File name: ItroublveTSC.v6.Fix.7.2_1.rar

Full analysis: https://app.any.run/tasks/8b34d5a8-896e-4138-babd-0a616e94790c
Verdict: Malicious activity
Analysis date: April 01, 2023, 19:10:27
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5: 8F43A4C325FD8E9A74FD95B981E47EB0
SHA1: 9B81F726258EDB058A976021FEF6BF80EA3B0D49
SHA256: ACA29BB525C3551E04C4EB159A5E7531F4AEB84C51386DCD828793FC3A97079B
SSDEEP: 98304:h/Oeozvy8dptnsI9/JG4GRtqKCmp5Yj28AYwsrN7ZzHhlvnO6AQQMnTy:xT4vyetsI9/JMibrzZzHzKvp

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • ItroublveTSC.exe (PID: 1848)
      • RtkBtManServ.exe (PID: 2472)
      • fsdf.exe (PID: 1824)
    • Starts Visual C# compiler

      • MSBuild.exe (PID: 2500)
    • Loads dropped or rewritten executable

      • SearchProtocolHost.exe (PID: 1920)
    • Actions look like stealing of personal data

      • RtkBtManServ.exe (PID: 2472)
  • SUSPICIOUS

    • Reads the Internet Settings

      • ItroublveTSC.exe (PID: 1848)
      • wscript.exe (PID: 3912)
      • RtkBtManServ.exe (PID: 2472)
      • fsdf.exe (PID: 1824)
    • The process executes VB scripts

      • ItroublveTSC.exe (PID: 1848)
    • Starts CMD.EXE for command execution

      • wscript.exe (PID: 3912)
    • Executable content was dropped or overwritten

      • ItroublveTSC.exe (PID: 1848)
      • MSBuild.exe (PID: 2500)
      • csc.exe (PID: 2448)
      • cmd.exe (PID: 2392)
      • fsdf.exe (PID: 1824)
      • RtkBtManServ.exe (PID: 2472)
    • Executing commands from a ".bat" file

      • wscript.exe (PID: 3912)
    • Reads browser cookies

      • RtkBtManServ.exe (PID: 2472)
  • INFO

    • Reads Environment values

      • ItroublveTSC.exe (PID: 1848)
      • RtkBtManServ.exe (PID: 2472)
    • Checks supported languages

      • ItroublveTSC.exe (PID: 1848)
      • MSBuild.exe (PID: 2500)
      • csc.exe (PID: 2448)
      • cvtres.exe (PID: 3068)
      • fsdf.exe (PID: 1824)
      • RtkBtManServ.exe (PID: 2472)
    • Reads the computer name

      • ItroublveTSC.exe (PID: 1848)
      • MSBuild.exe (PID: 2500)
      • fsdf.exe (PID: 1824)
      • RtkBtManServ.exe (PID: 2472)
    • Manual execution by a user

      • ItroublveTSC.exe (PID: 1848)
      • fsdf.exe (PID: 1824)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 1900)
    • The process checks LSA protection

      • ItroublveTSC.exe (PID: 1848)
      • MSBuild.exe (PID: 2500)
      • csc.exe (PID: 2448)
      • cvtres.exe (PID: 3068)
      • fsdf.exe (PID: 1824)
      • RtkBtManServ.exe (PID: 2472)
    • Reads the machine GUID from the registry

      • ItroublveTSC.exe (PID: 1848)
      • MSBuild.exe (PID: 2500)
      • csc.exe (PID: 2448)
      • cvtres.exe (PID: 3068)
      • fsdf.exe (PID: 1824)
      • RtkBtManServ.exe (PID: 2472)
    • Creates files in a temporary directory

      • MSBuild.exe (PID: 2500)
      • cvtres.exe (PID: 3068)
      • ItroublveTSC.exe (PID: 1848)
      • csc.exe (PID: 2448)
      • fsdf.exe (PID: 1824)
      • RtkBtManServ.exe (PID: 2472)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
No data.
All screenshots are available in the full report
Total processes: 52
Monitored processes: 10
Malicious processes: 8
Suspicious processes: 0

Behavior graph

Processes shown in the graph (details in the full report): winrar.exe, searchprotocolhost.exe, itroublvetsc.exe, wscript.exe, cmd.exe, msbuild.exe, csc.exe, cvtres.exe, fsdf.exe, rtkbtmanserv.exe

