Malware Analysis Report

2024-09-22 12:37

Sample ID 240417-sbaasadb62
Target 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.sample
SHA256 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38
Tags
troldesh discovery persistence ransomware spyware stealer trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38

Threat Level: Known bad

The file 01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.sample was found to be: Known bad.

Malicious Activity Summary

troldesh discovery persistence ransomware spyware stealer trojan upx

Troldesh, Shade, Encoder.858

Reads user/profile data of web browsers

UPX packed file

Adds Run key to start application

Checks installed software on the system

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of UnmapMainImage
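The "UPX packed file" signature above carries no indicator rows in any of the detonations, and the repeated dumps of the 0x400000-0x608000 image region in the Files sections are what a packer unpacking itself in place looks like. As an added example, not part of the sandbox report, the following Python walks the PE section table with the standard library only and reports the evidence a UPX-packed file normally carries: UPX0/UPX1 section names, a first section with zero raw size but a large virtual size (the region the stub unpacks into), and the UPX! marker string. The sample itself is not available here, so build_constructed_pe assembles a minimal, constructed PE header with those properties; the section sizes in it are made up for the demonstration. Section names are a heuristic: a stub with renamed sections evades the check, and the reliable answer is the unpacked memory dump, not the file on disk.

```python
import struct
from typing import List, NamedTuple

# Section names the UPX packer writes by default. A renamed or re-packed stub evades this check.
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}


class Section(NamedTuple):
    name: bytes
    virtual_size: int
    raw_size: int
    characteristics: int


def pe_sections(data: bytes) -> List[Section]:
    """Walk the PE section table using only the DOS and COFF headers."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                       # IMAGE_FILE_HEADER starts after the signature
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    table = coff + 20 + opt_size              # section headers follow the optional header
    sections = []
    for i in range(num_sections):
        off = table + i * 40                  # IMAGE_SECTION_HEADER is 40 bytes
        if off + 40 > len(data):
            raise ValueError("truncated section table")
        name = data[off:off + 8].rstrip(b"\0")
        vsize, _vaddr, raw_size, _raw_ptr = struct.unpack_from("<IIII", data, off + 8)
        (chars,) = struct.unpack_from("<I", data, off + 36)
        sections.append(Section(name, vsize, raw_size, chars))
    return sections


def upx_indicators(data: bytes) -> List[str]:
    """Heuristic UPX evidence: UPX section names, an empty-on-disk first section, the UPX! marker."""
    hits = []
    sections = pe_sections(data)
    for s in sections:
        if s.name in UPX_SECTION_NAMES:
            hits.append(f"section {s.name.decode()} present")
    if sections and sections[0].raw_size == 0 and sections[0].virtual_size > 0:
        hits.append("first section has zero raw size but non-zero virtual size (unpack target)")
    if b"UPX!" in data:
        hits.append("UPX! marker string present")
    return hits


def build_constructed_pe(specs) -> bytes:
    """Constructed, minimal PE32 header with the given (name, virtual_size, raw_size) sections.
    Used only to exercise the parser offline; it contains no code and is not the analysed sample."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt = b"\0" * 0xE0                        # PE32 optional header size; contents irrelevant here
    coff = struct.pack("<HHIIIHH", 0x014C, len(specs), 0, 0, 0, len(opt), 0x0102)
    table = b""
    for name, vsize, raw in specs:
        table += name.ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", vsize, 0x1000, raw, 0, 0, 0, 0, 0, 0xE0000020)
    return dos + b"PE\0\0" + coff + opt + table


if __name__ == "__main__":
    # Made-up section layout in the style of a UPX-packed 32-bit executable.
    packed = build_constructed_pe([(b"UPX0", 0x200000, 0),
                                   (b"UPX1", 0x7E000, 0x7D000),
                                   (b".rsrc", 0x5000, 0x4000)])
    for hit in upx_indicators(packed):
        print(hit)
```

On a real file, pass the bytes of the sample to upx_indicators; a clean result does not prove the file is unpacked, only that it does not advertise UPX in its section table.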

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-04-17 14:56

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-17 14:56

Reported

2024-04-17 17:46

Platform

win7-20240221-en

Max time kernel

367s

Max time network

369s

Command Line

"C:\Users\Admin\AppData\Local\Temp\01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe"

Signatures

Troldesh, Shade, Encoder.858

ransomware trojan troldesh

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx

Adds Run key to start application

persistence
Description Set value (str)
Indicator \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\""
Process C:\Users\Admin\AppData\Local\Temp\01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe
Target N/A
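The value written above names itself "Client Server Runtime Subsystem" and points at C:\ProgramData\Windows\csrss.exe, borrowing the description and file name of the real Windows csrss.exe, which runs from C:\Windows\System32 and is started by the session manager, never from a Run key. The same value with the same target is set in every behavioral run on this page, under each VM's own user SID. As an added example, not from the report, the Python below parses "Set value" indicator lines in the format shown here (the input is constructed by copying two of this report's rows and adding one invented benign row as a control) and flags Run/RunOnce entries whose program either carries a core Windows process name outside System32/SysWOW64 or lives in a user-writable directory. The system-binary name list and the writable-path fragments are the author's assumptions and should be extended for a real deployment.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: two Run-key rows quoted from this report (behavioral2 and
# behavioral4) plus one invented benign control row so the heuristics have a negative case.
SAMPLE_INDICATORS = [
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\""',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\""',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1-2-3-1000\Software\Microsoft\Windows\CurrentVersion\Run\ExampleUpdater = "\"C:\\Program Files\\Example\\updater.exe\" /silent"',
]

# Matches the sandbox's "Set value (<type>) <key>\<name> = <data>" format for Run/RunOnce writes.
RUN_KEY_RE = re.compile(
    r'^Set value \((?P<vtype>\w+)\) '
    r'(?P<key>\\REGISTRY\\.+?\\CurrentVersion\\(?:RunOnce|Run))\\'
    r'(?P<name>[^=]+?) = (?P<data>.+)$',
    re.IGNORECASE,
)

# Assumed lists (author's choice, not from the report): core Windows process names that are never
# started through a Run key, the directories they legitimately live in, and path fragments that
# mark user-writable locations.
SYSTEM_BINARIES = {"csrss.exe", "smss.exe", "wininit.exe", "winlogon.exe",
                   "lsass.exe", "services.exe", "svchost.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE_FRAGMENTS = ("c:\\programdata\\", "c:\\users\\", "\\appdata\\", "\\temp\\")


@dataclass
class RunKeyFinding:
    value_name: str
    executable: str
    reasons: List[str]

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def unescape_data(data: str) -> str:
    """Undo the sandbox's escaping of REG_SZ data: outer quotes, backslash-escaped quotes and backslashes."""
    if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
        data = data[1:-1]
    out, i = [], 0
    while i < len(data):
        if data[i] == "\\" and i + 1 < len(data) and data[i + 1] in '\\"':
            out.append(data[i + 1])
            i += 2
        else:
            out.append(data[i])
            i += 1
    return "".join(out)


def command_executable(command: str) -> str:
    """First token of a command line, honouring a quoted program path."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    return command.split(" ", 1)[0]


def assess_run_key(line: str) -> Optional[RunKeyFinding]:
    """Parse one indicator line; None if it is not a Run/RunOnce value write."""
    m = RUN_KEY_RE.match(line)
    if not m:
        return None
    exe = command_executable(unescape_data(m.group("data")))
    low = exe.lower()
    basename = low.rsplit("\\", 1)[-1]
    reasons = []
    if basename in SYSTEM_BINARIES and not low.startswith(SYSTEM_DIRS):
        reasons.append(f"{basename} is a Windows system process name but lives outside System32")
    if any(frag in low for frag in USER_WRITABLE_FRAGMENTS):
        reasons.append("autostart target is in a user-writable directory")
    return RunKeyFinding(m.group("name"), exe, reasons)


def suspicious_findings(lines: List[str]) -> List[RunKeyFinding]:
    return [f for f in map(assess_run_key, lines) if f is not None and f.suspicious]


if __name__ == "__main__":
    for f in suspicious_findings(SAMPLE_INDICATORS):
        print(f"{f.value_name!r} -> {f.executable}: " + "; ".join(f.reasons))
```

The same two heuristics apply unchanged to a live host: enumerate the Run and RunOnce values under HKCU and HKLM, resolve each command line to its program, and compare name and directory the same way.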

Checks installed software on the system

discovery

Enumerates physical storage devices

Suspicious use of UnmapMainImage

Description N/A
Indicator N/A
Process C:\Users\Admin\AppData\Local\Temp\01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe
Target N/A

Processes

C:\Users\Admin\AppData\Local\Temp\01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe

"C:\Users\Admin\AppData\Local\Temp\01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe"

Network

Country Destination Domain Proto
N/A 127.0.0.1:49194 tcp
NL 194.109.206.212:443 tcp
DE 131.188.40.189:443 tcp
US 128.31.0.39:9101 tcp
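Apart from the loopback connection, every destination in this table is a Tor directory authority: 194.109.206.212 (dizum), 131.188.40.189 (gabelmoo) and 128.31.0.39 (moria1); the other runs add 86.59.21.38 (tor26), 193.23.244.244 (dannenberg), 154.35.32.5 (Faravahar) and 171.25.193.9 (maatuska). A Tor client contacts these on bootstrap to fetch the network consensus, and Troldesh/Shade is known to bundle a Tor client for command and control, so the pattern here is the embedded client starting up; the connection to 127.0.0.1 on a high port is consistent with that client's local listener, although the report does not show which process opened it. 76.73.17.194:9090 and 208.83.223.34:80 in the other runs are not authorities and are left unclassified. As an added example, not from the report, this Python parses network rows in the format of the table above (the input is constructed from the behavioral2 and behavioral4 tables) and tags destinations that match a table of directory-authority addresses. That table is the author's assumption from public Tor documentation around 2024 and matches on address only, because authority ports have changed over the years and an embedded client carries whatever list it was built with; refresh it from a current consensus before relying on it.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed table of Tor directory authorities, IPv4 -> nickname, as publicly documented around
# 2024 (author's assumption, not from the report). Address-only on purpose: ports have changed.
TOR_DIR_AUTHORITIES: Dict[str, str] = {
    "128.31.0.39": "moria1",
    "86.59.21.38": "tor26",
    "194.109.206.212": "dizum",
    "131.188.40.189": "gabelmoo",
    "193.23.244.244": "dannenberg",
    "171.25.193.9": "maatuska",
    "154.35.32.5": "Faravahar",
    "199.58.81.140": "longclaw",
    "204.13.164.118": "bastet",
}

# Constructed sample input: network rows copied from the behavioral2 and behavioral4 tables.
SAMPLE_NETWORK = """\
N/A 127.0.0.1:49194 tcp
NL 194.109.206.212:443 tcp
DE 131.188.40.189:443 tcp
US 128.31.0.39:9101 tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
DE 193.23.244.244:443 tcp
AT 86.59.21.38:443 tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 208.83.223.34:80 tcp
"""

# "Country Destination [Domain] Proto"; the Domain column is blank for most rows.
ROW_RE = re.compile(
    r"^(?P<cc>\S+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
    r"(?:\s+(?P<domain>\S+))?\s+(?P<proto>tcp|udp)$"
)


@dataclass
class NetRow:
    country: str
    ip: str
    port: int
    domain: Optional[str]
    proto: str


def parse_rows(text: str) -> List[NetRow]:
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Country"):
            continue
        m = ROW_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised network row: {line!r}")
        rows.append(NetRow(m["cc"], m["ip"], int(m["port"]), m["domain"], m["proto"]))
    return rows


def classify(row: NetRow) -> str:
    if row.ip in TOR_DIR_AUTHORITIES:
        return "tor-dirauth"
    if row.ip.startswith("127."):
        return "loopback"
    if row.domain and row.domain.endswith(".in-addr.arpa"):
        return "reverse-dns"
    if row.port == 53:
        return "dns"
    return "other"


def tor_bootstrap_report(text: str) -> Dict[str, object]:
    rows = parse_rows(text)
    counts = Counter(classify(r) for r in rows)
    authorities = sorted({TOR_DIR_AUTHORITIES[r.ip] for r in rows if r.ip in TOR_DIR_AUTHORITIES})
    # One authority hit could be coincidence; a bootstrapping client tries several, and a
    # loopback listener alongside them is the shape of an embedded Tor client.
    return {
        "counts": dict(counts),
        "authorities": authorities,
        "tor_bootstrap_suspected": len(authorities) >= 2 and counts["loopback"] > 0,
    }


if __name__ == "__main__":
    print(tor_bootstrap_report(SAMPLE_NETWORK))
```

For network detection the same list works as a watchlist: outbound connections from a workstation to two or more of these addresses within a few seconds, with no Tor Browser installed, are worth an alert on their own.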

Files

memory/2784-0-0x0000000000610000-0x00000000006E5000-memory.dmp

memory/2784-2-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2784-1-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2784-3-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2784-4-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2784-5-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2784-6-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2784-7-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2784-11-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2784-12-0x0000000000610000-0x00000000006E5000-memory.dmp

memory/2784-13-0x0000000000400000-0x0000000000608000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-04-17 14:56

Reported

2024-04-17 17:46

Platform

win10-20240404-en

Max time kernel

590s

Max time network

502s

Command Line

"C:\Users\Admin\AppData\Local\Temp\01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe"

Signatures

Troldesh, Shade, Encoder.858

ransomware trojan troldesh

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx

Adds Run key to start application

persistence
Description Set value (str)
Indicator \REGISTRY\USER\S-1-5-21-2768987046-1485460554-1347040953-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\""
Process C:\Users\Admin\AppData\Local\Temp\01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe
Target N/A

Checks installed software on the system

discovery

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe

"C:\Users\Admin\AppData\Local\Temp\01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe"

Network

Country Destination Domain Proto
N/A 127.0.0.1:49788 tcp
DE 131.188.40.189:443 tcp
US 8.8.8.8:53 189.40.188.131.in-addr.arpa udp
US 154.35.32.5:443 tcp
US 8.8.8.8:53 30.73.42.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
SE 171.25.193.9:80 tcp
US 8.8.8.8:53 9.193.25.171.in-addr.arpa udp

Files

memory/5040-0-0x0000000002250000-0x0000000002325000-memory.dmp

memory/5040-1-0x0000000000400000-0x0000000000608000-memory.dmp

memory/5040-2-0x0000000000400000-0x0000000000608000-memory.dmp

memory/5040-3-0x0000000000400000-0x0000000000608000-memory.dmp

memory/5040-4-0x0000000000400000-0x0000000000608000-memory.dmp

memory/5040-5-0x0000000000400000-0x0000000000608000-memory.dmp

memory/5040-8-0x0000000000400000-0x0000000000608000-memory.dmp

memory/5040-11-0x0000000000400000-0x0000000000608000-memory.dmp

memory/5040-12-0x0000000000400000-0x0000000000608000-memory.dmp

memory/5040-13-0x0000000002250000-0x0000000002325000-memory.dmp

memory/5040-14-0x0000000000400000-0x0000000000608000-memory.dmp

memory/5040-15-0x0000000000400000-0x0000000000608000-memory.dmp

memory/5040-16-0x0000000000400000-0x0000000000608000-memory.dmp

memory/5040-17-0x0000000000400000-0x0000000000608000-memory.dmp

memory/5040-18-0x0000000000400000-0x0000000000608000-memory.dmp

memory/5040-19-0x0000000000400000-0x0000000000608000-memory.dmp

memory/5040-22-0x0000000000400000-0x0000000000608000-memory.dmp

memory/5040-23-0x0000000000400000-0x0000000000608000-memory.dmp

memory/5040-24-0x0000000000400000-0x0000000000608000-memory.dmp

memory/5040-25-0x0000000000400000-0x0000000000608000-memory.dmp

memory/5040-26-0x0000000000400000-0x0000000000608000-memory.dmp

memory/5040-27-0x0000000000400000-0x0000000000608000-memory.dmp

memory/5040-28-0x0000000000400000-0x0000000000608000-memory.dmp

memory/5040-29-0x0000000000400000-0x0000000000608000-memory.dmp

memory/5040-30-0x0000000000400000-0x0000000000608000-memory.dmp

memory/5040-31-0x0000000000400000-0x0000000000608000-memory.dmp

memory/5040-32-0x0000000000400000-0x0000000000608000-memory.dmp

memory/5040-33-0x0000000000400000-0x0000000000608000-memory.dmp

memory/5040-34-0x0000000000400000-0x0000000000608000-memory.dmp

memory/5040-35-0x0000000000400000-0x0000000000608000-memory.dmp

memory/5040-36-0x0000000000400000-0x0000000000608000-memory.dmp

memory/5040-37-0x0000000000400000-0x0000000000608000-memory.dmp

memory/5040-38-0x0000000000400000-0x0000000000608000-memory.dmp

memory/5040-39-0x0000000000400000-0x0000000000608000-memory.dmp

memory/5040-40-0x0000000000400000-0x0000000000608000-memory.dmp

memory/5040-41-0x0000000000400000-0x0000000000608000-memory.dmp

memory/5040-42-0x0000000000400000-0x0000000000608000-memory.dmp

memory/5040-43-0x0000000000400000-0x0000000000608000-memory.dmp

memory/5040-44-0x0000000000400000-0x0000000000608000-memory.dmp

memory/5040-45-0x0000000000400000-0x0000000000608000-memory.dmp

memory/5040-46-0x0000000000400000-0x0000000000608000-memory.dmp

memory/5040-47-0x0000000000400000-0x0000000000608000-memory.dmp

memory/5040-48-0x0000000000400000-0x0000000000608000-memory.dmp

memory/5040-49-0x0000000000400000-0x0000000000608000-memory.dmp

memory/5040-50-0x0000000000400000-0x0000000000608000-memory.dmp

memory/5040-51-0x0000000000400000-0x0000000000608000-memory.dmp

memory/5040-52-0x0000000000400000-0x0000000000608000-memory.dmp

memory/5040-53-0x0000000000400000-0x0000000000608000-memory.dmp

memory/5040-54-0x0000000000400000-0x0000000000608000-memory.dmp

memory/5040-55-0x0000000000400000-0x0000000000608000-memory.dmp

memory/5040-56-0x0000000000400000-0x0000000000608000-memory.dmp

memory/5040-57-0x0000000000400000-0x0000000000608000-memory.dmp

memory/5040-58-0x0000000000400000-0x0000000000608000-memory.dmp

memory/5040-59-0x0000000000400000-0x0000000000608000-memory.dmp

memory/5040-60-0x0000000000400000-0x0000000000608000-memory.dmp

memory/5040-61-0x0000000000400000-0x0000000000608000-memory.dmp

memory/5040-62-0x0000000000400000-0x0000000000608000-memory.dmp

memory/5040-63-0x0000000000400000-0x0000000000608000-memory.dmp

memory/5040-64-0x0000000000400000-0x0000000000608000-memory.dmp

memory/5040-65-0x0000000000400000-0x0000000000608000-memory.dmp

memory/5040-66-0x0000000000400000-0x0000000000608000-memory.dmp

memory/5040-67-0x0000000000400000-0x0000000000608000-memory.dmp

memory/5040-68-0x0000000000400000-0x0000000000608000-memory.dmp

memory/5040-69-0x0000000000400000-0x0000000000608000-memory.dmp

memory/5040-70-0x0000000000400000-0x0000000000608000-memory.dmp

memory/5040-71-0x0000000000400000-0x0000000000608000-memory.dmp

memory/5040-72-0x0000000000400000-0x0000000000608000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-04-17 14:56

Reported

2024-04-17 17:47

Platform

win10v2004-20240412-en

Max time kernel

592s

Max time network

460s

Command Line

"C:\Users\Admin\AppData\Local\Temp\01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe"

Signatures

Troldesh, Shade, Encoder.858

ransomware trojan troldesh

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx

Adds Run key to start application

persistence
Description Set value (str)
Indicator \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\""
Process C:\Users\Admin\AppData\Local\Temp\01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe
Target N/A

Checks installed software on the system

discovery

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe

"C:\Users\Admin\AppData\Local\Temp\01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
DE 193.23.244.244:443 tcp
AT 86.59.21.38:443 tcp
N/A 127.0.0.1:57067 tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 244.244.23.193.in-addr.arpa udp
US 8.8.8.8:53 132.250.30.184.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 163.126.19.2.in-addr.arpa udp
US 8.8.8.8:53 122.140.123.92.in-addr.arpa udp
US 128.31.0.39:9101 tcp
US 8.8.8.8:53 3.173.189.20.in-addr.arpa udp
US 208.83.223.34:80 tcp

Files

memory/1744-0-0x00000000022E0000-0x00000000023B5000-memory.dmp

memory/1744-1-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1744-2-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1744-3-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1744-4-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1744-5-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1744-7-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1744-11-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1744-12-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1744-13-0x00000000022E0000-0x00000000023B5000-memory.dmp

memory/1744-14-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1744-15-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1744-16-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1744-17-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1744-18-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1744-21-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1744-22-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1744-23-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1744-24-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1744-25-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1744-26-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1744-27-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1744-28-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1744-29-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1744-30-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1744-31-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1744-32-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1744-33-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1744-34-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1744-35-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1744-36-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1744-37-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1744-38-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1744-39-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1744-40-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1744-41-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1744-42-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1744-43-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1744-44-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1744-45-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1744-46-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1744-47-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1744-48-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1744-49-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1744-50-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1744-51-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1744-52-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1744-53-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1744-54-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1744-55-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1744-56-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1744-57-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1744-58-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1744-59-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1744-60-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1744-61-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1744-62-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1744-63-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1744-64-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1744-65-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1744-66-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1744-67-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1744-68-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1744-69-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1744-70-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1744-71-0x0000000000400000-0x0000000000608000-memory.dmp

memory/1744-72-0x0000000000400000-0x0000000000608000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2024-04-17 14:56

Reported

2024-04-17 17:47

Platform

win11-20240412-en

Max time kernel

612s

Max time network

505s

Command Line

"C:\Users\Admin\AppData\Local\Temp\01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe"

Signatures

Troldesh, Shade, Encoder.858

ransomware trojan troldesh

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx

Adds Run key to start application

persistence
Description Set value (str)
Indicator \REGISTRY\USER\S-1-5-21-825860316-2493133627-3905166409-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\""
Process C:\Users\Admin\AppData\Local\Temp\01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe
Target N/A

Checks installed software on the system

discovery

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe

"C:\Users\Admin\AppData\Local\Temp\01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe"

Network

Country Destination Domain Proto
N/A 127.0.0.1:49735 tcp
DE 131.188.40.189:443 tcp
US 8.8.8.8:53 189.40.188.131.in-addr.arpa udp
SG 76.73.17.194:9090 tcp
US 208.83.223.34:80 tcp

Files

memory/3584-0-0x0000000002470000-0x0000000002545000-memory.dmp

memory/3584-1-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3584-2-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3584-3-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3584-4-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3584-5-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3584-6-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3584-9-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3584-12-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3584-13-0x0000000002470000-0x0000000002545000-memory.dmp

memory/3584-14-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3584-15-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3584-16-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3584-17-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3584-18-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3584-19-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3584-22-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3584-23-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3584-24-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3584-25-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3584-26-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3584-27-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3584-28-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3584-29-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3584-30-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3584-31-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3584-32-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3584-33-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3584-34-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3584-35-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3584-36-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3584-37-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3584-38-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3584-39-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3584-40-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3584-41-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3584-42-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3584-43-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3584-44-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3584-45-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3584-46-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3584-47-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3584-48-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3584-49-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3584-50-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3584-51-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3584-52-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3584-53-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3584-54-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3584-55-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3584-56-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3584-57-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3584-58-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3584-59-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3584-60-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3584-61-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3584-62-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3584-63-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3584-64-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3584-65-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3584-66-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3584-67-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3584-68-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3584-69-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3584-70-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3584-71-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3584-72-0x0000000000400000-0x0000000000608000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-17 14:56

Reported

2024-04-17 17:45

Platform

win10v2004-20240412-en

Max time kernel

591s

Max time network

494s

Command Line

"C:\Users\Admin\AppData\Local\Temp\01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe"

Signatures

Troldesh, Shade, Encoder.858

ransomware trojan troldesh

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx

Adds Run key to start application

persistence
Description Set value (str)
Indicator \REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\""
Process C:\Users\Admin\AppData\Local\Temp\01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe
Target N/A

Checks installed software on the system

discovery

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe

"C:\Users\Admin\AppData\Local\Temp\01b654c15c38a907d9966a5c1515fa201472ef1e3b831062d283e6cec2763e38.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 232.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 60.166.213.23.in-addr.arpa udp
N/A 127.0.0.1:59415 tcp
SG 76.73.17.194:9090 tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
NL 23.62.61.154:443 www.bing.com tcp
NL 23.62.61.154:443 www.bing.com tcp
US 8.8.8.8:53 154.61.62.23.in-addr.arpa udp
US 208.83.223.34:80 tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 28.143.109.104.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 154.35.32.5:443 tcp
US 128.31.0.39:9101 tcp

Files

memory/384-0-0x00000000023B0000-0x0000000002485000-memory.dmp

memory/384-1-0x0000000000400000-0x0000000000608000-memory.dmp

memory/384-2-0x0000000000400000-0x0000000000608000-memory.dmp

memory/384-3-0x0000000000400000-0x0000000000608000-memory.dmp

memory/384-4-0x0000000000400000-0x0000000000608000-memory.dmp

memory/384-5-0x0000000000400000-0x0000000000608000-memory.dmp

memory/384-7-0x0000000000400000-0x0000000000608000-memory.dmp

memory/384-11-0x0000000000400000-0x0000000000608000-memory.dmp

memory/384-12-0x0000000000400000-0x0000000000608000-memory.dmp

memory/384-13-0x00000000023B0000-0x0000000002485000-memory.dmp

memory/384-14-0x0000000000400000-0x0000000000608000-memory.dmp

memory/384-15-0x0000000000400000-0x0000000000608000-memory.dmp

memory/384-16-0x0000000000400000-0x0000000000608000-memory.dmp

memory/384-17-0x0000000000400000-0x0000000000608000-memory.dmp

memory/384-18-0x0000000000400000-0x0000000000608000-memory.dmp

memory/384-19-0x0000000000400000-0x0000000000608000-memory.dmp

memory/384-22-0x0000000000400000-0x0000000000608000-memory.dmp

memory/384-23-0x0000000000400000-0x0000000000608000-memory.dmp

memory/384-24-0x0000000000400000-0x0000000000608000-memory.dmp

memory/384-25-0x0000000000400000-0x0000000000608000-memory.dmp

memory/384-26-0x0000000000400000-0x0000000000608000-memory.dmp

memory/384-27-0x0000000000400000-0x0000000000608000-memory.dmp

memory/384-28-0x0000000000400000-0x0000000000608000-memory.dmp

memory/384-29-0x0000000000400000-0x0000000000608000-memory.dmp

memory/384-30-0x0000000000400000-0x0000000000608000-memory.dmp

memory/384-31-0x0000000000400000-0x0000000000608000-memory.dmp

memory/384-32-0x0000000000400000-0x0000000000608000-memory.dmp

memory/384-33-0x0000000000400000-0x0000000000608000-memory.dmp

memory/384-34-0x0000000000400000-0x0000000000608000-memory.dmp

memory/384-35-0x0000000000400000-0x0000000000608000-memory.dmp

memory/384-36-0x0000000000400000-0x0000000000608000-memory.dmp

memory/384-37-0x0000000000400000-0x0000000000608000-memory.dmp

memory/384-38-0x0000000000400000-0x0000000000608000-memory.dmp

memory/384-39-0x0000000000400000-0x0000000000608000-memory.dmp

memory/384-40-0x0000000000400000-0x0000000000608000-memory.dmp

memory/384-41-0x0000000000400000-0x0000000000608000-memory.dmp

memory/384-42-0x0000000000400000-0x0000000000608000-memory.dmp

memory/384-43-0x0000000000400000-0x0000000000608000-memory.dmp

memory/384-44-0x0000000000400000-0x0000000000608000-memory.dmp

memory/384-45-0x0000000000400000-0x0000000000608000-memory.dmp

memory/384-46-0x0000000000400000-0x0000000000608000-memory.dmp

memory/384-47-0x0000000000400000-0x0000000000608000-memory.dmp

memory/384-48-0x0000000000400000-0x0000000000608000-memory.dmp

memory/384-49-0x0000000000400000-0x0000000000608000-memory.dmp

memory/384-50-0x0000000000400000-0x0000000000608000-memory.dmp

memory/384-51-0x0000000000400000-0x0000000000608000-memory.dmp

memory/384-52-0x0000000000400000-0x0000000000608000-memory.dmp

memory/384-53-0x0000000000400000-0x0000000000608000-memory.dmp

memory/384-54-0x0000000000400000-0x0000000000608000-memory.dmp

memory/384-55-0x0000000000400000-0x0000000000608000-memory.dmp

memory/384-56-0x0000000000400000-0x0000000000608000-memory.dmp

memory/384-57-0x0000000000400000-0x0000000000608000-memory.dmp

memory/384-58-0x0000000000400000-0x0000000000608000-memory.dmp

memory/384-59-0x0000000000400000-0x0000000000608000-memory.dmp

memory/384-60-0x0000000000400000-0x0000000000608000-memory.dmp

memory/384-61-0x0000000000400000-0x0000000000608000-memory.dmp

memory/384-62-0x0000000000400000-0x0000000000608000-memory.dmp

memory/384-63-0x0000000000400000-0x0000000000608000-memory.dmp

memory/384-64-0x0000000000400000-0x0000000000608000-memory.dmp

memory/384-65-0x0000000000400000-0x0000000000608000-memory.dmp

memory/384-66-0x0000000000400000-0x0000000000608000-memory.dmp

memory/384-67-0x0000000000400000-0x0000000000608000-memory.dmp

memory/384-68-0x0000000000400000-0x0000000000608000-memory.dmp

memory/384-69-0x0000000000400000-0x0000000000608000-memory.dmp

memory/384-70-0x0000000000400000-0x0000000000608000-memory.dmp

memory/384-71-0x0000000000400000-0x0000000000608000-memory.dmp

memory/384-72-0x0000000000400000-0x0000000000608000-memory.dmp