troldesh | 5cbb6442c47708558da29588e0d8ef0b34c4716be4a47e7c715ea844fbcf60d7

General

Target

NoMoreRansom.zip
Size

916KB
MD5

f315e49d46914e3989a160bbcfc5de85
SHA1

99654bfeaad090d95deef3a2e9d5d021d2dc5f63
SHA256

5cbb6442c47708558da29588e0d8ef0b34c4716be4a47e7c715ea844fbcf60d7
SHA512

224747b15d0713afcb2641f8f3aa1687516d42e045d456b3ed096a42757a6c10c6626672366c9b632349cf6ffe41011724e6f4b684837de9b719d0f351dfd22e
SSDEEP

24576:+FhIdZxByAl+XiqNk6n3DaeCTLD1yilc7KrBVw1lFVFDqE/zQRsAOfySS:AhAgo2ikhryLD1hcerklFVhqEMiAuySS

Score

10^/10

troldesh discovery persistence ransomware trojan upx

Malware Config

Signatures

Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.
ransomware trojan troldesh
Executes dropped EXE 2 IoCs

Processes:

[email protected][email protected]

pid process

4924 [email protected]
3644 [email protected]

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/4924-4-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4924-6-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4924-5-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4924-7-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4924-12-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3644-14-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3644-15-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4924-16-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3644-17-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4924-20-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4924-21-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4924-22-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4924-23-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4924-26-0x0000000000400000-0x00000000005DE000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

[email protected]

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\""	[email protected]

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

[email protected][email protected]

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

[email protected][email protected]

pid	process
4924	[email protected]
4924	[email protected]
4924	[email protected]
4924	[email protected]
3644	[email protected]
3644	[email protected]
3644	[email protected]
3644	[email protected]

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

7zG.exe

description pid process

Token: SeRestorePrivilege 948 7zG.exe
Token: 35 948 7zG.exe
Token: SeSecurityPrivilege 948 7zG.exe
Token: SeSecurityPrivilege 948 7zG.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

7zG.exe

pid process

948 7zG.exe

description	pid	process
Token: SeRestorePrivilege	948	7zG.exe
Token: 35	948	7zG.exe
Token: SeSecurityPrivilege	948	7zG.exe
Token: SeSecurityPrivilege	948	7zG.exe

pid	process
948	7zG.exe

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\NoMoreRansom.zip
1⤵
PID:3332

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:4676

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5048

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\NoMoreRansom\" -spe -an -ai#7zMap14848:82:7zEvent28346
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:948

C:\Users\Admin\Desktop\NoMoreRansom\[email protected]
"C:\Users\Admin\Desktop\NoMoreRansom\[email protected]"
1⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4924

C:\Users\Admin\Desktop\NoMoreRansom\[email protected]
"C:\Users\Admin\Desktop\NoMoreRansom\[email protected]"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\NoMoreRansom.zip

Filesize
916KB

MD5
f315e49d46914e3989a160bbcfc5de85

SHA1
99654bfeaad090d95deef3a2e9d5d021d2dc5f63

SHA256
5cbb6442c47708558da29588e0d8ef0b34c4716be4a47e7c715ea844fbcf60d7

SHA512
224747b15d0713afcb2641f8f3aa1687516d42e045d456b3ed096a42757a6c10c6626672366c9b632349cf6ffe41011724e6f4b684837de9b719d0f351dfd22e

Download Submit
C:\Users\Admin\Desktop\NoMoreRansom\[email protected]

Filesize
1.4MB

MD5
63210f8f1dde6c40a7f3643ccf0ff313

SHA1
57edd72391d710d71bead504d44389d0462ccec9

SHA256
2aab13d49b60001de3aa47fb8f7251a973faa7f3c53a3840cdf5fd0b26e9a09f

SHA512
87a89e8ab85be150a783a9f8d41797cfa12f86fdccb48f2180c0498bfd2b1040b730dee4665fe2c83b98d436453680226051b7f1532e1c0e0cda0cf702e80a11

Download Submit
memory/3644-17-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3644-15-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3644-14-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4924-7-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4924-12-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4924-5-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4924-6-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4924-16-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4924-4-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4924-20-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4924-21-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4924-22-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4924-23-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4924-26-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads