Malware Analysis Report

2024-09-22 11:43

Sample ID 240415-nyfc4adf55
Target 3d4d462dbc7dbfd12af693f8176e9fd6814560ed763448fa75fa6dad026567f4
SHA256 3d4d462dbc7dbfd12af693f8176e9fd6814560ed763448fa75fa6dad026567f4
Tags
troldesh discovery persistence ransomware spyware stealer trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3d4d462dbc7dbfd12af693f8176e9fd6814560ed763448fa75fa6dad026567f4

Threat Level: Known bad

The file 3d4d462dbc7dbfd12af693f8176e9fd6814560ed763448fa75fa6dad026567f4 was found to be: Known bad.

Malicious Activity Summary

troldesh discovery persistence ransomware spyware stealer trojan upx

Troldesh, Shade, Encoder.858

Reads user/profile data of web browsers

UPX packed file

Adds Run key to start application

Checks installed software on the system

Enumerates physical storage devices

Suspicious use of UnmapMainImage

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-04-15 11:48

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-15 11:48

Reported

2024-04-15 11:54

Platform

win10v2004-20240412-en

Max time kernel

147s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3d4d462dbc7dbfd12af693f8176e9fd6814560ed763448fa75fa6dad026567f4.exe"

Signatures

Troldesh, Shade, Encoder.858

ransomware trojan troldesh

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\3d4d462dbc7dbfd12af693f8176e9fd6814560ed763448fa75fa6dad026567f4.exe N/A

Checks installed software on the system

discovery

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\3d4d462dbc7dbfd12af693f8176e9fd6814560ed763448fa75fa6dad026567f4.exe

"C:\Users\Admin\AppData\Local\Temp\3d4d462dbc7dbfd12af693f8176e9fd6814560ed763448fa75fa6dad026567f4.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.244.122.92.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
N/A 127.0.0.1:61081 tcp
US 154.35.32.5:443 tcp
SG 76.73.17.194:9090 tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 24.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
DE 193.23.244.244:443 tcp
US 8.8.8.8:53 244.244.23.193.in-addr.arpa udp
US 8.8.8.8:53 66.112.168.52.in-addr.arpa udp

Files

memory/4692-0-0x0000000002390000-0x0000000002465000-memory.dmp

memory/4692-1-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4692-2-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4692-3-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4692-4-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4692-5-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4692-8-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4692-11-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4692-12-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4692-13-0x0000000002390000-0x0000000002465000-memory.dmp

memory/4692-14-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4692-15-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4692-16-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4692-17-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4692-18-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4692-19-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4692-22-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4692-23-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4692-24-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4692-25-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4692-26-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4692-27-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4692-28-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4692-29-0x0000000000400000-0x0000000000608000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-15 11:48

Reported

2024-04-15 11:54

Platform

win7-20240215-en

Max time kernel

124s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3d4d462dbc7dbfd12af693f8176e9fd6814560ed763448fa75fa6dad026567f4.exe"

Signatures

Troldesh, Shade, Encoder.858

ransomware trojan troldesh

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\3d4d462dbc7dbfd12af693f8176e9fd6814560ed763448fa75fa6dad026567f4.exe N/A

Checks installed software on the system

discovery

Enumerates physical storage devices

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3d4d462dbc7dbfd12af693f8176e9fd6814560ed763448fa75fa6dad026567f4.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\3d4d462dbc7dbfd12af693f8176e9fd6814560ed763448fa75fa6dad026567f4.exe

"C:\Users\Admin\AppData\Local\Temp\3d4d462dbc7dbfd12af693f8176e9fd6814560ed763448fa75fa6dad026567f4.exe"

Network

Country Destination Domain Proto
N/A 127.0.0.1:49195 tcp
US 128.31.0.39:9101 tcp
NL 194.109.206.212:443 tcp
DE 193.23.244.244:443 tcp

Files

memory/1724-0-0x0000000001EC0000-0x0000000001F95000-memory.dmp

memory/1724-1-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1724-2-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1724-3-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1724-4-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1724-6-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1724-5-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1724-10-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1724-11-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1724-12-0x0000000001EC0000-0x0000000001F95000-memory.dmp

memory/1724-13-0x0000000000400000-0x0000000000608000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-04-15 11:48

Reported

2024-04-15 11:54

Platform

win10-20240404-en

Max time kernel

142s

Max time network

139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3d4d462dbc7dbfd12af693f8176e9fd6814560ed763448fa75fa6dad026567f4.exe"

Signatures

Troldesh, Shade, Encoder.858

ransomware trojan troldesh

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3998431567-3716957556-781226098-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\3d4d462dbc7dbfd12af693f8176e9fd6814560ed763448fa75fa6dad026567f4.exe N/A

Checks installed software on the system

discovery

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\3d4d462dbc7dbfd12af693f8176e9fd6814560ed763448fa75fa6dad026567f4.exe

"C:\Users\Admin\AppData\Local\Temp\3d4d462dbc7dbfd12af693f8176e9fd6814560ed763448fa75fa6dad026567f4.exe"

Network

Country Destination Domain Proto
N/A 127.0.0.1:49791 tcp
US 208.83.223.34:80 tcp
US 154.35.32.5:443 tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
DE 131.188.40.189:443 tcp
US 8.8.8.8:53 189.40.188.131.in-addr.arpa udp
US 8.8.8.8:53 24.73.42.20.in-addr.arpa udp

