analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

1c.exe

Full analysis: https://app.any.run/tasks/08161d8d-35c5-4031-a4fe-ac0d64e39822
Verdict: Malicious activity
Threats:

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Malware Trends Tracker     >>>
Analysis date: July 18, 2019, 11:32:35
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
ransomware
troldesh
shade
evasion
trojan
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

4A4608A2C2707B4DD2BC4B733EF4EF96

SHA1:

65F4AFC13C28CAF3FCF4E0E0921E3E152E9B8422

SHA256:

EFC8A598D15F50646444551C6FF08CEA8C3A173F307ECC0B42AAA94D043FBA3A

SSDEEP:

24576:vlGY60lLlU+Y2swKceHqopucVwKE69eANMGaisJSOk5w:v/dAlcEpu3KrM3UC

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Changes the autorun value in the registry

      • 1c.exe (PID: 3004)

    • TROLDESH was detected

      • 1c.exe (PID: 3004)

    • Runs app for hidden code execution

      • 1c.exe (PID: 3004)

    • Deletes shadow copies

      • 1c.exe (PID: 3004)

    • Dropped file may contain instructions of ransomware

      • 1c.exe (PID: 3004)

    • Actions looks like stealing of personal data

      • 1c.exe (PID: 3004)

    • Modifies files in Chrome extension folder

      • 1c.exe (PID: 3004)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 1c.exe (PID: 3004)

    • Checks for external IP

      • 1c.exe (PID: 3004)

    • Creates files in the program directory

      • 1c.exe (PID: 3004)

    • Creates files like Ransomware instruction

      • 1c.exe (PID: 3004)

    • Creates files in the user directory

      • 1c.exe (PID: 3004)

    • Executed as Windows Service

      • vssvc.exe (PID: 4012)

    • Starts CMD.EXE for commands execution

      • 1c.exe (PID: 3004)

    • Starts application with an unusual extension

      • cmd.exe (PID: 3776)

  • INFO

    • Dropped object may contain URL to Tor Browser

      • 1c.exe (PID: 3004)

    • Manual execution by user

      • NOTEPAD.EXE (PID: 2956)

    • Dropped object may contain TOR URL's

      • 1c.exe (PID: 3004)

    • Dropped object may contain Bitcoin addresses

      • 1c.exe (PID: 3004)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

Tag50813074416: D
nderbird: 6BuildID
shreporterexe: 8 ProductName
illa: LOriginalFilename
ternalName: 8LegalTrademarks
Tag20esrpre:
leDescription: :FileVersion
illaFoundation: (
enseMPL2: FCompanyName
Comments: BLegalCopyright
CharacterSet: Unicode
LanguageCode: Neutral
FileSubtype: -
ObjectFileType: Dynamic link library
FileOS: Win32
FileFlags: Pre-release
FileFlagsMask: 0x003f
ProductVersionNumber: 38.2.0.5703
FileVersionNumber: 38.2.0.5703
Subsystem: Windows GUI
SubsystemVersion: 5
ImageVersion: -
OSVersion: 5
EntryPoint: 0x710f
UninitializedDataSize: -
InitializedDataSize: 1064960
CodeSize: 49664
LinkerVersion: 9
PEType: PE32
TimeStamp: 2019:07:18 05:07:32+02:00
MachineType: Intel 386 or later, and compatibles
No data.
screenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
49
Monitored processes
7
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #TROLDESH 1c.exe vssadmin.exe no specs vssadmin.exe vssvc.exe no specs cmd.exe no specs chcp.com no specs notepad.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3004"C:\Users\admin\AppData\Local\Temp\1c.exe" C:\Users\admin\AppData\Local\Temp\1c.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
3184C:\Windows\system32\vssadmin.exe List ShadowsC:\Windows\system32\vssadmin.exe1c.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Command Line Interface for Microsoft® Volume Shadow Copy Service
Exit code:
2
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3040"C:\Windows\system32\vssadmin.exe" Delete Shadows /All /QuietC:\Windows\system32\vssadmin.exe
1c.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Command Line Interface for Microsoft® Volume Shadow Copy Service
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
4012C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exeservices.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Volume Shadow Copy Service
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3776C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe1c.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
4048chcpC:\Windows\system32\chcp.comcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Change CodePage Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2956"C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\README5.txtC:\Windows\system32\NOTEPAD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Notepad
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
121
Read events
99
Write events
22
Delete events
0

