analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
download:

1c.jpg

Full analysis: https://app.any.run/tasks/8b71ae99-6e3f-486f-801a-09948ba25a53
Verdict: Malicious activity
Threats:

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Analysis date: August 25, 2019, 20:40:49
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
ransomware
troldesh
shade
evasion
trojan
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

E73093B7A66DC2C6EFE20E4A21717883

SHA1:

A80AF9F28BE9DA286C050A63B2AE7D92857266B1

SHA256:

13A5794D88DD2A56E0EB4B6CF6BD2DB62DC1C3F51206B4BE4F39F01F54641995

SSDEEP:

24576:k/7TbYcDa6BSSEkmfSRmjNr0HmO0g9miDnP9GAK:Q7TajSENNO79FDPzK

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • 1c.jpg.exe (PID: 3696)
    • TROLDESH was detected

      • 1c.jpg.exe (PID: 3696)
    • Deletes shadow copies

      • 1c.jpg.exe (PID: 3696)
    • Runs app for hidden code execution

      • 1c.jpg.exe (PID: 3696)
    • Dropped file may contain instructions of ransomware

      • 1c.jpg.exe (PID: 3696)
    • Actions looks like stealing of personal data

      • 1c.jpg.exe (PID: 3696)
    • Modifies files in Chrome extension folder

      • 1c.jpg.exe (PID: 3696)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 1c.jpg.exe (PID: 3696)
    • Creates files in the program directory

      • 1c.jpg.exe (PID: 3696)
    • Checks for external IP

      • 1c.jpg.exe (PID: 3696)
    • Creates files like Ransomware instruction

      • 1c.jpg.exe (PID: 3696)
    • Starts CMD.EXE for commands execution

      • 1c.jpg.exe (PID: 3696)
    • Creates files in the user directory

      • 1c.jpg.exe (PID: 3696)
    • Executed as Windows Service

      • vssvc.exe (PID: 3204)
    • Starts application with an unusual extension

      • cmd.exe (PID: 3280)
  • INFO

    • Dropped object may contain URL to Tor Browser

      • 1c.jpg.exe (PID: 3696)
    • Dropped object may contain TOR URL's

      • 1c.jpg.exe (PID: 3696)
    • Dropped object may contain Bitcoin addresses

      • 1c.jpg.exe (PID: 3696)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2019:08:17 01:04:13+02:00
PEType: PE32
LinkerVersion: 9
CodeSize: 48640
InitializedDataSize: 913920
UninitializedDataSize: -
EntryPoint: 0x6bd1
OSVersion: 5
ImageVersion: -
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 6.1.7601.17514
ProductVersionNumber: 6.1.7601.17514
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Microsoft Corporation
FileDescription: Resume From Hibernate boot application
FileVersion: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
InternalName: hiberrsm.exe
LegalCopyright: © Microsoft Corporation. All rights reserved.
OriginalFileName: hiberrsm.exe
ProductName: Microsoft® Windows® Operating System
ProductVersion: 6.1.7601.17514

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 16-Aug-2019 23:04:13
Detected languages:
  • English - United States
CompanyName: Microsoft Corporation
FileDescription: Resume From Hibernate boot application
FileVersion: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
InternalName: hiberrsm.exe
LegalCopyright: © Microsoft Corporation. All rights reserved.
OriginalFilename: hiberrsm.exe
ProductName: Microsoft® Windows® Operating System
ProductVersion: 6.1.7601.17514

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x000000E0

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 4
Time date stamp: 16-Aug-2019 23:04:13
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x0000BC44
0x0000BE00
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
4.83791
.rdata
0x0000D000
0x000D802A
0x000D8200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
7.98794
.data
0x000E6000
0x000019DC
0x00000E00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
2.82989
.rsrc
0x000E8000
0x0011F488
0x00005600
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
3.40743

Resources

Title
Entropy
Size
Codepage
Language
Type
1
3.52543
964
UNKNOWN
English - United States
RT_VERSION
RESUME.XSL
3.38805
19820
UNKNOWN
English - United States
RT_HTML

Imports

ADVAPI32.dll
GDI32.dll
KERNEL32.dll
SHLWAPI.dll
USER32.dll
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
46
Monitored processes
6
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #TROLDESH 1c.jpg.exe vssadmin.exe no specs vssadmin.exe vssvc.exe no specs cmd.exe no specs chcp.com no specs

