Malware Analysis Report

2024-09-22 12:39

Sample ID 240417-skhcrafa4s
Target 02e8c7af3724ff535da627197920ad14.exe
SHA256 ed801a3e54843afe989aadd69cdab5e6fbf00e8e02742f354519b4b16de8f31c
Tags
troldesh discovery persistence ransomware trojan upx spyware stealer
score
10/10

Analysis Overview

score
10/10

SHA256

ed801a3e54843afe989aadd69cdab5e6fbf00e8e02742f354519b4b16de8f31c

Threat Level: Known bad

The file 02e8c7af3724ff535da627197920ad14.exe was found to be: Known bad.

Malicious Activity Summary

troldesh discovery persistence ransomware trojan upx spyware stealer

Troldesh, Shade, Encoder.858

Reads user/profile data of web browsers

UPX packed file

Adds Run key to start application

Checks installed software on the system

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of UnmapMainImage

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-04-17 15:10

Signatures

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-04-17 15:10

Reported

2024-04-17 19:31

Platform

win10v2004-20240226-en

Max time kernel

602s

Max time network

608s

Command Line

"C:\Users\Admin\AppData\Local\Temp\02e8c7af3724ff535da627197920ad14.exe"

Signatures

Troldesh, Shade, Encoder.858

ransomware trojan troldesh

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\02e8c7af3724ff535da627197920ad14.exe | N/A

Checks installed software on the system

discovery

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\02e8c7af3724ff535da627197920ad14.exe

"C:\Users\Admin\AppData\Local\Temp\02e8c7af3724ff535da627197920ad14.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1316 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4088 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:8

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
N/A | 127.0.0.1:49831 | | tcp
NL | 194.109.206.212:443 | | tcp
GB | 23.44.234.16:80 | | tcp
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp
US | 13.107.253.64:443 | | tcp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
SE | 171.25.193.9:80 | | tcp
US | 8.8.8.8:53 | 9.193.25.171.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.125.209.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 81.166.213.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 12.173.189.20.in-addr.arpa | udp
US | 128.31.0.39:9101 | | tcp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.32.209.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 60.166.213.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp
US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp
US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp
GB | 142.250.187.234:443 | chromewebstore.googleapis.com | tcp
US | 8.8.8.8:53 | 234.187.250.142.in-addr.arpa | udp
US | 8.8.8.8:53 | 64.242.123.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 154.173.246.72.in-addr.arpa | udp
US | 8.8.8.8:53 | 156.33.209.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 130.118.77.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 81.90.14.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 75.90.14.23.in-addr.arpa | udp
BE | 23.14.90.75:80 | | tcp

Files

memory/2428-0-0x0000000002300000-0x00000000023D5000-memory.dmp

memory/2428-1-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2428-2-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2428-3-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2428-5-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2428-4-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2428-6-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2428-9-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2428-12-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2428-13-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2428-14-0x0000000002300000-0x00000000023D5000-memory.dmp

memory/2428-15-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2428-16-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2428-17-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2428-20-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2428-21-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2428-22-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2428-23-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2428-24-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2428-25-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2428-26-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2428-27-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2428-28-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2428-29-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2428-30-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2428-31-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2428-32-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2428-33-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2428-34-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2428-35-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2428-36-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2428-37-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2428-38-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2428-39-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2428-40-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2428-41-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2428-42-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2428-43-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2428-44-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2428-45-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2428-46-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2428-47-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2428-48-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2428-49-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2428-50-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2428-51-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2428-52-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2428-53-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2428-54-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2428-55-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2428-56-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2428-57-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2428-58-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2428-59-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2428-60-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2428-61-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2428-62-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2428-63-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2428-64-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2428-65-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2428-66-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2428-67-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2428-68-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2428-69-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2428-70-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2428-71-0x0000000000400000-0x0000000000608000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2024-04-17 15:10

Reported

2024-04-17 19:32

Platform

win11-20240412-en

Max time kernel

591s

Max time network

502s

Command Line

"C:\Users\Admin\AppData\Local\Temp\02e8c7af3724ff535da627197920ad14.exe"

