Malware Analysis Report

2025-01-02 14:23

Sample ID 220425-1j6mysdgd2
Target ashan.russia.zakaz.zip
SHA256 c739a9563ae2eab157316e450824300b219776a52723b028af79b8b4f443ec0d
Tags
troldesh discovery persistence ransomware spyware stealer trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c739a9563ae2eab157316e450824300b219776a52723b028af79b8b4f443ec0d

Threat Level: Known bad

The file ashan.russia.zakaz.zip was found to be: Known bad.

Malicious Activity Summary

troldesh discovery persistence ransomware spyware stealer trojan upx

Troldesh, Shade, Encoder.858

Deletes shadow copies

Downloads MZ/PE file

Executes dropped EXE

UPX packed file

Blocklisted process makes network request

Deletes itself

Reads user/profile data of web browsers

Checks computer location settings

Checks installed software on the system

Adds Run key to start application

Drops file in Program Files directory

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Interacts with shadow copies

Suspicious behavior: CmdExeWriteProcessMemorySpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-04-25 21:41

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-04-25 21:41

Reported

2022-04-25 21:44

Platform

win7-20220414-en

Max time kernel

151s

Max time network

153s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\____ ______ ______ ___________ ______.js"

Signatures

Troldesh, Shade, Encoder.858

ransomware trojan troldesh

Deletes shadow copies

ransomware

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\wscript.exe N/A
N/A N/A C:\Windows\system32\wscript.exe N/A
N/A N/A C:\Windows\system32\wscript.exe N/A

Downloads MZ/PE file

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\rad820DA.tmp N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\system32\wscript.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ | C:\Users\Admin\AppData\Local\Temp\rad820DA.tmp | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\rad820DA.tmp | N/A

