troldesh | 1e4b9f225ed46e67fdba49356d0aa837393f4c00b42bd84f7ffbba24c9810d6f

General

Target

1e4b9f225ed46e67fdba49356d0aa837393f4c00b42bd84f7ffbba24c9810d6f.sample.exe
Size

976KB
MD5

fc2d1d2825c42a11b56d6e5fd0ef0317
SHA1

321680c5760d9dac5ad5c2c6c0cd1bc638a50b15
SHA256

1e4b9f225ed46e67fdba49356d0aa837393f4c00b42bd84f7ffbba24c9810d6f
SHA512

c70763ac0be9c9448d86a2c5ddfe2ecd8d392f312cbbdfc8fda39f3bc15500d68580c6c0698cb89578b8be54775a2d17f03edf1772c5a0481f4e35eaca798e21

Score

10^/10

troldesh discovery persistence ransomware spyware stealer trojan upx

Malware Config

Signatures

Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.
ransomware trojan troldesh

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1276-62-0x0000000000400000-0x0000000000608000-memory.dmp	upx

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

1e4b9f225ed46e67fdba49356d0aa837393f4c00b42bd84f7ffbba24c9810d6f.sample.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	1e4b9f225ed46e67fdba49356d0aa837393f4c00b42bd84f7ffbba24c9810d6f.sample.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\""	1e4b9f225ed46e67fdba49356d0aa837393f4c00b42bd84f7ffbba24c9810d6f.sample.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

1e4b9f225ed46e67fdba49356d0aa837393f4c00b42bd84f7ffbba24c9810d6f.sample.exe

pid	process
1276	1e4b9f225ed46e67fdba49356d0aa837393f4c00b42bd84f7ffbba24c9810d6f.sample.exe
1276	1e4b9f225ed46e67fdba49356d0aa837393f4c00b42bd84f7ffbba24c9810d6f.sample.exe

Suspicious use of UnmapMainImage 1 IoCs

Processes:

1e4b9f225ed46e67fdba49356d0aa837393f4c00b42bd84f7ffbba24c9810d6f.sample.exe

pid process

1276 1e4b9f225ed46e67fdba49356d0aa837393f4c00b42bd84f7ffbba24c9810d6f.sample.exe

C:\Users\Admin\AppData\Local\Temp\1e4b9f225ed46e67fdba49356d0aa837393f4c00b42bd84f7ffbba24c9810d6f.sample.exe
"C:\Users\Admin\AppData\Local\Temp\1e4b9f225ed46e67fdba49356d0aa837393f4c00b42bd84f7ffbba24c9810d6f.sample.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
PID:1276

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1276-60-0x0000000075B31000-0x0000000075B33000-memory.dmp

Filesize
8KB

Download
memory/1276-61-0x0000000000680000-0x0000000000755000-memory.dmp

Filesize
852KB

Download
memory/1276-62-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads