troldesh | 3c0fe521f6a9cfbfabc1f27a1a64dfc081a63aaaf2a6ce8cd831f6251ee85816 | Triage

Resubmissions

18-03-2024 13:43

240318-q1nhlaag4w 10

Analysis

max time kernel
150s
max time network
154s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
14-04-2024 10:53

Sharing

Report Analysis Logs

General

Target

3c0fe521f6a9cfbfabc1f27a1a64dfc081a63aaaf2a6ce8cd831f6251ee85816.exe
Size

947KB
MD5

39217b125403ff7c755622ef9bbef974
SHA1

9fc607b7c17919c83999bdd119e9cd6bf413101a
SHA256

3c0fe521f6a9cfbfabc1f27a1a64dfc081a63aaaf2a6ce8cd831f6251ee85816
SHA512

1252ea94931eaf4426ca1eb94a070645238775c447a09286109fe894c569de29ca502882a0fa34e97e09109c43c486a3aa32081e3a3afef0b6557db59c71fc50
SSDEEP

12288:3+Zn/gJtKaNIBpB+iMMOD30ZnZ47m0T3JF9j3GOF0l7B2FzqL2aZa7rf58bs:3+RYeaNILZi/JDLG60y1aZvs

Score

10^/10

troldesh persistence ransomware trojan upx

Malware Config

Signatures

Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.
ransomware trojan troldesh

UPX packed file 19 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral1/memory/2184-5837-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2184-5841-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2184-5842-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2184-5845-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2184-5848-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2184-5850-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2184-5851-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2184-5852-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2184-5853-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2184-5854-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2184-5855-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2184-5858-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2184-5859-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2184-5860-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2184-5861-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2184-5862-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2184-5863-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2184-5864-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2184-5865-0x0000000000400000-0x00000000005DE000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\""	3c0fe521f6a9cfbfabc1f27a1a64dfc081a63aaaf2a6ce8cd831f6251ee85816.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	3c0fe521f6a9cfbfabc1f27a1a64dfc081a63aaaf2a6ce8cd831f6251ee85816.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2184	3c0fe521f6a9cfbfabc1f27a1a64dfc081a63aaaf2a6ce8cd831f6251ee85816.exe
2184	3c0fe521f6a9cfbfabc1f27a1a64dfc081a63aaaf2a6ce8cd831f6251ee85816.exe
2184	3c0fe521f6a9cfbfabc1f27a1a64dfc081a63aaaf2a6ce8cd831f6251ee85816.exe

C:\Users\Admin\AppData\Local\Temp\3c0fe521f6a9cfbfabc1f27a1a64dfc081a63aaaf2a6ce8cd831f6251ee85816.exe
"C:\Users\Admin\AppData\Local\Temp\3c0fe521f6a9cfbfabc1f27a1a64dfc081a63aaaf2a6ce8cd831f6251ee85816.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\catroot2\dberr.txt

Filesize
5KB

MD5
fd4bd9ccb3f8fce2d6d5d032a7a100be

SHA1
37ceaa45c6d21c7efc450989506f1caefcdf9261

SHA256
b0d20defb2de86144bf13fee3ede736b440fbe8c428cd2682baae40cc0e009ac

SHA512
8c802d83ed44ce4a54ef94c620b90a68085dd9fe17e38e5ceb4ef4eda8378b4d786441aa286c9a714166ec4268b36b882d78456b3c10674ef8a6c8b98fb179a1

Download Submit
C:\Windows\System32\catroot2\dberr.txt

Filesize
192KB

MD5
dc56525a7294d86723202ec96bbbd179

SHA1
3c16127fb7afca7e251fa72f602aaa1318a108fb

SHA256
a0ca56d9ed91104a2e3db7d51f305b59f26f98b3a835621455b4c101bb183d59

SHA512
11421d433a209d1ca906cce4d3c69c1d13d34f5afd6c6fcbad276224652cc3802e85fa52cf8ac3af797c7df793882b67ec922eda97d945428be0eece782ef686

Download Submit
C:\Windows\System32\catroot2\dberr.txt

Filesize
41KB

MD5
0c70ec2f0d1a8ed0b48eb378291801be

SHA1
b05754ab0d2a538bff0aef9498865672bf34b0a9

SHA256
912bc5bc801e1653b118bc7a049898354f09a5bb2cbbec8854d595333b6cc431

SHA512
f7d2add3ad3af3e494654c25c0c959cb4a81ec74702bb1c8259d959e60d1765b01635dbded6c70357de651f37472ce5e04879851f90423374cff33a7e71ccc0b

Download Submit
C:\Windows\System32\catroot2\dberr.txt

Filesize
2KB

MD5
1d6ca5dba381a347f3d74a6e4fdd11b7

SHA1
c8d94c64eb990de617a7fa023d6f25ff4bb37d6c

SHA256
e553820e98fa36348e6d1e8d59fc19203d09c2e5cc80ec687ec3810843350f1c

SHA512
44f84331ab310cec3245b377c1bf1b8daf8cd17c0e4667c0f68b1c237317c61d506a1250de78ef7e422e8f45f386c85726f6501b2cf67ca8f617854716972c01

Download Submit
C:\Windows\System32\catroot2\dberr.txt

Filesize
31KB

MD5
a8e7a8193febfd79c475ca30f031de4e

SHA1
592882b07aab2424253ae4d79bc90ae6e8742e18

SHA256
de923505fdb71a6139ac9e67962f9fa2a1692393d6f452b8e010eb363357d201

SHA512
a5e32ec9beef2ecb39cd40d829889019acb7efe7b308905a8015fd9e05eb4d211a2cffd91b7228717d8c5b3288a088425237e78b2104344a2a5738c41006966a

Download Submit
memory/2184-5845-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2184-5829-0x0000000002110000-0x0000000002220000-memory.dmp

Filesize
1.1MB

Download
memory/2184-5830-0x0000000002D40000-0x0000000002D41000-memory.dmp

Filesize
4KB

Download
memory/2184-5831-0x0000000002D40000-0x0000000002E08000-memory.dmp

Filesize
800KB

Download
memory/2184-5832-0x0000000002D40000-0x0000000002E08000-memory.dmp

Filesize
800KB

Download
memory/2184-5833-0x0000000002D40000-0x0000000002E08000-memory.dmp

Filesize
800KB

Download
memory/2184-5834-0x0000000002D40000-0x0000000002E08000-memory.dmp

Filesize
800KB

Download
memory/2184-5835-0x0000000002D40000-0x0000000002E08000-memory.dmp

Filesize
800KB

Download
memory/2184-5838-0x0000000002D40000-0x0000000002E08000-memory.dmp

Filesize
800KB

Download
memory/2184-5837-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2184-5836-0x0000000002D40000-0x0000000002E08000-memory.dmp

Filesize
800KB

Download
memory/2184-5841-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2184-5842-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2184-0-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2184-5847-0x0000000002D40000-0x0000000002D41000-memory.dmp

Filesize
4KB

Download
memory/2184-5846-0x0000000002110000-0x0000000002220000-memory.dmp

Filesize
1.1MB

Download
memory/2184-5848-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2184-5849-0x0000000002E10000-0x0000000002E11000-memory.dmp

Filesize
4KB

Download
memory/2184-5850-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2184-5851-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2184-5852-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2184-5853-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2184-5854-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2184-5855-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2184-5858-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2184-5859-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2184-5860-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2184-5861-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2184-5862-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2184-5863-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2184-5864-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2184-5865-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download