Malware Analysis Report

2024-09-22 12:39

Sample ID 240417-persfsfh4x
Target c4a48fbe5df0c9b765899f3edf6e1003fd3a2a6bcc39d1b3a0343bb246b78856
SHA256 c4a48fbe5df0c9b765899f3edf6e1003fd3a2a6bcc39d1b3a0343bb246b78856
Tags
troldesh persistence ransomware trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c4a48fbe5df0c9b765899f3edf6e1003fd3a2a6bcc39d1b3a0343bb246b78856

Threat Level: Known bad

The file c4a48fbe5df0c9b765899f3edf6e1003fd3a2a6bcc39d1b3a0343bb246b78856 was found to be: Known bad.

Malicious Activity Summary

troldesh persistence ransomware trojan upx

Troldesh, Shade, Encoder.858

UPX packed file

Adds Run key to start application

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of UnmapMainImage

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-04-17 12:14

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-17 12:14

Reported

2024-04-17 16:39

Platform

win10-20240404-en

Max time kernel

315s

Max time network

435s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c4a48fbe5df0c9b765899f3edf6e1003fd3a2a6bcc39d1b3a0343bb246b78856.exe"

Signatures

Troldesh, Shade, Encoder.858

ransomware trojan troldesh

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-81807878-2351072935-4259904108-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\c4a48fbe5df0c9b765899f3edf6e1003fd3a2a6bcc39d1b3a0343bb246b78856.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\c4a48fbe5df0c9b765899f3edf6e1003fd3a2a6bcc39d1b3a0343bb246b78856.exe

"C:\Users\Admin\AppData\Local\Temp\c4a48fbe5df0c9b765899f3edf6e1003fd3a2a6bcc39d1b3a0343bb246b78856.exe"

Network

Country Destination Domain Proto
US 128.31.0.39:9101 tcp
N/A 127.0.0.1:49779 tcp
US 154.35.32.5:443 tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 84.65.42.20.in-addr.arpa udp
DE 131.188.40.189:443 tcp
US 8.8.8.8:53 189.40.188.131.in-addr.arpa udp

Files

memory/1328-0-0x0000000000400000-0x000000000060B000-memory.dmp

memory/1328-1-0x0000000002310000-0x00000000023DE000-memory.dmp

memory/1328-2-0x0000000000400000-0x00000000005DE000-memory.dmp

memory/1328-3-0x0000000000400000-0x00000000005DE000-memory.dmp

memory/1328-4-0x0000000000400000-0x00000000005DE000-memory.dmp

memory/1328-5-0x0000000000400000-0x00000000005DE000-memory.dmp

memory/1328-6-0x0000000000400000-0x00000000005DE000-memory.dmp

memory/1328-10-0x0000000000400000-0x000000000060B000-memory.dmp

memory/1328-11-0x0000000000400000-0x00000000005DE000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-17 12:14

Reported

2024-04-17 16:39

Platform

win7-20240221-en

Max time kernel

489s

Max time network

491s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c4a48fbe5df0c9b765899f3edf6e1003fd3a2a6bcc39d1b3a0343bb246b78856.exe"

Signatures

Troldesh, Shade, Encoder.858

ransomware trojan troldesh

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\c4a48fbe5df0c9b765899f3edf6e1003fd3a2a6bcc39d1b3a0343bb246b78856.exe N/A

Enumerates physical storage devices

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c4a48fbe5df0c9b765899f3edf6e1003fd3a2a6bcc39d1b3a0343bb246b78856.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c4a48fbe5df0c9b765899f3edf6e1003fd3a2a6bcc39d1b3a0343bb246b78856.exe

"C:\Users\Admin\AppData\Local\Temp\c4a48fbe5df0c9b765899f3edf6e1003fd3a2a6bcc39d1b3a0343bb246b78856.exe"

Network

Country Destination Domain Proto
N/A 127.0.0.1:49198 tcp
DE 193.23.244.244:443 tcp
US 208.83.223.34:80 tcp
SG 76.73.17.194:9090 tcp
AT 86.59.21.38:443 tcp

Files

memory/2844-0-0x0000000000400000-0x000000000060B000-memory.dmp

memory/2844-1-0x0000000000300000-0x00000000003CE000-memory.dmp

memory/2844-3-0x0000000000400000-0x00000000005DE000-memory.dmp

memory/2844-2-0x0000000000400000-0x00000000005DE000-memory.dmp

memory/2844-4-0x0000000000400000-0x00000000005DE000-memory.dmp

memory/2844-6-0x0000000000400000-0x00000000005DE000-memory.dmp

memory/2844-5-0x0000000000400000-0x00000000005DE000-memory.dmp

memory/2844-10-0x0000000000400000-0x000000000060B000-memory.dmp

memory/2844-11-0x0000000000400000-0x00000000005DE000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-04-17 12:14

Reported

2024-04-17 16:40

Platform

win10-20240319-en

Max time kernel

588s

Max time network

599s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c4a48fbe5df0c9b765899f3edf6e1003fd3a2a6bcc39d1b3a0343bb246b78856.exe"

Signatures

Troldesh, Shade, Encoder.858

ransomware trojan troldesh

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3971934951-2222591486-1444465656-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\c4a48fbe5df0c9b765899f3edf6e1003fd3a2a6bcc39d1b3a0343bb246b78856.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\c4a48fbe5df0c9b765899f3edf6e1003fd3a2a6bcc39d1b3a0343bb246b78856.exe

