz6V+PwD0XVMrXCNDxtK

Score

10^/10

troldesh discovery persistence ransomware trojan upx

Malware Config

Signatures

Troldesh family
troldesh
Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.
ransomware trojan troldesh

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\""	NoMoreRansom.exe

Drops file in System32 directory 11 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.jfm	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.log	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jtx	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00001.jrs	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00002.jrs	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jcp	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSStmp.log	svchost.exe

UPX packed file 15 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1488-1-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1488-2-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1488-4-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1488-3-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1488-5-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1488-9-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1488-10-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1488-25-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1488-26-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1488-27-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1488-28-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1488-126-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1488-127-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1488-150-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1488-195-0x0000000000400000-0x00000000005DE000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NoMoreRansom.exe

Checks SCSI registry key(s) 3 TTPs 39 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	PaintStudio.View.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	PaintStudio.View.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	PaintStudio.View.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	PaintStudio.View.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	PaintStudio.View.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	PaintStudio.View.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	PaintStudio.View.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	PaintStudio.View.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	PaintStudio.View.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	PaintStudio.View.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	PaintStudio.View.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	PaintStudio.View.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	PaintStudio.View.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	PaintStudio.View.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	PaintStudio.View.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	PaintStudio.View.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	PaintStudio.View.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	PaintStudio.View.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	PaintStudio.View.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	PaintStudio.View.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	PaintStudio.View.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	PaintStudio.View.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	PaintStudio.View.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	PaintStudio.View.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	PaintStudio.View.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	PaintStudio.View.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	PaintStudio.View.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	PaintStudio.View.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	PaintStudio.View.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	PaintStudio.View.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	PaintStudio.View.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	PaintStudio.View.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	PaintStudio.View.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	PaintStudio.View.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	PaintStudio.View.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	PaintStudio.View.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies registry class 16 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\Content\CachePrefix	PaintStudio.View.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\Content\CacheVersion = "1"	PaintStudio.View.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\Content\CacheLimit = "51200"	PaintStudio.View.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CacheLimit = "1"	PaintStudio.View.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:"	PaintStudio.View.exe
Key created	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache	PaintStudio.View.exe
Key created	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings	PaintStudio.View.exe
Key created	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache	PaintStudio.View.exe
Key created	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\Cookies	PaintStudio.View.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\History\CacheLimit = "1"	PaintStudio.View.exe
Key created	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings\MuiCache	PaintStudio.View.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	PaintStudio.View.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CacheVersion = "1"	PaintStudio.View.exe
Key created	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\History	PaintStudio.View.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\History\CacheVersion = "1"	PaintStudio.View.exe
Key created	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\Content	PaintStudio.View.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2408	NOTEPAD.EXE

Suspicious behavior: AddClipboardFormatListener 3 IoCs

pid	Process
1100	PaintStudio.View.exe
4276	WINWORD.EXE
4276	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
1488	NoMoreRansom.exe
1488	NoMoreRansom.exe
1488	NoMoreRansom.exe
1488	NoMoreRansom.exe
5372	taskmgr.exe
5372	taskmgr.exe
5372	taskmgr.exe
5372	taskmgr.exe
5372	taskmgr.exe
5372	taskmgr.exe
5372	taskmgr.exe
5372	taskmgr.exe
5372	taskmgr.exe
5372	taskmgr.exe
5372	taskmgr.exe
5372	taskmgr.exe
5372	taskmgr.exe
5372	taskmgr.exe
5372	taskmgr.exe
5372	taskmgr.exe
5372	taskmgr.exe
5372	taskmgr.exe
5372	taskmgr.exe
5372	taskmgr.exe
5372	taskmgr.exe
5372	taskmgr.exe
5372	taskmgr.exe
3412	mspaint.exe
3412	mspaint.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	5372	taskmgr.exe
Token: SeSystemProfilePrivilege	5372	taskmgr.exe
Token: SeCreateGlobalPrivilege	5372	taskmgr.exe
Token: 33	5372	taskmgr.exe
Token: SeIncBasePriorityPrivilege	5372	taskmgr.exe
Token: SeDebugPrivilege	1100	PaintStudio.View.exe
Token: SeDebugPrivilege	1100	PaintStudio.View.exe
Token: SeDebugPrivilege	1100	PaintStudio.View.exe

