Analysis

  • max time kernel
    54s
  • max time network
    56s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    02-07-2024 18:08

Errors

Reason
Machine shutdown

General

  • Target

    NoMoreRansom.exe

  • Size

    1.4MB

  • MD5

    63210f8f1dde6c40a7f3643ccf0ff313

  • SHA1

    57edd72391d710d71bead504d44389d0462ccec9

  • SHA256

    2aab13d49b60001de3aa47fb8f7251a973faa7f3c53a3840cdf5fd0b26e9a09f

  • SHA512

    87a89e8ab85be150a783a9f8d41797cfa12f86fdccb48f2180c0498bfd2b1040b730dee4665fe2c83b98d436453680226051b7f1532e1c0e0cda0cf702e80a11

  • SSDEEP

    12288:WZgSKWk54jeg6lL5assQHtzV2KoLJ+PwXxwuLSJ8slf1zMr6iL/KNDx2PIXe2Q:KgoLetlLS8tz6V+PwD0XVMrXCNDxtK

Malware Config

Signatures

  • Troldesh, Shade, Encoder.858

    Troldesh is a ransomware spread by malspam.

  • UPX packed file 11 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies Internet Explorer settings 1 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 15 IoCs
  • Modifies registry class 12 IoCs
  • Suspicious behavior: AddClipboardFormatListener 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 29 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 16 IoCs
  • Suspicious use of SendNotifyMessage 15 IoCs
  • Suspicious use of SetWindowsHookEx 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NoMoreRansom.exe
    "C:\Users\Admin\AppData\Local\Temp\NoMoreRansom.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    PID:3336
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:1804
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Downloads\CheckpointRedo.doc" /o ""
      1⤵
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:952
    • C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Downloads\FindSet.mp3"
      1⤵
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:4796
    • C:\Windows\system32\mspaint.exe
      "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\ApproveLimit.png" /ForceBootstrapPaint3D
      1⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:3916
    • C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe
      "C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe" -ServerName:Microsoft.MSPaint.AppX437q68k2qc2asvaagas2prv9tjej6ja9.mca
      1⤵
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:4100
    • C:\Windows\system32\LogonUI.exe
      "LogonUI.exe" /flags:0x0 /state0:0xa3af9855 /state1:0x41c64e6d
      1⤵
      • Modifies data under HKEY_USERS
      • Suspicious use of SetWindowsHookEx
      PID:4916

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    • Persistence
      Boot or Logon Autostart Execution (T1547): 1
      Registry Run Keys / Startup Folder (T1547.001): 1
    • Privilege Escalation
      Boot or Logon Autostart Execution (T1547): 1
      Registry Run Keys / Startup Folder (T1547.001): 1
    • Defense Evasion
      Modify Registry (T1112): 2
    • Discovery
      System Information Discovery (T1082): 3
      Query Registry (T1012): 2

    Downloads

    • C:\Users\Admin\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\LocalState\Projects\Projects.json
      Filesize

      2B

      MD5

      d751713988987e9331980363e24189ce

      SHA1

      97d170e1550eee4afc0af065b78cda302a97674c

      SHA256

      4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

      SHA512

      b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

    • C:\Users\Admin\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\LocalState\Projects\Projects.json
      Filesize

      233B

      MD5

      f94d020ba64fe23ab4a1397304e2de1a

      SHA1

      baa741f4bd2a2215eacd453cf5b3f4eaf48105d9

      SHA256

      848723119d02a0a9b9aec6f3ec711f8ac6e7240034bcb4074f478b8e2298263f

      SHA512

      a9772f1a1e03cecf2148fe680c7a77e5e4891bea8f5b47e75fe259f313f476621f8b9c98351a2232e133fcaaf639479f51eab3748bc838aa8a80f27ebc3d801b

    • C:\Users\Admin\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\LocalState\cloudCommunitySettings.json
      Filesize

      2KB

      MD5

      404a3ec24e3ebf45be65e77f75990825

      SHA1

      1e05647cf0a74cedfdeabfa3e8ee33b919780a61

      SHA256

      cc45905af3aaa62601a69c748a06a2fa48eca3b28d44d8ec18764a7e8e4c3da2

      SHA512

      a55382b72267375821b0a229d3529ed54cef0f295f550d1e95661bafccec606aa1cd72e059d37d78e7d2927ae72e2919941251d233152f5eeb32ffdfc96023e5

    • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
      Filesize

      265B

      MD5

      3b78ee8ebbef0e1677f3971a1fec4325

      SHA1

      335263a574a2d0fa3f678ef0c51baac797b718c9

      SHA256

      203ee25797bccfa1e3e07a3c94554662703b0374f49d8474457f093446b607c4

      SHA512

      65617a2954955923ca1fa6ffd652a0363cdc3aa0dfd5a395581054974c1b6351b1bfbaa7c3d35e076634c40da0ae5c850f6a717b5d3b601d159a4fd439c97f0a

    • memory/952-264-0x00007FF9BC4E0000-0x00007FF9BC4F0000-memory.dmp
      Filesize

      64KB

    • memory/952-263-0x00007FF9BC4E0000-0x00007FF9BC4F0000-memory.dmp
      Filesize

      64KB

    • memory/952-262-0x00007FF9BC4E0000-0x00007FF9BC4F0000-memory.dmp
      Filesize

      64KB

    • memory/952-261-0x00007FF9BC4E0000-0x00007FF9BC4F0000-memory.dmp
      Filesize

      64KB

    • memory/952-11-0x00007FF9BC4E0000-0x00007FF9BC4F0000-memory.dmp
      Filesize

      64KB

    • memory/952-12-0x00007FF9BC4E0000-0x00007FF9BC4F0000-memory.dmp
      Filesize

      64KB

    • memory/952-13-0x00007FF9BC4E0000-0x00007FF9BC4F0000-memory.dmp
      Filesize

      64KB

    • memory/952-14-0x00007FF9BC4E0000-0x00007FF9BC4F0000-memory.dmp
      Filesize

      64KB

    • memory/952-17-0x00007FF9B8E90000-0x00007FF9B8EA0000-memory.dmp
      Filesize

      64KB

    • memory/952-18-0x00007FF9B8E90000-0x00007FF9B8EA0000-memory.dmp
      Filesize

      64KB

    • memory/3336-10-0x0000000000400000-0x00000000005DE000-memory.dmp
      Filesize

      1.9MB

    • memory/3336-287-0x0000000000400000-0x00000000005DE000-memory.dmp
      Filesize

      1.9MB

    • memory/3336-9-0x0000000000400000-0x00000000005DE000-memory.dmp
      Filesize

      1.9MB

    • memory/3336-6-0x0000000000400000-0x00000000005DE000-memory.dmp
      Filesize

      1.9MB

    • memory/3336-4-0x0000000000400000-0x00000000005DE000-memory.dmp
      Filesize

      1.9MB

    • memory/3336-270-0x0000000000400000-0x00000000005DE000-memory.dmp
      Filesize

      1.9MB

    • memory/3336-373-0x0000000000400000-0x00000000005DE000-memory.dmp
      Filesize

      1.9MB

    • memory/3336-372-0x0000000000400000-0x00000000005DE000-memory.dmp
      Filesize

      1.9MB

    • memory/3336-1-0x0000000000400000-0x00000000005DE000-memory.dmp
      Filesize

      1.9MB

    • memory/3336-2-0x0000000000400000-0x00000000005DE000-memory.dmp
      Filesize

      1.9MB

    • memory/3336-0-0x0000000002240000-0x000000000230E000-memory.dmp
      Filesize

      824KB

    • memory/3336-3-0x0000000000400000-0x00000000005DE000-memory.dmp
      Filesize

      1.9MB

    • memory/4796-286-0x00007FF9DDF50000-0x00007FF9DF000000-memory.dmp
      Filesize

      16.7MB

    • memory/4796-285-0x00007FF9E00F0000-0x00007FF9E03A6000-memory.dmp
      Filesize

      2.7MB

    • memory/4796-283-0x00007FF7E4540000-0x00007FF7E4638000-memory.dmp
      Filesize

      992KB

    • memory/4796-284-0x00007FF9EEB80000-0x00007FF9EEBB4000-memory.dmp
      Filesize

      208KB