General Info

File name

1c.exe

Full analysis
https://app.any.run/tasks/45d01733-b428-4aa8-a634-89d25d23b0ed
Verdict
Malicious activity
Analysis date
8/13/2019, 16:06:45
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:

ransomware

troldesh

shade

Indicators:

MIME:
application/x-dosexec
File info:
PE32 executable (GUI) Intel 80386, for MS Windows
MD5

94f407e8615ebe091ccf5035197ea1ea

SHA1

89c8938057a1b0514e3805536ccf3d2eb4acb1e0

SHA256

14fe0fa7e16253e53ce4c25616e08006ad09330bea8df9161a47b2815cd83067

SSDEEP

24576:JAkh6SRcwxbc0x7A2JHQWP5Nx8ubFKD8L1QA/:JAe6Spxb9xc2JHXP3xBpD1Qw

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is for the user's awareness. ANY.RUN does not guarantee the maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
60 seconds
Additional time used
none
Fakenet option
off
Heavy Evasion option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (75.0.3770.100)
  • Google Update Helper (1.3.34.7)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.7.2 (4.7.03062)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
  • Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
  • Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
  • Mozilla Firefox 68.0.1 (x86 en-US) (68.0.1)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • Update for Microsoft .NET Framework 4.7.2 (KB4087364) (1)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB4019990
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

Changes the autorun value in the registry
  • 1c.exe (PID: 284)
TROLDESH was detected
  • 1c.exe (PID: 284)
Creates files in the program directory
  • 1c.exe (PID: 284)
Executable content was dropped or overwritten
  • 1c.exe (PID: 284)
Dropped object may contain Bitcoin addresses
  • 1c.exe (PID: 284)

Find more information about signature artifacts and the mapping to the MITRE ATT&CK™ matrix in the full report

Static information

TRiD
.exe
|   Win32 Executable MS Visual C++ (generic) (35.8%)
.exe
|   Win64 Executable (generic) (31.7%)
.scr
|   Windows screen saver (15%)
.dll
|   Win32 Dynamic Link Library (generic) (7.5%)
.exe
|   Win32 Executable (generic) (5.1%)
EXIF
EXE
MachineType:
Intel 386 or later, and compatibles
TimeStamp:
2019:08:09 01:16:02+02:00
PEType:
PE32
LinkerVersion:
9
CodeSize:
49152
InitializedDataSize:
1076224
UninitializedDataSize:
null
EntryPoint:
0x6dc7
OSVersion:
5
ImageVersion:
null
SubsystemVersion:
5
Subsystem:
Windows GUI
FileVersionNumber:
14.0.1000.340
ProductVersionNumber:
14.0.1000.340
FileFlagsMask:
0x0017
FileFlags:
(none)
FileOS:
Windows NT 32-bit
ObjectFileType:
Unknown
FileSubtype:
null
LanguageCode:
German
CharacterSet:
Unicode
Version-info strings (string-table fragments as extracted; leading characters of each value were lost):
Comments:
(empty)
CompanyName:
…eUpSoftware (fragment)
FileDescription:
…eUpStartUpOptimizer (fragment)
FileVersion:
(not recovered)
LegalCopyright:
…yrightAVGNetherlandsBV2011 (fragment)
LegalTrademarks:
…eUpUtilities (fragment)
ProductName:
…eUpUtilities2014 (fragment)
ProductVersion:
Tag01000340 (fragment)

Screenshots

Processes

Total processes
34
Monitored processes
1
Malicious processes
1
Suspicious processes
0

Behavior graph

start #TROLDESH 1c.exe

Process information

PID
284
CMD
"C:\Users\admin\AppData\Local\Temp\1c.exe"
Path
C:\Users\admin\AppData\Local\Temp\1c.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Modules
Image
c:\users\admin\appdata\local\temp\1c.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ole32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\profapi.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\dhcpcsvc.dll

Registry activity

Total events
31
Read events
28
Write events
3
Delete events
0

Modification events

PID
Process
Operation
Key
Name
Value
284
1c.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\System32\Configuration
xi
906D0F2E2F604F839E04
284
1c.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Client Server Runtime Subsystem
"C:\ProgramData\Windows\csrss.exe"
284
1c.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\System32\Configuration
xVersion
4.0.0.1
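The three writes above are the sample's whole persistence footprint: a Run value named after the real Client Server Runtime Subsystem that launches a csrss.exe copy from C:\ProgramData, plus a victim id ("xi") and build string ("xVersion") under HKLM\SOFTWARE\System32, a key Windows itself never creates. The following is an added example, not ANY.RUN output or code from the sample, that turns those two traits into a rule over sandbox-style registry events. The event tuple layout, the trusted-directory list and the function names are this example's own assumptions; the first three events are copied from the table above and the benign rows are constructed for contrast.

```python
"""Flag registry writes matching the Troldesh/Shade persistence pattern.

Added example. Event layout (pid, process, operation, key, value_name,
value_data) and every name below are assumptions of this example, not the
sandbox's schema.
"""
import os
import re

# Core Windows process names. A Run entry launching one of these from a
# user-writable directory is masquerading: the real csrss.exe lives in
# System32 and is started by smss.exe, never from a Run key.
SYSTEM_BINARY_NAMES = {"csrss.exe", "lsass.exe", "smss.exe", "svchost.exe",
                       "winlogon.exe", "services.exe", "wininit.exe"}

# Directories a legitimate Run entry may point into; ProgramData, AppData
# and Temp are writable by a standard user and are deliberately absent.
TRUSTED_PREFIXES = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                    "c:\\program files\\", "c:\\program files (x86)\\")

RUN_KEY_RE = re.compile(
    r"^HKEY_(LOCAL_MACHINE|CURRENT_USER)\\Software\\Microsoft\\Windows"
    r"\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)

# Windows does not create HKLM\SOFTWARE\System32; the sample stores its
# victim id and build string under it.
FAKE_SYSTEM32_RE = re.compile(r"^HKEY_LOCAL_MACHINE\\SOFTWARE\\System32\\",
                              re.IGNORECASE)

# Constructed sample: first three rows from the report, the rest benign filler.
SAMPLE_EVENTS = [
    (284, "1c.exe", "write",
     r"HKEY_LOCAL_MACHINE\SOFTWARE\System32\Configuration",
     "xi", "906D0F2E2F604F839E04"),
    (284, "1c.exe", "write",
     r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
     "Client Server Runtime Subsystem", '"C:\\ProgramData\\Windows\\csrss.exe"'),
    (284, "1c.exe", "write",
     r"HKEY_LOCAL_MACHINE\SOFTWARE\System32\Configuration",
     "xVersion", "4.0.0.1"),
    # Benign (constructed): a vendor updater registering itself from Program Files.
    (1532, "OneDriveSetup.exe", "write",
     r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
     "OneDrive", '"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe" /background'),
    # Benign (constructed): a read, which no rule looks at.
    (284, "1c.exe", "read",
     r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography", "MachineGuid", ""),
]


def exe_from_command(cmd):
    """Extract the executable path (lowercased) from a Run value's command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end].lower() if end > 0 else cmd[1:].lower()
    return cmd.split(" ", 1)[0].lower()


def classify(event):
    """Return the findings (possibly none) for one registry event."""
    _pid, _proc, op, key, name, data = event
    if op != "write":
        return []
    findings = []
    if RUN_KEY_RE.match(key):
        exe = exe_from_command(data)
        base = os.path.basename(exe.replace("\\", "/"))
        if base in SYSTEM_BINARY_NAMES and not exe.startswith(TRUSTED_PREFIXES):
            findings.append("run-key %r launches %s from untrusted path %s"
                            % (name, base, exe))
    if FAKE_SYSTEM32_RE.match(key):
        findings.append("write under fake HKLM\\SOFTWARE\\System32 key: %s=%s"
                        % (name, data))
    return findings


def triage(events):
    """Map pid -> list of findings for every event that matched a rule."""
    result = {}
    for ev in events:
        for finding in classify(ev):
            result.setdefault(ev[0], []).append(finding)
    return result


if __name__ == "__main__":
    for pid, hits in triage(SAMPLE_EVENTS).items():
        print(pid)
        for hit in hits:
            print("  ", hit)
```

The masquerade rule keys on the executable's file name and location rather than on the value name, so renaming the Run value would not evade it; extending it to any Run entry outside the trusted prefixes is possible but noisy, since many legitimate per-user installers register themselves from AppData.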

Files activity

Executable files
1
Suspicious files
0
Text files
17
Unknown types
0

Dropped files

PID
Process
Filename
Type
284
1c.exe
C:\ProgramData\Windows\csrss.exe
executable
MD5: 94f407e8615ebe091ccf5035197ea1ea
SHA256: 14fe0fa7e16253e53ce4c25616e08006ad09330bea8df9161a47b2815cd83067
284
1c.exe
C:\Users\admin\AppData\Local\Temp\6893A5~1\cached-certs
text
MD5: bf5d8353ff2374e574640ba86a3c6793
SHA256: a2f64145fafabde747d7403c73cea7e7af8c8deb4f8d734dc1ea7e3d431ccf0c
284
1c.exe
C:\Users\admin\AppData\Local\Temp\6893A5D897\cached-microdescs.new
text
MD5: 461099e0fbcff7eac479702c7f2c47dd
SHA256: 5a2055233395b6f4ecbb9db5547c34907672bc84d3ee39e7076fa4d1fe2280cd
284
1c.exe
C:\Users\admin\AppData\Local\Temp\6893A5D897\cached-microdescs.new
text
MD5: e4597451a5d6666092fbcf3270336bd9
SHA256: 75a4f5bd8b9076c20cfa130c03d419451a03838e1d9735a1c23780d9af04af46
284
1c.exe
C:\Users\admin\AppData\Local\Temp\6893A5D897\cached-microdescs.new
text
MD5: e6ccad149d23925136a6a4b4be53351d
SHA256: 8e64cd16e183840b6c90ae50c9118f2665e69421ad51ec7097ff56cf1b58f7a0
284
1c.exe
C:\Users\admin\AppData\Local\Temp\6893A5~1\cached-microdesc-consensus
text
MD5: c6829d7d5f0c1098cc1c9d24089e04b8
SHA256: d60bdbbb01e50c3846c1a35954e026fcb3ac7ed6850955c6757971542e7ecd8f
284
1c.exe
C:\Users\admin\AppData\Local\Temp\6893A5D897\cached-microdesc-consensus.tmp
––
MD5:  ––
SHA256:  ––
284
1c.exe
C:\Users\admin\AppData\Local\Temp\6893A5D897\cached-microdescs.new
text
MD5: 55a3964e638f360a56f724b35c773548
SHA256: b8d3d9f0251fe2489f59018cb62b192fadcc52d8926a9acd194060af758c90f3
284
1c.exe
C:\Users\admin\AppData\Local\Temp\6893A5D897\cached-certs.tmp
––
MD5:  ––
SHA256:  ––
284
1c.exe
C:\Users\admin\AppData\Local\Temp\6893A5~1\unverified-microdesc-consensus
text
MD5: c6829d7d5f0c1098cc1c9d24089e04b8
SHA256: d60bdbbb01e50c3846c1a35954e026fcb3ac7ed6850955c6757971542e7ecd8f
284
1c.exe
C:\Users\admin\AppData\Local\Temp\6893A5D897\unverified-microdesc-consensus.tmp
––
MD5:  ––
SHA256:  ––
284
1c.exe
C:\Users\admin\AppData\Local\Temp\6893A5~1\state
text
MD5: f4a16d7b3436659baeb79a2eb1c981a0
SHA256: 0502497c12bca257fd3f286a0c19741ce0c25ca2f3de4a8224243c8b74467306
284
1c.exe
C:\Users\admin\AppData\Local\Temp\6893A5D897\state.tmp
––
MD5:  ––
SHA256:  ––
284
1c.exe
C:\Users\admin\AppData\Local\Temp\6893A5D897\cached-microdescs.new
text
MD5: 30452060922151121adb61136c4b254c
SHA256: 478c54161c44b965ed1dda35216489f4120cfc022dfe848aa4a03ea1d30979a5

Find more information on the static content and download it in the full report

Network activity

HTTP(S) requests
0
TCP/UDP connections
5
DNS requests
0
Threats
11

HTTP requests

No HTTP requests.

Connections

PID | Process | IP | ASN | CN | Reputation
284 | 1c.exe | 171.25.193.9:80 | Foreningen for digitala fri- och rattigheter | SE | suspicious
284 | 1c.exe | 193.23.244.244:443 | Chaos Computer Club e.V. | DE | suspicious
284 | 1c.exe | 79.143.191.62:9001 | Contabo GmbH | DE | suspicious
284 | 1c.exe | 51.15.36.183:443 | Online S.a.s. | NL | suspicious
284 | 1c.exe | 173.71.141.89:9001 | MCI Communications Services, Inc. d/b/a Verizon Business | US | suspicious

DNS requests

No DNS requests.
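The dropped-files and network sections together describe a Tor client bootstrapping from inside the sample: tor's DataDirectory files (state, cached-certs, cached-microdesc-consensus, cached-microdescs.new) appear under a random %TEMP% subdirectory, the process reaches five relays by bare IP with zero DNS requests (Tor clients carry their directory authorities and fallback mirrors as hardcoded addresses), two of the connections use the default relay ORPort 9001, and the executable dropped as csrss.exe has the same SHA256 as the submitted sample. Below is an added example, not ANY.RUN output or the sample's code, that scores those indicators from the two tables. The record layouts, thresholds and function names are this example's assumptions; the rows are copied from the report.

```python
"""Score Tor-bootstrap and self-copy indicators from sandbox artifact tables.

Added example. Record layouts and names are this example's own assumptions.
"""
import ntpath

# Files tor creates in its DataDirectory while fetching a consensus; the
# ".tmp" variants in the report are its write-then-rename temporaries.
TOR_DATA_FILES = {"state", "cached-certs", "cached-microdesc-consensus",
                  "cached-microdescs.new", "unverified-microdesc-consensus"}
TOR_DEFAULT_PORTS = {9001, 9030}   # default relay ORPort and DirPort
MIN_TOR_FILES = 3                  # assumed threshold before calling it a DataDirectory

SAMPLE_SHA256 = "14fe0fa7e16253e53ce4c25616e08006ad09330bea8df9161a47b2815cd83067"

# From the "Dropped files" table: (pid, path, type, sha256 or None).
DROPPED_FILES = [
    (284, r"C:\ProgramData\Windows\csrss.exe", "executable", SAMPLE_SHA256),
    (284, r"C:\Users\admin\AppData\Local\Temp\6893A5~1\cached-certs", "text",
     "a2f64145fafabde747d7403c73cea7e7af8c8deb4f8d734dc1ea7e3d431ccf0c"),
    (284, r"C:\Users\admin\AppData\Local\Temp\6893A5D897\cached-microdescs.new", "text",
     "5a2055233395b6f4ecbb9db5547c34907672bc84d3ee39e7076fa4d1fe2280cd"),
    (284, r"C:\Users\admin\AppData\Local\Temp\6893A5~1\cached-microdesc-consensus", "text",
     "d60bdbbb01e50c3846c1a35954e026fcb3ac7ed6850955c6757971542e7ecd8f"),
    (284, r"C:\Users\admin\AppData\Local\Temp\6893A5D897\cached-microdesc-consensus.tmp", None, None),
    (284, r"C:\Users\admin\AppData\Local\Temp\6893A5~1\state", "text",
     "0502497c12bca257fd3f286a0c19741ce0c25ca2f3de4a8224243c8b74467306"),
    (284, r"C:\Users\admin\AppData\Local\Temp\6893A5D897\state.tmp", None, None),
]
# From the "Connections" table: (pid, ip, port). The DNS table is empty.
CONNECTIONS = [(284, "171.25.193.9", 80), (284, "193.23.244.244", 443),
               (284, "79.143.191.62", 9001), (284, "51.15.36.183", 443),
               (284, "173.71.141.89", 9001)]
DNS_REQUESTS = []   # (pid, queried_name) rows; none in this run


def tor_signature_files(dropped, pid):
    """Tor DataDirectory file names written by pid, ".tmp" temporaries folded in.

    Grouping is by process rather than by directory because the sandbox lists
    the same directory under its 8.3 name (6893A5~1) and its long name.
    """
    names = set()
    for p, path, _ftype, _sha in dropped:
        if p != pid:
            continue
        name = ntpath.basename(path).lower()
        if name.endswith(".tmp"):
            name = name[:-4]
        if name in TOR_DATA_FILES:
            names.add(name)
    return names


def self_copies(dropped, pid, sample_sha256):
    """Dropped executables that are byte-identical to the submitted sample."""
    return [path for p, path, ftype, sha in dropped
            if p == pid and ftype == "executable" and sha == sample_sha256]


def assess(pid, dropped, connections, dns_requests, sample_sha256):
    """Collect Tor-bootstrap and self-copy findings for one process."""
    findings = []
    files = tor_signature_files(dropped, pid)
    if len(files) >= MIN_TOR_FILES:
        findings.append("tor DataDirectory written: " + ", ".join(sorted(files)))
    conns = [(ip, port) for p, ip, port in connections if p == pid]
    tor_ports = sorted({port for _ip, port in conns if port in TOR_DEFAULT_PORTS})
    if tor_ports:
        findings.append("connections to default Tor relay ports %s" % tor_ports)
    looked_up = [name for p, name in dns_requests if p == pid]
    if conns and not looked_up:
        findings.append("%d direct-IP connections with no DNS lookups (hardcoded peers)"
                        % len(conns))
    for path in self_copies(dropped, pid, sample_sha256):
        findings.append("self-copy dropped at " + path)
    return findings


if __name__ == "__main__":
    for line in assess(284, DROPPED_FILES, CONNECTIONS, DNS_REQUESTS, SAMPLE_SHA256):
        print(line)
```

The port check only catches relays on their default ORPort; the three connections on 80 and 443 look like ordinary web traffic by port alone, which is why the Suricata "ET TOR Known Tor Relay" signatures in the Threats table, matching on the relay IP list, are the stronger network indicator. The no-DNS heuristic is the complement: any process that opens several outbound sessions without ever resolving a name is worth a look even when the destination list is not yet known to be Tor.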

Threats

PID | Process | Class | Message
284 | 1c.exe | Misc Attack | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 190
284 | 1c.exe | Misc activity | ET POLICY TLS possible TOR SSL traffic
284 | 1c.exe | Potential Corporate Privacy Violation | POLICY [PTsecurity] TOR SSL connection
284 | 1c.exe | Misc Attack | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 281
284 | 1c.exe | Potential Corporate Privacy Violation | POLICY [PTsecurity] TOR SSL connection
284 | 1c.exe | Misc Attack | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 507
284 | 1c.exe | Misc Attack | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 603
284 | 1c.exe | Misc Attack | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 199
284 | 1c.exe | Misc activity | ET POLICY TLS possible TOR SSL traffic
284 | 1c.exe | Potential Corporate Privacy Violation | POLICY [PTsecurity] TOR SSL connection
284 | 1c.exe | Potential Corporate Privacy Violation | POLICY [PTsecurity] TOR SSL connection

Debug output strings

No debug info.