Modification events

(PID) Process:(3004) 1c.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\System32\Configuration
Operation:writeName:xi
Value:
906D0F2E2F604F839E04
(PID) Process:(3004) 1c.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:Client Server Runtime Subsystem
Value:
"C:\ProgramData\Windows\csrss.exe"
(PID) Process:(3004) 1c.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\System32\Configuration
Operation:writeName:xVersion
Value:
4.0.0.1
(PID) Process:(3004) 1c.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\System32\Configuration
Operation:writeName:xmail
Value:
1
(PID) Process:(3004) 1c.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\System32\Configuration
Operation:writeName:xmode
Value:
0
(PID) Process:(3004) 1c.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\System32\Configuration
Operation:writeName:xpk
Value:
-----BEGIN PUBLIC KEY----- MIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEA8mn4F2LJ2xbiQ2U0nRya c1tR+wN6CcLUa3lCLO+4Hj4gGGvPGugPV/9l2cAkeQZahnqlgKG51eaFO1UYdmPs zyNfi9qlgFndoFL8XsxFHJ4C9BqqlIpD15pglgrubqX0lZGlI27dXh4bu3fA9zrI ULugLryqMmIId6MDIY2WalR+7Vpq8ATM6VN1/+CKBDEcdHeWsNScgxtKOVa20E60 qOWxzdUoCeMHgMr+Q8kzPQzreyejLbBZL9cXTxstXJVsA64ge/G71oZlLU7j2Ujp EHkXR4G0I5QBEQu62K0R+cz3FqxP6CN6Pm1MJb8XHkU54FYsVsLsk5nasUMUZ9Uq 5ikgVEO65k7bgwi9nGZsyDlWDOwbGuSRreLAVKeCDiO2jfSBOTH16gIyT9rE7UDj 6SRe2guJhe2sqwXpwgmTJsWffQmzg5vQwWrL4UXUASCWvtODBBTq8jGom9T5Aet/ gsLcsM1ozqI961wp6RZPO1WluzsxvpDT4bCJmc5D6dp/AgMBAAE= -----END PUBLIC KEY-----
(PID) Process:(3004) 1c.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\System32\Configuration
Operation:writeName:xstate
Value:
3
(PID) Process:(3004) 1c.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\System32\Configuration
Operation:writeName:xcnt
Value:
0
(PID) Process:(3004) 1c.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\System32\Configuration
Operation:writeName:xstate
Value:
4
(PID) Process:(3004) 1c.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\System32\Configuration
Operation:writeName:shst
Value:
4
Executable files
1
Suspicious files
1 070
Text files
46
Unknown types
22

