troldesh | 3c0fe521f6a9cfbfabc1f27a1a64dfc081a63aaaf2a6ce8cd831f6251ee85816

Resubmissions

18/03/2024, 13:43

240318-q1nhlaag4w 10

Analysis

max time kernel
292s
max time network
193s
platform
windows10-1703_x64
resource
win10-20240319-en
resource tags

arch:x64arch:x86image:win10-20240319-enlocale:en-usos:windows10-1703-x64system
submitted
14/04/2024, 10:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3c0fe521f6a9cfbfabc1f27a1a64dfc081a63aaaf2a6ce8cd831f6251ee85816.exe
Size

947KB
MD5

39217b125403ff7c755622ef9bbef974
SHA1

9fc607b7c17919c83999bdd119e9cd6bf413101a
SHA256

3c0fe521f6a9cfbfabc1f27a1a64dfc081a63aaaf2a6ce8cd831f6251ee85816
SHA512

1252ea94931eaf4426ca1eb94a070645238775c447a09286109fe894c569de29ca502882a0fa34e97e09109c43c486a3aa32081e3a3afef0b6557db59c71fc50
SSDEEP

12288:3+Zn/gJtKaNIBpB+iMMOD30ZnZ47m0T3JF9j3GOF0l7B2FzqL2aZa7rf58bs:3+RYeaNILZi/JDLG60y1aZvs

Score

10^/10

troldesh persistence ransomware trojan upx

Malware Config

Signatures

Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.
ransomware trojan troldesh

UPX packed file 32 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1144-5835-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral2/memory/1144-5845-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral2/memory/1144-5856-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral2/memory/1144-5857-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral2/memory/1144-5870-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral2/memory/1144-5871-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral2/memory/1144-5880-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral2/memory/1144-5881-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral2/memory/1144-5882-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral2/memory/1144-5885-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral2/memory/1144-5886-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral2/memory/1144-5887-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral2/memory/1144-5888-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral2/memory/1144-5889-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral2/memory/1144-5890-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral2/memory/1144-5891-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral2/memory/1144-5892-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral2/memory/1144-5893-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral2/memory/1144-5894-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral2/memory/1144-5895-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral2/memory/1144-5896-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral2/memory/1144-5897-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral2/memory/1144-5898-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral2/memory/1144-5899-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral2/memory/1144-5900-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral2/memory/1144-5901-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral2/memory/1144-5902-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral2/memory/1144-5903-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral2/memory/1144-5904-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral2/memory/1144-5905-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral2/memory/1144-5906-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral2/memory/1144-5907-0x0000000000400000-0x00000000005DE000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3971934951-2222591486-1444465656-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\""	3c0fe521f6a9cfbfabc1f27a1a64dfc081a63aaaf2a6ce8cd831f6251ee85816.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	3c0fe521f6a9cfbfabc1f27a1a64dfc081a63aaaf2a6ce8cd831f6251ee85816.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 5 IoCs

pid	pid_target	Process	procid_target
4532	1144	WerFault.exe	71
7416	1144	WerFault.exe	71
6384	1144	WerFault.exe	71
6192	1144	WerFault.exe	71
5568	1144	WerFault.exe	71

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1144	3c0fe521f6a9cfbfabc1f27a1a64dfc081a63aaaf2a6ce8cd831f6251ee85816.exe
1144	3c0fe521f6a9cfbfabc1f27a1a64dfc081a63aaaf2a6ce8cd831f6251ee85816.exe
1144	3c0fe521f6a9cfbfabc1f27a1a64dfc081a63aaaf2a6ce8cd831f6251ee85816.exe
1144	3c0fe521f6a9cfbfabc1f27a1a64dfc081a63aaaf2a6ce8cd831f6251ee85816.exe
1144	3c0fe521f6a9cfbfabc1f27a1a64dfc081a63aaaf2a6ce8cd831f6251ee85816.exe
1144	3c0fe521f6a9cfbfabc1f27a1a64dfc081a63aaaf2a6ce8cd831f6251ee85816.exe

C:\Users\Admin\AppData\Local\Temp\3c0fe521f6a9cfbfabc1f27a1a64dfc081a63aaaf2a6ce8cd831f6251ee85816.exe
"C:\Users\Admin\AppData\Local\Temp\3c0fe521f6a9cfbfabc1f27a1a64dfc081a63aaaf2a6ce8cd831f6251ee85816.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1144
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1144 -s 960
  2⤵
  - Program crash
  PID:4532
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1144 -s 1148
  2⤵
  - Program crash
  PID:7416
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1144 -s 1180
  2⤵
  - Program crash
  PID:6384
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1144 -s 1260
  2⤵
  - Program crash
  PID:6192
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1144 -s 1080
  2⤵
  - Program crash
  PID:5568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\catroot2\dberr.txt

