Malware Analysis Report

2025-01-02 14:23

Sample ID 220427-c3scnsfhb7
Target inf.inf
SHA256 fd03dd58aa7cb5236f4df8cde3fb07af304c6f402cd48b86eefcecb8e7b86883
Tags
troldesh discovery persistence ransomware spyware stealer trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

fd03dd58aa7cb5236f4df8cde3fb07af304c6f402cd48b86eefcecb8e7b86883

Threat Level: Known bad

The file inf.inf was found to be: Known bad.

Malicious Activity Summary

troldesh discovery persistence ransomware spyware stealer trojan upx

Troldesh, Shade, Encoder.858

UPX packed file

Reads user/profile data of web browsers

Adds Run key to start application

Checks installed software on the system

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of UnmapMainImage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-04-27 02:36

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-04-27 02:36

Reported

2022-04-27 02:39

Platform

win7-20220414-en

Max time kernel

127s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\inf.exe"

Signatures

Troldesh, Shade, Encoder.858

ransomware trojan troldesh

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ C:\Users\Admin\AppData\Local\Temp\inf.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\inf.exe N/A

Checks installed software on the system

discovery

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\inf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\inf.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\inf.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\inf.exe

"C:\Users\Admin\AppData\Local\Temp\inf.exe"

Network

Country Destination Domain Proto
US 93.184.220.29:80 tcp
N/A 127.0.0.1:49165 tcp
US 208.83.223.34:80 tcp
NL 194.109.206.212:443 tcp
JP 76.73.17.194:9090 tcp

Files

memory/1724-54-0x0000000074B51000-0x0000000074B53000-memory.dmp

memory/1724-55-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1724-56-0x00000000002C0000-0x0000000000395000-memory.dmp

memory/1724-57-0x0000000000400000-0x0000000000608000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-04-27 02:36

Reported

2022-04-27 02:39

Platform

win10v2004-20220414-en

Max time kernel

141s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\inf.exe"

Signatures

Troldesh, Shade, Encoder.858

ransomware trojan troldesh

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ C:\Users\Admin\AppData\Local\Temp\inf.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\inf.exe N/A

Checks installed software on the system

discovery

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\inf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\inf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\inf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\inf.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\inf.exe

"C:\Users\Admin\AppData\Local\Temp\inf.exe"

Network

Country Destination Domain Proto
US 8.253.164.248:80 tcp
N/A 127.0.0.1:49714 tcp
US 8.8.8.8:53 storesdk.dsx.mp.microsoft.com udp
FR 2.18.109.224:443 storesdk.dsx.mp.microsoft.com tcp
SE 171.25.193.9:80 tcp
AT 86.59.21.38:443 tcp
US 154.35.32.5:443 tcp
FR 2.18.109.224:443 storesdk.dsx.mp.microsoft.com tcp
NL 51.15.74.130:9001 tcp
FR 62.210.205.228:443 tcp
FR 51.75.143.145:9001 tcp
US 52.168.117.170:443 tcp
N/A 127.0.0.1:47467 tcp
FR 2.18.109.224:443 storesdk.dsx.mp.microsoft.com tcp
FR 2.18.109.224:443 storesdk.dsx.mp.microsoft.com tcp
N/A 127.0.0.1:47467 tcp

Files

memory/3328-130-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3328-131-0x00000000023D0000-0x00000000024A5000-memory.dmp

memory/3328-132-0x0000000000400000-0x0000000000608000-memory.dmp