Process information

PID
CMD
Path
Indicators
Parent process
3696"C:\Users\admin\AppData\Local\Temp\1c.jpg.exe" C:\Users\admin\AppData\Local\Temp\1c.jpg.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Resume From Hibernate boot application
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2592C:\Windows\system32\vssadmin.exe List ShadowsC:\Windows\system32\vssadmin.exe1c.jpg.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Command Line Interface for Microsoft® Volume Shadow Copy Service
Exit code:
2
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2412"C:\Windows\system32\vssadmin.exe" Delete Shadows /All /QuietC:\Windows\system32\vssadmin.exe
1c.jpg.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Command Line Interface for Microsoft® Volume Shadow Copy Service
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3204C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exeservices.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Volume Shadow Copy Service
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3280C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe1c.jpg.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3648chcpC:\Windows\system32\chcp.comcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Change CodePage Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
106
Read events
84
Write events
22
Delete events
0

Modification events

(PID) Process:(3696) 1c.jpg.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\System32\Configuration
Operation:writeName:xi
Value:
906D0F2E2F604F839E04
(PID) Process:(3696) 1c.jpg.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:Client Server Runtime Subsystem
Value:
"C:\ProgramData\Windows\csrss.exe"
(PID) Process:(3696) 1c.jpg.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\System32\Configuration
Operation:writeName:xVersion
Value:
4.0.0.1
(PID) Process:(3696) 1c.jpg.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\System32\Configuration
Operation:writeName:xmail
Value:
1
(PID) Process:(3696) 1c.jpg.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\System32\Configuration
Operation:writeName:xmode
Value:
0
(PID) Process:(3696) 1c.jpg.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\System32\Configuration
Operation:writeName:xpk
Value:
-----BEGIN PUBLIC KEY----- MIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEA8mn4F2LJ2xbiQ2U0nRya c1tR+wN6CcLUa3lCLO+4Hj4gGGvPGugPV/9l2cAkeQZahnqlgKG51eaFO1UYdmPs zyNfi9qlgFndoFL8XsxFHJ4C9BqqlIpD15pglgrubqX0lZGlI27dXh4bu3fA9zrI ULugLryqMmIId6MDIY2WalR+7Vpq8ATM6VN1/+CKBDEcdHeWsNScgxtKOVa20E60 qOWxzdUoCeMHgMr+Q8kzPQzreyejLbBZL9cXTxstXJVsA64ge/G71oZlLU7j2Ujp EHkXR4G0I5QBEQu62K0R+cz3FqxP6CN6Pm1MJb8XHkU54FYsVsLsk5nasUMUZ9Uq 5ikgVEO65k7bgwi9nGZsyDlWDOwbGuSRreLAVKeCDiO2jfSBOTH16gIyT9rE7UDj 6SRe2guJhe2sqwXpwgmTJsWffQmzg5vQwWrL4UXUASCWvtODBBTq8jGom9T5Aet/ gsLcsM1ozqI961wp6RZPO1WluzsxvpDT4bCJmc5D6dp/AgMBAAE= -----END PUBLIC KEY-----
(PID) Process:(3696) 1c.jpg.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\System32\Configuration
Operation:writeName:xstate
Value:
3
(PID) Process:(3696) 1c.jpg.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\System32\Configuration
Operation:writeName:xcnt
Value:
0
(PID) Process:(3696) 1c.jpg.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\System32\Configuration
Operation:writeName:xstate
Value:
4
(PID) Process:(3696) 1c.jpg.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\System32\Configuration
Operation:writeName:shst
Value:
4
Executable files
1
Suspicious files
1 058
Text files
49
Unknown types
28