Checks installed software on the system

discovery

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\buttonUp_Off.png C:\Users\Admin\AppData\Local\Temp\rad820DA.tmp N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\index.gif C:\Users\Admin\AppData\Local\Temp\rad820DA.tmp N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Circle_SelectionSubpictureB.png C:\Users\Admin\AppData\Local\Temp\rad820DA.tmp N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-threaddump.xml C:\Users\Admin\AppData\Local\Temp\rad820DA.tmp N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\NextMenuButtonIcon.png C:\Users\Admin\AppData\Local\Temp\rad820DA.tmp N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\16_9-frame-image-mask.png C:\Users\Admin\AppData\Local\Temp\rad820DA.tmp N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Pine_Lumber.jpg C:\Users\Admin\AppData\Local\Temp\rad820DA.tmp N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_rtl.xml C:\Users\Admin\AppData\Local\Temp\rad820DA.tmp N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\js\weather.js C:\Users\Admin\AppData\Local\Temp\rad820DA.tmp N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\js\library.js C:\Users\Admin\AppData\Local\Temp\rad820DA.tmp N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\css\cpu.css C:\Users\Admin\AppData\Local\Temp\rad820DA.tmp N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\flower_s.png C:\Users\Admin\AppData\Local\Temp\rad820DA.tmp N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\mobile_browse.html C:\Users\Admin\AppData\Local\Temp\rad820DA.tmp N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\html\cpyr.htm C:\Users\Admin\AppData\Local\Temp\rad820DA.tmp N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\ipscsy.xml C:\Users\Admin\AppData\Local\Temp\rad820DA.tmp N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\1.png C:\Users\Admin\AppData\Local\Temp\rad820DA.tmp N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\in_sidebar\slideshow_glass_frame.png C:\Users\Admin\AppData\Local\Temp\rad820DA.tmp N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\blank.png C:\Users\Admin\AppData\Local\Temp\rad820DA.tmp N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\square.png C:\Users\Admin\AppData\Local\Temp\rad820DA.tmp N/A
File opened for modification C:\Program Files\Windows Media Player\Network Sharing\wmpnss_color120.png C:\Users\Admin\AppData\Local\Temp\rad820DA.tmp N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-io-ui.xml C:\Users\Admin\AppData\Local\Temp\rad820DA.tmp N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\js\clock.js C:\Users\Admin\AppData\Local\Temp\rad820DA.tmp N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_highlight-soft_75_ffe45c_1x100.png C:\Users\Admin\AppData\Local\Temp\rad820DA.tmp N/A
File opened for modification C:\Program Files\Java\jre7\lib\jvm.hprof.txt C:\Users\Admin\AppData\Local\Temp\rad820DA.tmp N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_classic_winxp.css C:\Users\Admin\AppData\Local\Temp\rad820DA.tmp N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_gray_rainy.png C:\Users\Admin\AppData\Local\Temp\rad820DA.tmp N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\30.png C:\Users\Admin\AppData\Local\Temp\rad820DA.tmp N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\settings.html C:\Users\Admin\AppData\Local\Temp\rad820DA.tmp N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\css\settings.css C:\Users\Admin\AppData\Local\Temp\rad820DA.tmp N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\js\cpu.js C:\Users\Admin\AppData\Local\Temp\rad820DA.tmp N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\invalid32x32.gif C:\Users\Admin\AppData\Local\Temp\rad820DA.tmp N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\circleround_selectionsubpicture.png C:\Users\Admin\AppData\Local\Temp\rad820DA.tmp N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\bNext-down.png C:\Users\Admin\AppData\Local\Temp\rad820DA.tmp N/A
File opened for modification C:\Program Files\Mozilla Firefox\defaults\pref\channel-prefs.js C:\Users\Admin\AppData\Local\Temp\rad820DA.tmp N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-dialogs.xml C:\Users\Admin\AppData\Local\Temp\rad820DA.tmp N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-api-annotations-common.xml C:\Users\Admin\AppData\Local\Temp\rad820DA.tmp N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationLeft_SelectionSubpicture.png C:\Users\Admin\AppData\Local\Temp\rad820DA.tmp N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Garden.htm C:\Users\Admin\AppData\Local\Temp\rad820DA.tmp N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-first-quarter_partly-cloudy.png C:\Users\Admin\AppData\Local\Temp\rad820DA.tmp N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\css\clock.css C:\Users\Admin\AppData\Local\Temp\rad820DA.tmp N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\jvm.hprof.txt C:\Users\Admin\AppData\Local\Temp\rad820DA.tmp N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-over-DOT.png C:\Users\Admin\AppData\Local\Temp\rad820DA.tmp N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-waning-crescent_partly-cloudy.png C:\Users\Admin\AppData\Local\Temp\rad820DA.tmp N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\button_MCELogo_mouseover.png C:\Users\Admin\AppData\Local\Temp\rad820DA.tmp N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-windows.xml C:\Users\Admin\AppData\Local\Temp\rad820DA.tmp N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\softedges.png C:\Users\Admin\AppData\Local\Temp\rad820DA.tmp N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Soft Blue.htm C:\Users\Admin\AppData\Local\Temp\rad820DA.tmp N/A
File opened for modification C:\Program Files\7-Zip\Lang\sl.txt C:\Users\Admin\AppData\Local\Temp\rad820DA.tmp N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\Alphabet.xml C:\Users\Admin\AppData\Local\Temp\rad820DA.tmp N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-spi-actions.xml C:\Users\Admin\AppData\Local\Temp\rad820DA.tmp N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-templates.xml C:\Users\Admin\AppData\Local\Temp\rad820DA.tmp N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\hwrdeslm.dat C:\Users\Admin\AppData\Local\Temp\rad820DA.tmp N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\47.png C:\Users\Admin\AppData\Local\Temp\rad820DA.tmp N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\high-contrast.css C:\Users\Admin\AppData\Local\Temp\rad820DA.tmp N/A
File opened for modification C:\Program Files\7-Zip\Lang\sr-spl.txt C:\Users\Admin\AppData\Local\Temp\rad820DA.tmp N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\photoedge_buttongraphic.png C:\Users\Admin\AppData\Local\Temp\rad820DA.tmp N/A
File opened for modification C:\Program Files\7-Zip\Lang\va.txt C:\Users\Admin\AppData\Local\Temp\rad820DA.tmp N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_blue_windy.png C:\Users\Admin\AppData\Local\Temp\rad820DA.tmp N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-core.xml C:\Users\Admin\AppData\Local\Temp\rad820DA.tmp N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_mru_on_win7.css C:\Users\Admin\AppData\Local\Temp\rad820DA.tmp N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_search_up_BIDI.png C:\Users\Admin\AppData\Local\Temp\rad820DA.tmp N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main.xml C:\Users\Admin\AppData\Local\Temp\rad820DA.tmp N/A
File opened for modification C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\manifest.json C:\Users\Admin\AppData\Local\Temp\rad820DA.tmp N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_gray_few-showers.png C:\Users\Admin\AppData\Local\Temp\rad820DA.tmp N/A