Suspicious use of FindShellTrayWindow 49 IoCs

pid	Process
5372	taskmgr.exe
5372	taskmgr.exe
5372	taskmgr.exe
5372	taskmgr.exe
5372	taskmgr.exe
5372	taskmgr.exe
5372	taskmgr.exe
5372	taskmgr.exe
5372	taskmgr.exe
5372	taskmgr.exe
5372	taskmgr.exe
5372	taskmgr.exe
5372	taskmgr.exe
5372	taskmgr.exe
5372	taskmgr.exe
5372	taskmgr.exe
5372	taskmgr.exe
5372	taskmgr.exe
5372	taskmgr.exe
5372	taskmgr.exe
5372	taskmgr.exe
5372	taskmgr.exe
5372	taskmgr.exe
5372	taskmgr.exe
5372	taskmgr.exe
5372	taskmgr.exe
5372	taskmgr.exe
5372	taskmgr.exe
5372	taskmgr.exe
5372	taskmgr.exe
5372	taskmgr.exe
5372	taskmgr.exe
5372	taskmgr.exe
5372	taskmgr.exe
5372	taskmgr.exe
5372	taskmgr.exe
5372	taskmgr.exe
5372	taskmgr.exe
5372	taskmgr.exe
5372	taskmgr.exe
5372	taskmgr.exe
5372	taskmgr.exe
5372	taskmgr.exe
5372	taskmgr.exe
5372	taskmgr.exe
5372	taskmgr.exe
5372	taskmgr.exe
5372	taskmgr.exe
5372	taskmgr.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
5372	taskmgr.exe
5372	taskmgr.exe
5372	taskmgr.exe
5372	taskmgr.exe
5372	taskmgr.exe
5372	taskmgr.exe
5372	taskmgr.exe
5372	taskmgr.exe
5372	taskmgr.exe
5372	taskmgr.exe
5372	taskmgr.exe
5372	taskmgr.exe
5372	taskmgr.exe
5372	taskmgr.exe
5372	taskmgr.exe
5372	taskmgr.exe
5372	taskmgr.exe
5372	taskmgr.exe
5372	taskmgr.exe
5372	taskmgr.exe
5372	taskmgr.exe
5372	taskmgr.exe
5372	taskmgr.exe
5372	taskmgr.exe
5372	taskmgr.exe
5372	taskmgr.exe
5372	taskmgr.exe
5372	taskmgr.exe
5372	taskmgr.exe
5372	taskmgr.exe
5372	taskmgr.exe
5372	taskmgr.exe
5372	taskmgr.exe
5372	taskmgr.exe
5372	taskmgr.exe
5372	taskmgr.exe
5372	taskmgr.exe
5372	taskmgr.exe
5372	taskmgr.exe
5372	taskmgr.exe
5372	taskmgr.exe
5372	taskmgr.exe
5372	taskmgr.exe
5372	taskmgr.exe
5372	taskmgr.exe
5372	taskmgr.exe
5372	taskmgr.exe
5372	taskmgr.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
3412	mspaint.exe
1100	PaintStudio.View.exe
4276	WINWORD.EXE
4276	WINWORD.EXE
4276	WINWORD.EXE
4276	WINWORD.EXE
4276	WINWORD.EXE
4276	WINWORD.EXE
4276	WINWORD.EXE

C:\Users\Admin\AppData\Local\Temp\NoMoreRansom.exe
"C:\Users\Admin\AppData\Local\Temp\NoMoreRansom.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1488

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5372

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\InitializeUnprotect.jpeg" /ForceBootstrapPaint3D
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3412

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc
1⤵
- Drops file in System32 directory
PID:3540

C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe
"C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe"
1⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1100

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\UnregisterOpen.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:2408

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\RegisterTest.docx" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Windows\csrss.exe

Filesize
1.4MB

MD5
63210f8f1dde6c40a7f3643ccf0ff313

SHA1
57edd72391d710d71bead504d44389d0462ccec9

SHA256
2aab13d49b60001de3aa47fb8f7251a973faa7f3c53a3840cdf5fd0b26e9a09f

SHA512
87a89e8ab85be150a783a9f8d41797cfa12f86fdccb48f2180c0498bfd2b1040b730dee4665fe2c83b98d436453680226051b7f1532e1c0e0cda0cf702e80a11

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\LocalState\Projects\Projects.json

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\LocalState\Projects\Projects.json

Filesize
237B

MD5
b69f7c8c9acbcc89e41203beded2b074

SHA1
ad2cb77f4f15572842f473467aac13bde6185545

SHA256
0c244e14c17c9d2710b32307fcc71736dfeb29419854c648cb263c2527979051

SHA512
9f0a94b90e22c9904fe8f440b6a6ac5876b9055d52fce418ef362cb1b4da147a1f8af29a0a249cf407ec1b38c571615cb8b90292e1fbae8aef145fb95335c182

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\LocalState\Projects\Projects.json

Filesize
238B

MD5
c70fe1f32525045ec5c952500c7b6ab2

SHA1
d1766f31a834b713e8504ab5c3d608181c7902d3

SHA256
6c690ca8d6a9434274eaa244a732a3b7cd9d5ea554e7af00a23611bc874983bb

SHA512
69d108c3d7189b7850232e29499ab2bc8f1e92fd8415ee043a6fc773afa8bd8eb4f5705427dfed89da4e8f19604444dea02950d445b56b8609eb29dc5e39ef9b

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\LocalState\cloudCommunitySettings.json

Filesize
2KB

MD5
f4e4a03ebd0ab3a953c56a300d61d223

SHA1
97a9acf22c3bdd6989d7c120c21077c4d5a9a80e

SHA256
52bfb22aa2d7b0ce083d312fb8fa8dcda3063207186f99fc259aebd9064cbedc

SHA512
12aa71eea45720a4d7d057da0b662635671e4cd165ad2e0d30a3d2a43950b47dd60c26c1bbbe049418f815850e571b8d93e4c8b8cbbd686abc3cf7926ba719c2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
321B

