troldesh | 2564e6fcff82ffdd9e6bdcd89e15cf1b6389faaae2279975326eac70dedffffb

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
30/04/2024, 15:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Scans46.scr
Size

904KB
MD5

b5cea1631da405d27fd932f6c0ee485d
SHA1

2e94efa7cfc5ec145f60686b939a43462e1a9cc5
SHA256

35b52d3ea2a913a3ba0b9b306c911e4804b12b1c61fc563ecf04a9e0903979b9
SHA512

7b03bab5df4839f08bd51223f38a37a7ed04a1167608db8bf4824c03b9d694196201d0ada3572fc340bdbc2b0b576cedc25eace6d8896f564ca1fb0f630b8d22
SSDEEP

24576:gb/Kqq2Bxvyw+vHnc+mkf0EkgINAiEHw+caL8c4cxAFq6LCaD8kHo:lqqbFvNmksEMNmtL8hVLCk8kHo

Score

10^/10

troldesh persistence ransomware trojan upx

Malware Config

Signatures

Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.
ransomware trojan troldesh

Loads dropped DLL 1 IoCs

pid	Process
1460	Scans46.scr

UPX packed file 23 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1448-7-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1448-9-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1448-10-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1448-11-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1448-8-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1448-12-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1448-14-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1448-16-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1448-13-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1448-19-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1448-20-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1448-21-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1448-22-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1448-23-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1448-26-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1448-27-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1448-28-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1448-29-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1448-30-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1448-31-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1448-32-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1448-33-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1448-34-0x0000000000400000-0x00000000005DE000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\""	Scans46.scr

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1460 set thread context of 1448	1460	Scans46.scr	28

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1448	Scans46.scr
1448	Scans46.scr

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1460	Scans46.scr

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 1460 wrote to memory of 1448	1460	Scans46.scr	28
PID 1460 wrote to memory of 1448	1460	Scans46.scr	28
PID 1460 wrote to memory of 1448	1460	Scans46.scr	28
PID 1460 wrote to memory of 1448	1460	Scans46.scr	28
PID 1460 wrote to memory of 1448	1460	Scans46.scr	28

C:\Users\Admin\AppData\Local\Temp\Scans46.scr
"C:\Users\Admin\AppData\Local\Temp\Scans46.scr" /S
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1460
- C:\Users\Admin\AppData\Local\Temp\Scans46.scr
  "C:\Users\Admin\AppData\Local\Temp\Scans46.scr" /S
  2⤵
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  PID:1448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsi236A.tmp\System.dll

Filesize
11KB

MD5
55a26d7800446f1373056064c64c3ce8

SHA1
80256857e9a0a9c8897923b717f3435295a76002

SHA256
904fd5481d72f4e03b01a455f848dedd095d0fb17e33608e0d849f5196fb6ff8

SHA512
04b8ab7a85c26f188c0a06f524488d6f2ac2884bf107c860c82e94ae12c3859f825133d78338fd2b594dfc48f7dc9888ae76fee786c6252a5c77c88755128a5b

Download Submit
memory/1448-7-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1448-9-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1448-10-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1448-11-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1448-8-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1448-12-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1448-14-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1448-16-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1448-13-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1448-19-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1448-20-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1448-21-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1448-22-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1448-23-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1448-26-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1448-27-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1448-28-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1448-29-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1448-30-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1448-31-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1448-32-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1448-33-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1448-34-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download