Process information

PID: 1900
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\ItroublveTSC.v6.Fix.7.2_1.rar"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.91.0
Modules (images):
  • c:\program files\winrar\winrar.exe
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\lpk.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\usp10.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\shlwapi.dll
  • c:\windows\system32\comdlg32.dll

PID: 1920
CMD: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
Path: C:\Windows\System32\SearchProtocolHost.exe
Parent process: SearchIndexer.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft Windows Search Protocol Host
Version: 7.00.7601.24542 (win7sp1_ldr_escrow.191209-2211)
Modules (images):
  • c:\windows\system32\searchprotocolhost.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\gdi32.dll

PID: 1848
CMD: "C:\Users\admin\Desktop\ItroublveTSC.v6.Fix.7.2 (1)\ItroublveTSC.exe"
Path: C:\Users\admin\Desktop\ItroublveTSC.v6.Fix.7.2 (1)\ItroublveTSC.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Description: ItroublveTSC
Version: 6.0.0.0
Modules (images):
  • c:\windows\system32\ntdll.dll
  • c:\users\admin\desktop\itroublvetsc.v6.fix.7.2 (1)\itroublvetsc.exe
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\mscoree.dll
  • c:\windows\system32\shlwapi.dll

PID: 3912
CMD: "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\bin_copy\compile.vbs"
Path: C:\Windows\System32\wscript.exe
Parent process: ItroublveTSC.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft ® Windows Based Script Host
Exit code: 0
Version: 5.8.7600.16385
Modules (images):
  • c:\windows\system32\wscript.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\gdi32.dll

PID: 2392
CMD: "C:\Windows\System32\cmd.exe" /c compile.bat
Path: C:\Windows\System32\cmd.exe
Parent process: wscript.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules (images):
  • c:\windows\system32\cmd.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\winbrand.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\lpk.dll
  • c:\windows\system32\usp10.dll

PID: 2500
CMD: C:/Windows/Microsoft.NET/Framework/v4.0.30319/msbuild.exe TSC.sln
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: MSBuild.exe
Exit code: 0
Version: 4.0.30319.34209 built by: FX452RTMGDR
Modules (images):
  • c:\windows\microsoft.net\framework\v4.0.30319\msbuild.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\mscoree.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

PID: 2448
CMD: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Csc.exe" /noconfig @"C:\Users\admin\AppData\Local\Temp\tmp1142bbb637204390b66516b367beed90.rsp"
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
Parent process: MSBuild.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Visual C# Command Line Compiler
Exit code: 0
Version: 4.0.30319.34209 built by: FX452RTMGDR
Modules (images):
  • c:\windows\microsoft.net\framework\v4.0.30319\csc.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\msvcr120_clr0400.dll
  • c:\windows\system32\ole32.dll

PID: 3068
CMD: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RES944C.tmp" "c:\Users\admin\AppData\Local\Temp\bin_copy\obj\Debug\CSCDD92D1B0EEDF427CB7332FE8BF17298.TMP"
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
Parent process: csc.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft® Resource File To COFF Object Conversion Utility
Exit code: 0
Version: 12.00.51209.34209 built by: FX452RTMGDR
Modules (images):
  • c:\windows\microsoft.net\framework\v4.0.30319\cvtres.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\msvcr120_clr0400.dll
  • c:\windows\system32\cryptsp.dll

PID: 1824
CMD: "C:\Users\admin\Desktop\ItroublveTSC.v6.Fix.7.2 (1)\fsdf.exe"
Path: C:\Users\admin\Desktop\ItroublveTSC.v6.Fix.7.2 (1)\fsdf.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Description:
Exit code: 0
Version: 1.0.0.0
Modules (images):
  • c:\users\admin\desktop\itroublvetsc.v6.fix.7.2 (1)\fsdf.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\mscoree.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

PID: 2472
CMD: "C:\Users\admin\AppData\Local\Temp\RtkBtManServ.exe" Eb+2YsaQwteu3TZx6uflbg==
Path: C:\Users\admin\AppData\Local\Temp\RtkBtManServ.exe
Parent process: fsdf.exe
User: admin
Integrity Level: MEDIUM
Description: RtkBtManServ
Version: 1.0.0.0
Modules (images):
  • c:\windows\system32\ntdll.dll
  • c:\users\admin\appdata\local\temp\rtkbtmanserv.exe
  • c:\windows\system32\mscoree.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
Total events: 17 468
Read events: 17 276
Write events: 176
Delete events: 16

