troldesh | b1f13a9ef3da3c9bd2cfd0fcfd7368b48346a6995a91dd0edca12557773a7763

General

Target

360realpro.exe
Size

1.5MB
MD5

6f4a3bce5a21f15c57b1fb175048a374
SHA1

0c6fbba46356f5ed4a11b593fafd6cb89ee95038
SHA256

b1f13a9ef3da3c9bd2cfd0fcfd7368b48346a6995a91dd0edca12557773a7763
SHA512

4dc04f30ee1a2631a34012aa374367fef8c4f20315169c8cb8cac08cc52cfc186b4346dbba827417d16ea38f860648eade75d035e3631f0f16ba6c3b7e31d719
SSDEEP

24576:j2T38ElepoawixcPMAVoU3hbvJUuxN01qhMx8mx4tVkp:CDGwiy06o0bzrn2x8W4Pg

Score

10^/10

troldesh discovery persistence ransomware trojan upx

Malware Config

Signatures

Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.
ransomware trojan troldesh

UPX packed file 22 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4092-134-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral2/memory/4092-135-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral2/memory/4092-136-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral2/memory/4092-137-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral2/memory/4092-139-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral2/memory/4092-141-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral2/memory/4092-144-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral2/memory/4092-146-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral2/memory/4092-147-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral2/memory/4092-148-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral2/memory/4092-149-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral2/memory/4092-150-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral2/memory/4092-151-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral2/memory/4092-154-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral2/memory/4092-155-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral2/memory/4092-156-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral2/memory/4092-157-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral2/memory/4092-158-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral2/memory/4092-159-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral2/memory/4092-160-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral2/memory/4092-161-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral2/memory/4092-162-0x0000000000400000-0x0000000000608000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	360realpro.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\""	360realpro.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4092	360realpro.exe
4092	360realpro.exe
4092	360realpro.exe
4092	360realpro.exe

C:\Users\Admin\AppData\Local\Temp\360realpro.exe
"C:\Users\Admin\AppData\Local\Temp\360realpro.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
PID:4092

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4092-133-0x00000000022B0000-0x0000000002385000-memory.dmp

Filesize
852KB

Download
memory/4092-134-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/4092-135-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/4092-136-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/4092-137-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/4092-139-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/4092-141-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/4092-144-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/4092-145-0x00000000022B0000-0x0000000002385000-memory.dmp

Filesize
852KB

Download
memory/4092-146-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/4092-147-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/4092-148-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/4092-149-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/4092-150-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/4092-151-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/4092-154-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/4092-155-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/4092-156-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/4092-157-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/4092-158-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/4092-159-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/4092-160-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/4092-161-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/4092-162-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing