File name: 7d5b7701c15ca0485c58ef36e8647d263a17e2c962102b37b2994e63834af216_RLA

Full analysis: https://app.any.run/tasks/1bf06f9f-2a10-4a81-be1d-75ee9992a55e
Verdict: Malicious activity
Threats:

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Analysis date: October 14, 2019, 15:46:21
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
ransomware
teslacrypt
trojan
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (console) Intel 80386, for MS Windows
MD5: 119D7B22E66A2086080D5105BC881895
SHA1: F9A6C9D6D9ADFD6E21CAD7F73A92FEC6C55B10DF
SHA256: D0C5802C313484A79CDA178C08E7B54437695054DD3CFEBF7FA687E8DF32E172
SSDEEP: 6144:nmg1MPXeuInX2VHNySBneO+Z+R0BKpdW3OJSxw1CQKn7unJtt7Cz5fKeQ0dN4:mg1sgnXHSJeO+Z+R0gVmw87G3Gz5w

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • xelsac.exe (PID: 2212)
    • TeslaCrypt was detected

      • xelsac.exe (PID: 2212)
    • Deletes shadow copies

      • xelsac.exe (PID: 2212)
    • Actions look like stealing of personal data

      • xelsac.exe (PID: 2212)
    • Writes file to Word startup folder

      • xelsac.exe (PID: 2212)
    • Writes to a start menu file

      • xelsac.exe (PID: 2212)
    • Connects to CnC server

      • xelsac.exe (PID: 2212)
    • Modifies files in Chrome extension folder

      • xelsac.exe (PID: 2212)
  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • 7d5b7701c15ca0485c58ef36e8647d263a17e2c962102b37b2994e63834af216_RLA.exe (PID: 2160)
    • Executable content was dropped or overwritten

      • 7d5b7701c15ca0485c58ef36e8647d263a17e2c962102b37b2994e63834af216_RLA.exe (PID: 2160)
    • Starts itself from another location

      • 7d5b7701c15ca0485c58ef36e8647d263a17e2c962102b37b2994e63834af216_RLA.exe (PID: 2160)
    • Executed as Windows Service

      • vssvc.exe (PID: 2116)
    • Creates files in the program directory

      • xelsac.exe (PID: 2212)
    • Creates files in the user directory

      • xelsac.exe (PID: 2212)
  • INFO

    • Dropped object may contain TOR URL's

      • xelsac.exe (PID: 2212)
Find more information about signature artifacts and mapping to the MITRE ATT&CK™ MATRIX in the full report
No Malware configuration.

TRiD

.exe | DOS Executable Generic (100)

EXIF

EXE

Subsystem: Windows command line
SubsystemVersion: 4
ImageVersion: -
OSVersion: 5.1
EntryPoint: 0x17e0
UninitializedDataSize: -
InitializedDataSize: 238080
CodeSize: 251904
LinkerVersion: 8
PEType: PE32
TimeStamp: 2016:03:16 11:55:07+01:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_CUI
Compilation Date: 16-Mar-2016 10:55:07
Detected languages:
  • English - United States
CompanyName: Microsoft Corporation
FileDescription: Microsoft ACM Audio Filter
FileVersion: 10.0.10240.16384 (th1.150709-1700)
InternalName: Microsoft ACM Audio Filter
LegalCopyright: © Microsoft Corporation. All rights reserved.
OriginalFilename: msfltr32.acm
ProductName: Microsoft® Windows® Operating System
ProductVersion: 10.0.10240.16384

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x4550
Checksum: 0x0000
Initial IP value: 0x014C
Initial CS value: 0x0010
Overlay number: 0x56E9
OEM identifier: 0x00E0
OEM information: 0x012F
Address of NE header: 0x00000010

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 16
Time date stamp: 16-Mar-2016 10:55:07
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LARGE_ADDRESS_AWARE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy
.dHGmL | 0x00001000 | 0x0003D776 | 0x0003D800 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 7.92195
.tc | 0x0003F000 | 0x0003DBC4 | 0x00001800 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 2.03006
.ndata | 0x0007D000 | 0x0000EA6A | 0x0000EC00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 7.8265
.data1 | 0x0008C000 | 0x000008E0 | 0x00000A00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_SHARED | 2.84909
.rsrc | 0x0008D000 | 0x00001000 | 0x00000200 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 2.7611
Zdata | 0x0008E000 | 0x00000400 | 0x00000400 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 3.45789
C+Mmal+ | 0x0008F000 | 0x00003600 | 0x00003600 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 5.16082
FE_TEXT | 0x00093000 | 0x00000400 | 0x00000400 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 3.45789
M7/nWLy | 0x00094000 | 0x00002E00 | 0x00002E00 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.21302
\\xffX? | 0x00097000 | 0x00000400 | 0x00000400 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 3.45789

Resources

Title | Entropy | Size | Codepage | Language | Type
1 | 3.5012 | 960 | UNKNOWN | English - United States | RT_VERSION
10 | 2.16096 | 20 | UNKNOWN | English - United States | RT_GROUP_ICON

