troldesh | 03246cda354d8efbc9e22057cc283609825f15cf33ddc5296deac54c2b540218

Analysis

max time kernel
116s
max time network
143s
platform
windows7_x64
resource
win7v200217
submitted
26-03-2020 14:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

03246cda354d8efbc9e22057cc283609825f15cf33ddc5296deac54c2b540218.exe
Size

1.1MB
MD5

32126de1466136e0b4f39560f3956fb9
SHA1

1f2b679904a40552d24d430529e70c916504aef4
SHA256

03246cda354d8efbc9e22057cc283609825f15cf33ddc5296deac54c2b540218
SHA512

50b49d35e8953584e1dc3a9263093ef1be4f75ac6daec1eb18d649ff9228d819166aa0949f9f0f336354ce10ad7f5a71295b1704b86f311c0e3afebbbc9905ec

Score

10^/10

discovery persistence ransomware trojan troldesh

Malware Config

Signatures

Adds Run entry to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	03246cda354d8efbc9e22057cc283609825f15cf33ddc5296deac54c2b540218.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\""	03246cda354d8efbc9e22057cc283609825f15cf33ddc5296deac54c2b540218.exe

Troldesh,Shade,Encoder.858
Troldesh is a ransomware spread by malspam.
ransomware trojan troldesh

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
1828	03246cda354d8efbc9e22057cc283609825f15cf33ddc5296deac54c2b540218.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1828	03246cda354d8efbc9e22057cc283609825f15cf33ddc5296deac54c2b540218.exe
1828	03246cda354d8efbc9e22057cc283609825f15cf33ddc5296deac54c2b540218.exe

Checks for installed software on the system 1 TTPs 28 IoCs

discovery

Query Registry

T1012

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX\DisplayName	03246cda354d8efbc9e22057cc283609825f15cf33ddc5296deac54c2b540218.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132}.KB4087364\DisplayName	03246cda354d8efbc9e22057cc283609825f15cf33ddc5296deac54c2b540218.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\DisplayName	03246cda354d8efbc9e22057cc283609825f15cf33ddc5296deac54c2b540218.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx\DisplayName	03246cda354d8efbc9e22057cc283609825f15cf33ddc5296deac54c2b540218.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573\DisplayName	03246cda354d8efbc9e22057cc283609825f15cf33ddc5296deac54c2b540218.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WIC\DisplayName	03246cda354d8efbc9e22057cc283609825f15cf33ddc5296deac54c2b540218.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757\DisplayName	03246cda354d8efbc9e22057cc283609825f15cf33ddc5296deac54c2b540218.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743\DisplayName	03246cda354d8efbc9e22057cc283609825f15cf33ddc5296deac54c2b540218.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data\DisplayName	03246cda354d8efbc9e22057cc283609825f15cf33ddc5296deac54c2b540218.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655\DisplayName	03246cda354d8efbc9e22057cc283609825f15cf33ddc5296deac54c2b540218.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{BB8B979E-E336-47E7-96BC-1031C1B94561}\DisplayName	03246cda354d8efbc9e22057cc283609825f15cf33ddc5296deac54c2b540218.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent\DisplayName	03246cda354d8efbc9e22057cc283609825f15cf33ddc5296deac54c2b540218.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860\DisplayName	03246cda354d8efbc9e22057cc283609825f15cf33ddc5296deac54c2b540218.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063\DisplayName	03246cda354d8efbc9e22057cc283609825f15cf33ddc5296deac54c2b540218.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName	03246cda354d8efbc9e22057cc283609825f15cf33ddc5296deac54c2b540218.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager\DisplayName	03246cda354d8efbc9e22057cc283609825f15cf33ddc5296deac54c2b540218.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40\DisplayName	03246cda354d8efbc9e22057cc283609825f15cf33ddc5296deac54c2b540218.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IEData\DisplayName	03246cda354d8efbc9e22057cc283609825f15cf33ddc5296deac54c2b540218.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\DisplayName	03246cda354d8efbc9e22057cc283609825f15cf33ddc5296deac54c2b540218.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\DisplayName	03246cda354d8efbc9e22057cc283609825f15cf33ddc5296deac54c2b540218.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook\DisplayName	03246cda354d8efbc9e22057cc283609825f15cf33ddc5296deac54c2b540218.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore\DisplayName	03246cda354d8efbc9e22057cc283609825f15cf33ddc5296deac54c2b540218.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173\DisplayName	03246cda354d8efbc9e22057cc283609825f15cf33ddc5296deac54c2b540218.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-1033-7B44-A90000000001}\DisplayName	03246cda354d8efbc9e22057cc283609825f15cf33ddc5296deac54c2b540218.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall	03246cda354d8efbc9e22057cc283609825f15cf33ddc5296deac54c2b540218.exe
Key enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall	03246cda354d8efbc9e22057cc283609825f15cf33ddc5296deac54c2b540218.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack\DisplayName	03246cda354d8efbc9e22057cc283609825f15cf33ddc5296deac54c2b540218.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}\DisplayName	03246cda354d8efbc9e22057cc283609825f15cf33ddc5296deac54c2b540218.exe