Signatures

Troldesh, Shade, Encoder.858

ransomware trojan troldesh

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-4041115548-3858121278-1660933110-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\02e8c7af3724ff535da627197920ad14.exe | N/A

Checks installed software on the system

discovery

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\02e8c7af3724ff535da627197920ad14.exe

"C:\Users\Admin\AppData\Local\Temp\02e8c7af3724ff535da627197920ad14.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp
N/A | 127.0.0.1:49776 | | tcp
US | 208.83.223.34:80 | | tcp
NL | 194.109.206.212:443 | | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 154.35.32.5:443 | | tcp
DE | 193.23.244.244:443 | | tcp

Files

memory/3024-0-0x0000000002320000-0x00000000023F5000-memory.dmp

memory/3024-1-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3024-2-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3024-3-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3024-4-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3024-5-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3024-7-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3024-11-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3024-12-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3024-13-0x0000000002320000-0x00000000023F5000-memory.dmp

memory/3024-14-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3024-15-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3024-16-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3024-17-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3024-18-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3024-19-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3024-22-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3024-23-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3024-24-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3024-25-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3024-26-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3024-27-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3024-28-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3024-29-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3024-30-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3024-31-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3024-32-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3024-33-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3024-34-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3024-35-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3024-36-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3024-37-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3024-38-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3024-39-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3024-40-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3024-41-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3024-42-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3024-43-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3024-44-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3024-45-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3024-46-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3024-47-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3024-48-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3024-49-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3024-50-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3024-51-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3024-52-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3024-53-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3024-54-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3024-55-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3024-56-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3024-57-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3024-58-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3024-59-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3024-60-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3024-61-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3024-62-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3024-63-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3024-64-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3024-65-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3024-66-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3024-67-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3024-68-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3024-69-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3024-70-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3024-71-0x0000000000400000-0x0000000000608000-memory.dmp

memory/3024-72-0x0000000000400000-0x0000000000608000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-17 15:10

Reported

2024-04-17 19:30

Platform

win10-20240404-en

Max time kernel

609s

Max time network

625s

Command Line

"C:\Users\Admin\AppData\Local\Temp\02e8c7af3724ff535da627197920ad14.exe"

Signatures

Troldesh, Shade, Encoder.858

ransomware trojan troldesh

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3727096518-2913484142-3593445157-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\02e8c7af3724ff535da627197920ad14.exe | N/A

Checks installed software on the system

discovery

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\02e8c7af3724ff535da627197920ad14.exe

"C:\Users\Admin\AppData\Local\Temp\02e8c7af3724ff535da627197920ad14.exe"

Network

Country | Destination | Domain | Proto
N/A | 127.0.0.1:49768 | | tcp
US | 208.83.223.34:80 | | tcp
AT | 86.59.21.38:443 | | tcp
US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 131.72.42.20.in-addr.arpa | udp
DE | 131.188.40.189:443 | | tcp
US | 8.8.8.8:53 | 189.40.188.131.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
NL | 52.142.223.178:80 | | tcp
US | 8.8.8.8:53 | 81.166.213.23.in-addr.arpa | udp

Files

memory/2212-0-0x0000000000710000-0x00000000007E5000-memory.dmp

memory/2212-1-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2212-2-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2212-3-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2212-4-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2212-5-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2212-8-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2212-11-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2212-12-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2212-13-0x0000000000710000-0x00000000007E5000-memory.dmp

memory/2212-14-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2212-15-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2212-16-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2212-17-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2212-18-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2212-19-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2212-22-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2212-23-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2212-24-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2212-25-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2212-26-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2212-27-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2212-28-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2212-29-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2212-30-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2212-31-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2212-32-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2212-33-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2212-34-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2212-35-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2212-36-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2212-37-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2212-38-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2212-39-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2212-40-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2212-41-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2212-42-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2212-43-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2212-44-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2212-45-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2212-46-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2212-47-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2212-48-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2212-49-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2212-50-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2212-51-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2212-52-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2212-53-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2212-54-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2212-55-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2212-56-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2212-57-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2212-58-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2212-59-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2212-60-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2212-61-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2212-62-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2212-63-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2212-64-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2212-65-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2212-66-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2212-67-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2212-68-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2212-69-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2212-70-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2212-71-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2212-72-0x0000000000400000-0x0000000000608000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-17 15:10