Filesize
13KB

MD5
a247355f39acbb4cd7d37443a3883e85

SHA1
02a596c47aaa9e98893bfc817be7d5bddda43ab2

SHA256
b23c21a837882eef0c556e3982c80ebd80eb59ca947a0b669aae0959ea50fcc6

SHA512
f8d23d5564f806119d513b7d540ce90a359c32a8803f3a14358ded979a9f2efa8cb6676ca8a5b82bca0586960163d86eeb01717a10f059012f4844378eb21385

Download Submit
C:\Windows\System32\catroot2\dberr.txt

Filesize
20KB

MD5
9e914363190e1ff413d0a1cb7d0f97d2

SHA1
8fe5e34ebe5efc825e195629cf7fc4e6295617e4

SHA256
61e0218c8b78194b9a26d9dffb7552f17e396f6ddb6679e573c3176d667935ba

SHA512
fddb5521e2e250b739ac752198363c1071f627d87903faa16a9c90b2f36ed237fec8a9f2a0f084278e86e1deb538a3662fff0bd2ba3ace9e5e8b6e67cc65c65c

Download Submit
C:\Windows\System32\catroot2\dberr.txt

Filesize
109KB

MD5
2bda040baa9996ab51081621f4210a29

SHA1
65e5ba5c5be8b70912a867c487e725e27c6c8754

SHA256
032f7923895797c08fa1348ed7c519a521455f7704a518476c24785ab1e58793

SHA512
4c3d93ec92152cb7ec7083accb0d7ed87a3a66b580408304fd8dc8a7edef3761d94259bada2afa28f2ebc88c1a76f62f853265427031739095010c7f44c66114

Download Submit
memory/1144-0-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1144-5829-0x0000000002630000-0x0000000002740000-memory.dmp

Filesize
1.1MB

Download
memory/1144-5830-0x0000000002630000-0x0000000002740000-memory.dmp

Filesize
1.1MB

Download
memory/1144-5831-0x0000000002630000-0x0000000002740000-memory.dmp

Filesize
1.1MB

Download
memory/1144-5832-0x0000000002EC0000-0x0000000002F8F000-memory.dmp

Filesize
828KB

Download
memory/1144-5834-0x0000000002EC0000-0x0000000002F8F000-memory.dmp

Filesize
828KB

Download
memory/1144-5836-0x0000000002EC0000-0x0000000002F8F000-memory.dmp

Filesize
828KB

Download
memory/1144-5835-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1144-5833-0x0000000002EC0000-0x0000000002F8F000-memory.dmp

Filesize
828KB

Download
memory/1144-5838-0x0000000002EC0000-0x0000000002F8F000-memory.dmp

Filesize
828KB

Download
memory/1144-5839-0x0000000002EC0000-0x0000000002F8F000-memory.dmp

Filesize
828KB

Download
memory/1144-5840-0x0000000002EC0000-0x0000000002F8F000-memory.dmp

Filesize
828KB

Download
memory/1144-5842-0x0000000002F90000-0x0000000002F91000-memory.dmp

Filesize
4KB

Download
memory/1144-5843-0x0000000002EC0000-0x0000000002F8F000-memory.dmp

Filesize
828KB

Download
memory/1144-5844-0x0000000002EC0000-0x0000000002F8F000-memory.dmp

Filesize
828KB

Download
memory/1144-5845-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1144-5856-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1144-5857-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1144-5858-0x0000000002630000-0x0000000002740000-memory.dmp

Filesize
1.1MB

Download
memory/1144-5859-0x0000000002630000-0x0000000002740000-memory.dmp

Filesize
1.1MB

Download
memory/1144-5860-0x0000000002630000-0x0000000002740000-memory.dmp

Filesize
1.1MB

Download
memory/1144-5861-0x0000000002EC0000-0x0000000002F8F000-memory.dmp

Filesize
828KB

Download
memory/1144-5862-0x0000000002EC0000-0x0000000002F8F000-memory.dmp

Filesize
828KB

Download
memory/1144-5863-0x0000000002EC0000-0x0000000002F8F000-memory.dmp

Filesize
828KB

Download
memory/1144-5864-0x0000000002EC0000-0x0000000002F8F000-memory.dmp

Filesize
828KB

Download
memory/1144-5865-0x0000000002EC0000-0x0000000002F8F000-memory.dmp

Filesize
828KB

Download
memory/1144-5866-0x0000000002EC0000-0x0000000002F8F000-memory.dmp

Filesize
828KB

Download
memory/1144-5867-0x0000000002EC0000-0x0000000002F8F000-memory.dmp

Filesize
828KB

Download
memory/1144-5868-0x0000000002EC0000-0x0000000002F8F000-memory.dmp

Filesize
828KB

Download
memory/1144-5869-0x0000000002EC0000-0x0000000002F8F000-memory.dmp

Filesize
828KB

Download
memory/1144-5870-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1144-5871-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1144-5880-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1144-5881-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1144-5882-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1144-5885-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1144-5886-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1144-5887-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1144-5888-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1144-5889-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1144-5890-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1144-5891-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1144-5892-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1144-5893-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1144-5894-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1144-5895-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1144-5896-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1144-5897-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1144-5898-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1144-5899-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1144-5900-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1144-5901-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1144-5902-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1144-5903-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1144-5904-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1144-5905-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1144-5906-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1144-5907-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download