troldesh | 3c0fe521f6a9cfbfabc1f27a1a64dfc081a63aaaf2a6ce8cd831f6251ee85816

Resubmissions

18-03-2024 13:43

240318-q1nhlaag4w 10

Analysis

max time kernel
591s
max time network
452s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
14-04-2024 10:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3c0fe521f6a9cfbfabc1f27a1a64dfc081a63aaaf2a6ce8cd831f6251ee85816.exe
Size

947KB
MD5

39217b125403ff7c755622ef9bbef974
SHA1

9fc607b7c17919c83999bdd119e9cd6bf413101a
SHA256

3c0fe521f6a9cfbfabc1f27a1a64dfc081a63aaaf2a6ce8cd831f6251ee85816
SHA512

1252ea94931eaf4426ca1eb94a070645238775c447a09286109fe894c569de29ca502882a0fa34e97e09109c43c486a3aa32081e3a3afef0b6557db59c71fc50
SSDEEP

12288:3+Zn/gJtKaNIBpB+iMMOD30ZnZ47m0T3JF9j3GOF0l7B2FzqL2aZa7rf58bs:3+RYeaNILZi/JDLG60y1aZvs

Score

10^/10

troldesh persistence ransomware trojan upx

Malware Config

Signatures

Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.
ransomware trojan troldesh

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2276-5833-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2276-5836-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2276-5838-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2276-5841-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2276-5843-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2276-5844-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2276-5845-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2276-5846-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2276-5847-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2276-5848-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2276-5851-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2276-5852-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2276-5853-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2276-5854-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2276-5855-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2276-5856-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2276-5857-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2276-5858-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2276-5859-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2276-5860-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2276-5861-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2276-5862-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2276-5863-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2276-5864-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2276-5865-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2276-5866-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2276-5867-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2276-5868-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2276-5869-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2276-5870-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2276-5871-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2276-5872-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2276-5873-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2276-5874-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2276-5875-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2276-5876-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2276-5877-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2276-5878-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2276-5879-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2276-5880-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2276-5881-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2276-5882-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2276-5883-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2276-5884-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2276-5885-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2276-5886-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2276-5887-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2276-5888-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2276-5889-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2276-5890-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2276-5891-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2276-5892-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2276-5893-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2276-5894-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2276-5895-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2276-5896-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2276-5897-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2276-5898-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2276-5899-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2276-5900-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2276-5901-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2276-5902-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2276-5903-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2276-5904-0x0000000000400000-0x00000000005DE000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\""	3c0fe521f6a9cfbfabc1f27a1a64dfc081a63aaaf2a6ce8cd831f6251ee85816.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	3c0fe521f6a9cfbfabc1f27a1a64dfc081a63aaaf2a6ce8cd831f6251ee85816.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2276	3c0fe521f6a9cfbfabc1f27a1a64dfc081a63aaaf2a6ce8cd831f6251ee85816.exe
2276	3c0fe521f6a9cfbfabc1f27a1a64dfc081a63aaaf2a6ce8cd831f6251ee85816.exe
2276	3c0fe521f6a9cfbfabc1f27a1a64dfc081a63aaaf2a6ce8cd831f6251ee85816.exe

C:\Users\Admin\AppData\Local\Temp\3c0fe521f6a9cfbfabc1f27a1a64dfc081a63aaaf2a6ce8cd831f6251ee85816.exe
"C:\Users\Admin\AppData\Local\Temp\3c0fe521f6a9cfbfabc1f27a1a64dfc081a63aaaf2a6ce8cd831f6251ee85816.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\catroot2\dberr.txt

Filesize
11KB

MD5
40654d5298cc23655aba9288c545252a

SHA1
40f5439fcbf5495991de5bf3fd469e8081509594

SHA256
1c6d4f717fea73c21b76cfeb05b4d7df62023c1d38c70f2409b111f573cc8886

SHA512
d3e33ab2491d3d9d26d7077d0de449d12f5e8d7d19088645e9b1f86d6ca7a54b1e25cdeb4b034e4647fac02c4af23f6c9309c283dda0ed5afa64002ccc394e3a

Download Submit
C:\Windows\System32\catroot2\dberr.txt

Filesize
87KB

MD5
3e719b2e270df156a18c053e0a84aabb

SHA1
66050f3b399c2af8e33c72dc89faff17a0bb36d5

SHA256
18b3e1d62283b16b2b6a84464b067f26f2278a0c6a5297eb72ad69092b8935cc

SHA512
dabc9431d227c7ed74d17c15ab4a786204bd01f523306acb78e77549e2aa3dc0e8f6863a5731e11efab12ea3d008e049177710997400064b583dff405b0736db

Download Submit
memory/2276-0-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2276-5829-0x0000000002580000-0x0000000002690000-memory.dmp

Filesize
1.1MB

Download
memory/2276-5830-0x0000000003670000-0x0000000003738000-memory.dmp

Filesize
800KB

Download
memory/2276-5831-0x0000000003670000-0x0000000003738000-memory.dmp

Filesize
800KB

Download
memory/2276-5833-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2276-5832-0x0000000003670000-0x0000000003738000-memory.dmp

Filesize
800KB

Download
memory/2276-5834-0x0000000003670000-0x0000000003738000-memory.dmp

Filesize
800KB

Download
memory/2276-5836-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2276-5838-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2276-5841-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2276-5842-0x0000000002580000-0x0000000002690000-memory.dmp

Filesize
1.1MB

Download
memory/2276-5843-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2276-5844-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2276-5845-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2276-5846-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2276-5847-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2276-5848-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2276-5851-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2276-5852-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2276-5853-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2276-5854-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2276-5855-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2276-5856-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2276-5857-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2276-5858-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2276-5859-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2276-5860-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2276-5861-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2276-5862-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2276-5863-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2276-5864-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2276-5865-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2276-5866-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2276-5867-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2276-5868-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2276-5869-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2276-5870-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2276-5871-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2276-5872-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2276-5873-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2276-5874-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2276-5875-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2276-5876-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2276-5877-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2276-5878-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2276-5879-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2276-5880-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2276-5881-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2276-5882-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2276-5883-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2276-5884-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2276-5885-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2276-5886-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2276-5887-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2276-5888-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2276-5889-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2276-5890-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2276-5891-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2276-5892-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2276-5893-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2276-5894-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2276-5895-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2276-5896-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2276-5897-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2276-5898-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2276-5899-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2276-5900-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2276-5901-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2276-5902-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2276-5903-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2276-5904-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download