analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Подробности заказа 2019-06-17.docx.js

Full analysis: https://app.any.run/tasks/c8d449af-fe6f-45d5-b691-f1fefb7c6b53
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: June 19, 2019, 13:38:54
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
loader
ransomware
troldesh
shade
evasion
Indicators:
MIME: text/plain
File info: ASCII text, with very long lines, with CRLF, LF line terminators
MD5:

E52EB0B7D0559EC90B04A22A9818AE11

SHA1:

BB1ED205725E68A1AF210F8EF2F1D64DB2CD8E45

SHA256:

43A93CC7AFCDD59C8579B547C8F345A0355C00ED9643B0E675136DFA7EC4850B

SSDEEP:

192:A2Q0hvwmY6Yrrr1CwkJ2VOtMpbxAq9eVBpM/z4bTvh58GnTmDdg1rP2ZfoNFYuc4:A2QMBYJC9tUiq9ezpu8Z58GT2iaZbs

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • rad4B475.tmp (PID: 2276)
    • Downloads executable files from the Internet

      • WScript.exe (PID: 2944)
    • Changes the autorun value in the registry

      • rad4B475.tmp (PID: 2276)
    • TROLDESH was detected

      • rad4B475.tmp (PID: 2276)
    • Actions looks like stealing of personal data

      • rad4B475.tmp (PID: 2276)
    • Modifies files in Chrome extension folder

      • rad4B475.tmp (PID: 2276)
  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • WScript.exe (PID: 2944)
    • Executable content was dropped or overwritten

      • WScript.exe (PID: 2944)
      • rad4B475.tmp (PID: 2276)
    • Starts application with an unusual extension

      • cmd.exe (PID: 608)
    • Creates files in the user directory

      • WScript.exe (PID: 2944)
    • Creates files in the program directory

      • rad4B475.tmp (PID: 2276)
    • Checks for external IP

      • rad4B475.tmp (PID: 2276)
  • INFO

    • Dropped object may contain URL to Tor Browser

      • rad4B475.tmp (PID: 2276)
    • Dropped object may contain TOR URL's

      • rad4B475.tmp (PID: 2276)
    • Dropped object may contain Bitcoin addresses

      • rad4B475.tmp (PID: 2276)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
38
Monitored processes
4
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start wscript.exe cmd.exe no specs #TROLDESH rad4b475.tmp vssadmin.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2944"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\Подробности заказа 2019-06-17.docx.js"C:\Windows\System32\WScript.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
608"C:\Windows\System32\cmd.exe" /c C:\Users\admin\AppData\Local\Temp\rad4B475.tmpC:\Windows\System32\cmd.exeWScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2276C:\Users\admin\AppData\Local\Temp\rad4B475.tmpC:\Users\admin\AppData\Local\Temp\rad4B475.tmp
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Signup
Version:
6.00.2600.0000 (xpclient.010817-1148)
3676C:\Windows\system32\vssadmin.exe List ShadowsC:\Windows\system32\vssadmin.exerad4B475.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Command Line Interface for Microsoft® Volume Shadow Copy Service
Exit code:
2
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
198
Read events
169
Write events
29
Delete events
0

Modification events

(PID) Process:(2944) WScript.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASAPI32
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(2944) WScript.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASAPI32
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(2944) WScript.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASAPI32
Operation:writeName:FileTracingMask
Value:
4294901760
(PID) Process:(2944) WScript.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASAPI32
Operation:writeName:ConsoleTracingMask
Value:
4294901760
(PID) Process:(2944) WScript.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASAPI32
Operation:writeName:MaxFileSize
Value:
1048576
(PID) Process:(2944) WScript.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASAPI32
Operation:writeName:FileDirectory
Value:
%windir%\tracing
(PID) Process:(2944) WScript.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASMANCS
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(2944) WScript.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASMANCS
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(2944) WScript.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASMANCS
Operation:writeName:FileTracingMask
Value:
4294901760
(PID) Process:(2944) WScript.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASMANCS
Operation:writeName:ConsoleTracingMask
Value:
4294901760
Executable files
3
Suspicious files
159
Text files
32
Unknown types
4