Reported

2024-04-17 19:30

Platform

win7-20240221-en

Max time kernel

491s

Max time network

493s

Command Line

"C:\Users\Admin\AppData\Local\Temp\02e8c7af3724ff535da627197920ad14.exe"

Signatures

Troldesh, Shade, Encoder.858

ransomware trojan troldesh

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\02e8c7af3724ff535da627197920ad14.exe | N/A

Checks installed software on the system

discovery

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\02e8c7af3724ff535da627197920ad14.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\02e8c7af3724ff535da627197920ad14.exe | N/A

Suspicious use of UnmapMainImage

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\02e8c7af3724ff535da627197920ad14.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\02e8c7af3724ff535da627197920ad14.exe

"C:\Users\Admin\AppData\Local\Temp\02e8c7af3724ff535da627197920ad14.exe"

Network

Country | Destination | Domain | Proto
US | 128.31.0.39:9101 | | tcp
N/A | 127.0.0.1:49193 | | tcp
US | 208.83.223.34:80 | | tcp
SG | 76.73.17.194:9090 | | tcp
DE | 193.23.244.244:443 | | tcp

Files

memory/2908-0-0x0000000002400000-0x00000000024D5000-memory.dmp

memory/2908-1-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2908-2-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2908-5-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2908-4-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2908-6-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2908-7-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2908-3-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2908-11-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2908-12-0x0000000002400000-0x00000000024D5000-memory.dmp

memory/2908-13-0x0000000000400000-0x0000000000608000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-04-17 15:10

Reported

2024-04-17 19:30

Platform

win10-20240404-en

Max time kernel

592s

Max time network

601s

Command Line

"C:\Users\Admin\AppData\Local\Temp\02e8c7af3724ff535da627197920ad14.exe"

Signatures

Troldesh, Shade, Encoder.858

ransomware trojan troldesh

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\02e8c7af3724ff535da627197920ad14.exe | N/A

Checks installed software on the system

discovery

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\02e8c7af3724ff535da627197920ad14.exe

"C:\Users\Admin\AppData\Local\Temp\02e8c7af3724ff535da627197920ad14.exe"

Network

Country | Destination | Domain | Proto
N/A | 127.0.0.1:49774 | | tcp
DE | 131.188.40.189:443 | | tcp
US | 8.8.8.8:53 | 189.40.188.131.in-addr.arpa | udp
SG | 76.73.17.194:9090 | | tcp
US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 28.73.42.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 154.35.32.5:443 | | tcp
US | 138.91.171.81:80 | | tcp
US | 8.8.8.8:53 | 81.166.213.23.in-addr.arpa | udp

Files

memory/2304-0-0x00000000020B0000-0x0000000002185000-memory.dmp

memory/2304-1-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2304-2-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2304-5-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2304-4-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2304-3-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2304-7-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2304-11-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2304-12-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2304-13-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2304-14-0x00000000020B0000-0x0000000002185000-memory.dmp

memory/2304-15-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2304-16-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2304-17-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2304-18-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2304-19-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2304-22-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2304-23-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2304-24-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2304-25-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2304-26-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2304-27-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2304-28-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2304-29-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2304-30-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2304-31-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2304-32-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2304-33-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2304-34-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2304-35-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2304-36-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2304-37-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2304-38-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2304-39-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2304-40-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2304-41-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2304-42-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2304-43-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2304-44-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2304-45-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2304-46-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2304-47-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2304-48-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2304-49-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2304-50-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2304-51-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2304-52-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2304-53-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2304-54-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2304-55-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2304-56-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2304-57-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2304-58-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2304-59-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2304-60-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2304-61-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2304-62-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2304-63-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2304-64-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2304-65-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2304-66-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2304-67-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2304-68-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2304-69-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2304-70-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2304-71-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2304-72-0x0000000000400000-0x0000000000608000-memory.dmp