Files

memory/4912-0-0x0000000002430000-0x0000000002505000-memory.dmp

memory/4912-1-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4912-2-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4912-3-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4912-4-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4912-6-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4912-8-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4912-11-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4912-12-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4912-13-0x0000000002430000-0x0000000002505000-memory.dmp

memory/4912-14-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4912-15-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4912-16-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4912-17-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4912-18-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4912-19-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4912-22-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4912-23-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4912-24-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4912-25-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4912-26-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4912-27-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4912-28-0x0000000000400000-0x0000000000608000-memory.dmp

memory/4912-29-0x0000000000400000-0x0000000000608000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-04-15 11:48

Reported

2024-04-15 11:54

Platform

win10v2004-20240412-en

Max time kernel

141s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3d4d462dbc7dbfd12af693f8176e9fd6814560ed763448fa75fa6dad026567f4.exe"

Signatures

Troldesh, Shade, Encoder.858

ransomware trojan troldesh

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\3d4d462dbc7dbfd12af693f8176e9fd6814560ed763448fa75fa6dad026567f4.exe N/A

Checks installed software on the system

discovery

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\3d4d462dbc7dbfd12af693f8176e9fd6814560ed763448fa75fa6dad026567f4.exe

"C:\Users\Admin\AppData\Local\Temp\3d4d462dbc7dbfd12af693f8176e9fd6814560ed763448fa75fa6dad026567f4.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
NL 23.62.61.152:443 www.bing.com tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 152.61.62.23.in-addr.arpa udp
N/A 127.0.0.1:49780 tcp
US 128.31.0.39:9101 tcp
DE 193.23.244.244:443 tcp
US 8.8.8.8:53 244.244.23.193.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 9.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 154.35.32.5:443 tcp

Files

memory/1508-0-0x0000000002510000-0x00000000025E5000-memory.dmp

memory/1508-1-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1508-2-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1508-3-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1508-4-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1508-5-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1508-7-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1508-11-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1508-12-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1508-13-0x0000000002510000-0x00000000025E5000-memory.dmp

memory/1508-14-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1508-15-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1508-16-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1508-17-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1508-18-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1508-19-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1508-22-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1508-23-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1508-24-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1508-25-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1508-26-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1508-27-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1508-28-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1508-29-0x0000000000400000-0x0000000000608000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2024-04-15 11:48

Reported

2024-04-15 11:54

Platform

win11-20240412-en

Max time kernel

150s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3d4d462dbc7dbfd12af693f8176e9fd6814560ed763448fa75fa6dad026567f4.exe"

Signatures

Troldesh, Shade, Encoder.858

ransomware trojan troldesh

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-243033537-3771492294-1461557691-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\3d4d462dbc7dbfd12af693f8176e9fd6814560ed763448fa75fa6dad026567f4.exe N/A

Checks installed software on the system

discovery

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\3d4d462dbc7dbfd12af693f8176e9fd6814560ed763448fa75fa6dad026567f4.exe

"C:\Users\Admin\AppData\Local\Temp\3d4d462dbc7dbfd12af693f8176e9fd6814560ed763448fa75fa6dad026567f4.exe"

Network

Country Destination Domain Proto
SE 171.25.193.9:80 tcp
N/A 127.0.0.1:49734 tcp
US 8.8.8.8:53 9.193.25.171.in-addr.arpa udp
NL 194.109.206.212:443 tcp
US 8.8.8.8:53 udp

Files

memory/624-0-0x0000000002460000-0x0000000002535000-memory.dmp

memory/624-1-0x0000000000400000-0x0000000000608000-memory.dmp

memory/624-2-0x0000000000400000-0x0000000000608000-memory.dmp

memory/624-3-0x0000000000400000-0x0000000000608000-memory.dmp

memory/624-4-0x0000000000400000-0x0000000000608000-memory.dmp

memory/624-5-0x0000000000400000-0x0000000000608000-memory.dmp

memory/624-7-0x0000000000400000-0x0000000000608000-memory.dmp

memory/624-11-0x0000000000400000-0x0000000000608000-memory.dmp

memory/624-12-0x0000000000400000-0x0000000000608000-memory.dmp

memory/624-13-0x0000000002460000-0x0000000002535000-memory.dmp

memory/624-14-0x0000000000400000-0x0000000000608000-memory.dmp

memory/624-15-0x0000000000400000-0x0000000000608000-memory.dmp

memory/624-16-0x0000000000400000-0x0000000000608000-memory.dmp

memory/624-17-0x0000000000400000-0x0000000000608000-memory.dmp

memory/624-18-0x0000000000400000-0x0000000000608000-memory.dmp

memory/624-19-0x0000000000400000-0x0000000000608000-memory.dmp

memory/624-22-0x0000000000400000-0x0000000000608000-memory.dmp

memory/624-23-0x0000000000400000-0x0000000000608000-memory.dmp

memory/624-24-0x0000000000400000-0x0000000000608000-memory.dmp

memory/624-25-0x0000000000400000-0x0000000000608000-memory.dmp

memory/624-26-0x0000000000400000-0x0000000000608000-memory.dmp

memory/624-27-0x0000000000400000-0x0000000000608000-memory.dmp

memory/624-28-0x0000000000400000-0x0000000000608000-memory.dmp

memory/624-29-0x0000000000400000-0x0000000000608000-memory.dmp