Dropped files

PID
Process
Filename
Type
2276rad4B475.tmpC:\Users\admin\AppData\Local\Temp\6893A5D897\state.tmp
MD5:
SHA256:
2276rad4B475.tmpC:\Users\admin\AppData\Local\Temp\6893A5D897\unverified-microdesc-consensus.tmp
MD5:
SHA256:
2276rad4B475.tmpC:\Users\admin\AppData\Local\Temp\6893A5D897\cached-certs.tmp
MD5:
SHA256:
2276rad4B475.tmpC:\Users\admin\AppData\Local\Temp\6893A5D897\cached-microdesc-consensus.tmp
MD5:
SHA256:
2276rad4B475.tmpC:\Users\Public\Videos\Sample Videos\Wildlife.wmv
MD5:
SHA256:
2276rad4B475.tmpC:\Users\admin\AppData\Local\Temp\6893A5~1\cached-certstext
MD5:C3BD238881EF1049C0F5BE137B1E65A3
SHA256:EDD746D1532B92111C5541CF4C8117703185BB0253E73E5BE11D57D5D63950C0
2944WScript.exeC:\Users\admin\AppData\Local\Temp\rad4B475.tmpexecutable
MD5:8B847E37FC8FEBC6751CBC03AC9F9C00
SHA256:7F5CAA4CEC6AE2F3FF1FD85536EE9A3E8403A70B5C03CCDB3EECC8886E34810C
2944WScript.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\1c[1].jpgexecutable
MD5:8B847E37FC8FEBC6751CBC03AC9F9C00
SHA256:7F5CAA4CEC6AE2F3FF1FD85536EE9A3E8403A70B5C03CCDB3EECC8886E34810C
2276rad4B475.tmpC:\Users\admin\AppData\Local\Temp\6893A5~1\statetext
MD5:9E0FDA18BF693D4368B89C1B030E919D
SHA256:1CE142DF4F5CED6CB28692F9C333F13D7D2A1063FF14FD0C92068D8A3A94A742
2276rad4B475.tmpC:\Users\Public\Videos\Sample Videos\N8FgX3GFVt78753mixUdbKPjmtfcxCnlQkxtbsdjVR0=.906D0F2E2F604F839E04.crypted000007
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
12
TCP/UDP connections
21
DNS requests
4
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2944
WScript.exe
GET
200
90.156.201.59:80
http://design-constructor.ru/wp-admin/css/colors/blue/1c.jpg
RU
executable
1.08 Mb
malicious
2276
rad4B475.tmp
GET
403
104.16.154.36:80
http://whatismyipaddress.com/
US
text
100 b
shared
2276
rad4B475.tmp
GET
403
104.16.154.36:80
http://whatismyipaddress.com/
US
text
100 b
shared
2276
rad4B475.tmp
GET
403
104.16.154.36:80
http://whatismyipaddress.com/
US
text
100 b
shared
2276
rad4B475.tmp
GET
403
104.16.154.36:80
http://whatismyipaddress.com/
US
text
100 b
shared
2276
rad4B475.tmp
GET
403
104.16.154.36:80
http://whatismyipaddress.com/
US
text
100 b
shared
2276
rad4B475.tmp
GET
403
104.16.154.36:80
http://whatismyipaddress.com/
US
text
100 b
shared
2276
rad4B475.tmp
GET
403
104.16.154.36:80
http://whatismyipaddress.com/
US
text
100 b
shared
2276
rad4B475.tmp
GET
403
104.16.154.36:80
http://whatismyipaddress.com/
US
text
100 b
shared
2276
rad4B475.tmp
GET
403
104.16.154.36:80
http://whatismyipaddress.com/
US
text
100 b
shared
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2276
rad4B475.tmp
171.25.193.9:80
Foreningen for digitala fri- och rattigheter
SE
malicious
2944
WScript.exe
80.85.85.28:443
aspirationblinds.co.uk
Linode, LLC
GB
unknown
2276
rad4B475.tmp
128.31.0.39:9101
Massachusetts Institute of Technology
US
malicious
2276
rad4B475.tmp
80.67.167.81:9001
Association Gitoyen
FR
malicious
2944
WScript.exe
90.156.201.59:80
design-constructor.ru
LLC masterhost
RU
malicious
2276
rad4B475.tmp
213.239.204.62:9001
Hetzner Online GmbH
DE
suspicious
2276
rad4B475.tmp
104.18.35.131:80
whatsmyip.net
Cloudflare Inc
US
shared
104.16.154.36:80
whatismyipaddress.com
Cloudflare Inc
US
shared
2276
rad4B475.tmp
51.75.144.67:443
GB
suspicious
2276
rad4B475.tmp
104.16.154.36:80
whatismyipaddress.com
Cloudflare Inc
US
shared

DNS requests

Domain
IP
Reputation
aspirationblinds.co.uk
  • 80.85.85.28
unknown
design-constructor.ru
  • 90.156.201.59
  • 90.156.201.107
  • 90.156.201.56
  • 90.156.201.76
malicious
whatismyipaddress.com
  • 104.16.154.36
  • 104.16.155.36
shared
whatsmyip.net
  • 104.18.35.131
  • 104.18.34.131
shared

Threats

PID
Process
Class
Message
2944
WScript.exe
A Network Trojan was detected
ET CURRENT_EVENTS Likely Evil EXE download from MSXMLHTTP non-exe extension M2
2944
WScript.exe
A Network Trojan was detected
ET TROJAN JS/WSF Downloader Dec 08 2016 M4
2944
WScript.exe
Misc activity
SUSPICIOUS [PTsecurity] PE as Image Content type mismatch
2276
rad4B475.tmp
Misc Attack
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 184
2276
rad4B475.tmp
Misc activity
ET POLICY TLS possible TOR SSL traffic
2276
rad4B475.tmp
Potential Corporate Privacy Violation
POLICY [PTsecurity] TOR SSL connection
2276
rad4B475.tmp
Misc activity
ET POLICY TLS possible TOR SSL traffic
2276
rad4B475.tmp
Potential Corporate Privacy Violation
POLICY [PTsecurity] TOR SSL connection
2276
rad4B475.tmp
Misc Attack
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 515
2276
rad4B475.tmp
Misc Attack
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 352
25 ETPRO signatures available at the full report
No debug info