Malware Analysis Report

2025-01-02 14:20

Sample ID 220525-1114sseac6
Target msg.jpg
SHA256 4d00ce6c7237134b00cde4b24f1c6dfaffb031cf84845a8bae2a5e5ece8f5434
Tags
troldesh discovery persistence ransomware spyware stealer trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4d00ce6c7237134b00cde4b24f1c6dfaffb031cf84845a8bae2a5e5ece8f5434

Threat Level: Known bad

The file msg.jpg was found to be: Known bad.

Malicious Activity Summary

troldesh discovery persistence ransomware spyware stealer trojan upx

Troldesh, Shade, Encoder.858

UPX packed file

Reads user/profile data of web browsers

Adds Run key to start application

Checks installed software on the system

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of UnmapMainImage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-05-25 22:07

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-05-25 22:07

Reported

2022-05-25 22:10

Platform

win7-20220414-en

Max time kernel

138s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\msg.exe"

Signatures

Troldesh, Shade, Encoder.858

ransomware trojan troldesh

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ C:\Users\Admin\AppData\Local\Temp\msg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\msg.exe N/A

Checks installed software on the system

discovery

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\msg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\msg.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\msg.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\msg.exe

"C:\Users\Admin\AppData\Local\Temp\msg.exe"

Network

Country Destination Domain Proto
N/A 127.0.0.1:49164 tcp
US 208.83.223.34:80 tcp
US 154.35.32.5:443 tcp
DE 193.23.244.244:443 tcp
AT 86.59.21.38:443 tcp
US 144.172.73.50:443 tcp
FR 5.39.69.166:9001 tcp
GB 188.127.69.60:443 tcp
N/A 127.0.0.1:58056 tcp

Files

memory/1984-54-0x00000000752D1000-0x00000000752D3000-memory.dmp

memory/1984-55-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1984-56-0x0000000000220000-0x00000000002F5000-memory.dmp

memory/1984-57-0x0000000000400000-0x0000000000608000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-05-25 22:07

Reported

2022-05-25 22:10

Platform

win10v2004-20220414-en

Max time kernel

153s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\msg.exe"

Signatures

Troldesh, Shade, Encoder.858

ransomware trojan troldesh

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ C:\Users\Admin\AppData\Local\Temp\msg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\msg.exe N/A

Checks installed software on the system

discovery

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\msg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\msg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\msg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\msg.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\msg.exe

"C:\Users\Admin\AppData\Local\Temp\msg.exe"

Network

Country Destination Domain Proto
N/A 127.0.0.1:49745 tcp
DE 193.23.244.244:443 tcp
US 52.182.141.63:443 tcp
US 209.197.3.8:80 tcp
US 209.197.3.8:80 tcp
US 209.197.3.8:80 tcp
JP 76.73.17.194:9090 tcp
SE 171.25.193.9:80 tcp
US 128.31.0.39:9101 tcp
DE 132.252.186.185:443 tcp
DE 185.216.179.206:443 tcp
DE 80.151.72.223:8001 tcp

Files

memory/3960-130-0x0000000002240000-0x0000000002315000-memory.dmp

memory/3960-131-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3960-132-0x0000000000400000-0x0000000000608000-memory.dmp