File name: Кузьмин1.rar

Full analysis: https://app.any.run/tasks/83120064-3896-410a-a6c3-42e17f884fe6
Verdict: Malicious activity
Threats:

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Analysis date: August 13, 2019, 13:33:59
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: ransomware, troldesh, shade
Indicators:
MIME: application/x-rar
File info: RAR archive data, flags: EncryptedBlockHeader
MD5: 95B0370FDC65DB407E530B04CB1FBA49
SHA1: AF21EAB74416350E57999CF72630BB237245DFEB
SHA256: 536F70A03C241D46137C627D945C65F805987ADA8A60C08FDA030A0EA85F4489
SSDEEP: 192:iPT/MG1VqqIwyS6UqE1Owuqaz++NRm6EQ7GHsbL47QblvgfMivgIK:iPbMUYRUq4RuB6SR0Q7GMbL4YlvYhK

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • radAEA19.tmp (PID: 3740)
    • Changes the autorun value in the registry

      • radAEA19.tmp (PID: 3740)
    • TROLDESH was detected

      • radAEA19.tmp (PID: 3740)
  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • WScript.exe (PID: 2076)
    • Executable content was dropped or overwritten

      • WScript.exe (PID: 2076)
      • radAEA19.tmp (PID: 3740)
    • Executes scripts

      • WinRAR.exe (PID: 2632)
    • Starts application with an unusual extension

      • cmd.exe (PID: 1996)
    • Connects to unusual port

      • radAEA19.tmp (PID: 3740)
    • Creates files in the program directory

      • radAEA19.tmp (PID: 3740)
  • INFO

    • Reads settings of System Certificates

      • WScript.exe (PID: 2076)
No Malware configuration.

TRiD

.rar | RAR compressed archive (v-4.x) (58.3)
.rar | RAR compressed archive (gen) (41.6)
No data.
Total processes: 37
Monitored processes: 4
Malicious processes: 4
Suspicious processes: 0

Behavior graph (process chain): start → winrar.exe → wscript.exe → cmd.exe → radaea19.tmp (#TROLDESH)

Process information

PID 2632: WinRAR.exe
  CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Кузьмин1.rar"
  Path: C:\Program Files\WinRAR\WinRAR.exe
  Parent process: explorer.exe
  User: admin
  Company: Alexander Roshal
  Integrity Level: MEDIUM
  Description: WinRAR archiver
  Version: 5.60.0

PID 2076: WScript.exe
  CMD: "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\Rar$DIb2632.29242\Информация о заказе.2019-0812.docx.js"
  Path: C:\Windows\System32\WScript.exe
  Parent process: WinRAR.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Microsoft ® Windows Based Script Host
  Exit code: 0
  Version: 5.8.7600.16385

PID 1996: cmd.exe
  CMD: "C:\Windows\System32\cmd.exe" /c C:\Users\admin\AppData\Local\Temp\radAEA19.tmp
  Path: C:\Windows\System32\cmd.exe
  Parent process: WScript.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Windows Command Processor
  Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID 3740: radAEA19.tmp
  CMD: C:\Users\admin\AppData\Local\Temp\radAEA19.tmp
  Path: C:\Users\admin\AppData\Local\Temp\radAEA19.tmp
  Parent process: cmd.exe
  User: admin
  Integrity Level: MEDIUM
Total events: 629
Read events: 583
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 3
Suspicious files: 0
Text files: 2
Unknown types: 0

Dropped files

PID 3740 (radAEA19.tmp): C:\Users\admin\AppData\Local\Temp\6893A5D897\state.tmp
  MD5:
  SHA256:

PID 2076 (WScript.exe): C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\1c[1].jpg
  Type: executable
  MD5: 5277094B3AC5FD50B70D62280E0B5C1F
  SHA256: 26EB6EBC5D7A0D9D55408C5137B076C674094350198A8FF4A50DECFB527A00A8

PID 2076 (WScript.exe): C:\Users\admin\AppData\Local\Temp\radAEA19.tmp
  Type: executable
  MD5: 5277094B3AC5FD50B70D62280E0B5C1F
  SHA256: 26EB6EBC5D7A0D9D55408C5137B076C674094350198A8FF4A50DECFB527A00A8

PID 3740 (radAEA19.tmp): C:\Users\admin\AppData\Local\Temp\6893A5~1\state
  Type: text
  MD5: C2C83D8F2D18989E284D235B117065D3
  SHA256: A526185AA558E51F6F81ECA0374B2345AB59C48DBFA29BBC22149377C6043F0C

PID 2632 (WinRAR.exe): C:\Users\admin\AppData\Local\Temp\Rar$DIb2632.29242\Информация о заказе.2019-0812.docx.js
  Type: text
  MD5: 6B4F11B6286A94100E160AD62246B3F7
  SHA256: 077C5E0656CBE98707BE9186C213D0E70F45513CDF6DB37FE515D062B2F71EF4

PID 3740 (radAEA19.tmp): C:\ProgramData\Windows\csrss.exe
  Type: executable
  MD5: 5277094B3AC5FD50B70D62280E0B5C1F
  SHA256: 26EB6EBC5D7A0D9D55408C5137B076C674094350198A8FF4A50DECFB527A00A8
HTTP(S) requests: 0
TCP/UDP connections: 3
DNS requests: 1
Threats: 0

HTTP requests

No HTTP requests

Connections

PID 3740 (radAEA19.tmp) → 171.25.193.9:80
  ASN: Foreningen for digitala fri- och rattigheter
  CN: SE
  Reputation: malicious

PID 3740 (radAEA19.tmp) → 76.73.17.194:9090
  ASN: Cogent Communications
  CN: US
  Reputation: malicious

PID 2076 (WScript.exe) → 104.156.60.121:443
  Domain: readsindia.com
  ASN: HIVELOCITY VENTURES CORP
  CN: US
  Reputation: unknown

DNS requests

readsindia.com → 104.156.60.121 (Reputation: unknown)

Threats

PID 3740 (radAEA19.tmp)
  Class: Misc Attack
  Message: ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 190
No debug info