Malware Analysis Report

2025-01-02 14:21

Sample ID 220527-vww2dsabgk
Target 059d1010c046899fa9e02dff0b24d5c511eac92e2ad5e0f3118ab9d6ff16c9c6
SHA256 059d1010c046899fa9e02dff0b24d5c511eac92e2ad5e0f3118ab9d6ff16c9c6
Tags
troldesh persistence ransomware trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

059d1010c046899fa9e02dff0b24d5c511eac92e2ad5e0f3118ab9d6ff16c9c6

Threat Level: Known bad

The file 059d1010c046899fa9e02dff0b24d5c511eac92e2ad5e0f3118ab9d6ff16c9c6 was found to be: Known bad.

Malicious Activity Summary

troldesh persistence ransomware trojan upx

Troldesh, Shade, Encoder.858

UPX packed file

Loads dropped DLL

Adds Run key to start application

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-05-27 17:20

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2022-05-27 17:20

Reported

2022-05-27 17:43

Platform

win10v2004-20220414-en

Max time kernel

150s

Max time network

171s

Command Line

"C:\Users\Admin\AppData\Local\Temp\059d1010c046899fa9e02dff0b24d5c511eac92e2ad5e0f3118ab9d6ff16c9c6.exe"

Signatures

Troldesh, Shade, Encoder.858

ransomware trojan troldesh

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ C:\Users\Admin\AppData\Local\Temp\059d1010c046899fa9e02dff0b24d5c511eac92e2ad5e0f3118ab9d6ff16c9c6.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\059d1010c046899fa9e02dff0b24d5c511eac92e2ad5e0f3118ab9d6ff16c9c6.exe N/A

Enumerates physical storage devices

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\059d1010c046899fa9e02dff0b24d5c511eac92e2ad5e0f3118ab9d6ff16c9c6.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\059d1010c046899fa9e02dff0b24d5c511eac92e2ad5e0f3118ab9d6ff16c9c6.exe

"C:\Users\Admin\AppData\Local\Temp\059d1010c046899fa9e02dff0b24d5c511eac92e2ad5e0f3118ab9d6ff16c9c6.exe"

C:\Users\Admin\AppData\Local\Temp\059d1010c046899fa9e02dff0b24d5c511eac92e2ad5e0f3118ab9d6ff16c9c6.exe

"C:\Users\Admin\AppData\Local\Temp\059d1010c046899fa9e02dff0b24d5c511eac92e2ad5e0f3118ab9d6ff16c9c6.exe"

Network

Country Destination Domain Proto
NL 104.110.191.133:80 tcp
NL 104.110.191.133:80 tcp
US 209.197.3.8:80 tcp
N/A 127.0.0.1:49728 tcp
US 208.83.223.34:80 tcp
US 52.168.112.66:443 tcp
JP 76.73.17.194:9090 tcp
US 93.184.220.29:80 tcp
US 209.197.3.8:80 tcp
US 209.197.3.8:80 tcp
US 209.197.3.8:80 tcp
US 8.8.8.8:53 15.89.54.20.in-addr.arpa udp
NL 2.17.222.14:80 tcp
SE 171.25.193.9:80 tcp
AT 86.59.21.38:443 tcp
DE 46.19.92.188:9001 tcp
DE 135.125.202.252:9001 tcp
DE 46.4.78.148:9001 tcp

Files

C:\Users\Admin\AppData\Local\Temp\nsr985E.tmp\north.dll

MD5 a4dd044bcd94e9b3370ccf095b31f896
SHA1 17c78201323ab2095bc53184aa8267c9187d5173
SHA256 2e226715419a5882e2e14278940ee8ef0aa648a3ef7af5b3dc252674111962bc
SHA512 87335a43b9ca13e1300c7c23e702e87c669e2bcf4f6065f0c684fc53165e9c1f091cc4d79a3eca3910f0518d3b647120ac0be1a68eaade2e75eaa64adfc92c5a

memory/3948-131-0x0000000002940000-0x0000000002A0D000-memory.dmp

memory/4052-132-0x0000000000000000-mapping.dmp

memory/3948-133-0x0000000002940000-0x0000000002A0D000-memory.dmp

memory/4052-134-0x0000000000400000-0x00000000005DE000-memory.dmp

memory/4052-135-0x0000000000400000-0x00000000005DE000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2022-05-27 17:20

Reported

2022-05-27 17:43

Platform

win7-20220414-en

Max time kernel

116s

Max time network

170s

Command Line

"C:\Users\Admin\AppData\Local\Temp\059d1010c046899fa9e02dff0b24d5c511eac92e2ad5e0f3118ab9d6ff16c9c6.exe"

Signatures

Troldesh, Shade, Encoder.858

ransomware trojan troldesh

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ C:\Users\Admin\AppData\Local\Temp\059d1010c046899fa9e02dff0b24d5c511eac92e2ad5e0f3118ab9d6ff16c9c6.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\059d1010c046899fa9e02dff0b24d5c511eac92e2ad5e0f3118ab9d6ff16c9c6.exe N/A

Enumerates physical storage devices

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\059d1010c046899fa9e02dff0b24d5c511eac92e2ad5e0f3118ab9d6ff16c9c6.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\059d1010c046899fa9e02dff0b24d5c511eac92e2ad5e0f3118ab9d6ff16c9c6.exe

"C:\Users\Admin\AppData\Local\Temp\059d1010c046899fa9e02dff0b24d5c511eac92e2ad5e0f3118ab9d6ff16c9c6.exe"

C:\Users\Admin\AppData\Local\Temp\059d1010c046899fa9e02dff0b24d5c511eac92e2ad5e0f3118ab9d6ff16c9c6.exe

"C:\Users\Admin\AppData\Local\Temp\059d1010c046899fa9e02dff0b24d5c511eac92e2ad5e0f3118ab9d6ff16c9c6.exe"

Network

Country Destination Domain Proto
N/A 127.0.0.1:49167 tcp
NL 194.109.206.212:443 tcp
AT 86.59.21.38:443 tcp
US 208.83.223.34:80 tcp
US 154.35.32.5:443 tcp
DE 51.75.77.248:443 tcp
DE 148.251.90.48:9001 tcp
DE 85.235.66.146:993 tcp
N/A 127.0.0.1:16610 tcp

Files

memory/1120-54-0x00000000753B1000-0x00000000753B3000-memory.dmp

\Users\Admin\AppData\Local\Temp\nsy5765.tmp\north.dll

MD5 a4dd044bcd94e9b3370ccf095b31f896
SHA1 17c78201323ab2095bc53184aa8267c9187d5173
SHA256 2e226715419a5882e2e14278940ee8ef0aa648a3ef7af5b3dc252674111962bc
SHA512 87335a43b9ca13e1300c7c23e702e87c669e2bcf4f6065f0c684fc53165e9c1f091cc4d79a3eca3910f0518d3b647120ac0be1a68eaade2e75eaa64adfc92c5a

memory/1120-56-0x0000000002340000-0x0000000002F8A000-memory.dmp

memory/1484-57-0x00000000005DBD40-mapping.dmp

memory/1484-59-0x0000000000400000-0x00000000005DE000-memory.dmp

memory/1484-60-0x0000000000400000-0x00000000005DE000-memory.dmp