analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

vostok_zakaz.rar

Full analysis: https://app.any.run/tasks/ee8cb0c3-c8a4-4fdc-b56b-a12ec25c86bb
Verdict: Malicious activity
Threats:

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Analysis date: April 25, 2019, 12:32:16
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
ransomware
troldesh
shade
evasion
trojan
Indicators:
MIME: application/x-rar
File info: RAR archive data, flags: EncryptedBlockHeader
MD5:

3934A403478577B45F4CD02289FCC863

SHA1:

11C30D5F14A918E8BDD96A763E8AA561076DCE35

SHA256:

445AB6FBF5893627D31A0252740EB2ECCB29FC7A31B2983B48D2C7A928F95158

SSDEEP:

48:AJiBTd16sqR9f87Yvg6EMyuGObWcM+17dexyp:AJiBTdQsgg6cuYcd1xki

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes settings of System certificates

      • WScript.exe (PID: 3736)
    • Changes the autorun value in the registry

      • rad916EC.tmp (PID: 1304)
    • Application was dropped or rewritten from another process

      • rad916EC.tmp (PID: 1304)
    • Actions looks like stealing of personal data

      • rad916EC.tmp (PID: 1304)
    • TROLDESH was detected

      • rad916EC.tmp (PID: 1304)
  • SUSPICIOUS

    • Executes scripts

      • WinRAR.exe (PID: 2036)
    • Creates files in the user directory

      • WScript.exe (PID: 3736)
    • Starts CMD.EXE for commands execution

      • WScript.exe (PID: 3736)
    • Starts application with an unusual extension

      • cmd.exe (PID: 3896)
    • Executable content was dropped or overwritten

      • WScript.exe (PID: 3736)
      • rad916EC.tmp (PID: 1304)
    • Adds / modifies Windows certificates

      • WScript.exe (PID: 3736)
    • Checks for external IP

      • rad916EC.tmp (PID: 1304)
    • Creates files in the program directory

      • rad916EC.tmp (PID: 1304)
  • INFO

    • Dropped object may contain Bitcoin addresses

      • rad916EC.tmp (PID: 1304)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v-4.x) (58.3)
.rar | RAR compressed archive (gen) (41.6)
No data.
screenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
38
Monitored processes
5
Malicious processes
4
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winrar.exe no specs wscript.exe cmd.exe no specs #TROLDESH rad916ec.tmp vssadmin.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2036"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\vostok_zakaz.rar"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.60.0
3736"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\Rar$DIb2036.8394\Подробности заказа АО Авиационная компания Восток.js" C:\Windows\System32\WScript.exe
WinRAR.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
3896"C:\Windows\System32\cmd.exe" /c C:\Users\admin\AppData\Local\Temp\rad916EC.tmpC:\Windows\System32\cmd.exeWScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
1304C:\Users\admin\AppData\Local\Temp\rad916EC.tmpC:\Users\admin\AppData\Local\Temp\rad916EC.tmp
cmd.exe
User:
admin
Integrity Level:
MEDIUM
2744C:\Windows\system32\vssadmin.exe List ShadowsC:\Windows\system32\vssadmin.exerad916EC.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Command Line Interface for Microsoft® Volume Shadow Copy Service
Exit code:
2
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
658
Read events
599
Write events
0
Delete events
0

