troldesh | 2aab13d49b60001de3aa47fb8f7251a973faa7f3c53a3840cdf5fd0b26e9a09f

Resubmissions

11-11-2024 22:15

241111-16j3ga1mhk 10

27-08-2024 22:02

240827-1x1zmatepc 10

Analysis

max time kernel
140s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-11-2024 22:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NoMoreRansom.exe
Size

1.4MB
MD5

63210f8f1dde6c40a7f3643ccf0ff313
SHA1

57edd72391d710d71bead504d44389d0462ccec9
SHA256

2aab13d49b60001de3aa47fb8f7251a973faa7f3c53a3840cdf5fd0b26e9a09f
SHA512

87a89e8ab85be150a783a9f8d41797cfa12f86fdccb48f2180c0498bfd2b1040b730dee4665fe2c83b98d436453680226051b7f1532e1c0e0cda0cf702e80a11
SSDEEP

12288:WZgSKWk54jeg6lL5assQHtzV2KoLJ+PwXxwuLSJ8slf1zMr6iL/KNDx2PIXe2Q:KgoLetlLS8tz6V+PwD0XVMrXCNDxtK

Score

10^/10

troldesh discovery persistence ransomware trojan upx

Malware Config

Signatures

Troldesh family
troldesh
Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.
ransomware trojan troldesh

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

NoMoreRansom.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\""	NoMoreRansom.exe

UPX packed file 20 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/964-1-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/964-2-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/964-3-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/964-4-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/964-5-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/964-9-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/964-10-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/964-11-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/964-12-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/964-13-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/964-14-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/964-17-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/964-18-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/964-19-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/964-20-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/964-21-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/964-22-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/964-23-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/964-24-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/964-25-0x0000000000400000-0x00000000005DE000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

NoMoreRansom.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language NoMoreRansom.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

NoMoreRansom.exe

pid process

964 NoMoreRansom.exe
964 NoMoreRansom.exe
964 NoMoreRansom.exe
964 NoMoreRansom.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NoMoreRansom.exe

pid	process
964	NoMoreRansom.exe
964	NoMoreRansom.exe
964	NoMoreRansom.exe
964	NoMoreRansom.exe

C:\Users\Admin\AppData\Local\Temp\NoMoreRansom.exe
"C:\Users\Admin\AppData\Local\Temp\NoMoreRansom.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/964-0-0x00000000023E0000-0x00000000024AE000-memory.dmp

Filesize
824KB

Download
memory/964-1-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/964-2-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/964-3-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/964-4-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/964-5-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/964-9-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/964-10-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/964-11-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/964-12-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/964-13-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/964-14-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/964-17-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/964-18-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/964-19-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/964-20-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/964-21-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/964-22-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/964-23-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/964-24-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/964-25-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download