File name: Desktop.rar
Full analysis: https://app.any.run/tasks/55197e23-3ac3-458d-9905-29d4c375917a
Verdict: Malicious activity
Threats: Ransomware

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Analysis date: January 17, 2019, 21:10:26
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: ransomware, troldesh, shade

Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5: AA97164D26F8A4ECE6C40CA98C10D894
SHA1: A43538D989D57EF5BB8C082CAD500A4261116849
SHA256: AD64FE4D1D7D5849386C93FDA65CCE9B19D6C646C9BD73F6A8268B726E500547
SSDEEP: 24576:Eevue6QgRyqViXh8bOYWxwZvK1OTlZcTi0uMzMyAbZpILWoCGLplQ82vBGdj:EevuFQlHXeW212ORMNAMjZ2ZUj

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • rad24126.exe (PID: 3736)
      • rad24126.exe (PID: 4028)
      • rad24126.exe (PID: 3008)
      • Constructor.Win32.ChmBuilder.a.exe (PID: 3300)
      • Constructor.Win32.ChmBuilder.a.exe (PID: 2628)
      • Constructor.Win32.ChmBuilder.a.exe (PID: 2512)
      • Constructor.Win32.ChmBuilder.a.exe (PID: 3052)
      • Constructor.Win32.ChmBuilder.a.exe (PID: 2972)
    • TROLDESH was detected

      • rad24126.exe (PID: 3736)
      • rad24126.exe (PID: 4028)
    • Changes the autorun value in the registry

      • rad24126.exe (PID: 3736)
      • rad24126.exe (PID: 4028)
    • Loads dropped or rewritten executable

      • Constructor.Win32.ChmBuilder.a.exe (PID: 2628)
      • Constructor.Win32.ChmBuilder.a.exe (PID: 2972)
    • Changes settings of System certificates

      • IEInstal.exe (PID: 3592)
  • SUSPICIOUS

    • Creates files in the program directory

      • rad24126.exe (PID: 3736)
    • Executable content was dropped or overwritten

      • rad24126.exe (PID: 3736)
      • WinRAR.exe (PID: 3044)
      • WinRAR.exe (PID: 4044)
      • rad24126.exe (PID: 4028)
      • Constructor.Win32.ChmBuilder.a.exe (PID: 2628)
      • hh.exe (PID: 2992)
    • Creates files in the Windows directory

      • Constructor.Win32.ChmBuilder.a.exe (PID: 2628)
      • IEInstal.exe (PID: 2136)
    • Connects to unusual port

      • rad24126.exe (PID: 3736)
    • Adds / modifies Windows certificates

      • IEInstal.exe (PID: 3592)
    • Creates COM task schedule object

      • Constructor.Win32.ChmBuilder.a.exe (PID: 2628)
      • Constructor.Win32.ChmBuilder.a.exe (PID: 2972)
    • Reads internet explorer settings

      • hh.exe (PID: 2992)
      • hh.exe (PID: 3688)
      • hh.exe (PID: 3928)
    • Removes files from Windows directory

      • IEInstal.exe (PID: 2136)
  • INFO

    • Dropped object may contain Bitcoin addresses

      • rad24126.exe (PID: 3736)
No Malware configuration.

TRiD:
  .rar | RAR compressed archive (v5.0) (61.5)
  .rar | RAR compressed archive (gen) (38.4)
No data.
All screenshots are available in the full report
Total processes: 79
Monitored processes: 20
Malicious processes: 5
Suspicious processes: 1

Behavior graph

Nodes in the order the graph lists them ("no specs" marks a process with no signature hits; #TROLDESH marks the two rad24126.exe instances the Troldesh detection fired on):

  • winrar.exe (no specs)
  • winrar.exe
  • rundll32.exe (no specs)
  • #TROLDESH rad24126.exe
  • winrar.exe
  • constructor.win32.chmbuilder.a.exe (no specs)
  • wermgr.exe (no specs)
  • rad24126.exe (no specs)
  • #TROLDESH rad24126.exe
  • wermgr.exe (no specs)
  • constructor.win32.chmbuilder.a.exe (no specs)
  • constructor.win32.chmbuilder.a.exe
  • hh.exe
  • ieinstal.exe (no specs)
  • notepad.exe (no specs)
  • constructor.win32.chmbuilder.a.exe (no specs)
  • constructor.win32.chmbuilder.a.exe
  • hh.exe (no specs)
  • hh.exe (no specs)
  • ieinstal.exe (no specs)

Read together with the process and dropped-file tables, the chain is: WinRAR (PID 2832) opens Desktop.rar, which holds two inner archives, radC8EB1.tmp.zip and Constructor.Win32.ChmBuilder.a.zip. Extracting the first yields rad24126.tmp, which is then launched as rad24126.exe (the csrss.exe copy it later drops carries rad24126.tmp's hash); that is the Troldesh/Shade payload. The Constructor.Win32.ChmBuilder.a.exe, hh.exe, IEInstal.exe and notepad.exe nodes come from the second archive and from the analyst's interaction (every process in the table below has explorer.exe as its parent), so their signature hits should not be read as Troldesh behaviour without checking the full report.

Process information

The summary lists 10 of the 20 monitored processes; the remainder (including the Constructor.Win32.ChmBuilder.a.exe, hh.exe and IEInstal.exe instances named in the signatures above) are only in the full report. Every listed process has explorer.exe as its parent, i.e. each was started by the analyst from the desktop.

PID 2832
  CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Desktop.rar"
  Path: C:\Program Files\WinRAR\WinRAR.exe
  Parent: explorer.exe | User: admin | Integrity level: MEDIUM | Exit code: 0
  Company: Alexander Roshal | Description: WinRAR archiver | Version: 5.60.0

PID 3044
  CMD: "C:\Program Files\WinRAR\WinRAR.exe" x -iext -ow -ver -- "C:\Users\admin\Desktop\radC8EB1.tmp.zip" C:\Users\admin\Desktop\
  Path: C:\Program Files\WinRAR\WinRAR.exe
  Parent: explorer.exe | User: admin | Integrity level: MEDIUM | Exit code: 0
  Company: Alexander Roshal | Description: WinRAR archiver | Version: 5.60.0

PID 1416
  CMD: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\admin\Desktop\rad24126.tmp
  Path: C:\Windows\system32\rundll32.exe
  Parent: explorer.exe | User: admin | Integrity level: MEDIUM | Exit code: 0
  Company: Microsoft Corporation | Description: Windows host process (Rundll32) | Version: 6.1.7600.16385 (win7_rtm.090713-1255)
  Note: OpenAs_RunDLL is the shell's "Open with" dialog; the analyst was choosing how to open the extracted rad24126.tmp.

PID 3736 (#TROLDESH)
  CMD: "C:\Users\admin\Desktop\rad24126.exe"
  Path: C:\Users\admin\Desktop\rad24126.exe
  Parent: explorer.exe | User: admin | Integrity level: MEDIUM | Exit code: not reported

PID 4044
  CMD: "C:\Program Files\WinRAR\WinRAR.exe" x -iext -ow -ver -- "C:\Users\admin\Desktop\Constructor.Win32.ChmBuilder.a.zip" C:\Users\admin\Desktop\
  Path: C:\Program Files\WinRAR\WinRAR.exe
  Parent: explorer.exe | User: admin | Integrity level: MEDIUM | Exit code: 0
  Company: Alexander Roshal | Description: WinRAR archiver | Version: 5.60.0

PID 3300
  CMD: "C:\Users\admin\Desktop\New folder\Constructor.Win32.ChmBuilder.a.exe"
  Path: C:\Users\admin\Desktop\New folder\Constructor.Win32.ChmBuilder.a.exe
  Parent: explorer.exe | User: admin | Integrity level: MEDIUM | Exit code: not reported

PID 3660
  CMD: "C:\Windows\system32\wermgr.exe" "-outproc" "116" "3920"
  Path: C:\Windows\system32\wermgr.exe
  Parent: explorer.exe | User: admin | Integrity level: MEDIUM | Exit code: 0
  Company: Microsoft Corporation | Description: Windows Problem Reporting | Version: 6.1.7600.16385 (win7_rtm.090713-1255)
  Note: Windows Error Reporting instance; the Report.wer it writes (see Dropped files) is filed under NonCritical_rad24126.exe, so the payload crashed at least once.

PID 3008
  CMD: "C:\Users\admin\Desktop\New folder\rad24126.exe"
  Path: C:\Users\admin\Desktop\New folder\rad24126.exe
  Parent: explorer.exe | User: admin | Integrity level: MEDIUM | Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)

PID 4028 (#TROLDESH)
  CMD: "C:\Users\admin\Desktop\New folder\rad24126.exe"
  Path: C:\Users\admin\Desktop\New folder\rad24126.exe
  Parent: explorer.exe | User: admin | Integrity level: HIGH | Exit code: 0
  Note: the same binary that had just exited with STATUS_ELEVATION_REQUIRED (PID 3008) now runs at high integrity, i.e. a UAC elevation was requested and granted. This is the instance that drops C:\ProgramData\Windows\csrss.exe (see Dropped files) and changes the autorun value.

PID 3640
  CMD: "C:\Windows\system32\wermgr.exe" "-outproc" "116" "4048"
  Path: C:\Windows\system32\wermgr.exe
  Parent: explorer.exe | User: admin | Integrity level: MEDIUM | Exit code: 0
  Company: Microsoft Corporation | Description: Windows Problem Reporting | Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 2 039
Read events: 1 749
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 7
Suspicious files: 8
Text files: 83
Unknown types: 8

Dropped files (entries shown in the summary; "not given" marks fields the report leaves blank)

PID 3736 rad24126.exe
  C:\Users\admin\AppData\Local\Temp\6893A5D897\state.tmp
  Type: not given | MD5: not given | SHA256: not given

PID 3736 rad24126.exe
  C:\Users\admin\AppData\Local\Temp\6893A5D897\unverified-microdesc-consensus.tmp
  Type: not given | MD5: not given | SHA256: not given

PID 2832 WinRAR.exe
  C:\Users\admin\AppData\Local\Temp\Rar$DRa2832.911\Constructor.Win32.ChmBuilder.a.zip
  Type: compressed | MD5: B5D6FDE02E72DDDC285B87F30B8A6425 | SHA256: C51EC3A59E130DBC5AB7DE92114DADA93FC0A94B291E67586E8ACD7224E39B90

PID 3044 WinRAR.exe
  C:\Users\admin\Desktop\rad24126.tmp
  Type: executable | MD5: EEE6B8FFF025CAFAD98579657B7BCCD0 | SHA256: 14E44C02A55DE7BA6BCE25648AE343104F90213F2F2D2C382E9C738DE151CD50

PID 2628 Constructor.Win32.ChmBuilder.a.exe
  C:\Windows\hha.dll
  Type: executable | MD5: 83178B998B55F3B199D21158F307FA4C | SHA256: 32003DF5ECD25FA39A0C410A487C8B8440758F199EB4032B4EC03CD8F1DA220C

PID 3660 wermgr.exe
  C:\Users\admin\AppData\Local\Microsoft\Windows\WER\ReportQueue\NonCritical_rad24126.exe_eaec84b47f404a426e84a8d278dc3f9b417bde5d_cab_0e57bd22\Report.wer
  Type: binary | MD5: 86D84A1EDAD7DCC466D23A024BDF1949 | SHA256: 8C47BAAFADC53188E43BB244A94C372830F05A1AF9AD9C979DD5AF5800532FCA

PID 3736 rad24126.exe
  C:\Users\admin\AppData\Local\Temp\6893A5~1\unverified-microdesc-consensus
  Type: text | MD5: 2A0AD870D9AA1BBA52B690E8769CC627 | SHA256: A3DC233EF6A7A80429DDC755646971D5966210D34F31078B25DB9ECC257D04BC

PID 2832 WinRAR.exe
  C:\Users\admin\AppData\Local\Temp\Rar$DRa2832.911\radC8EB1.tmp.zip
  Type: compressed | MD5: 295DDC18A6F7DD9AE9D61CDD0FC6C2A2 | SHA256: F786B73784EFEC73B25FE52CAED6CEAA1C29F1700EA8D896983F0664AEB3C053

PID 4028 rad24126.exe
  C:\ProgramData\Windows\csrss.exe
  Type: executable | MD5: EEE6B8FFF025CAFAD98579657B7BCCD0 | SHA256: 14E44C02A55DE7BA6BCE25648AE343104F90213F2F2D2C382E9C738DE151CD50

PID 2628 Constructor.Win32.ChmBuilder.a.exe
  C:\Users\admin\AppData\Local\Temp\IMT1811.tmp
  Type: not given | MD5: not given | SHA256: not given

Two things stand out. C:\ProgramData\Windows\csrss.exe has the same MD5 and SHA256 as the extracted rad24126.tmp: the elevated payload copies itself into ProgramData under the name of a core Windows process (the real csrss.exe lives only in System32), and that copy is the persistence artefact to hunt for. And state and unverified-microdesc-consensus are file names a Tor client keeps in its data directory; their appearance in rad24126.exe's temp folder matches the ET TOR alerts in the Threats section and points to an embedded Tor client.
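Both observations above, the payload re-writing itself as C:\ProgramData\Windows\csrss.exe and the Tor data-directory file names in rad24126.exe's temp folder, are the kind of thing a triage script should surface without a human reading every row. The following Python is an added example written for this page, not ANY.RUN's code; its records are constructed from the dropped-files table above, and the function names, the list of system-binary names and the list of Tor data-directory file names are the script's own assumptions.

```python
"""Triage of a sandbox 'dropped files' listing (added example, not ANY.RUN code).

Records are constructed from this report's Dropped files table; the helper
names and the reference lists below are this script's own assumptions.
"""
from collections import defaultdict
import ntpath  # Windows path semantics even when the script runs on Linux

# (pid, process, path, file type, sha256); None where the report left a blank.
DROPPED = [
    (3736, "rad24126.exe", r"C:\Users\admin\AppData\Local\Temp\6893A5D897\state.tmp", None, None),
    (3736, "rad24126.exe", r"C:\Users\admin\AppData\Local\Temp\6893A5D897\unverified-microdesc-consensus.tmp", None, None),
    (2832, "WinRAR.exe", r"C:\Users\admin\AppData\Local\Temp\Rar$DRa2832.911\Constructor.Win32.ChmBuilder.a.zip",
     "compressed", "C51EC3A59E130DBC5AB7DE92114DADA93FC0A94B291E67586E8ACD7224E39B90"),
    (3044, "WinRAR.exe", r"C:\Users\admin\Desktop\rad24126.tmp",
     "executable", "14E44C02A55DE7BA6BCE25648AE343104F90213F2F2D2C382E9C738DE151CD50"),
    (2628, "Constructor.Win32.ChmBuilder.a.exe", r"C:\Windows\hha.dll",
     "executable", "32003DF5ECD25FA39A0C410A487C8B8440758F199EB4032B4EC03CD8F1DA220C"),
    (3736, "rad24126.exe", r"C:\Users\admin\AppData\Local\Temp\6893A5~1\unverified-microdesc-consensus",
     "text", "A3DC233EF6A7A80429DDC755646971D5966210D34F31078B25DB9ECC257D04BC"),
    (2832, "WinRAR.exe", r"C:\Users\admin\AppData\Local\Temp\Rar$DRa2832.911\radC8EB1.tmp.zip",
     "compressed", "F786B73784EFEC73B25FE52CAED6CEAA1C29F1700EA8D896983F0664AEB3C053"),
    (4028, "rad24126.exe", r"C:\ProgramData\Windows\csrss.exe",
     "executable", "14E44C02A55DE7BA6BCE25648AE343104F90213F2F2D2C382E9C738DE151CD50"),
    (2628, "Constructor.Win32.ChmBuilder.a.exe", r"C:\Users\admin\AppData\Local\Temp\IMT1811.tmp", None, None),
]

# Core Windows process images that legitimately exist only under System32 or
# SysWOW64 (assumed list; extend it for your environment).
SYSTEM_BINARY_NAMES = {"csrss.exe", "lsass.exe", "smss.exe", "winlogon.exe", "services.exe", "svchost.exe"}
LEGITIMATE_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# Files a Tor client writes into its DataDirectory (assumed, partial list).
TOR_DATADIR_FILES = {"state", "cached-certs", "cached-microdescs",
                     "cached-microdesc-consensus", "unverified-microdesc-consensus"}


def group_by_hash(records):
    """Map each SHA256 to the set of paths written with that exact content."""
    groups = defaultdict(set)
    for _pid, _proc, path, _ftype, sha in records:
        if sha:  # skip records the sandbox did not hash
            groups[sha.upper()].add(path)
    return dict(groups)


def replicated_executables(records):
    """{sha256: paths} for executables written to more than one location.
    A payload copying itself elsewhere is the usual prelude to persistence."""
    executables = [r for r in records if r[3] == "executable"]
    return {sha: paths for sha, paths in group_by_hash(executables).items() if len(paths) > 1}


def masquerade_candidates(records):
    """Paths named like a core system binary but written outside System32/SysWOW64."""
    hits = []
    for _pid, _proc, path, _ftype, _sha in records:
        name = ntpath.basename(path).lower()
        directory = ntpath.dirname(path).lower()
        if name in SYSTEM_BINARY_NAMES and not directory.startswith(LEGITIMATE_DIRS):
            hits.append(path)
    return hits


def tor_datadir_writers(records):
    """{(pid, process): file names} for processes that wrote Tor DataDirectory files.
    A trailing .tmp is ignored because Tor writes these files under a temporary
    name and renames them into place."""
    writers = defaultdict(set)
    for pid, proc, path, _ftype, _sha in records:
        base = ntpath.basename(path)
        stem = base[:-4] if base.lower().endswith(".tmp") else base
        if stem.lower() in TOR_DATADIR_FILES:
            writers[(pid, proc)].add(base)
    return dict(writers)


if __name__ == "__main__":
    for sha, paths in replicated_executables(DROPPED).items():
        print(f"{sha[:12]}... written to {len(paths)} locations: {sorted(paths)}")
    print("system-name masquerade:", masquerade_candidates(DROPPED))
    print("Tor data-directory writers:", tor_datadir_writers(DROPPED))
```

Run against the report's rows, the hash grouping pairs rad24126.tmp with the ProgramData csrss.exe, the masquerade check flags only that csrss.exe, and the Tor check attributes all three data-directory files to PID 3736. The same three functions work unchanged on a dropped-file export from any sandbox that gives you path, type and hash per row.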
HTTP(S) requests: 1
TCP/UDP connections: 7
DNS requests: 3
Threats: 0

HTTP requests (1)

PID 2992 hh.exe | GET | HTTP 200 | 93.184.221.240:80 | http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab | Country: US | compressed | 55.2 Kb | whitelisted

authrootstl.cab is the Microsoft trusted-root certificate trust list that Windows' automatic root update fetches; the report marks the request whitelisted.

Connections (7)

PID  | Process      | IP:port             | Domain                         | ASN                                                      | Country | Reputation
3736 | rad24126.exe | 171.25.193.9:80     | -                              | Foreningen for digitala fri- och rattigheter             | SE      | malicious
3736 | rad24126.exe | 194.109.206.212:443 | -                              | Xs4all Internet BV                                       | NL      | malicious
3736 | rad24126.exe | 76.73.17.194:9090   | -                              | Cogent Communications                                    | US      | malicious
3736 | rad24126.exe | 12.235.151.200:9029 | -                              | AT&T Services, Inc.                                      | US      | suspicious
2992 | hh.exe       | 93.184.221.240:80   | www.download.windowsupdate.com | MCI Communications Services, Inc. d/b/a Verizon Business | US      | whitelisted
3736 | rad24126.exe | 51.255.206.74:443   | -                              | OVH SAS                                                  | FR      | suspicious
3736 | rad24126.exe | 51.15.47.17:9001    | -                              | Online S.a.s.                                            | NL      | suspicious

All six rad24126.exe connections go to bare IP addresses with no domain (the DNS table lists only Microsoft names), on a mix of 80/443 and high ports such as 9001 and 9090. That is how a Tor client bootstraps against its hard-coded directory authorities and fallback relays, and it is what the ET TOR signatures in the Threats section key on.

DNS requests (3 counted in the summary, 2 shown)

Domain                         | IP              | Reputation
www.download.windowsupdate.com | 93.184.221.240  | whitelisted
dns.msftncsi.com               | 131.107.255.255 | shared

dns.msftncsi.com is the Network Connectivity Status Indicator probe Windows issues on its own; it is background noise, not sample activity.

Threats (IDS alerts, Emerging Threats rules)

PID  | Process      | Class         | Message
3736 | rad24126.exe | Misc Attack   | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 173
3736 | rad24126.exe | Misc activity | ET POLICY TLS possible TOR SSL traffic
3736 | rad24126.exe | Misc Attack   | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 267
3736 | rad24126.exe | Misc Attack   | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 495
3736 | rad24126.exe | Misc Attack   | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 485
3736 | rad24126.exe | Misc activity | ET POLICY TLS possible TOR SSL traffic
3736 | rad24126.exe | Misc Attack   | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 105
3736 | rad24126.exe | Misc activity | ET POLICY TLS possible TOR SSL traffic

All eight alerts belong to PID 3736, the first (medium-integrity) rad24126.exe instance, which is also the process that wrote the Tor data-directory files listed under Dropped files. The network summary above reports "Threats: 0" while eight alerts are listed here; treat the list, not the counter, as authoritative.
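The Connections table and the ET TOR alerts show the same thing from two angles: one process touching a handful of bare IP addresses, several on Tor-typical ports, some already known as relays. The following Python is an added example written for this page, not ANY.RUN's or Emerging Threats' code; it reproduces that reasoning as a small detector over connection records constructed from the Connections table. The relay list, the allowlist, the port set and the fan-out threshold are the example's own assumptions, stand-ins for the current Tor consensus (or the ET relay list) and an organisation's allowlist.

```python
"""Tor-bootstrap detection over sandbox connection records (added example,
not ANY.RUN or Emerging Threats code).

Connection records are constructed from this report's Connections table. The
relay list and the allowlist are constructed stand-ins: a real deployment would
load the current Tor consensus (or the ET relay list) and its own allowlist.
"""
import ipaddress

# (pid, process, "ip:port") copied from the report's Connections table.
CONNECTIONS = [
    (3736, "rad24126.exe", "171.25.193.9:80"),
    (3736, "rad24126.exe", "194.109.206.212:443"),
    (3736, "rad24126.exe", "76.73.17.194:9090"),
    (3736, "rad24126.exe", "12.235.151.200:9029"),
    (2992, "hh.exe", "93.184.221.240:80"),
    (3736, "rad24126.exe", "51.255.206.74:443"),
    (3736, "rad24126.exe", "51.15.47.17:9001"),
]

# Constructed relay list (assumption for the example): the three destinations
# the report rates 'malicious' plus the one on 9001, the default Tor ORPort.
KNOWN_TOR_RELAYS = frozenset(ipaddress.ip_address(ip) for ip in (
    "171.25.193.9", "194.109.206.212", "76.73.17.194", "51.15.47.17"))

# Constructed allowlist: the Windows Update CDN address the report whitelists.
ALLOWLIST = frozenset({ipaddress.ip_address("93.184.221.240")})

STANDARD_WEB_PORTS = {80, 443}


def parse_endpoint(endpoint):
    """Split 'ip:port' into (ip_address, int). IPv4 only, as in the report."""
    host, _, port = endpoint.rpartition(":")
    return ipaddress.ip_address(host), int(port)


def per_process_profile(connections, allowlist=ALLOWLIST, relays=KNOWN_TOR_RELAYS):
    """Per (pid, process): distinct destinations, non-web ports, relay hits.
    Allowlisted destinations are dropped before counting, so a process that
    only talks to allowlisted hosts produces no profile at all."""
    profiles = {}
    for pid, proc, endpoint in connections:
        ip, port = parse_endpoint(endpoint)
        if ip in allowlist:
            continue
        p = profiles.setdefault((pid, proc), {"dests": set(), "odd_ports": set(), "relay_hits": set()})
        p["dests"].add((ip, port))
        if port not in STANDARD_WEB_PORTS:
            p["odd_ports"].add(port)
        if ip in relays:
            p["relay_hits"].add(ip)
    return profiles


def tor_verdicts(connections, allowlist=ALLOWLIST, relays=KNOWN_TOR_RELAYS, min_fanout=3):
    """{(pid, process): [reasons]} for processes that look like a Tor client.

    Two independent signals, so the detector still fires when the relay list
    is stale: (1) any destination is a known relay; (2) the process fans out
    to >= min_fanout distinct destinations and at least one is on a non-web
    port. A Tor client bootstraps by contacting several hard-coded directory
    authorities / fallback relays, many of them on ports such as 9001.
    """
    verdicts = {}
    for key, p in per_process_profile(connections, allowlist, relays).items():
        reasons = []
        if p["relay_hits"]:
            reasons.append(f"{len(p['relay_hits'])} known Tor relay destination(s)")
        if len(p["dests"]) >= min_fanout and p["odd_ports"]:
            reasons.append(f"fan-out to {len(p['dests'])} destinations on ports {sorted(p['odd_ports'])}")
        if reasons:
            verdicts[key] = reasons
    return verdicts


if __name__ == "__main__":
    for (pid, proc), reasons in tor_verdicts(CONNECTIONS).items():
        print(f"{proc} (PID {pid}): " + "; ".join(reasons))
```

On the report's rows this flags rad24126.exe (PID 3736) on both signals and leaves hh.exe alone, since its only destination is allowlisted. The fan-out signal is deliberately kept separate from the relay lookup: relay lists age quickly, and a process that fans out to six bare IPs with three high ports and no DNS lookups deserves a look even before anyone updates the list.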
No debug info