URL:

https://cryptobinary-options.tradetoolsfx.com/administrator/cache/ural_726171.php

Full analysis: https://app.any.run/tasks/85d55629-04ee-4ab2-9833-e7bec4f4b346
Verdict: Malicious activity
Threats:

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Malware Trends Tracker     >>>
Analysis date: May 24, 2019, 07:15:18
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
opendir
ransomware
troldesh
shade
Indicators:
MD5:

795424869AF6E1015957FC23FD075475

SHA1:

D618E09AAEA3196244F42F5D3390DD615FDE937F

SHA256:

5F337F1DA2E4982E9421B6A546BA12F5F3316B71215D02AD5C89EC8D6F64B378

SSDEEP:

3:N8K/JmWJfzbR3B5p6kTUnLVn:2K/kcX3Jcxn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Changes settings of System certificates

      • WScript.exe (PID: 2964)

    • Application was dropped or rewritten from another process

      • radCB21B.tmp (PID: 2116)

    • Changes the autorun value in the registry

      • radCB21B.tmp (PID: 2116)

    • TROLDESH was detected

      • radCB21B.tmp (PID: 2116)

  • SUSPICIOUS

    • Executes scripts

      • WinRAR.exe (PID: 1436)

    • Adds / modifies Windows certificates

      • WScript.exe (PID: 2964)

    • Executable content was dropped or overwritten

      • WScript.exe (PID: 2964)
      • radCB21B.tmp (PID: 2116)

    • Starts CMD.EXE for commands execution

      • WScript.exe (PID: 2964)

    • Starts application with an unusual extension

      • cmd.exe (PID: 932)

    • Creates files in the program directory

      • radCB21B.tmp (PID: 2116)

  • INFO

    • Changes internet zones settings

      • iexplore.exe (PID: 900)

    • Application launched itself

      • iexplore.exe (PID: 900)

    • Creates files in the user directory

      • iexplore.exe (PID: 1708)

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 1708)
      • iexplore.exe (PID: 900)

    • Manual execution by user

      • WinRAR.exe (PID: 1436)

    • Dropped object may contain Bitcoin addresses

      • radCB21B.tmp (PID: 2116)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
42
Monitored processes
6
Malicious processes
4
Suspicious processes
0

Behavior graph

Click at the process to see the details
start iexplore.exe iexplore.exe winrar.exe no specs wscript.exe cmd.exe no specs #TROLDESH radcb21b.tmp

Process information

PID
CMD
Path
Indicators
Parent process
900"C:\Program Files\Internet Explorer\iexplore.exe" -nohomeC:\Program Files\Internet Explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
1
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
932"C:\Windows\System32\cmd.exe" /c C:\Users\admin\AppData\Local\Temp\radCB21B.tmpC:\Windows\System32\cmd.exeWScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
1436"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Downloads\ural.zip"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
1708"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:900 CREDAT:71937C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
2116C:\Users\admin\AppData\Local\Temp\radCB21B.tmpC:\Users\admin\AppData\Local\Temp\radCB21B.tmp
cmd.exe
User:
admin
Company:
Glarysoft Ltd
Integrity Level:
MEDIUM
Description:
Registry Defrag
Exit code:
0
Version:
5.0.0.14
Modules
Images
c:\users\admin\appdata\local\temp\radcb21b.tmp
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
2964"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\Rar$DIa1436.17542\Подробности заказа ОАО Авиакомпания Уральские авиалинии.js" C:\Windows\System32\WScript.exe
WinRAR.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
Modules
Images
c:\windows\system32\wscript.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
Total events
1 480
Read events
1 337
Write events
136
Delete events
7

Modification events

(PID) Process:(900) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Operation:writeName:CompatibilityFlags
Value:
0
(PID) Process:(900) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
(PID) Process:(900) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
1
(PID) Process:(900) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
Operation:writeName:SecuritySafe
Value:
1
(PID) Process:(900) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:writeName:ProxyEnable
Value:
0
(PID) Process:(900) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation:writeName:SavedLegacySettings
Value:
4600000071000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000
(PID) Process:(900) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery\Active
Operation:writeName:{B85872C3-7DF3-11E9-B63D-5254004A04AF}
Value:
0
(PID) Process:(900) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Operation:writeName:Type
Value:
4
(PID) Process:(900) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Operation:writeName:Count
Value:
1
(PID) Process:(900) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Operation:writeName:Time
Value:
E30705000500180007000F0023003E00
Executable files
3
Suspicious files
3
Text files
13
Unknown types
4

Dropped files

PID
Process
Filename
Type
900iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\favicon[1].ico
MD5:
SHA256:
900iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
900iexplore.exeC:\Users\admin\AppData\Local\Temp\~DF501347221FAEE4BE.TMP
MD5:
SHA256:
900iexplore.exeC:\Users\admin\AppData\Local\Temp\~DFE4169631B9C67A3B.TMP
MD5:
SHA256:
900iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{B85872C3-7DF3-11E9-B63D-5254004A04AF}.dat
MD5:
SHA256:
900iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{B85872C4-7DF3-11E9-B63D-5254004A04AF}.datbinary
MD5:
SHA256:
1708iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.datdat
MD5:
SHA256:
2116radCB21B.tmpC:\Users\admin\AppData\Local\Temp\6893A5D897\state.tmp
MD5:
SHA256:
1708iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PCFC6PMG\ural[1].zipcompressed
MD5:
SHA256:
2116radCB21B.tmpC:\Users\admin\AppData\Local\Temp\6893A5D897\unverified-microdesc-consensus.tmp
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
6
DNS requests
4
Threats
2

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2964
WScript.exe
GET
301
95.216.12.141:80
http://kooolguru.com/wp-includes/ID3/1c.jpg
DE
suspicious
900
iexplore.exe
GET
200
204.79.197.200:80
http://www.bing.com/favicon.ico
US
image
237 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
900
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
1708
iexplore.exe
85.93.145.251:443
cryptobinary-options.tradetoolsfx.com
JSC Internet-Cosmos
RU
unknown
2964
WScript.exe
95.216.12.141:80
kooolguru.com
Hetzner Online GmbH
DE
suspicious
208.83.223.34:80
Applied Operations, LLC
US
malicious
2116
radCB21B.tmp
193.23.244.244:443
Chaos Computer Club e.V.
DE
malicious
2964
WScript.exe
188.165.53.185:443
www.moroccotours.info
OVH SAS
FR
malicious

DNS requests

Domain
IP
Reputation
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
cryptobinary-options.tradetoolsfx.com
  • 85.93.145.251
unknown
kooolguru.com
  • 95.216.12.141
unknown
www.moroccotours.info
  • 188.165.53.185
malicious

Threats

PID
Process
Class
Message
2116
radCB21B.tmp
Misc Attack
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 273
2116
radCB21B.tmp
Potential Corporate Privacy Violation
POLICY [PTsecurity] TOR SSL connection
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
https://cryptobinary-options.tradetoolsfx.com/administrator/cache/ural_726171.php