Analysis Overview
SHA256
059d1010c046899fa9e02dff0b24d5c511eac92e2ad5e0f3118ab9d6ff16c9c6
Threat Level: Known bad
The file 059d1010c046899fa9e02dff0b24d5c511eac92e2ad5e0f3118ab9d6ff16c9c6 was found to be: Known bad.
Malicious Activity Summary
Troldesh, Shade, Encoder.858
UPX packed file
Loads dropped DLL
Adds Run key to start application
Suspicious use of SetThreadContext
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-05-27 17:20
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2022-05-27 17:20
Reported
2022-05-27 17:43
Platform
win10v2004-20220414-en
Max time kernel
150s
Max time network
171s
Command Line
Signatures
Troldesh, Shade, Encoder.858
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\059d1010c046899fa9e02dff0b24d5c511eac92e2ad5e0f3118ab9d6ff16c9c6.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ | C:\Users\Admin\AppData\Local\Temp\059d1010c046899fa9e02dff0b24d5c511eac92e2ad5e0f3118ab9d6ff16c9c6.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\059d1010c046899fa9e02dff0b24d5c511eac92e2ad5e0f3118ab9d6ff16c9c6.exe | N/A |
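The Run value above is the persistence both detonations share: a value named "Client Server Runtime Subsystem" that launches C:\ProgramData\Windows\csrss.exe. The name is borrowed from the real Client Server Runtime Subsystem binary (csrss.exe), which lives in C:\Windows\System32, is started by the session manager, and is never launched from a Run key. The Python below is an added example, not part of this report or of any sandbox tooling: it parses a "Set value (str)" indicator in the report's own format and returns the reasons the entry looks like masqueraded persistence. The sets of protected system binaries and lookalike names, and the benign OneDrive control entry, are constructed assumptions.

```python
"""Score HKCU ...\\CurrentVersion\\Run entries for masqueraded persistence.

Added example modelled on the report's 'Set value (str)' indicator. The
SYSTEM_BINARIES / LOOKALIKE_NAMES sets and the benign control entry are
constructed assumptions, not data from the report.
"""
from __future__ import annotations
import re
from pathlib import PureWindowsPath

# Assumption: well-known Windows system processes. None of them is ever
# started through a Run key, and all of them live under C:\Windows.
SYSTEM_BINARIES = {"csrss.exe", "smss.exe", "wininit.exe", "winlogon.exe",
                   "services.exe", "lsass.exe", "svchost.exe"}
# Assumption: friendly names of Windows components that malware borrows
# as Run value names; the report's value name is the first of them.
LOOKALIKE_NAMES = {"client server runtime subsystem": "csrss.exe"}
WINDOWS_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
USER_WRITABLE_PREFIXES = (r"c:\programdata", r"c:\users\public")
USER_WRITABLE_FRAGMENTS = (r"\appdata\local\temp", r"\appdata\roaming")

# The report's own indicator line for this detonation.
REPORT_INDICATOR = (
    r"\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE"
    r"\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem"
    r' = "\"C:\\ProgramData\\Windows\\csrss.exe\""'
)

RUN_VALUE_RE = re.compile(r'\\CurrentVersion\\Run\\(?P<name>[^=]+?)\s*=\s*"(?P<data>.*)"$')


def parse_run_indicator(indicator: str):
    """Return (value name, command line) from a 'Set value (str)' indicator,
    or None if the line is not a Run value. The report backslash-escapes
    quotes and backslashes inside the data; one left-to-right pass undoes it."""
    m = RUN_VALUE_RE.search(indicator)
    if m is None:
        return None
    command = re.sub(r"\\(.)", r"\1", m["data"])
    return m["name"].strip(), command


def executable_of(command: str) -> PureWindowsPath:
    """Extract the program path from a Run command line (quoted or bare)."""
    command = command.strip()
    if command.startswith('"'):
        return PureWindowsPath(command[1:command.index('"', 1)])
    return PureWindowsPath(command.split(" ", 1)[0])


def assess_run_entry(name: str, command: str) -> list[str]:
    """Return the reasons a Run entry looks like masqueraded persistence
    (an empty list means nothing suspicious was found)."""
    exe = executable_of(command)
    base, parent = exe.name.lower(), str(exe.parent).lower()
    reasons = []
    if base in SYSTEM_BINARIES:
        reasons.append(f"{exe.name} is a system process that is never autostarted via Run")
        if not parent.startswith(WINDOWS_DIRS):
            reasons.append(f"{exe.name} runs from {exe.parent}, not the Windows directory")
    if parent.startswith(USER_WRITABLE_PREFIXES) or any(f in parent for f in USER_WRITABLE_FRAGMENTS):
        reasons.append("autostart from a user-writable data directory")
    lookalike = LOOKALIKE_NAMES.get(name.lower())
    if lookalike:
        reasons.append(f"value name borrows the friendly name of {lookalike}")
    return reasons


def assess_indicator(indicator: str) -> list[str]:
    """Parse and score one report indicator; unparsable lines score nothing."""
    parsed = parse_run_indicator(indicator)
    return assess_run_entry(*parsed) if parsed else []


if __name__ == "__main__":
    for reason in assess_indicator(REPORT_INDICATOR):
        print("-", reason)
    # Constructed benign control: a per-user OneDrive autostart scores zero.
    print("benign:", assess_run_entry(
        "OneDrive", r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'))
```

The scoring is deliberately additive: a system-binary name outside the Windows directory is already decisive, and the ProgramData location and borrowed value name are independent confirmations, so a single reason is enough to escalate while the benign control stays at zero.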
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3948 set thread context of 4052 | N/A | C:\Users\Admin\AppData\Local\Temp\059d1010c046899fa9e02dff0b24d5c511eac92e2ad5e0f3118ab9d6ff16c9c6.exe | C:\Users\Admin\AppData\Local\Temp\059d1010c046899fa9e02dff0b24d5c511eac92e2ad5e0f3118ab9d6ff16c9c6.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\059d1010c046899fa9e02dff0b24d5c511eac92e2ad5e0f3118ab9d6ff16c9c6.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\059d1010c046899fa9e02dff0b24d5c511eac92e2ad5e0f3118ab9d6ff16c9c6.exe
"C:\Users\Admin\AppData\Local\Temp\059d1010c046899fa9e02dff0b24d5c511eac92e2ad5e0f3118ab9d6ff16c9c6.exe"
C:\Users\Admin\AppData\Local\Temp\059d1010c046899fa9e02dff0b24d5c511eac92e2ad5e0f3118ab9d6ff16c9c6.exe
"C:\Users\Admin\AppData\Local\Temp\059d1010c046899fa9e02dff0b24d5c511eac92e2ad5e0f3118ab9d6ff16c9c6.exe"
Network
| Country | Destination | Domain | Proto |
| NL | 104.110.191.133:80 | N/A | tcp |
| NL | 104.110.191.133:80 | N/A | tcp |
| US | 209.197.3.8:80 | N/A | tcp |
| N/A | 127.0.0.1:49728 | N/A | tcp |
| US | 208.83.223.34:80 | N/A | tcp |
| US | 52.168.112.66:443 | N/A | tcp |
| JP | 76.73.17.194:9090 | N/A | tcp |
| US | 93.184.220.29:80 | N/A | tcp |
| US | 209.197.3.8:80 | N/A | tcp |
| US | 209.197.3.8:80 | N/A | tcp |
| US | 209.197.3.8:80 | N/A | tcp |
| US | 8.8.8.8:53 | 15.89.54.20.in-addr.arpa | udp |
| NL | 2.17.222.14:80 | N/A | tcp |
| SE | 171.25.193.9:80 | N/A | tcp |
| AT | 86.59.21.38:443 | N/A | tcp |
| DE | 46.19.92.188:9001 | N/A | tcp |
| DE | 135.125.202.252:9001 | N/A | tcp |
| DE | 46.4.78.148:9001 | N/A | tcp |
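Several destinations in this table are not ordinary web traffic. Port 9001 is Tor's default ORPort, and 86.59.21.38 (tor26), 171.25.193.9 (maatuska), 208.83.223.34 (urras) and 76.73.17.194 (turtles) are Tor directory authorities, the latter two retired years before this detonation, which suggests a client with an old, hard-coded authority list that builds its own Tor circuits instead of resolving a C2 hostname (the only DNS query recorded is a PTR lookup). The win7 run below shows the same pattern with dizum (194.109.206.212) and Faravahar (154.35.32.5). The Python below is an added example, not part of the report: it classifies the rows of this table with that heuristic. The authority snapshot is assembled from the Tor project's published authority lists (auth_dirs.inc in the tor source) and must be checked against a current copy before operational use; port 80/443 destinations are left as "web" for comparison with a clean-VM baseline rather than attributed to the sample.

```python
"""Classify sandbox network rows with a Tor heuristic.

Added example. ROWS copies this detonation's network table; the authority
snapshot is assembled from published Tor authority lists and must be
verified against a current auth_dirs.inc before relying on it.
"""
from collections import Counter

# Assumption: snapshot of Tor directory authorities (current and retired),
# keyed by IP. The names are for the analyst's benefit only.
TOR_DIR_AUTHORITIES = {
    "86.59.21.38": "tor26", "171.25.193.9": "maatuska",
    "194.109.206.212": "dizum (earlier address)", "45.66.33.45": "dizum",
    "154.35.32.5": "Faravahar (earlier address)", "154.35.175.225": "Faravahar",
    "208.83.223.34": "urras (retired)", "76.73.17.194": "turtles (retired)",
    "128.31.0.39": "moria1", "131.188.40.189": "gabelmoo",
    "193.23.244.244": "dannenberg", "199.58.81.140": "longclaw",
    "204.13.164.118": "bastet",
}
TOR_DEFAULT_PORTS = {9001: "ORPort", 9030: "DirPort"}

# Rows of the behavioral2 network table: (country, destination, domain, proto).
ROWS = [
    ("NL", "104.110.191.133:80", None, "tcp"), ("NL", "104.110.191.133:80", None, "tcp"),
    ("US", "209.197.3.8:80", None, "tcp"), (None, "127.0.0.1:49728", None, "tcp"),
    ("US", "208.83.223.34:80", None, "tcp"), ("US", "52.168.112.66:443", None, "tcp"),
    ("JP", "76.73.17.194:9090", None, "tcp"), ("US", "93.184.220.29:80", None, "tcp"),
    ("US", "209.197.3.8:80", None, "tcp"), ("US", "209.197.3.8:80", None, "tcp"),
    ("US", "209.197.3.8:80", None, "tcp"),
    ("US", "8.8.8.8:53", "15.89.54.20.in-addr.arpa", "udp"),
    ("NL", "2.17.222.14:80", None, "tcp"), ("SE", "171.25.193.9:80", None, "tcp"),
    ("AT", "86.59.21.38:443", None, "tcp"), ("DE", "46.19.92.188:9001", None, "tcp"),
    ("DE", "135.125.202.252:9001", None, "tcp"), ("DE", "46.4.78.148:9001", None, "tcp"),
]


def split_destination(dest: str):
    """'1.2.3.4:443' -> ('1.2.3.4', 443)."""
    ip, _, port = dest.rpartition(":")
    return ip, int(port)


def classify(row):
    """Return (category, detail) for one row. Authority hits are checked
    before ports because authorities listen on 80/443 as well."""
    _, dest, domain, proto = row
    ip, port = split_destination(dest)
    if ip in TOR_DIR_AUTHORITIES:
        return "tor-dirauth", f"{TOR_DIR_AUTHORITIES[ip]} on port {port}"
    if port in TOR_DEFAULT_PORTS:
        return "tor-orport", f"default Tor {TOR_DEFAULT_PORTS[port]}"
    if ip.startswith("127."):
        return "loopback", "local listener; correlate with the process tree"
    if proto == "udp" and port == 53:
        return "dns", domain or "(no name recorded)"
    if port in (80, 443):
        return "web", "compare against a clean-VM baseline before attributing"
    return "other", f"unclassified port {port}"


def summarize(rows) -> dict:
    """Category -> row count."""
    return dict(Counter(classify(r)[0] for r in rows))


def tor_destinations(rows) -> list:
    """Distinct destinations whose classification is Tor-related."""
    return sorted({r[1] for r in rows if classify(r)[0].startswith("tor-")})


if __name__ == "__main__":
    print(summarize(ROWS))
    for dest in tor_destinations(ROWS):
        print(dest, "->", classify((None, dest, None, "tcp"))[1])
```

Relays on non-default ORPorts (the win7 run's 85.235.66.146:993, for instance) will land in "web" or "other"; the point of the heuristic is that a handful of authority and 9001 hits is enough to name the transport, after which the consensus fetch and relay traffic can be confirmed from a packet capture.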
Files
C:\Users\Admin\AppData\Local\Temp\nsr985E.tmp\north.dll
| MD5 | a4dd044bcd94e9b3370ccf095b31f896 |
| SHA1 | 17c78201323ab2095bc53184aa8267c9187d5173 |
| SHA256 | 2e226715419a5882e2e14278940ee8ef0aa648a3ef7af5b3dc252674111962bc |
| SHA512 | 87335a43b9ca13e1300c7c23e702e87c669e2bcf4f6065f0c684fc53165e9c1f091cc4d79a3eca3910f0518d3b647120ac0be1a68eaade2e75eaa64adfc92c5a |
memory/3948-131-0x0000000002940000-0x0000000002A0D000-memory.dmp
memory/4052-132-0x0000000000000000-mapping.dmp
memory/3948-133-0x0000000002940000-0x0000000002A0D000-memory.dmp
memory/4052-134-0x0000000000400000-0x00000000005DE000-memory.dmp
memory/4052-135-0x0000000000400000-0x00000000005DE000-memory.dmp
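The SetThreadContext indicator (PID 3948 set thread context of 4052), the WriteProcessMemory signature, the second copy of the sample in the process list, and the two dumps of 4052 covering 0x400000-0x5DE000 describe one sequence: the sample starts a second instance of itself and overwrites that instance's image with the unpacked payload before letting it run (process hollowing). The Python below is an added example and not part of the report: it reconstructs each process's dumped regions from the report's dump file names and correlates a constructed API event stream for the self-spawn, remote write and thread-context change. The event stream is constructed to match the report's PIDs and image path; the write address and size and the cmd.exe distractor are assumptions, since the sandbox records none of those values.

```python
"""Correlate self-spawn + WriteProcessMemory + SetThreadContext into a
process-hollowing finding.

Added example. DUMP_FILES copies the report's Files section; EVENTS is a
constructed API trace using the report's PIDs and image path with assumed
write details.
"""
import re
from collections import defaultdict

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\059d1010c046899fa9e02dff0b24d5c511eac92e2ad5e0f3118ab9d6ff16c9c6.exe")

# Dump file names exactly as listed in the report.
DUMP_FILES = [
    "memory/3948-131-0x0000000002940000-0x0000000002A0D000-memory.dmp",
    "memory/4052-132-0x0000000000000000-mapping.dmp",
    "memory/3948-133-0x0000000002940000-0x0000000002A0D000-memory.dmp",
    "memory/4052-134-0x0000000000400000-0x00000000005DE000-memory.dmp",
    "memory/4052-135-0x0000000000400000-0x00000000005DE000-memory.dmp",
]

# Constructed API trace. PIDs and image path are the report's; the write
# address/size and the cmd.exe child are assumptions for illustration.
EVENTS = [
    {"op": "CreateProcess", "pid": 3948, "target": 4052,
     "image": SAMPLE, "target_image": SAMPLE},
    {"op": "WriteProcessMemory", "pid": 3948, "target": 4052,
     "addr": 0x400000, "size": 0x1DE000},
    {"op": "SetThreadContext", "pid": 3948, "target": 4052},
    {"op": "CreateProcess", "pid": 3948, "target": 5120,
     "image": SAMPLE, "target_image": r"C:\Windows\System32\cmd.exe"},
]

DUMP_RE = re.compile(r"memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")


def dumped_regions(names) -> dict:
    """pid -> sorted unique (start, end) regions the sandbox dumped from it.
    'mapping.dmp' entries carry no address range and are skipped."""
    regions = defaultdict(set)
    for name in names:
        m = DUMP_RE.fullmatch(name)
        if m:
            regions[int(m[1])].add((int(m[2], 16), int(m[3], 16)))
    return {pid: sorted(r) for pid, r in regions.items()}


def find_hollowing(events, regions) -> list:
    """Return one finding per child that its parent both wrote into and
    redirected with SetThreadContext; plain children are ignored."""
    children = {}                 # child pid -> (parent pid, same image?)
    writes = defaultdict(list)    # (parent, child) -> [(addr, size)]
    context_set = set()           # (parent, child) pairs with SetThreadContext
    for e in events:
        pair = (e["pid"], e["target"])
        if e["op"] == "CreateProcess":
            children[e["target"]] = (e["pid"], e["image"] == e["target_image"])
        elif e["op"] == "WriteProcessMemory":
            writes[pair].append((e["addr"], e["size"]))
        elif e["op"] == "SetThreadContext":
            context_set.add(pair)

    findings = []
    for child, (parent, same_image) in children.items():
        pair = (parent, child)
        if pair not in context_set or pair not in writes:
            continue
        # A write landing in a region later dumped from the child (here
        # 0x400000-0x5DE000, the PE image range) means the parent replaced
        # the child's image rather than patching a small stub.
        in_image = any(start <= addr < end
                       for addr, _ in writes[pair]
                       for start, end in regions.get(child, []))
        findings.append({
            "parent": parent, "child": child, "same_image": same_image,
            "write_in_dumped_region": in_image,
            "bytes_written": sum(size for _, size in writes[pair]),
            "verdict": ("probable process hollowing" if same_image and in_image
                        else "remote thread context change"),
        })
    return findings


if __name__ == "__main__":
    for f in find_hollowing(EVENTS, dumped_regions(DUMP_FILES)):
        print(f)
```

The same-image check is what separates hollowing from ordinary remote injection: a parent that spawns a suspended copy of itself has a throwaway process whose image it is free to replace, and the dumped 0x400000-0x5DE000 range from PID 4052 is the artifact to unpack and hash separately from the UPX-packed dropper.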
Analysis: behavioral1
Detonation Overview
Submitted
2022-05-27 17:20
Reported
2022-05-27 17:43
Platform
win7-20220414-en
Max time kernel
116s
Max time network
170s
Command Line
Signatures
Troldesh, Shade, Encoder.858
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\059d1010c046899fa9e02dff0b24d5c511eac92e2ad5e0f3118ab9d6ff16c9c6.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ | C:\Users\Admin\AppData\Local\Temp\059d1010c046899fa9e02dff0b24d5c511eac92e2ad5e0f3118ab9d6ff16c9c6.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\059d1010c046899fa9e02dff0b24d5c511eac92e2ad5e0f3118ab9d6ff16c9c6.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1120 set thread context of 1484 | N/A | C:\Users\Admin\AppData\Local\Temp\059d1010c046899fa9e02dff0b24d5c511eac92e2ad5e0f3118ab9d6ff16c9c6.exe | C:\Users\Admin\AppData\Local\Temp\059d1010c046899fa9e02dff0b24d5c511eac92e2ad5e0f3118ab9d6ff16c9c6.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\059d1010c046899fa9e02dff0b24d5c511eac92e2ad5e0f3118ab9d6ff16c9c6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\059d1010c046899fa9e02dff0b24d5c511eac92e2ad5e0f3118ab9d6ff16c9c6.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\059d1010c046899fa9e02dff0b24d5c511eac92e2ad5e0f3118ab9d6ff16c9c6.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\059d1010c046899fa9e02dff0b24d5c511eac92e2ad5e0f3118ab9d6ff16c9c6.exe
"C:\Users\Admin\AppData\Local\Temp\059d1010c046899fa9e02dff0b24d5c511eac92e2ad5e0f3118ab9d6ff16c9c6.exe"
C:\Users\Admin\AppData\Local\Temp\059d1010c046899fa9e02dff0b24d5c511eac92e2ad5e0f3118ab9d6ff16c9c6.exe
"C:\Users\Admin\AppData\Local\Temp\059d1010c046899fa9e02dff0b24d5c511eac92e2ad5e0f3118ab9d6ff16c9c6.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 127.0.0.1:49167 | N/A | tcp |
| NL | 194.109.206.212:443 | N/A | tcp |
| AT | 86.59.21.38:443 | N/A | tcp |
| US | 208.83.223.34:80 | N/A | tcp |
| US | 154.35.32.5:443 | N/A | tcp |
| DE | 51.75.77.248:443 | N/A | tcp |
| DE | 148.251.90.48:9001 | N/A | tcp |
| DE | 85.235.66.146:993 | N/A | tcp |
| N/A | 127.0.0.1:16610 | N/A | tcp |
Files
memory/1120-54-0x00000000753B1000-0x00000000753B3000-memory.dmp
\Users\Admin\AppData\Local\Temp\nsy5765.tmp\north.dll
| MD5 | a4dd044bcd94e9b3370ccf095b31f896 |
| SHA1 | 17c78201323ab2095bc53184aa8267c9187d5173 |
| SHA256 | 2e226715419a5882e2e14278940ee8ef0aa648a3ef7af5b3dc252674111962bc |
| SHA512 | 87335a43b9ca13e1300c7c23e702e87c669e2bcf4f6065f0c684fc53165e9c1f091cc4d79a3eca3910f0518d3b647120ac0be1a68eaade2e75eaa64adfc92c5a |
memory/1120-56-0x0000000002340000-0x0000000002F8A000-memory.dmp
memory/1484-57-0x00000000005DBD40-mapping.dmp
memory/1484-59-0x0000000000400000-0x00000000005DE000-memory.dmp
memory/1484-60-0x0000000000400000-0x00000000005DE000-memory.dmp