troldesh | b1f13a9ef3da3c9bd2cfd0fcfd7368b48346a6995a91dd0edca12557773a7763

Analysis

max time kernel
151s
max time network
162s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
06/05/2023, 21:19 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

360realpro.exe
Size

1.5MB
MD5

6f4a3bce5a21f15c57b1fb175048a374
SHA1

0c6fbba46356f5ed4a11b593fafd6cb89ee95038
SHA256

b1f13a9ef3da3c9bd2cfd0fcfd7368b48346a6995a91dd0edca12557773a7763
SHA512

4dc04f30ee1a2631a34012aa374367fef8c4f20315169c8cb8cac08cc52cfc186b4346dbba827417d16ea38f860648eade75d035e3631f0f16ba6c3b7e31d719
SSDEEP

24576:j2T38ElepoawixcPMAVoU3hbvJUuxN01qhMx8mx4tVkp:CDGwiy06o0bzrn2x8W4Pg

Score

10^/10

troldesh discovery persistence ransomware trojan upx

Malware Config

Signatures

Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.
ransomware trojan troldesh

UPX packed file 22 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4092-134-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral2/memory/4092-135-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral2/memory/4092-136-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral2/memory/4092-137-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral2/memory/4092-139-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral2/memory/4092-141-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral2/memory/4092-144-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral2/memory/4092-146-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral2/memory/4092-147-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral2/memory/4092-148-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral2/memory/4092-149-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral2/memory/4092-150-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral2/memory/4092-151-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral2/memory/4092-154-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral2/memory/4092-155-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral2/memory/4092-156-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral2/memory/4092-157-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral2/memory/4092-158-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral2/memory/4092-159-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral2/memory/4092-160-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral2/memory/4092-161-0x0000000000400000-0x0000000000608000-memory.dmp	upx
behavioral2/memory/4092-162-0x0000000000400000-0x0000000000608000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	360realpro.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\""	360realpro.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4092	360realpro.exe
4092	360realpro.exe
4092	360realpro.exe
4092	360realpro.exe

C:\Users\Admin\AppData\Local\Temp\360realpro.exe
"C:\Users\Admin\AppData\Local\Temp\360realpro.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
PID:4092

Network

DNS

123.108.74.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

123.108.74.40.in-addr.arpa

IN PTR

Response
DNS

9.193.25.171.in-addr.arpa

Remote address:

8.8.8.8:53

Request

9.193.25.171.in-addr.arpa

IN PTR

Response

9.193.25.171.in-addr.arpa

IN PTR

maatuska4711se
DNS

133.32.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

133.32.126.40.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

97.17.167.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

97.17.167.52.in-addr.arpa

IN PTR

Response
DNS

203.151.224.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

203.151.224.20.in-addr.arpa

IN PTR

Response
DNS

228.249.119.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

228.249.119.40.in-addr.arpa

IN PTR

Response
DNS

189.40.188.131.in-addr.arpa

Remote address:

8.8.8.8:53

Request

189.40.188.131.in-addr.arpa

IN PTR

Response

189.40.188.131.in-addr.arpa

IN PTR

despari informatikuni-erlangende

93.184.221.240:80

260 B
5
127.0.0.1:49750

360realpro.exe
171.25.193.9:80

www.ppsregbzs7bn353.com

tls

360realpro.exe

3.1kB
6.2kB
12
10
13.69.239.73:443

322 B
7
40.125.122.176:443

260 B
5
8.238.178.254:80

322 B
7
8.238.178.254:80

322 B
7
8.238.178.254:80

322 B
7
173.223.113.164:443

322 B
7
173.223.113.131:80

322 B
7
131.253.33.203:80

322 B
7
40.125.122.176:443

260 B
5
93.184.221.240:80

322 B
7
40.125.122.176:443

260 B
5
40.125.122.176:443

260 B
5
40.125.122.176:443

260 B
5
131.188.40.189:443

www.d5o5pzjnzqzr.com

tls

360realpro.exe

3.1kB
5.8kB
12
12
40.125.122.176:443

156 B
3

8.8.8.8:53

123.108.74.40.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

123.108.74.40.in-addr.arpa
8.8.8.8:53

9.193.25.171.in-addr.arpa

dns

71 B
101 B
1
1

DNS Request

9.193.25.171.in-addr.arpa
8.8.8.8:53

133.32.126.40.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

133.32.126.40.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

97.17.167.52.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

97.17.167.52.in-addr.arpa
8.8.8.8:53

203.151.224.20.in-addr.arpa

dns

73 B
159 B
1
1

DNS Request

203.151.224.20.in-addr.arpa
8.8.8.8:53

228.249.119.40.in-addr.arpa

dns

73 B
159 B
1
1

DNS Request

228.249.119.40.in-addr.arpa
8.8.8.8:53

189.40.188.131.in-addr.arpa

dns

73 B
121 B
1
1

DNS Request

189.40.188.131.in-addr.arpa

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4092-133-0x00000000022B0000-0x0000000002385000-memory.dmp

Filesize
852KB

Download
memory/4092-134-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/4092-135-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/4092-136-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/4092-137-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/4092-139-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/4092-141-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/4092-144-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/4092-145-0x00000000022B0000-0x0000000002385000-memory.dmp

Filesize
852KB

Download
memory/4092-146-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/4092-147-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/4092-148-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/4092-149-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/4092-150-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/4092-151-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/4092-154-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/4092-155-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/4092-156-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/4092-157-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/4092-158-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/4092-159-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/4092-160-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/4092-161-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/4092-162-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.