Resubmissions
17-04-2024 15:10
240417-skjktade45 1017-04-2024 15:10
240417-skhzaade44 1017-04-2024 15:10
240417-skhcrafa4s 1017-04-2024 15:10
240417-skgq8ade42 1017-04-2024 15:10
240417-skgffsde39 1015-04-2024 12:57
240415-p6157shb6w 1015-04-2024 12:56
240415-p6n6mshb5y 1015-04-2024 12:56
240415-p6ft9seh37 1015-04-2024 12:56
240415-p6exzaeh36 1015-04-2024 12:56
240415-p6d1nseh34 10Analysis
-
max time kernel
1191s -
max time network
1170s -
platform
windows10-2004_x64 -
resource
win10v2004-20240412-en -
resource tags
-
submitted
17-04-2024 15:10
General
-
Target
02e8c7af3724ff535da627197920ad14.exe
-
Size
1.2MB
-
MD5
02e8c7af3724ff535da627197920ad14
-
SHA1
794bd6f52a9673e1146321fa2545c580858c0d5f
-
SHA256
ed801a3e54843afe989aadd69cdab5e6fbf00e8e02742f354519b4b16de8f31c
-
SHA512
8a8710ffced04c30f5c43c71ebcbcf56f7b096836f67d1a847db4a8df4f39e291f3e7119f45f03fa1ca0abd0021f81abd31bb775fa22fe2340c1cf24f19f2555
-
SSDEEP
24576:XHtrdKYVVSrqGDohJ3STZG8vIn/sCBGnWsY0Dyk:XHtV7GwBSTc8An/4YFk
Malware Config
Signatures
-
Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX packed file 64 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Interacts with shadow copies 2 TTPs 3 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Modifies Internet Explorer settings 1 TTPs 10 IoCs
-
Modifies registry class 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of SetWindowsHookEx 5 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\02e8c7af3724ff535da627197920ad14.exe"C:\Users\Admin\AppData\Local\Temp\02e8c7af3724ff535da627197920ad14.exe"1⤵
- Adds Run key to start application
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exeC:\Windows\system32\vssadmin.exe List Shadows2⤵
- Interacts with shadow copies
-
C:\Windows\system32\vssadmin.exeC:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet2⤵
- Interacts with shadow copies
-
C:\Windows\system32\vssadmin.exeC:\Windows\system32\vssadmin.exe List Shadows2⤵
- Interacts with shadow copies
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\System32\xfsFilesize
56KB
MD5377490d894abc657c01ba95f80624a3c
SHA117f516f660b4f241cd98ffe85f9a82acf916d244
SHA2567148e23f14c52d85e13870d73943b5a3f70812b7dc26c982f5cf99b197d00e05
SHA51247aa1b8817afdfbb9d77f97d14bda754d049cdd3f3f2c387c3343a117c66be848cc54b574bf381ba8b13336064f456ba2be11c4926fa3bbe97e60d1330c00a99
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\NALEMIPE\microsoft.windows[1].xmlFilesize
97B
MD51a0f82abef3a73cb99d7b8525f3c3607
SHA11214cadfc29b44294ad9e84ba3d5cb3636bf94fc
SHA256033af9335ae530eb0f7e399361d9a8fccc2a0cf141a1977f81c6314f9300f61c
SHA512ef30655d62d1a00986fcfbec2a3813306f8971113dca0f54a17c36b53c385aab405d3f5065b1aa4a241fa146d0e057512232684626cf2830dc559c82d6739d55
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133578635813514778.txtFilesize
2KB
MD5ecaea544af9da1114077b951d8cb520d
SHA15820b2d71e7b2543cf1804eb91716c4e9f732fde
SHA2569117b26ab2c8fdbb8223fe1f2d1770c50a6cf0d9849a5849d6aebcbe90435be6
SHA512dc7bedbc581818011aa2d313429f234b12e5e9cf320b02b8d7ceeaf9cdc1c921ffc51af7f4080b02740f2d2146fbb006ccbf37cdcba3e3a10009142daffdb919
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\TempState\CortanaUnifiedTileModelCache.datFilesize
1KB
MD59fcc398bc87c2aa1e8558cf8f88c0f8a
SHA193a92dd50a5834d29d8257d2ab19ef744533ab60
SHA256b8a10cca892477d84d03a204e49e60554d172a232a7fa90619129493e2615b11
SHA5126334863781b3ec575afa83e941aeb174b261a7371f927b0e248881ce1a1f6f917faafe895d2c6807f90d7d1c1b5215fea2607576e3af542b3c725bf333d332f6
-
memory/3900-0-0x00000000022B0000-0x0000000002385000-memory.dmpFilesize
852KB
-
memory/3900-1-0x0000000000400000-0x0000000000608000-memory.dmpFilesize
2.0MB
-
memory/3900-2-0x0000000000400000-0x0000000000608000-memory.dmpFilesize
2.0MB
-
memory/3900-3-0x0000000000400000-0x0000000000608000-memory.dmpFilesize
2.0MB
-
memory/3900-4-0x0000000000400000-0x0000000000608000-memory.dmpFilesize
2.0MB
-
memory/3900-5-0x0000000000400000-0x0000000000608000-memory.dmpFilesize
2.0MB
-
memory/3900-8-0x0000000000400000-0x0000000000608000-memory.dmpFilesize
2.0MB
-
memory/3900-11-0x0000000000400000-0x0000000000608000-memory.dmpFilesize
2.0MB
-
memory/3900-12-0x0000000000400000-0x0000000000608000-memory.dmpFilesize
2.0MB
-
memory/3900-13-0x00000000022B0000-0x0000000002385000-memory.dmpFilesize
852KB
-
memory/3900-14-0x0000000000400000-0x0000000000608000-memory.dmpFilesize
2.0MB
-
memory/3900-15-0x0000000000400000-0x0000000000608000-memory.dmpFilesize
2.0MB
-
memory/3900-16-0x0000000000400000-0x0000000000608000-memory.dmpFilesize
2.0MB
-
memory/3900-17-0x0000000000400000-0x0000000000608000-memory.dmpFilesize
2.0MB
-
memory/3900-18-0x0000000000400000-0x0000000000608000-memory.dmpFilesize
2.0MB
-
memory/3900-21-0x0000000000400000-0x0000000000608000-memory.dmpFilesize
2.0MB
-
memory/3900-22-0x0000000000400000-0x0000000000608000-memory.dmpFilesize
2.0MB
-
memory/3900-23-0x0000000000400000-0x0000000000608000-memory.dmpFilesize
2.0MB
-
memory/3900-24-0x0000000000400000-0x0000000000608000-memory.dmpFilesize
2.0MB
-
memory/3900-25-0x0000000000400000-0x0000000000608000-memory.dmpFilesize
2.0MB
-
memory/3900-26-0x0000000000400000-0x0000000000608000-memory.dmpFilesize
2.0MB
-
memory/3900-27-0x0000000000400000-0x0000000000608000-memory.dmpFilesize
2.0MB
-
memory/3900-28-0x0000000000400000-0x0000000000608000-memory.dmpFilesize
2.0MB
-
memory/3900-29-0x0000000000400000-0x0000000000608000-memory.dmpFilesize
2.0MB
-
memory/3900-30-0x0000000000400000-0x0000000000608000-memory.dmpFilesize
2.0MB
-
memory/3900-31-0x0000000000400000-0x0000000000608000-memory.dmpFilesize
2.0MB
-
memory/3900-32-0x0000000000400000-0x0000000000608000-memory.dmpFilesize
2.0MB
-
memory/3900-33-0x0000000000400000-0x0000000000608000-memory.dmpFilesize
2.0MB
-
memory/3900-34-0x0000000000400000-0x0000000000608000-memory.dmpFilesize
2.0MB
-
memory/3900-35-0x0000000000400000-0x0000000000608000-memory.dmpFilesize
2.0MB
-
memory/3900-36-0x0000000000400000-0x0000000000608000-memory.dmpFilesize
2.0MB
-
memory/3900-37-0x0000000000400000-0x0000000000608000-memory.dmpFilesize
2.0MB
-
memory/3900-38-0x0000000000400000-0x0000000000608000-memory.dmpFilesize
2.0MB
-
memory/3900-39-0x0000000000400000-0x0000000000608000-memory.dmpFilesize
2.0MB
-
memory/3900-40-0x0000000000400000-0x0000000000608000-memory.dmpFilesize
2.0MB
-
memory/3900-41-0x0000000000400000-0x0000000000608000-memory.dmpFilesize
2.0MB
-
memory/3900-42-0x0000000000400000-0x0000000000608000-memory.dmpFilesize
2.0MB
-
memory/3900-43-0x0000000000400000-0x0000000000608000-memory.dmpFilesize
2.0MB
-
memory/3900-44-0x0000000000400000-0x0000000000608000-memory.dmpFilesize
2.0MB
-
memory/3900-45-0x0000000000400000-0x0000000000608000-memory.dmpFilesize
2.0MB
-
memory/3900-46-0x0000000000400000-0x0000000000608000-memory.dmpFilesize
2.0MB
-
memory/3900-47-0x0000000000400000-0x0000000000608000-memory.dmpFilesize
2.0MB
-
memory/3900-48-0x0000000000400000-0x0000000000608000-memory.dmpFilesize
2.0MB
-
memory/3900-49-0x0000000000400000-0x0000000000608000-memory.dmpFilesize
2.0MB
-
memory/3900-50-0x0000000000400000-0x0000000000608000-memory.dmpFilesize
2.0MB
-
memory/3900-51-0x0000000000400000-0x0000000000608000-memory.dmpFilesize
2.0MB
-
memory/3900-52-0x0000000000400000-0x0000000000608000-memory.dmpFilesize
2.0MB
-
memory/3900-53-0x0000000000400000-0x0000000000608000-memory.dmpFilesize
2.0MB
-
memory/3900-54-0x0000000000400000-0x0000000000608000-memory.dmpFilesize
2.0MB
-
memory/3900-55-0x0000000000400000-0x0000000000608000-memory.dmpFilesize
2.0MB
-
memory/3900-56-0x0000000000400000-0x0000000000608000-memory.dmpFilesize
2.0MB
-
memory/3900-57-0x0000000000400000-0x0000000000608000-memory.dmpFilesize
2.0MB
-
memory/3900-58-0x0000000000400000-0x0000000000608000-memory.dmpFilesize
2.0MB
-
memory/3900-59-0x0000000000400000-0x0000000000608000-memory.dmpFilesize
2.0MB
-
memory/3900-60-0x0000000000400000-0x0000000000608000-memory.dmpFilesize
2.0MB
-
memory/3900-61-0x0000000000400000-0x0000000000608000-memory.dmpFilesize
2.0MB
-
memory/3900-62-0x0000000000400000-0x0000000000608000-memory.dmpFilesize
2.0MB
-
memory/3900-63-0x0000000000400000-0x0000000000608000-memory.dmpFilesize
2.0MB
-
memory/3900-64-0x0000000000400000-0x0000000000608000-memory.dmpFilesize
2.0MB
-
memory/3900-65-0x0000000000400000-0x0000000000608000-memory.dmpFilesize
2.0MB
-
memory/3900-66-0x0000000000400000-0x0000000000608000-memory.dmpFilesize
2.0MB
-
memory/3900-67-0x0000000000400000-0x0000000000608000-memory.dmpFilesize
2.0MB
-
memory/3900-68-0x0000000000400000-0x0000000000608000-memory.dmpFilesize
2.0MB
-
memory/3900-69-0x0000000000400000-0x0000000000608000-memory.dmpFilesize
2.0MB
-
memory/3900-70-0x0000000000400000-0x0000000000608000-memory.dmpFilesize
2.0MB
-
memory/3900-71-0x0000000000400000-0x0000000000608000-memory.dmpFilesize
2.0MB
-
memory/3900-72-0x0000000000400000-0x0000000000608000-memory.dmpFilesize
2.0MB