C:\Users\Admin\AppData\Local\Temp\03246cda354d8efbc9e22057cc283609825f15cf33ddc5296deac54c2b540218.exe
"C:\Users\Admin\AppData\Local\Temp\03246cda354d8efbc9e22057cc283609825f15cf33ddc5296deac54c2b540218.exe"
1⤵
- Adds Run entry to start application
- Suspicious use of UnmapMainImage
- Suspicious behavior: EnumeratesProcesses
- Checks for installed software on the system
PID:1828

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1828-0-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/1828-1-0x0000000002C20000-0x0000000002C31000-memory.dmp

Filesize
68KB

Download
memory/1828-2-0x0000000003030000-0x0000000003041000-memory.dmp

Filesize
68KB

Download
memory/1828-3-0x0000000002C20000-0x0000000002C31000-memory.dmp

Filesize
68KB

Download
memory/1828-52-0x0000000002C20000-0x0000000002C31000-memory.dmp

Filesize
68KB

Download
memory/1828-112-0x0000000002C20000-0x0000000002C31000-memory.dmp

Filesize
68KB

Download
memory/1828-161-0x0000000002C20000-0x0000000002C31000-memory.dmp

Filesize
68KB

Download
memory/1828-180-0x0000000002C20000-0x0000000002C31000-memory.dmp

Filesize
68KB

Download
memory/1828-201-0x0000000002C20000-0x0000000002C31000-memory.dmp

Filesize
68KB

Download
memory/1828-216-0x0000000002C20000-0x0000000002C31000-memory.dmp

Filesize
68KB

Download
memory/1828-236-0x0000000002C20000-0x0000000002C31000-memory.dmp

Filesize
68KB

Download
memory/1828-244-0x0000000002C20000-0x0000000002C31000-memory.dmp

Filesize
68KB

Download
memory/1828-245-0x0000000003030000-0x0000000003041000-memory.dmp

Filesize
68KB

Download
memory/1828-246-0x0000000002C20000-0x0000000002C31000-memory.dmp

Filesize
68KB

Download
memory/1828-247-0x0000000002C20000-0x0000000002C31000-memory.dmp

Filesize
68KB

Download
memory/1828-259-0x0000000002C20000-0x0000000002C31000-memory.dmp

Filesize
68KB

Download
memory/1828-270-0x0000000002C20000-0x0000000002C31000-memory.dmp

Filesize
68KB

Download
memory/1828-271-0x0000000002C20000-0x0000000002C31000-memory.dmp

Filesize
68KB

Download
memory/1828-272-0x0000000002C20000-0x0000000002C31000-memory.dmp

Filesize
68KB

Download
memory/1828-274-0x0000000002C20000-0x0000000002C31000-memory.dmp

Filesize
68KB

Download
memory/1828-276-0x0000000002C20000-0x0000000002C31000-memory.dmp

Filesize
68KB

Download
memory/1828-277-0x0000000002C20000-0x0000000002C31000-memory.dmp

Filesize
68KB

Download
memory/1828-278-0x0000000002C20000-0x0000000002C31000-memory.dmp

Filesize
68KB

Download
memory/1828-281-0x0000000002C20000-0x0000000002C31000-memory.dmp

Filesize
68KB

Download
memory/1828-288-0x0000000002C20000-0x0000000002C31000-memory.dmp

Filesize
68KB

Download
memory/1828-290-0x0000000002C20000-0x0000000002C31000-memory.dmp

Filesize
68KB

Download
memory/1828-292-0x0000000002C20000-0x0000000002C31000-memory.dmp