Enumerates physical storage devices

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Suspicious behavior: CmdExeWriteProcessMemorySpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\rad820DA.tmp N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\rad820DA.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rad820DA.tmp N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\rad820DA.tmp N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2004 wrote to memory of 1724 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\cmd.exe
PID 2004 wrote to memory of 1724 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\cmd.exe
PID 2004 wrote to memory of 1724 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\cmd.exe
PID 1724 wrote to memory of 1084 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\rad820DA.tmp
PID 1724 wrote to memory of 1084 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\rad820DA.tmp
PID 1724 wrote to memory of 1084 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\rad820DA.tmp
PID 1724 wrote to memory of 1084 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\rad820DA.tmp
PID 1084 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\rad820DA.tmp C:\Windows\system32\vssadmin.exe
PID 1084 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\rad820DA.tmp C:\Windows\system32\vssadmin.exe
PID 1084 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\rad820DA.tmp C:\Windows\system32\vssadmin.exe
PID 1084 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\rad820DA.tmp C:\Windows\system32\vssadmin.exe
PID 1084 wrote to memory of 524 N/A C:\Users\Admin\AppData\Local\Temp\rad820DA.tmp C:\Windows\system32\vssadmin.exe
PID 1084 wrote to memory of 524 N/A C:\Users\Admin\AppData\Local\Temp\rad820DA.tmp C:\Windows\system32\vssadmin.exe
PID 1084 wrote to memory of 524 N/A C:\Users\Admin\AppData\Local\Temp\rad820DA.tmp C:\Windows\system32\vssadmin.exe
PID 1084 wrote to memory of 524 N/A C:\Users\Admin\AppData\Local\Temp\rad820DA.tmp C:\Windows\system32\vssadmin.exe
PID 1084 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\rad820DA.tmp C:\Windows\system32\vssadmin.exe
PID 1084 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\rad820DA.tmp C:\Windows\system32\vssadmin.exe
PID 1084 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\rad820DA.tmp C:\Windows\system32\vssadmin.exe
PID 1084 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\rad820DA.tmp C:\Windows\system32\vssadmin.exe
PID 1084 wrote to memory of 108 N/A C:\Users\Admin\AppData\Local\Temp\rad820DA.tmp C:\Windows\SysWOW64\cmd.exe
PID 1084 wrote to memory of 108 N/A C:\Users\Admin\AppData\Local\Temp\rad820DA.tmp C:\Windows\SysWOW64\cmd.exe
PID 1084 wrote to memory of 108 N/A C:\Users\Admin\AppData\Local\Temp\rad820DA.tmp C:\Windows\SysWOW64\cmd.exe
PID 1084 wrote to memory of 108 N/A C:\Users\Admin\AppData\Local\Temp\rad820DA.tmp C:\Windows\SysWOW64\cmd.exe
PID 108 wrote to memory of 660 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 108 wrote to memory of 660 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 108 wrote to memory of 660 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 108 wrote to memory of 660 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\____ ______ ______ ___________ ______.js"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\rad820DA.tmp

C:\Users\Admin\AppData\Local\Temp\rad820DA.tmp

C:\Users\Admin\AppData\Local\Temp\rad820DA.tmp

C:\Windows\system32\vssadmin.exe

C:\Windows\system32\vssadmin.exe List Shadows

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssadmin.exe

C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\system32\vssadmin.exe

C:\Windows\system32\vssadmin.exe List Shadows

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe

C:\Windows\SysWOW64\chcp.com

chcp

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | brewmethods.com | udp
US | 188.114.97.0:80 | brewmethods.com | tcp
US | 188.114.97.0:443 | brewmethods.com | tcp
N/A | 127.0.0.1:49172 | | tcp
DE | 131.188.40.189:443 | | tcp
NL | 194.109.206.212:443 | | tcp
US | 208.83.223.34:80 | | tcp
FR | 86.253.129.31:9001 | | tcp
FR | 51.254.114.203:9001 | | tcp
NL | 95.211.136.23:443 | | tcp
N/A | 127.0.0.1:50379 | | tcp
N/A | 127.0.0.1:50379 | | tcp
N/A | 127.0.0.1:50379 | | tcp
N/A | 127.0.0.1:50379 | | tcp
N/A | 127.0.0.1:50379 | | tcp
N/A | 127.0.0.1:50379 | | tcp

Files

memory/2004-54-0x000007FEFBA41000-0x000007FEFBA43000-memory.dmp

memory/1724-55-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\rad820DA.tmp

MD5 87ab5f476d4351224d893e267cc30d3b
SHA1 22e1fefd40bde744c165d316db26e88b5f4e6e70
SHA256 ca233059d5f7370dfdadf37d8f6b27ebf72ddaf6458613c2084b705727cf68ab
SHA512 7eb4776b09d586364d88ab1992133d9a0788c2c6c2e3ea4993ed061f4d25db9c7a3755a8add4775273193b953ca79ada4167d4a3671abbf728a4d0a61dd4e183

memory/1084-57-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\rad820DA.tmp