Imports

KERNEL32.dll
msvcrt.dll
No data.
All screenshots are available in the full report
Total processes: 47
Monitored processes: 5
Malicious processes: 2
Suspicious processes: 0

Behavior graph

(Interactive graph in the full report; click a process to see its details.) Processes shown in the graph: 7d5b7701c15ca0485c58ef36e8647d263a17e2c962102b37b2994e63834af216_rla.exe (drop and start), xelsac.exe (#TESLACRYPT), cmd.exe (no specs), vssadmin.exe, vssvc.exe (no specs)

Process information

PID: 2160
CMD: "C:\Users\admin\AppData\Local\Temp\7d5b7701c15ca0485c58ef36e8647d263a17e2c962102b37b2994e63834af216_RLA.exe"
Path: C:\Users\admin\AppData\Local\Temp\7d5b7701c15ca0485c58ef36e8647d263a17e2c962102b37b2994e63834af216_RLA.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft ACM Audio Filter
Exit code: 1
Version: 10.0.10240.16384 (th1.150709-1700)

PID: 2212
CMD: C:\Users\admin\Documents\xelsac.exe
Path: C:\Users\admin\Documents\xelsac.exe
Parent process: 7d5b7701c15ca0485c58ef36e8647d263a17e2c962102b37b2994e63834af216_RLA.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft ACM Audio Filter
Version: 10.0.10240.16384 (th1.150709-1700)

PID: 688
CMD: "C:\Windows\system32\cmd.exe" /c DEL C:\Users\admin\AppData\Local\Temp\7D5B77~1.EXE >> NUL
Path: C:\Windows\system32\cmd.exe
Parent process: 7d5b7701c15ca0485c58ef36e8647d263a17e2c962102b37b2994e63834af216_RLA.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 716
CMD: "C:\Windows\System32\vssadmin.exe" Delete Shadows /All /Quiet
Path: C:\Windows\System32\vssadmin.exe
Parent process: xelsac.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Command Line Interface for Microsoft® Volume Shadow Copy Service
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2116
CMD: C:\Windows\system32\vssvc.exe
Path: C:\Windows\system32\vssvc.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft® Volume Shadow Copy Service
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 178
Read events: 152
Write events: 26
Delete events: 0

Modification events

(PID) Process: (2160) 7d5b7701c15ca0485c58ef36e8647d263a17e2c962102b37b2994e63834af216_RLA.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 0

(PID) Process: (2160) 7d5b7701c15ca0485c58ef36e8647d263a17e2c962102b37b2994e63834af216_RLA.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 1

(PID) Process: (2212) xelsac.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 0

(PID) Process: (2212) xelsac.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 1

(PID) Process: (2212) xelsac.exe
Key: HKEY_CURRENT_USER\Software\trueimg
Operation: write
Name: ID
Value: A4FA9C70A31DC69B

(PID) Process: (2212) xelsac.exe
Key: HKEY_CURRENT_USER\Software\A4FA9C70A31DC69B
Operation: write
Name: data
Value: (omitted)

(PID) Process: (2212) xelsac.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: _ixns
Value: C:\Windows\SYSTEM32\CMD.EXE /C START C:\Users\admin\Documents\xelsac.exe

(PID) Process: (2212) xelsac.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Operation: write
Name: EnableLinkedConnections
Value: 1

(PID) Process: (2212) xelsac.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\xelsac_RASAPI32
Operation: write
Name: EnableFileTracing
Value: 0

(PID) Process: (2212) xelsac.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\xelsac_RASAPI32
Operation: write
Name: EnableConsoleTracing
Value: 0
Executable files: 1
Suspicious files: 428
Text files: 3 352
Unknown types: 0

Dropped files

PID 2212, xelsac.exe: C:\$Recycle.Bin\S-1-5-21-1302019708-1500728564-335382590-1000\RECOVERmecno.html (type: html)
  MD5: 2A4BBB72A034393C7956A3F4CC2CB7BB
  SHA256: 40A6A7C1A35F51D4A0DA7DDD4FD9F9B295B7904D8BE13295AF8E3D825B34E971

PID 2212, xelsac.exe: C:\Users\admin\AppData\Local\Adobe\Acrobat\DC\RECOVERmecno.png (type: image)
  MD5: F00B53B37A5BAEC3443F80B970EA4C70
  SHA256: 665F9B6447BCEC8E491CACD35F491E284783311B42ED956D341C5065F05DB5C1

PID 2212, xelsac.exe: C:\Users\admin\AppData\Local\Adobe\Acrobat\DC\ToolsSearchCacheRdr\RECOVERmecno.txt (type: text)
  MD5: E6143705B91B72EE9CF204F492DBC5AF
  SHA256: BEAC68322E2ADA114D5EDD3C3EB354153C018A7D513160A9AF6C950FDBEFF7AB