Filesize
68KB

Download
memory/1828-295-0x0000000002C20000-0x0000000002C31000-memory.dmp

Filesize
68KB

Download
memory/1828-303-0x0000000002C20000-0x0000000002C31000-memory.dmp

Filesize
68KB

Download
memory/1828-304-0x0000000002C20000-0x0000000002C31000-memory.dmp

Filesize
68KB

Download
memory/1828-305-0x0000000002C20000-0x0000000002C31000-memory.dmp

Filesize
68KB

Download
memory/1828-307-0x0000000002C20000-0x0000000002C31000-memory.dmp

Filesize
68KB

Download
memory/1828-309-0x0000000002C20000-0x0000000002C31000-memory.dmp

Filesize
68KB

Download
memory/1828-311-0x0000000002C20000-0x0000000002C31000-memory.dmp

Filesize
68KB

Download
memory/1828-313-0x0000000002C20000-0x0000000002C31000-memory.dmp

Filesize
68KB

Download
memory/1828-314-0x0000000002C20000-0x0000000002C31000-memory.dmp

Filesize
68KB

Download
memory/1828-315-0x0000000002C20000-0x0000000002C31000-memory.dmp

Filesize
68KB

Download
memory/1828-316-0x0000000002C20000-0x0000000002C31000-memory.dmp

Filesize
68KB

Download
memory/1828-319-0x0000000002C20000-0x0000000002C31000-memory.dmp

Filesize
68KB

Download
memory/1828-320-0x0000000002C20000-0x0000000002C31000-memory.dmp

Filesize
68KB

Download
memory/1828-323-0x0000000002C20000-0x0000000002C31000-memory.dmp

Filesize
68KB

Download
memory/1828-324-0x0000000002C20000-0x0000000002C31000-memory.dmp

Filesize
68KB

Download
memory/1828-325-0x0000000002C20000-0x0000000002C31000-memory.dmp

Filesize
68KB

Download
memory/1828-328-0x0000000002C20000-0x0000000002C31000-memory.dmp

Filesize
68KB

Download
memory/1828-331-0x0000000002C20000-0x0000000002C31000-memory.dmp

Filesize
68KB

Download
memory/1828-337-0x0000000002C20000-0x0000000002C31000-memory.dmp

Filesize
68KB

Download
memory/1828-348-0x0000000002C20000-0x0000000002C31000-memory.dmp

Filesize
68KB

Download
memory/1828-352-0x0000000002C20000-0x0000000002C31000-memory.dmp

Filesize
68KB

Download
memory/1828-354-0x0000000002C20000-0x0000000002C31000-memory.dmp

Filesize
68KB

Download
memory/1828-355-0x0000000002C20000-0x0000000002C31000-memory.dmp

Filesize
68KB

Download
memory/1828-356-0x0000000002C20000-0x0000000002C31000-memory.dmp

Filesize
68KB

Download
memory/1828-357-0x0000000002C20000-0x0000000002C31000-memory.dmp

Filesize
68KB

Download
memory/1828-358-0x0000000002C20000-0x0000000002C31000-memory.dmp

Filesize
68KB

Download
memory/1828-359-0x0000000002C20000-0x0000000002C31000-memory.dmp

Filesize
68KB

Download
memory/1828-360-0x0000000002C20000-0x0000000002C31000-memory.dmp

Filesize
68KB

Download
memory/1828-361-0x0000000002C20000-0x0000000002C31000-memory.dmp

Filesize
68KB

Download
memory/1828-369-0x0000000002C20000-0x0000000002C31000-memory.dmp

Filesize
68KB

Download
memory/1828-370-0x0000000002C20000-0x0000000002C31000-memory.dmp

Filesize
68KB

Download
memory/1828-376-0x0000000002C20000-0x0000000002C31000-memory.dmp

Filesize
68KB

Download
memory/1828-404-0x0000000002C20000-0x0000000002C31000-memory.dmp

Filesize
68KB

Download
memory/1828-405-0x0000000002C20000-0x0000000002C31000-memory.dmp

Filesize
68KB

Download
memory/1828-406-0x0000000002C20000-0x0000000002C31000-memory.dmp

Filesize
68KB

Download
memory/1828-407-0x0000000002C20000-0x0000000002C31000-memory.dmp

Filesize
68KB

Download
memory/1828-408-0x0000000002C20000-0x0000000002C31000-memory.dmp

Filesize
68KB

Download
memory/1828-410-0x0000000002C20000-0x0000000002C31000-memory.dmp

Filesize
68KB

Download
memory/1828-411-0x0000000002C20000-0x0000000002C31000-memory.dmp

Filesize
68KB

Download
memory/1828-412-0x0000000002C20000-0x0000000002C31000-memory.dmp

Filesize
68KB

Download
memory/1828-413-0x0000000002C20000-0x0000000002C31000-memory.dmp

Filesize
68KB

Download
memory/1828-414-0x0000000002C20000-0x0000000002C31000-memory.dmp

Filesize
68KB

Download
memory/1828-415-0x0000000002C20000-0x0000000002C31000-memory.dmp

Filesize
68KB

Download
memory/1828-416-0x0000000002C20000-0x0000000002C31000-memory.dmp

Filesize
68KB

Download
memory/1828-417-0x0000000002C20000-0x0000000002C31000-memory.dmp

Filesize
68KB

Download
memory/1828-419-0x0000000002C20000-0x0000000002C31000-memory.dmp

Filesize
68KB

Download
memory/1828-420-0x0000000002C20000-0x0000000002C31000-memory.dmp

Filesize
68KB

Download
memory/1828-421-0x0000000002C20000-0x0000000002C31000-memory.dmp

Filesize
68KB

Download
memory/1828-422-0x0000000002C20000-0x0000000002C31000-memory.dmp

Filesize
68KB

Download
memory/1828-423-0x0000000002C20000-0x0000000002C31000-memory.dmp

Filesize
68KB

Download
memory/1828-424-0x0000000002C20000-0x0000000002C31000-memory.dmp

Filesize
68KB

Download
memory/1828-426-0x0000000002C20000-0x0000000002C31000-memory.dmp

Filesize
68KB

Download
memory/1828-427-0x0000000002C20000-0x0000000002C31000-memory.dmp

Filesize
68KB

Download
memory/1828-428-0x0000000002C20000-0x0000000002C31000-memory.dmp

Filesize
68KB

Download
memory/1828-429-0x0000000002C20000-0x0000000002C31000-memory.dmp

Filesize
68KB

Download
memory/1828-431-0x0000000002C20000-0x0000000002C31000-memory.dmp

Filesize
68KB

Download
memory/1828-432-0x0000000002C20000-0x0000000002C31000-memory.dmp

Filesize
68KB

Download
memory/1828-435-0x0000000002C20000-0x0000000002C31000-memory.dmp

Filesize
68KB

Download
memory/1828-436-0x0000000002C20000-0x0000000002C31000-memory.dmp

Filesize
68KB

Download
memory/1828-437-0x0000000002C20000-0x0000000002C31000-memory.dmp

Filesize
68KB

Download
memory/1828-438-0x0000000002C20000-0x0000000002C31000-memory.dmp

Filesize
68KB

Download