troldesh | 11ff52baee11330a7e323810621924871f0939195436f5834c45aab8749f75c1

Analysis

max time kernel
141s
max time network
126s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
09-05-2024 04:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Scans43.scr
Size

907KB
MD5

80c96b710a809cd0dc5d71ced520e343
SHA1

e628c2f5ca249987a860df0a5bd9225aff1f9553
SHA256

b38eb05b2bb722b2e9e4b6032645d07524da27629167578426918468aebf3d21
SHA512

0e7520e98435f96c4a3fee921d8468d1747308671911dfb6c9150acf978d6791e46831b1259d1a7a6bf1c3747836d79f8930931d2833f4554e5a84f7bb6f12f9
SSDEEP

12288:gb/bnp62fDpd0CsgoiLxgfGBQg4pHxR/76W6hiAomLGorkvzyv9o8UR7etQr7TCn:gb/bnoA3lsEQGrA/7B85qWkzG8r7HqN

Score

10^/10

troldesh persistence ransomware trojan upx

Malware Config

Signatures

Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.
ransomware trojan troldesh

Loads dropped DLL 1 IoCs

pid	Process
1136	Scans43.scr

UPX packed file 22 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1720-7-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1720-8-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1720-9-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1720-12-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1720-11-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1720-10-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1720-16-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1720-13-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1720-14-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1720-19-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1720-20-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1720-21-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1720-22-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1720-23-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1720-26-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1720-27-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1720-28-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1720-29-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1720-30-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1720-31-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1720-32-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1720-33-0x0000000000400000-0x00000000005DE000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\""	Scans43.scr

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1136 set thread context of 1720	1136	Scans43.scr	28

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1720	Scans43.scr
1720	Scans43.scr

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1136	Scans43.scr

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 1136 wrote to memory of 1720	1136	Scans43.scr	28
PID 1136 wrote to memory of 1720	1136	Scans43.scr	28
PID 1136 wrote to memory of 1720	1136	Scans43.scr	28
PID 1136 wrote to memory of 1720	1136	Scans43.scr	28
PID 1136 wrote to memory of 1720	1136	Scans43.scr	28

C:\Users\Admin\AppData\Local\Temp\Scans43.scr
"C:\Users\Admin\AppData\Local\Temp\Scans43.scr" /S
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1136
- C:\Users\Admin\AppData\Local\Temp\Scans43.scr
  "C:\Users\Admin\AppData\Local\Temp\Scans43.scr" /S
  2⤵
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  PID:1720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsj9C61.tmp\System.dll

Filesize
11KB

MD5
55a26d7800446f1373056064c64c3ce8

SHA1
80256857e9a0a9c8897923b717f3435295a76002

SHA256
904fd5481d72f4e03b01a455f848dedd095d0fb17e33608e0d849f5196fb6ff8

SHA512
04b8ab7a85c26f188c0a06f524488d6f2ac2884bf107c860c82e94ae12c3859f825133d78338fd2b594dfc48f7dc9888ae76fee786c6252a5c77c88755128a5b

Download Submit
memory/1720-7-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1720-8-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1720-9-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1720-12-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1720-11-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1720-10-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1720-16-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1720-13-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1720-14-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1720-19-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1720-20-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1720-21-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1720-22-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1720-23-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1720-26-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1720-27-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1720-28-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1720-29-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1720-30-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1720-31-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1720-32-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1720-33-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download