analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

l.rar.zip

Full analysis: https://app.any.run/tasks/2354ae62-aa8f-4521-8eee-9b66f8246e18
Verdict: Malicious activity
Threats:

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Analysis date: August 13, 2019, 17:11:50
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
ransomware
troldesh
shade
Indicators:
MIME: application/zip
File info: Zip archive data, at least v1.0 to extract
MD5:

1CCE46312ACCEEAF9BAAF81F42C660FE

SHA1:

4AC7DE6F5818A5C1E60E9CBF69DBB94E899E9AA4

SHA256:

35BB0603E378B5046356477BF75DB1E7B2E4C385D1A5D9A7184636726E391698

SSDEEP:

192:jDCjGwSNlh7GkD6OkbXyuU/qe/OGW5uVDoZrYWZb+1o7mTFBgS:HGwlh7vxkbXA/qeG9sBoZUDJBz

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • radB3CF6.tmp (PID: 272)
    • Changes the autorun value in the registry

      • radB3CF6.tmp (PID: 272)
    • TROLDESH was detected

      • radB3CF6.tmp (PID: 272)
  • SUSPICIOUS

    • Executes scripts

      • WinRAR.exe (PID: 3600)
    • Starts CMD.EXE for commands execution

      • WScript.exe (PID: 2276)
    • Starts application with an unusual extension

      • cmd.exe (PID: 3588)
    • Executable content was dropped or overwritten

      • WScript.exe (PID: 2276)
      • radB3CF6.tmp (PID: 272)
    • Creates files in the program directory

      • radB3CF6.tmp (PID: 272)
    • Application launched itself

      • WinRAR.exe (PID: 2160)
  • INFO

    • Dropped object may contain Bitcoin addresses

      • radB3CF6.tmp (PID: 272)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
39
Monitored processes
5
Malicious processes
5
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winrar.exe no specs winrar.exe no specs wscript.exe cmd.exe no specs #TROLDESH radb3cf6.tmp

Process information

PID
CMD
Path
Indicators
Parent process
2160"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\l.rar.zip"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.60.0
3600"C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\Rar$DIa2160.33421\Корнилов135.rarC:\Program Files\WinRAR\WinRAR.exeWinRAR.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.60.0
2276"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\Rar$DIb3600.34342\Информация о заказе.2019-0812.docx.js" C:\Windows\System32\WScript.exe
WinRAR.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
3588"C:\Windows\System32\cmd.exe" /c C:\Users\admin\AppData\Local\Temp\radB3CF6.tmpC:\Windows\System32\cmd.exeWScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
272C:\Users\admin\AppData\Local\Temp\radB3CF6.tmpC:\Users\admin\AppData\Local\Temp\radB3CF6.tmp
cmd.exe
User:
admin
Integrity Level:
MEDIUM
Total events
1 029
Read events
980
Write events
0
Delete events
0

Modification events

No data
Executable files
3
Suspicious files
1
Text files
3
Unknown types
0

Dropped files

PID
Process
Filename
Type
272radB3CF6.tmpC:\Users\admin\AppData\Local\Temp\6893A5D897\state.tmp
MD5:
SHA256:
272radB3CF6.tmpC:\Users\admin\AppData\Local\Temp\6893A5D897\unverified-microdesc-consensus.tmp
MD5:
SHA256:
2160WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DIa2160.33421\Корнилов135.rarcompressed
MD5:85F06568A548F2ED6650200D5F0D4314
SHA256:AC297C1DB48C21E511643782287C324E47BADEDE06015FD60A9F3A4F6309BFE6
2276WScript.exeC:\Users\admin\AppData\Local\Temp\radB3CF6.tmpexecutable
MD5:7FBA80A5223B30984B1599BB67720479
SHA256:300F057F73EF8699E6C669893977D431EDA48177E8B3794EEC7BA5D55659CFE0
272radB3CF6.tmpC:\ProgramData\Windows\csrss.exeexecutable
MD5:7FBA80A5223B30984B1599BB67720479
SHA256:300F057F73EF8699E6C669893977D431EDA48177E8B3794EEC7BA5D55659CFE0
2276WScript.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\1c[1].jpgexecutable
MD5:7FBA80A5223B30984B1599BB67720479
SHA256:300F057F73EF8699E6C669893977D431EDA48177E8B3794EEC7BA5D55659CFE0
272radB3CF6.tmpC:\Users\admin\AppData\Local\Temp\6893A5~1\statetext
MD5:3A15174B7518F4207B583844D7CEA7E9
SHA256:DF34DCCC0008B73796998F1FE80747CE1F25F48692DF5394BECB8E5620FB763A
3600WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DIb3600.34342\Информация о заказе.2019-0812.docx.jstext
MD5:AD434C7FA402D6EE06D3A24CA7387003
SHA256:59AA4DABFA629829013E2348E1A90C1D64F575E1FF79AB20DD49912B136D850A
272radB3CF6.tmpC:\Users\admin\AppData\Local\Temp\6893A5~1\unverified-microdesc-consensustext
MD5:45A510A4137EF04D0D510794B08BEBC6
SHA256:91E8C382F2B54EF76A6C9103BC1A4F6FA3DA021E150316BCBE1933B96931E91F
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
3
DNS requests
1
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
272
radB3CF6.tmp
208.83.223.34:80
Applied Operations, LLC
US
malicious
272
radB3CF6.tmp
171.25.193.9:80
Foreningen for digitala fri- och rattigheter
SE
malicious
2276
WScript.exe
192.227.118.7:80
www.eletrotecsolucoes.com
Cloud South
US
malicious

DNS requests

Domain
IP
Reputation
www.eletrotecsolucoes.com
  • 192.227.118.7
malicious

Threats

PID
Process
Class
Message
2276
WScript.exe
A Network Trojan was detected
ET CURRENT_EVENTS Likely Evil EXE download from MSXMLHTTP non-exe extension M2
2276
WScript.exe
A Network Trojan was detected
ET TROJAN JS/WSF Downloader Dec 08 2016 M4
2276
WScript.exe
Misc activity
SUSPICIOUS [PTsecurity] PE as Image Content type mismatch
272
radB3CF6.tmp
Misc Attack
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 190
272
radB3CF6.tmp
Misc activity
ET POLICY TLS possible TOR SSL traffic
272
radB3CF6.tmp
Potential Corporate Privacy Violation
POLICY [PTsecurity] TOR SSL connection
2 ETPRO signatures available at the full report
No debug info