Overview

overview

10

Static

static

1

URLScan

urlscan

1

http://net.geslo.com...

windows10-2004-x64

Sharing

Copy URL
Twitter E-mail

General

  • Target

    http://net.geslo.com.ar

  • Sample

    250123-j6xj5a1nbz

Score
10/10
troldeshbootkitdiscoverypersistenceransomwaretrojanupx

Malware Config

Targets

    • Target

      http://net.geslo.com.ar

    Score
    10/10
    troldeshbootkitdiscoverypersistenceransomwaretrojanupx

    • Troldesh family

      troldesh

    • Troldesh, Shade, Encoder.858

      Troldesh is a ransomware spread by malspam.

      ransomwaretrojantroldesh

    • Renames multiple (409) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Executes dropped EXE

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

      bootkitpersistence

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral1

MITRE ATT&CK Enterprise v15

Tasks