MD5
2606beb7c2fb79a5e2fd4256ddfb1bfe

SHA1
656ea2957c07e4322f4231d52e208dc2473e55f3

SHA256
75af2f84323cb1e73270787cdf61d44d00303b7d8a1160836875b42a21f0918b

SHA512
9d6de9cf92bc26d487745e1350b379364a037b4df2037b368a91928341cc7f50d268a51f04d246a5a69a0584fc4ebd005226cd9cf2f121c8098dd6fd48c93eb1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

Filesize
12B

MD5
f6f801e5b0502f5e803ed826dd37ae44

SHA1
273e87aa518397186653443c0c3e81d574361708

SHA256
e7bcd23ba708556ee69f96050dc7e74f9dab95825bfab48bcea7fd8fac482fd1

SHA512
8fe0217b9c7f9331664dc4259c7924b9c7e5e145f0b795ec98d713e41a2e3d001014b3ac41071fe41447632ddbfbbefc8c7d6de8fa9faeca455a0a78575e5584

Download Submit
memory/1488-195-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1488-26-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1488-9-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1488-150-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1488-5-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1488-0-0x00000000023B0000-0x000000000247E000-memory.dmp

Filesize
824KB

Download
memory/1488-127-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1488-126-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1488-3-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1488-4-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1488-2-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1488-1-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1488-25-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1488-10-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1488-27-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1488-28-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3540-29-0x000001383DBC0000-0x000001383DBD0000-memory.dmp

Filesize
64KB

Download
memory/3540-33-0x000001383E360000-0x000001383E370000-memory.dmp

Filesize
64KB

Download
memory/3540-40-0x0000013846EB0000-0x0000013846EB1000-memory.dmp

Filesize
4KB

Download
memory/3540-42-0x0000013846F30000-0x0000013846F31000-memory.dmp

Filesize
4KB

Download
memory/3540-44-0x0000013846F30000-0x0000013846F31000-memory.dmp

Filesize
4KB

Download
memory/3540-45-0x0000013846FC0000-0x0000013846FC1000-memory.dmp

Filesize
4KB

Download
memory/3540-46-0x0000013846FC0000-0x0000013846FC1000-memory.dmp

Filesize
4KB

Download
memory/3540-47-0x0000013846FD0000-0x0000013846FD1000-memory.dmp

Filesize
4KB

Download
memory/3540-48-0x0000013846FD0000-0x0000013846FD1000-memory.dmp

Filesize
4KB

Download
memory/4276-130-0x00007FFA35E10000-0x00007FFA35E20000-memory.dmp

Filesize
64KB

Download
memory/4276-133-0x00007FFA33890000-0x00007FFA338A0000-memory.dmp

Filesize
64KB

Download
memory/4276-191-0x00007FFA35E10000-0x00007FFA35E20000-memory.dmp

Filesize
64KB

Download
memory/4276-194-0x00007FFA35E10000-0x00007FFA35E20000-memory.dmp

Filesize
64KB

Download
memory/4276-193-0x00007FFA35E10000-0x00007FFA35E20000-memory.dmp

Filesize
64KB

Download
memory/4276-192-0x00007FFA35E10000-0x00007FFA35E20000-memory.dmp

Filesize
64KB

Download
memory/4276-128-0x00007FFA35E10000-0x00007FFA35E20000-memory.dmp

Filesize
64KB

Download
memory/4276-134-0x00007FFA33890000-0x00007FFA338A0000-memory.dmp

Filesize
64KB

Download
memory/4276-129-0x00007FFA35E10000-0x00007FFA35E20000-memory.dmp

Filesize
64KB

Download
memory/4276-131-0x00007FFA35E10000-0x00007FFA35E20000-memory.dmp

Filesize
64KB

Download
memory/4276-132-0x00007FFA35E10000-0x00007FFA35E20000-memory.dmp

Filesize
64KB

Download
memory/5372-17-0x000002648DF10000-0x000002648DF11000-memory.dmp

Filesize
4KB

Download
memory/5372-22-0x000002648DF10000-0x000002648DF11000-memory.dmp

Filesize
4KB

Download
memory/5372-23-0x000002648DF10000-0x000002648DF11000-memory.dmp

Filesize
4KB

Download
memory/5372-13-0x000002648DF10000-0x000002648DF11000-memory.dmp

Filesize
4KB

Download
memory/5372-11-0x000002648DF10000-0x000002648DF11000-memory.dmp

Filesize
4KB

Download
memory/5372-21-0x000002648DF10000-0x000002648DF11000-memory.dmp

Filesize
4KB

Download
memory/5372-20-0x000002648DF10000-0x000002648DF11000-memory.dmp

Filesize
4KB

Download
memory/5372-19-0x000002648DF10000-0x000002648DF11000-memory.dmp

Filesize
4KB

Download
memory/5372-18-0x000002648DF10000-0x000002648DF11000-memory.dmp

Filesize
4KB

Download
memory/5372-12-0x000002648DF10000-0x000002648DF11000-memory.dmp

Filesize
4KB

Download