troldesh | 58c03b92235ba0a4d6f397b6ae17d2971575f09f05ecae397d86111f5c2da337

Analysis

max time kernel
151s
max time network
157s
platform
windows7_x64
resource
win7-20220715-en
resource tags

arch:x64arch:x86image:win7-20220715-enlocale:en-usos:windows7-x64system
submitted
24-07-2022 06:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Scans0111.scr
Size

915KB
MD5

bd9018eef261652777c1f1f60abebdbb
SHA1

d30de4c0dffea752c8fe5bc0d86c4b1eba316c99
SHA256

f056fc666d085aa67366bab1f4571cfdcb05535c129cc811925d72b337204e36
SHA512

e7c1b2f81d59d435f12c123cdf256917fc47764e624e0a4d2b8daf4fd09b47cc427cad0134a6f97bf2dc88c1472990b856fd284d27307661eebb35e255852ebb

Score

10^/10

troldesh discovery persistence ransomware trojan upx

Malware Config

Signatures

Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.
ransomware trojan troldesh

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1668-58-0x0000000000400000-0x0000000000607000-memory.dmp	upx
behavioral1/memory/1668-59-0x0000000000400000-0x0000000000607000-memory.dmp	upx

Loads dropped DLL 1 IoCs

pid	Process
1808	Scans0111.scr

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\""	Scans0111.scr
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	Scans0111.scr

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1808 set thread context of 1668	1808	Scans0111.scr	26

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1668	Scans0111.scr
1668	Scans0111.scr

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1808	Scans0111.scr

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 1808 wrote to memory of 1668	1808	Scans0111.scr	26
PID 1808 wrote to memory of 1668	1808	Scans0111.scr	26
PID 1808 wrote to memory of 1668	1808	Scans0111.scr	26
PID 1808 wrote to memory of 1668	1808	Scans0111.scr	26
PID 1808 wrote to memory of 1668	1808	Scans0111.scr	26

C:\Users\Admin\AppData\Local\Temp\Scans0111.scr
"C:\Users\Admin\AppData\Local\Temp\Scans0111.scr" /S
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1808
- C:\Users\Admin\AppData\Local\Temp\Scans0111.scr
  "C:\Users\Admin\AppData\Local\Temp\Scans0111.scr" /S
  2⤵
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  PID:1668

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsd53DD.tmp\System.dll

Filesize
11KB

MD5
55a26d7800446f1373056064c64c3ce8

SHA1
80256857e9a0a9c8897923b717f3435295a76002

SHA256
904fd5481d72f4e03b01a455f848dedd095d0fb17e33608e0d849f5196fb6ff8

SHA512
04b8ab7a85c26f188c0a06f524488d6f2ac2884bf107c860c82e94ae12c3859f825133d78338fd2b594dfc48f7dc9888ae76fee786c6252a5c77c88755128a5b

Download Submit
memory/1668-58-0x0000000000400000-0x0000000000607000-memory.dmp

Filesize
2.0MB

Download
memory/1668-59-0x0000000000400000-0x0000000000607000-memory.dmp

Filesize
2.0MB

Download
memory/1808-54-0x0000000076281000-0x0000000076283000-memory.dmp

Filesize
8KB

Download