Malware Analysis Report

2025-01-02 14:23

Sample ID 220425-cswbksfadl
Target inf.inf
SHA256 fd03dd58aa7cb5236f4df8cde3fb07af304c6f402cd48b86eefcecb8e7b86883
Tags
troldesh discovery persistence ransomware spyware stealer trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

fd03dd58aa7cb5236f4df8cde3fb07af304c6f402cd48b86eefcecb8e7b86883

Threat Level: Known bad

The file inf.inf was found to be: Known bad.

Malicious Activity Summary

troldesh discovery persistence ransomware spyware stealer trojan upx

Troldesh, Shade, Encoder.858

UPX packed file

Reads user/profile data of web browsers

Adds Run key to start application

Checks installed software on the system

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of UnmapMainImage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-04-25 02:20

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-04-25 02:20

Reported

2022-04-25 02:26

Platform

win7-20220414-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\inf.exe"

Signatures

Troldesh, Shade, Encoder.858

ransomware trojan troldesh

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ C:\Users\Admin\AppData\Local\Temp\inf.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\inf.exe N/A

Checks installed software on the system

discovery

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\inf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\inf.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\inf.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\inf.exe

"C:\Users\Admin\AppData\Local\Temp\inf.exe"

Network

Country Destination Domain Proto
N/A 127.0.0.1:49163 tcp
AT 86.59.21.38:443 tcp
JP 76.73.17.194:9090 tcp
US 93.184.220.29:80 tcp
US 208.83.223.34:80 tcp
US 128.31.0.39:9101 tcp
NL 194.109.206.212:443 tcp
DE 193.23.244.244:443 tcp

Files

memory/1088-54-0x0000000075D21000-0x0000000075D23000-memory.dmp

memory/1088-55-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1088-56-0x0000000000610000-0x00000000006E5000-memory.dmp

memory/1088-57-0x0000000000400000-0x0000000000608000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-04-25 02:20

Reported

2022-04-25 02:26

Platform

win10v2004-20220414-en

Max time kernel

147s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\inf.exe"

Signatures

Troldesh, Shade, Encoder.858

ransomware trojan troldesh

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ C:\Users\Admin\AppData\Local\Temp\inf.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\inf.exe N/A

Checks installed software on the system

discovery

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\inf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\inf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\inf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\inf.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\inf.exe

"C:\Users\Admin\AppData\Local\Temp\inf.exe"

Network

Country Destination Domain Proto
NL 8.238.24.126:80 tcp
N/A 127.0.0.1:49732 tcp
US 208.83.223.34:80 tcp
NL 20.190.160.8:443 tcp
SE 171.25.193.9:80 tcp
NL 8.238.24.126:80 tcp
NL 8.238.24.126:80 tcp
NL 20.190.160.67:443 tcp
US 8.8.8.8:53 14.110.152.52.in-addr.arpa udp
IE 52.109.76.31:443 tcp
US 8.8.8.8:53 6.9.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.3.0.4.0.0.3.0.1.3.0.6.2.ip6.arpa udp
DE 131.188.40.189:443 tcp
DE 193.23.244.244:443 tcp
HU 185.163.204.206:9001 tcp
DE 51.75.77.248:443 tcp
MD 178.175.134.3:9001 tcp

Files

memory/1456-131-0x0000000002380000-0x0000000002455000-memory.dmp

memory/1456-130-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1456-132-0x0000000000400000-0x0000000000608000-memory.dmp