PID 2212, xelsac.exe: C:\Users\admin\AppData\Local\Adobe\Acrobat\DC\ToolsSearchCacheRdr\RECOVERmecno.png (type: image)
  MD5: F00B53B37A5BAEC3443F80B970EA4C70
  SHA256: 665F9B6447BCEC8E491CACD35F491E284783311B42ED956D341C5065F05DB5C1

PID 2212, xelsac.exe: C:\Users\admin\AppData\Local\Adobe\Acrobat\DC\Cache\RECOVERmecno.html (type: html)
  MD5: 2A4BBB72A034393C7956A3F4CC2CB7BB
  SHA256: 40A6A7C1A35F51D4A0DA7DDD4FD9F9B295B7904D8BE13295AF8E3D825B34E971

PID 2212, xelsac.exe: C:\Users\admin\AppData\Local\Adobe\Acrobat\DC\Cache\RECOVERmecno.png (type: image)
  MD5: F00B53B37A5BAEC3443F80B970EA4C70
  SHA256: 665F9B6447BCEC8E491CACD35F491E284783311B42ED956D341C5065F05DB5C1

PID 2212, xelsac.exe: C:\Users\admin\.oracle_jre_usage\RECOVERmecno.txt (type: text)
  MD5: E6143705B91B72EE9CF204F492DBC5AF
  SHA256: BEAC68322E2ADA114D5EDD3C3EB354153C018A7D513160A9AF6C950FDBEFF7AB

PID 2212, xelsac.exe: C:\Users\admin\.oracle_jre_usage\RECOVERmecno.html (type: html)
  MD5: 2A4BBB72A034393C7956A3F4CC2CB7BB
  SHA256: 40A6A7C1A35F51D4A0DA7DDD4FD9F9B295B7904D8BE13295AF8E3D825B34E971

PID 2212, xelsac.exe: C:\Users\admin\AppData\Local\Adobe\Acrobat\RECOVERmecno.txt (type: text)
  MD5: E6143705B91B72EE9CF204F492DBC5AF
  SHA256: BEAC68322E2ADA114D5EDD3C3EB354153C018A7D513160A9AF6C950FDBEFF7AB

PID 2160, 7d5b7701c15ca0485c58ef36e8647d263a17e2c962102b37b2994e63834af216_RLA.exe: C:\Users\admin\Documents\xelsac.exe (type: executable)
  MD5: 119D7B22E66A2086080D5105BC881895
  SHA256: D0C5802C313484A79CDA178C08E7B54437695054DD3CFEBF7FA687E8DF32E172
Download the PCAP, analyze network streams, HTTP content and a lot more in the full report

HTTP(S) requests: 3
TCP/UDP connections: 4
DNS requests: 6
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2212 | xelsac.exe | POST | - | 5.2.87.161:80 | http://shampooherbal.com/phsys.php | TR | - | - | shared
2212 | xelsac.exe | POST | - | 204.11.56.48:80 | http://commonsenseprotection.com/phsys.php | VG | - | - | malicious
2212 | xelsac.exe | POST | 400 | 104.28.11.229:80 | http://hmgame.net/phsys.php | US | html | 226 b | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2212 | xelsac.exe | 204.11.56.48:80 | commonsenseprotection.com | Confluence Networks Inc | VG | malicious
2212 | xelsac.exe | 91.195.240.126:80 | esbook.com | SEDO GmbH | DE | malicious
2212 | xelsac.exe | 104.28.11.229:80 | hmgame.net | Cloudflare Inc | US | malicious
2212 | xelsac.exe | 5.2.87.161:80 | shampooherbal.com | Alastyr Telekomunikasyon A.S. | TR | malicious

DNS requests

Domain | IP | Reputation
esbook.com | 91.195.240.126 | malicious
hmgame.net | 104.28.11.229, 104.28.10.229 | malicious
shampooherbal.com | 5.2.87.161 | shared
exaltation.info | - | unknown
commonsenseprotection.com | 204.11.56.48 | malicious
ebookstoreforyou.com | - | unknown

Threats

PID | Process | Class | Message
2212 | xelsac.exe | A Network Trojan was detected | ET TROJAN Suspicious Accept in HTTP POST - Possible Alphacrypt/TeslaCrypt
2212 | xelsac.exe | A Network Trojan was detected | ET TROJAN Alphacrypt/TeslaCrypt Ransomware CnC Beacon
2212 | xelsac.exe | A Network Trojan was detected | ET TROJAN Suspicious Accept in HTTP POST - Possible Alphacrypt/TeslaCrypt
2212 | xelsac.exe | A Network Trojan was detected | ET TROJAN Alphacrypt/TeslaCrypt Ransomware CnC Beacon
2212 | xelsac.exe | A Network Trojan was detected | ET TROJAN Suspicious Accept in HTTP POST - Possible Alphacrypt/TeslaCrypt
2212 | xelsac.exe | A Network Trojan was detected | ET TROJAN Alphacrypt/TeslaCrypt Ransomware CnC Beacon
No debug info