"C:\Users\Admin\AppData\Local\Temp\c4a48fbe5df0c9b765899f3edf6e1003fd3a2a6bcc39d1b3a0343bb246b78856.exe"

Network

Country Destination Domain Proto
N/A 127.0.0.1:49795 tcp
SG 76.73.17.194:9090 tcp
US 128.31.0.39:9101 tcp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
DE 131.188.40.189:443 tcp
US 8.8.8.8:53 189.40.188.131.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 89.16.208.104.in-addr.arpa udp
US 8.8.8.8:53 186.110.86.104.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 159.113.53.23.in-addr.arpa udp

Files

memory/4896-0-0x0000000000400000-0x000000000060B000-memory.dmp

memory/4896-1-0x00000000022D0000-0x000000000239E000-memory.dmp

memory/4896-2-0x0000000000400000-0x00000000005DE000-memory.dmp

memory/4896-3-0x0000000000400000-0x00000000005DE000-memory.dmp

memory/4896-4-0x0000000000400000-0x00000000005DE000-memory.dmp

memory/4896-5-0x0000000000400000-0x00000000005DE000-memory.dmp

memory/4896-6-0x0000000000400000-0x00000000005DE000-memory.dmp

memory/4896-10-0x0000000000400000-0x000000000060B000-memory.dmp

memory/4896-11-0x0000000000400000-0x00000000005DE000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-04-17 12:14

Reported

2024-04-17 16:42

Platform

win10v2004-20240412-en

Max time kernel

492s

Max time network

564s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c4a48fbe5df0c9b765899f3edf6e1003fd3a2a6bcc39d1b3a0343bb246b78856.exe"

Signatures

Troldesh, Shade, Encoder.858

ransomware trojan troldesh

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\c4a48fbe5df0c9b765899f3edf6e1003fd3a2a6bcc39d1b3a0343bb246b78856.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\c4a48fbe5df0c9b765899f3edf6e1003fd3a2a6bcc39d1b3a0343bb246b78856.exe

"C:\Users\Admin\AppData\Local\Temp\c4a48fbe5df0c9b765899f3edf6e1003fd3a2a6bcc39d1b3a0343bb246b78856.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
NL 194.109.206.212:443 tcp
N/A 127.0.0.1:62344 tcp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
DE 193.23.244.244:443 tcp
US 8.8.8.8:53 244.244.23.193.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 31.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
SG 76.73.17.194:9090 tcp
US 8.8.8.8:53 11.173.189.20.in-addr.arpa udp
DE 131.188.40.189:443 tcp
US 8.8.8.8:53 189.40.188.131.in-addr.arpa udp

Files

memory/6096-0-0x0000000000400000-0x000000000060B000-memory.dmp

memory/6096-1-0x0000000000AF0000-0x0000000000BBE000-memory.dmp

memory/6096-2-0x0000000000400000-0x00000000005DE000-memory.dmp

memory/6096-3-0x0000000000400000-0x00000000005DE000-memory.dmp

memory/6096-4-0x0000000000400000-0x00000000005DE000-memory.dmp

memory/6096-5-0x0000000000400000-0x00000000005DE000-memory.dmp

memory/6096-6-0x0000000000400000-0x00000000005DE000-memory.dmp

memory/6096-10-0x0000000000400000-0x000000000060B000-memory.dmp

memory/6096-11-0x0000000000400000-0x00000000005DE000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2024-04-17 12:14

Reported

2024-04-17 16:43

Platform

win11-20240412-en

Max time kernel

446s

Max time network

452s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c4a48fbe5df0c9b765899f3edf6e1003fd3a2a6bcc39d1b3a0343bb246b78856.exe"

Signatures

Troldesh, Shade, Encoder.858

ransomware trojan troldesh

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4041115548-3858121278-1660933110-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\c4a48fbe5df0c9b765899f3edf6e1003fd3a2a6bcc39d1b3a0343bb246b78856.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\c4a48fbe5df0c9b765899f3edf6e1003fd3a2a6bcc39d1b3a0343bb246b78856.exe

"C:\Users\Admin\AppData\Local\Temp\c4a48fbe5df0c9b765899f3edf6e1003fd3a2a6bcc39d1b3a0343bb246b78856.exe"

Network

Country Destination Domain Proto
N/A 127.0.0.1:49759 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 208.83.223.34:80 tcp
SE 171.25.193.9:80 tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
NL 194.109.206.212:443 tcp

Files

memory/3192-0-0x0000000000400000-0x000000000060B000-memory.dmp

memory/3192-1-0x0000000002470000-0x000000000253E000-memory.dmp

memory/3192-2-0x0000000000400000-0x00000000005DE000-memory.dmp

memory/3192-3-0x0000000000400000-0x00000000005DE000-memory.dmp

memory/3192-4-0x0000000000400000-0x00000000005DE000-memory.dmp

memory/3192-5-0x0000000000400000-0x00000000005DE000-memory.dmp

memory/3192-6-0x0000000000400000-0x00000000005DE000-memory.dmp

memory/3192-10-0x0000000000400000-0x000000000060B000-memory.dmp

memory/3192-11-0x0000000000400000-0x00000000005DE000-memory.dmp