troldesh | 51b4b2b477d5a03789241c1f93304796c0a12ab93fa48ff08b6b1a42c462096c

Analysis

max time kernel
145s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
07-05-2024 20:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Scans53.scr
Size

920KB
MD5

413a810de39449d76506b8ef5c1ff203
SHA1

97b7fbe4daebed58ce1aacea16797e963695a999
SHA256

5d9da09172675f25ddc8419fc9c217df973fa86d7045d4b829a681a0201e7ace
SHA512

51a0fb77c15be511deeaf51ce8e73b55efc0ae62a6421075fe2137e37770041f992b525d8be02dbc5f2ee4c37fdd01ebb1ae0b1e2db438642e88ea42210b661b
SSDEEP

24576:mPvf+WUhGsDNGoknAXjUDEdz1HlqwHdZhfLb8iyW2nszt6kuFW:g+DxDNrmAtdxHNHdZhfLbhynsx6kuk

Score

10^/10

troldesh persistence ransomware trojan upx

Malware Config

Signatures

Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.
ransomware trojan troldesh

Loads dropped DLL 1 IoCs

pid	Process
2860	Scans53.scr

UPX packed file 22 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2960-7-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2960-9-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2960-11-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2960-12-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2960-10-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2960-8-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2960-16-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2960-13-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2960-14-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2960-19-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2960-20-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2960-21-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2960-22-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2960-23-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2960-26-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2960-27-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2960-28-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2960-29-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2960-30-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2960-31-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2960-32-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2960-33-0x0000000000400000-0x00000000005DE000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\""	Scans53.scr

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2860 set thread context of 2960	2860	Scans53.scr	28

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2960	Scans53.scr
2960	Scans53.scr

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2860	Scans53.scr

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2860 wrote to memory of 2960	2860	Scans53.scr	28
PID 2860 wrote to memory of 2960	2860	Scans53.scr	28
PID 2860 wrote to memory of 2960	2860	Scans53.scr	28
PID 2860 wrote to memory of 2960	2860	Scans53.scr	28
PID 2860 wrote to memory of 2960	2860	Scans53.scr	28
PID 2860 wrote to memory of 2960	2860	Scans53.scr	28
PID 2860 wrote to memory of 2960	2860	Scans53.scr	28
PID 2860 wrote to memory of 2960	2860	Scans53.scr	28

C:\Users\Admin\AppData\Local\Temp\Scans53.scr
"C:\Users\Admin\AppData\Local\Temp\Scans53.scr" /S
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2860
- C:\Users\Admin\AppData\Local\Temp\Scans53.scr
  "C:\Users\Admin\AppData\Local\Temp\Scans53.scr" /S
  2⤵
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  PID:2960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsy92FE.tmp\System.dll

Filesize
11KB

MD5
55a26d7800446f1373056064c64c3ce8

SHA1
80256857e9a0a9c8897923b717f3435295a76002

SHA256
904fd5481d72f4e03b01a455f848dedd095d0fb17e33608e0d849f5196fb6ff8

SHA512
04b8ab7a85c26f188c0a06f524488d6f2ac2884bf107c860c82e94ae12c3859f825133d78338fd2b594dfc48f7dc9888ae76fee786c6252a5c77c88755128a5b

Download Submit
memory/2960-7-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2960-9-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2960-11-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2960-12-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2960-10-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2960-8-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2960-16-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2960-13-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2960-14-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2960-19-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2960-20-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2960-21-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2960-22-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2960-23-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2960-26-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2960-27-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2960-28-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2960-29-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2960-30-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2960-31-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2960-32-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2960-33-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download