Modification events

No data
Executable files
3
Suspicious files
5
Text files
24
Unknown types
1

Dropped files

PID
Process
Filename
Type
1304rad916EC.tmpC:\Users\admin\AppData\Local\Temp\6893A5D897\state.tmp
MD5:
SHA256:
1304rad916EC.tmpC:\Users\admin\AppData\Local\Temp\6893A5D897\unverified-microdesc-consensus.tmp
MD5:
SHA256:
1304rad916EC.tmpC:\Users\admin\AppData\Local\Temp\6893A5D897\cached-certs.tmp
MD5:
SHA256:
1304rad916EC.tmpC:\Users\admin\AppData\Local\Temp\6893A5D897\cached-microdesc-consensus.tmp
MD5:
SHA256:
1304rad916EC.tmpC:\Users\Public\Videos\Sample Videos\Wildlife.wmv
MD5:
SHA256:
1304rad916EC.tmpC:\Users\admin\AppData\Roaming\Notepad++\themes\Twilight.xml
MD5:
SHA256:
1304rad916EC.tmpC:\Users\admin\AppData\Local\Skype\Apps\login\images\white-on-black\capslock_20x20.png
MD5:
SHA256:
1304rad916EC.tmpC:\Users\admin\AppData\Local\Opera\Opera\icons\http%3A%2F%2Fimg.imgsmail.ru%2Fr%2Ffavicon.png
MD5:
SHA256:
1304rad916EC.tmpC:\Users\admin\AppData\Local\Temp\6893A5~1\unverified-microdesc-consensustext
MD5:27C2E7AAB33289C76DE64824E57FE4C9
SHA256:125DF6D8AFC1682CD423D691F9475A8A322073AA85A87D7E70665F0AB3570F80
1304rad916EC.tmpC:\Users\admin\AppData\Local\Temp\6893A5~1\cached-microdesc-consensustext
MD5:27C2E7AAB33289C76DE64824E57FE4C9
SHA256:125DF6D8AFC1682CD423D691F9475A8A322073AA85A87D7E70665F0AB3570F80
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
11
TCP/UDP connections
21
DNS requests
4
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1304
rad916EC.tmp
GET
403
104.16.155.36:80
http://whatismyipaddress.com/
US
text
100 b
shared
1304
rad916EC.tmp
GET
403
104.16.155.36:80
http://whatismyipaddress.com/
US
text
100 b
shared
1304
rad916EC.tmp
GET
403
104.16.155.36:80
http://whatismyipaddress.com/
US
text
100 b
shared
1304
rad916EC.tmp
GET
403
104.16.155.36:80
http://whatismyipaddress.com/
US
text
100 b
shared
1304
rad916EC.tmp
GET
403
104.16.155.36:80
http://whatismyipaddress.com/
US
text
100 b
shared
1304
rad916EC.tmp
GET
403
104.16.155.36:80
http://whatismyipaddress.com/
US
text
100 b
shared
1304
rad916EC.tmp
GET
403
104.16.155.36:80
http://whatismyipaddress.com/
US
text
100 b
shared
1304
rad916EC.tmp
GET
403
104.16.155.36:80
http://whatismyipaddress.com/
US
text
100 b
shared
1304
rad916EC.tmp
GET
403
104.16.155.36:80
http://whatismyipaddress.com/
US
text
100 b
shared
1304
rad916EC.tmp
GET
200
104.18.34.131:80
http://whatsmyip.net/
US
html
7.35 Kb
shared
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1304
rad916EC.tmp
131.188.40.189:443
Verein zur Foerderung eines Deutschen Forschungsnetzes e.V.
DE
malicious
3736
WScript.exe
88.202.183.16:443
bodyfirstpreppd.ie
UK-2 Limited
GB
suspicious
1304
rad916EC.tmp
78.129.150.54:9001
iomart Cloud Services Limited.
GB
suspicious
3736
WScript.exe
178.63.20.162:443
www.saglikburada.site
Hetzner Online GmbH
DE
suspicious
104.16.155.36:80
whatismyipaddress.com
Cloudflare Inc
US
shared
1304
rad916EC.tmp
78.129.218.56:443
iomart Cloud Services Limited.
GB
suspicious
1304
rad916EC.tmp
128.31.0.39:9101
Massachusetts Institute of Technology
US
malicious
1304
rad916EC.tmp
5.189.142.118:443
Contabo GmbH
DE
suspicious
1304
rad916EC.tmp
104.16.155.36:80
whatismyipaddress.com
Cloudflare Inc
US
shared
104.18.34.131:80
whatsmyip.net
Cloudflare Inc
US
shared

DNS requests

Domain
IP
Reputation
www.saglikburada.site
  • 178.63.20.162
suspicious
bodyfirstpreppd.ie
  • 88.202.183.16
suspicious
whatismyipaddress.com
  • 104.16.155.36
  • 104.16.154.36
shared
whatsmyip.net
  • 104.18.34.131
  • 104.18.35.131
shared

Threats

PID
Process
Class
Message
1304
rad916EC.tmp
Misc Attack
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 124
1304
rad916EC.tmp
Potential Corporate Privacy Violation
POLICY [PTsecurity] TOR SSL connection
1304
rad916EC.tmp
Misc activity
ET POLICY TLS possible TOR SSL traffic
1304
rad916EC.tmp
Potential Corporate Privacy Violation
POLICY [PTsecurity] TOR SSL connection
1304
rad916EC.tmp
Misc Attack
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 525
1304
rad916EC.tmp
Misc Attack
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 588
1304
rad916EC.tmp
Misc Attack
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 587
1304
rad916EC.tmp
Misc activity
ET POLICY TLS possible TOR SSL traffic
1304
rad916EC.tmp
Potential Corporate Privacy Violation
POLICY [PTsecurity] TOR SSL connection
1304
rad916EC.tmp
Potential Corporate Privacy Violation
POLICY [PTsecurity] TOR SSL connection
23 ETPRO signatures available at the full report
No debug info