troldesh | 441116d55e97124a067207bf57483dd3462bccfb034e56c4152675b0dcb118e7

Analysis

max time kernel
143s
max time network
127s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
16-03-2024 15:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe
Size

1020KB
MD5

496f86f951e1dbd3c4534d51a5297668
SHA1

1199c5f30f5724841905cbdb9787649d15aae3d5
SHA256

8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621
SHA512

382abc596081ca5d0fdea39b12afe433e446cd50f59e4abca818162d96e46465beb1cda631109083071e7c050af6bfcf867be41d02c1e2ebe5dd99f61f45d510
SSDEEP

24576:es0fVWVbd8fKT0KqTAFFCa/2yDEmdvAkomBbOsn51D:es0fVWVR8fKTeU1imBbl51D

Score

10^/10

troldesh persistence ransomware trojan upx

Malware Config

Signatures

Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.
ransomware trojan troldesh

UPX packed file 19 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral18/memory/2188-6-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral18/memory/2188-8-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral18/memory/2188-9-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral18/memory/2188-14-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral18/memory/2188-15-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral18/memory/2188-16-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral18/memory/2188-17-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral18/memory/2188-18-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral18/memory/2188-19-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral18/memory/2188-20-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral18/memory/2188-21-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral18/memory/2188-24-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral18/memory/2188-25-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral18/memory/2188-26-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral18/memory/2188-27-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral18/memory/2188-28-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral18/memory/2188-29-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral18/memory/2188-30-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral18/memory/2188-31-0x0000000000400000-0x00000000005DE000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\""	8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2188	8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe
2188	8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2188	8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe
Token: SeShutdownPrivilege	2188	8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe
Token: SeShutdownPrivilege	2188	8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe
Token: SeShutdownPrivilege	2188	8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe
Token: SeShutdownPrivilege	2188	8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe
Token: SeShutdownPrivilege	2188	8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe
Token: SeShutdownPrivilege	2188	8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe
Token: SeShutdownPrivilege	2188	8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe
Token: SeShutdownPrivilege	2188	8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe
Token: SeShutdownPrivilege	2188	8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe
Token: SeShutdownPrivilege	2188	8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe
Token: SeShutdownPrivilege	2188	8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe
Token: SeShutdownPrivilege	2188	8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe
Token: SeShutdownPrivilege	2188	8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe
Token: SeShutdownPrivilege	2188	8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe
Token: SeShutdownPrivilege	2188	8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe
Token: SeShutdownPrivilege	2188	8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe
Token: SeShutdownPrivilege	2188	8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe
Token: SeShutdownPrivilege	2188	8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe
Token: SeShutdownPrivilege	2188	8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe
Token: SeShutdownPrivilege	2188	8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe
Token: SeShutdownPrivilege	2188	8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe
Token: SeShutdownPrivilege	2188	8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe
Token: SeShutdownPrivilege	2188	8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe
Token: SeShutdownPrivilege	2188	8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe
Token: SeShutdownPrivilege	2188	8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe
Token: SeShutdownPrivilege	2188	8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe
Token: SeShutdownPrivilege	2188	8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe
Token: SeShutdownPrivilege	2188	8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe
Token: SeShutdownPrivilege	2188	8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe
Token: SeShutdownPrivilege	2188	8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe
Token: SeShutdownPrivilege	2188	8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe
Token: SeShutdownPrivilege	2188	8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe
Token: SeShutdownPrivilege	2188	8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe
Token: SeShutdownPrivilege	2188	8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe
Token: SeShutdownPrivilege	2188	8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe
Token: SeShutdownPrivilege	2188	8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe
Token: SeShutdownPrivilege	2188	8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe
Token: SeShutdownPrivilege	2188	8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe
Token: SeShutdownPrivilege	2188	8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe
Token: SeShutdownPrivilege	2188	8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe
Token: SeShutdownPrivilege	2188	8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe
Token: SeShutdownPrivilege	2188	8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe
Token: SeShutdownPrivilege	2188	8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe
Token: SeShutdownPrivilege	2188	8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe
Token: SeShutdownPrivilege	2188	8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe
Token: SeShutdownPrivilege	2188	8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe
Token: SeShutdownPrivilege	2188	8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe
Token: SeShutdownPrivilege	2188	8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe
Token: SeShutdownPrivilege	2188	8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe
Token: SeShutdownPrivilege	2188	8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe
Token: SeShutdownPrivilege	2188	8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe
Token: SeShutdownPrivilege	2188	8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe
Token: SeShutdownPrivilege	2188	8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe
Token: SeShutdownPrivilege	2188	8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe
Token: SeShutdownPrivilege	2188	8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe
Token: SeShutdownPrivilege	2188	8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe
Token: SeShutdownPrivilege	2188	8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe
Token: SeShutdownPrivilege	2188	8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe
Token: SeShutdownPrivilege	2188	8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe
Token: SeShutdownPrivilege	2188	8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe
Token: SeShutdownPrivilege	2188	8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe
Token: SeShutdownPrivilege	2188	8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe
Token: SeShutdownPrivilege	2188	8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2188	8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2188	8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2188 wrote to memory of 2980	2188	8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe	28
PID 2188 wrote to memory of 2980	2188	8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe	28
PID 2188 wrote to memory of 2980	2188	8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe	28
PID 2188 wrote to memory of 2980	2188	8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe	28

C:\Users\Admin\AppData\Local\Temp\8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe
"C:\Users\Admin\AppData\Local\Temp\8b04af13b729b0634b1a3c83e5758f25aecb708480bf2e3df524e889b305c621.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2188-0-0x0000000002230000-0x0000000002294000-memory.dmp

Filesize
400KB

Download
memory/2188-1-0x0000000000660000-0x0000000000661000-memory.dmp

Filesize
4KB

Download
memory/2188-2-0x0000000000660000-0x0000000000661000-memory.dmp

Filesize
4KB

Download
memory/2188-3-0x0000000000660000-0x0000000000661000-memory.dmp

Filesize
4KB

Download
memory/2188-4-0x0000000000660000-0x0000000000661000-memory.dmp

Filesize
4KB

Download
memory/2188-5-0x0000000002230000-0x0000000002294000-memory.dmp

Filesize
400KB

Download
memory/2188-6-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2188-8-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2188-9-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2188-13-0x0000000000660000-0x0000000000661000-memory.dmp

Filesize
4KB

Download
memory/2188-14-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2188-15-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2188-16-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2188-17-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2188-18-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2188-19-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2188-20-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2188-21-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2188-24-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2188-25-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2188-26-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2188-27-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2188-28-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2188-29-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2188-30-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2188-31-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download