Dropped files

PID
Process
Filename
Type
36961c.jpg.exeC:\Users\admin\AppData\Local\Temp\6893A5D897\state.tmp
MD5:
SHA256:
36961c.jpg.exeC:\Users\admin\AppData\Local\Temp\6893A5D897\unverified-microdesc-consensus.tmp
MD5:
SHA256:
36961c.jpg.exeC:\Users\admin\AppData\Local\Temp\6893A5D897\cached-certs.tmp
MD5:
SHA256:
36961c.jpg.exeC:\Users\admin\AppData\Local\Temp\6893A5D897\cached-microdesc-consensus.tmp
MD5:
SHA256:
36961c.jpg.exeC:\Users\Public\Videos\Sample Videos\Wildlife.wmv
MD5:
SHA256:
36961c.jpg.exeC:\Users\Public\Videos\Sample Videos\CWqzQjYOVmTvL-eLHf-uUTP2TVbTAQeF0tsQMDFAS9M=.906D0F2E2F604F839E04.crypted000007
MD5:
SHA256:
36961c.jpg.exeC:\Users\Public\Pictures\Sample Pictures\Tulips.jpg
MD5:
SHA256:
36961c.jpg.exeC:\Users\Public\Pictures\Sample Pictures\Penguins.jpg
MD5:
SHA256:
36961c.jpg.exeC:\Users\Public\Pictures\Sample Pictures\Lighthouse.jpg
MD5:
SHA256:
36961c.jpg.exeC:\Users\Public\Pictures\Sample Pictures\Koala.jpg
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
19
TCP/UDP connections
30
DNS requests
2
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3696
1c.jpg.exe
GET
403
104.16.155.36:80
http://whatismyipaddress.com/
US
text
100 b
shared
3696
1c.jpg.exe
GET
403
104.16.154.36:80
http://whatismyipaddress.com/
US
text
100 b
shared
3696
1c.jpg.exe
GET
403
104.16.155.36:80
http://whatismyipaddress.com/
US
text
100 b
shared
3696
1c.jpg.exe
GET
403
104.16.155.36:80
http://whatismyipaddress.com/
US
text
100 b
shared
3696
1c.jpg.exe
GET
403
104.16.155.36:80
http://whatismyipaddress.com/
US
text
100 b
shared
3696
1c.jpg.exe
GET
403
104.16.155.36:80
http://whatismyipaddress.com/
US
text
100 b
shared
3696
1c.jpg.exe
GET
403
104.16.155.36:80
http://whatismyipaddress.com/
US
text
100 b
shared
3696
1c.jpg.exe
GET
403
104.16.155.36:80
http://whatismyipaddress.com/
US
text
100 b
shared
3696
1c.jpg.exe
GET
403
104.16.155.36:80
http://whatismyipaddress.com/
US
text
100 b
shared
3696
1c.jpg.exe
GET
403
104.16.155.36:80
http://whatismyipaddress.com/
US
text
100 b
shared
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3696
1c.jpg.exe
128.31.0.39:9101
Massachusetts Institute of Technology
US
malicious
3696
1c.jpg.exe
163.172.53.84:443
Online S.a.s.
FR
suspicious
3696
1c.jpg.exe
193.70.43.20:443
OVH SAS
FR
suspicious
3696
1c.jpg.exe
131.188.40.189:443
Verein zur Foerderung eines Deutschen Forschungsnetzes e.V.
DE
malicious
3696
1c.jpg.exe
104.16.155.36:80
whatismyipaddress.com
Cloudflare Inc
US
shared
3696
1c.jpg.exe
185.22.172.48:9001
OOO Fishnet Communications
RU
suspicious
3696
1c.jpg.exe
104.18.34.131:80
whatsmyip.net
Cloudflare Inc
US
shared
104.18.34.131:80
whatsmyip.net
Cloudflare Inc
US
shared
104.16.154.36:80
whatismyipaddress.com
Cloudflare Inc
US
shared
104.18.35.131:80
whatsmyip.net
Cloudflare Inc
US
shared

DNS requests

Domain
IP
Reputation
whatismyipaddress.com
  • 104.16.155.36
  • 104.16.154.36
shared
whatsmyip.net
  • 104.18.35.131
  • 104.18.34.131
shared

Threats

PID
Process
Class
Message
3696
1c.jpg.exe
Misc activity
ET POLICY TLS possible TOR SSL traffic
3696
1c.jpg.exe
Potential Corporate Privacy Violation
POLICY [PTsecurity] TOR SSL connection
3696
1c.jpg.exe
Misc Attack
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 127
3696
1c.jpg.exe
Potential Corporate Privacy Violation
POLICY [PTsecurity] TOR SSL connection
3696
1c.jpg.exe
Misc Attack
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 283
3696
1c.jpg.exe
Misc Attack
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 182
3696
1c.jpg.exe
Misc Attack
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 239
3696
1c.jpg.exe
Misc activity
ET POLICY TLS possible TOR SSL traffic
3696
1c.jpg.exe
Potential Corporate Privacy Violation
POLICY [PTsecurity] TOR SSL connection
3696
1c.jpg.exe
Potential Corporate Privacy Violation
POLICY [PTsecurity] TOR SSL connection
47 ETPRO signatures available at the full report
No debug info