Modification events

(PID) Process: (1900) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\16D\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (1900) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip

(PID) Process: (1900) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip

(PID) Process: (1900) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\Desktop\phacker.zip

(PID) Process: (1900) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (1900) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (1900) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

(PID) Process: (1900) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

(PID) Process: (1920) SearchProtocolHost.exe
Key: HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\16D\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (1900) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin
Operation: write
Name: Placement
Value: 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF42000000420000000204000037020000
Executable files: 82
Suspicious files: 60
Text files: 128
Unknown types: 22

Dropped files

PID: 1900
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa1900.22275\ItroublveTSC.v6.Fix.7.2 (1)\bin\Binaries\RtkBtManServ.exe
Type: executable
MD5: 88AB0BB59B0B20816A833BA91C1606D3
SHA256: F4FB42C8312A6002A8783E2A1AB4571EB89E92CD192B1A21E8C4582205C37312

PID: 1900
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa1900.22275\ItroublveTSC.v6.Fix.7.2 (1)\bin\App.config
Type: xml
MD5: 13FF21470B63470978E08E4933EB8E56
SHA256: 16286566D54D81C3721F7ECF7F426D965DE364E9BE2F9E628D7363B684B6FE6A

PID: 1900
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa1900.22275\ItroublveTSC.v6.Fix.7.2 (1)\bin\o.crproj
Type: text
MD5: 3551F612ED34F86EC42F1DE69F758101
SHA256: 70E55A0723846040D90B664E300B58BBD7D6061EAABC79EAEB943DC5598CC373

PID: 1900
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa1900.22275\ItroublveTSC.v6.Fix.7.2 (1)\bin\Binaries\config
Type: binary
MD5: 1BA367D0F9AAC0F650E65AB7401776C0
SHA256: 68C4EC552C98F3B5A4744E4EEFADD6364DC8075C2E718B7BCBFC76625AA60D03

PID: 1900
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa1900.22275\ItroublveTSC.v6.Fix.7.2 (1)\bin\obf\Confuser.Core.dll
Type: executable
MD5: 6F3E120BAA644B4DC085A3DD3E183BCF
SHA256: 4742104D8E47541ED998D22321717D288CD62682B56F56F4A69DC9BD99C9A6FB

PID: 1900
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa1900.22275\ItroublveTSC.v6.Fix.7.2 (1)\bin\packages\System.IO.Compression.ZipFile.4.3.0\.signature.p7s
Type: der
MD5: 1CAF0E5AE358804C975D33C8381E7506
SHA256: 517116CA9BB57682DA5460CE0BC3AE6BB35D6B0B2A6B70E6E18AABB409B05992

PID: 1900
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa1900.22275\ItroublveTSC.v6.Fix.7.2 (1)\bin\Digitallity.cs
Type: text
MD5: E96DB35E82B4088E0258E593A9DACE7F
SHA256: F880F91E5F46E3FB6589841556A97CBE79773385A1CBDE8676E3F071952662C8

PID: 1900
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa1900.22275\ItroublveTSC.v6.Fix.7.2 (1)\bin\obf\Confuser.DynCipher.dll
Type: executable
MD5: 6EBC90E77623826E71DED623A296660B
SHA256: CDAD0A76F0D3F3E73FCDC6E5E6D98B0E88ADCC2353C54344375B80197A86FCF6

PID: 1900
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa1900.22275\ItroublveTSC.v6.Fix.7.2 (1)\bin\obf\CLI.exe
Type: executable
MD5: A6F83DA2BFE041D92FF79B9C238ED72E
SHA256: 0B997165E348B17658BEF1E869881C37C79C2A9BB26E132AC4141EEFD5912652

PID: 1900
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa1900.22275\ItroublveTSC.v6.Fix.7.2 (1)\bin\obf\dnlib.dll
Type: executable
MD5: E61BAD0331819ED63CA3B0D537F7E1A1
SHA256: D8FC78217493FEBE82670C5A93FEB85AB86FC6A0387ABCB6E9165E0C0BB97000
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 1
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

Domain | IP | Reputation
itroublvehacker.gq | n/a | whitelisted

Threats

PID | Process | Class | Message
n/a | n/a | Potentially Bad Traffic | ET INFO DNS Query for Suspicious .gq Domain
No debug info