General
-
Target
RNSM00327.7z
-
Size
3.7MB
-
Sample
241112-whnzasxhnp
-
MD5
b3af9816cd60148658c913a2e987f11a
-
SHA1
a112327ece8d0bf078c76497a5b3bb3b825e1d2c
-
SHA256
035689dbe90430303d04428eca5e0acae1fc79df2ee80cc802baabe6085ae3a2
-
SHA512
0936582c48b40ed62a061588ec7f807d41ff85a6e67535b1bbafae0dcaa58bbb9a7b5be2b0ccd6c64db86652e88727c1bfc4898a75ddca483c02b1faf6488fa2
-
SSDEEP
98304:7s6VlzLDXInXTtmVs3ZUfuvhdRtNWkfWzNXzG7OG/rF:wUvETX3ZxhBVGH+5
Malware Config
Targets
-
-
Target
RNSM00327.7z
-
Size
3.7MB
-
MD5
b3af9816cd60148658c913a2e987f11a
-
SHA1
a112327ece8d0bf078c76497a5b3bb3b825e1d2c
-
SHA256
035689dbe90430303d04428eca5e0acae1fc79df2ee80cc802baabe6085ae3a2
-
SHA512
0936582c48b40ed62a061588ec7f807d41ff85a6e67535b1bbafae0dcaa58bbb9a7b5be2b0ccd6c64db86652e88727c1bfc4898a75ddca483c02b1faf6488fa2
-
SSDEEP
98304:7s6VlzLDXInXTtmVs3ZUfuvhdRtNWkfWzNXzG7OG/rF:wUvETX3ZxhBVGH+5
Score10/10-
Troldesh family
-
Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.
-
Renames multiple (323) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Drops desktop.ini file(s)
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
Network Share Discovery
Attempt to gather information on host network.
-
Suspicious use of SetThreadContext
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1