MD5 87ab5f476d4351224d893e267cc30d3b
SHA1 22e1fefd40bde744c165d316db26e88b5f4e6e70
SHA256 ca233059d5f7370dfdadf37d8f6b27ebf72ddaf6458613c2084b705727cf68ab
SHA512 7eb4776b09d586364d88ab1992133d9a0788c2c6c2e3ea4993ed061f4d25db9c7a3755a8add4775273193b953ca79ada4167d4a3671abbf728a4d0a61dd4e183

memory/1084-59-0x00000000002D0000-0x00000000003A5000-memory.dmp

memory/1084-60-0x0000000076191000-0x0000000076193000-memory.dmp

memory/1084-61-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1084-62-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2020-63-0x0000000000000000-mapping.dmp

memory/524-64-0x0000000000000000-mapping.dmp

memory/1736-65-0x0000000000000000-mapping.dmp

memory/108-66-0x0000000000000000-mapping.dmp

memory/660-67-0x0000000000000000-mapping.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-04-25 21:41

Reported

2022-04-25 21:44

Platform

win10v2004-20220414-en

Max time kernel

137s

Max time network

152s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\____ ______ ______ ___________ ______.js"

Signatures

Troldesh, Shade, Encoder.858

ransomware trojan troldesh

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\wscript.exe N/A
N/A N/A C:\Windows\system32\wscript.exe N/A
N/A N/A C:\Windows\system32\wscript.exe N/A
N/A N/A C:\Windows\system32\wscript.exe N/A

Downloads MZ/PE file

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\radB0D00.tmp N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ | C:\Users\Admin\AppData\Local\Temp\radB0D00.tmp | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\radB0D00.tmp | N/A

Checks installed software on the system

discovery

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2592 wrote to memory of 2556 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\cmd.exe
PID 2592 wrote to memory of 2556 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\cmd.exe
PID 2556 wrote to memory of 1724 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\radB0D00.tmp
PID 2556 wrote to memory of 1724 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\radB0D00.tmp
PID 2556 wrote to memory of 1724 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\radB0D00.tmp

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\____ ______ ______ ___________ ______.js"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\radB0D00.tmp

C:\Users\Admin\AppData\Local\Temp\radB0D00.tmp

C:\Users\Admin\AppData\Local\Temp\radB0D00.tmp

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | brewmethods.com | udp
US | 188.114.97.0:80 | brewmethods.com | tcp
US | 188.114.97.0:443 | brewmethods.com | tcp
US | 188.114.96.0:443 | brewmethods.com | tcp
N/A | 127.0.0.1:49747 | | tcp
DE | 131.188.40.189:443 | | tcp
DE | 193.23.244.244:443 | | tcp
FR | 5.39.69.166:9001 | | tcp
FR | 51.75.143.150:9001 | | tcp
US | 185.220.103.111:443 | | tcp
NL | 8.238.24.126:80 | | tcp
NL | 8.238.24.126:80 | | tcp
US | 8.8.8.8:53 | 96.108.152.52.in-addr.arpa | udp
IE | 52.109.76.31:443 | | tcp
US | 8.8.8.8:53 | 176.122.125.40.in-addr.arpa | udp
N/A | 127.0.0.1:53299 | | tcp

Files

memory/2556-130-0x0000000000000000-mapping.dmp

memory/1724-131-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\radB0D00.tmp

MD5 87ab5f476d4351224d893e267cc30d3b
SHA1 22e1fefd40bde744c165d316db26e88b5f4e6e70
SHA256 ca233059d5f7370dfdadf37d8f6b27ebf72ddaf6458613c2084b705727cf68ab
SHA512 7eb4776b09d586364d88ab1992133d9a0788c2c6c2e3ea4993ed061f4d25db9c7a3755a8add4775273193b953ca79ada4167d4a3671abbf728a4d0a61dd4e183

C:\Users\Admin\AppData\Local\Temp\radB0D00.tmp

MD5 87ab5f476d4351224d893e267cc30d3b
SHA1 22e1fefd40bde744c165d316db26e88b5f4e6e70
SHA256 ca233059d5f7370dfdadf37d8f6b27ebf72ddaf6458613c2084b705727cf68ab
SHA512 7eb4776b09d586364d88ab1992133d9a0788c2c6c2e3ea4993ed061f4d25db9c7a3755a8add4775273193b953ca79ada4167d4a3671abbf728a4d0a61dd4e183

memory/1724-134-0x00000000023C0000-0x0000000002495000-memory.dmp

memory/1724-135-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1724-136-0x0000000000400000-0x0000000000608000-memory.dmp