Dropped files

PID
Process
Filename
Type
30041c.exeC:\Users\admin\AppData\Local\Temp\6893A5D897\state.tmp
MD5:
SHA256:
30041c.exeC:\Users\admin\AppData\Local\Temp\6893A5D897\unverified-microdesc-consensus.tmp
MD5:
SHA256:
30041c.exeC:\Users\admin\AppData\Local\Temp\6893A5D897\cached-certs.tmp
MD5:
SHA256:
30041c.exeC:\Users\admin\AppData\Local\Temp\6893A5D897\cached-microdesc-consensus.tmp
MD5:
SHA256:
30041c.exeC:\Users\Public\Videos\Sample Videos\Wildlife.wmv
MD5:
SHA256:
30041c.exeC:\Users\Public\Videos\Sample Videos\NnftgW-1ZMTixmvqyA6pbkAOos3W0VbHXB3l6u+U1zo=.906D0F2E2F604F839E04.crypted000007
MD5:
SHA256:
30041c.exeC:\Users\Public\Pictures\Sample Pictures\Tulips.jpg
MD5:
SHA256:
30041c.exeC:\Users\admin\AppData\Local\Temp\6893A5~1\cached-microdesc-consensustext
MD5:EA47C2D37445EE8528475D0A03451D0D
SHA256:19C54873EBA74A6E2F337029A81BE18F2FF939F2309B3D8BA9E3E58E0DAE4E5E
30041c.exeC:\ProgramData\Windows\csrss.exeexecutable
MD5:4A4608A2C2707B4DD2BC4B733EF4EF96
SHA256:EFC8A598D15F50646444551C6FF08CEA8C3A173F307ECC0B42AAA94D043FBA3A
30041c.exeC:\Users\Public\Pictures\Sample Pictures\Penguins.jpg
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
11
TCP/UDP connections
16
DNS requests
2
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3004
1c.exe
GET
403
104.16.155.36:80
http://whatismyipaddress.com/
US
text
100 b
shared
3004
1c.exe
GET
403
104.16.155.36:80
http://whatismyipaddress.com/
US
text
100 b
shared
3004
1c.exe
GET
403
104.16.155.36:80
http://whatismyipaddress.com/
US
text
100 b
shared
3004
1c.exe
GET
403
104.16.155.36:80
http://whatismyipaddress.com/
US
text
100 b
shared
3004
1c.exe
GET
403
104.16.155.36:80
http://whatismyipaddress.com/
US
text
100 b
shared
3004
1c.exe
GET
403
104.16.155.36:80
http://whatismyipaddress.com/
US
text
100 b
shared
3004
1c.exe
GET
403
104.16.155.36:80
http://whatismyipaddress.com/
US
text
100 b
shared
3004
1c.exe
GET
403
104.16.155.36:80
http://whatismyipaddress.com/
US
text
100 b
shared
3004
1c.exe
GET
403
104.16.155.36:80
http://whatismyipaddress.com/
US
text
100 b
shared
3004
1c.exe
GET
403
104.16.155.36:80
http://whatismyipaddress.com/
US
text
100 b
shared
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3004
1c.exe
212.51.134.123:9001
Init7 (Switzerland) Ltd.
CH
suspicious
3004
1c.exe
193.23.244.244:443
Chaos Computer Club e.V.
DE
malicious
3004
1c.exe
5.79.85.81:1856
LeaseWeb Netherlands B.V.
NL
suspicious
3004
1c.exe
171.25.193.9:80
Foreningen for digitala fri- och rattigheter
SE
malicious
3004
1c.exe
104.18.35.131:80
whatsmyip.net
Cloudflare Inc
US
shared
3004
1c.exe
104.16.155.36:80
whatismyipaddress.com
Cloudflare Inc
US
shared
3004
1c.exe
195.189.96.148:443
Collective Production Enterprise Yapic.Net
RU
suspicious

DNS requests

Domain
IP
Reputation
whatismyipaddress.com
  • 104.16.155.36
  • 104.16.154.36
shared
whatsmyip.net
  • 104.18.35.131
  • 104.18.34.131
shared

Threats

PID
Process
Class
Message
3004
1c.exe
Misc Attack
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 272
3004
1c.exe
Potential Corporate Privacy Violation
POLICY [PTsecurity] TOR SSL connection
3004
1c.exe
Misc Attack
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 182
3004
1c.exe
Misc activity
ET POLICY TLS possible TOR SSL traffic
3004
1c.exe
Potential Corporate Privacy Violation
POLICY [PTsecurity] TOR SSL connection
3004
1c.exe
Misc Attack
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 282
3004
1c.exe
Misc Attack
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 527
3004
1c.exe
Misc Attack
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 340
3004
1c.exe
Misc activity
ET POLICY TLS possible TOR SSL traffic
3004
1c.exe
Misc activity
ET POLICY TLS possible TOR SSL traffic
23 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
1c.exe