analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Информация о заказе.2019-07-16.docx.js

Full analysis: https://app.any.run/tasks/8c144e81-de7c-4669-b3b6-5af0b4268e07
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: July 17, 2019, 12:51:45
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
opendir
ransomware
troldesh
shade
loader
evasion
Indicators:
MIME: text/plain
File info: ASCII text, with very long lines, with CRLF, LF line terminators
MD5:

60DEAC7B66DA0DEF66DEAF760529C22E

SHA1:

6A591191A5BFEA37F4552F60FB2E7C967D279991

SHA256:

8146996C7700DC2B187D980E54C6EE5383EE42505BD5F8080C5E0388898EB808

SSDEEP:

192:Ym+DXaGcyKU5KKCX3nXl3+W8KHWvT8bC47vW4SJs5:GDXjf5KKm3nXd+TDT3yvwq

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • radE71CE.tmp (PID: 356)
    • Changes the autorun value in the registry

      • radE71CE.tmp (PID: 356)
    • TROLDESH was detected

      • radE71CE.tmp (PID: 356)
    • Downloads executable files from the Internet

      • WScript.exe (PID: 3464)
    • Actions looks like stealing of personal data

      • radE71CE.tmp (PID: 356)
    • Modifies files in Chrome extension folder

      • radE71CE.tmp (PID: 356)
  • SUSPICIOUS

    • Creates files in the program directory

      • radE71CE.tmp (PID: 356)
    • Executable content was dropped or overwritten

      • WScript.exe (PID: 3464)
      • radE71CE.tmp (PID: 356)
    • Starts application with an unusual extension

      • cmd.exe (PID: 3460)
    • Starts CMD.EXE for commands execution

      • WScript.exe (PID: 3464)
    • Checks for external IP

      • radE71CE.tmp (PID: 356)
  • INFO

    • Dropped object may contain URL to Tor Browser

      • radE71CE.tmp (PID: 356)
    • Dropped object may contain TOR URL's

      • radE71CE.tmp (PID: 356)
    • Dropped object may contain Bitcoin addresses

      • radE71CE.tmp (PID: 356)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
37
Monitored processes
4
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start wscript.exe cmd.exe no specs #TROLDESH rade71ce.tmp vssadmin.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3464"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\Информация о заказе.2019-07-16.docx.js"C:\Windows\System32\WScript.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
3460"C:\Windows\System32\cmd.exe" /c C:\Users\admin\AppData\Local\Temp\radE71CE.tmpC:\Windows\System32\cmd.exeWScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
356C:\Users\admin\AppData\Local\Temp\radE71CE.tmpC:\Users\admin\AppData\Local\Temp\radE71CE.tmp
cmd.exe
User:
admin
Company:
QIHU 360 SOFTWARE CO. LIMITED
Integrity Level:
MEDIUM
Description:
360 Patch Up
Version:
8, 6, 0, 1003
2736C:\Windows\system32\vssadmin.exe List ShadowsC:\Windows\system32\vssadmin.exeradE71CE.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Command Line Interface for Microsoft® Volume Shadow Copy Service
Exit code:
2
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
189
Read events
161
Write events
28
Delete events
0

Modification events

(PID) Process:(3464) WScript.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASAPI32
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(3464) WScript.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASAPI32
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(3464) WScript.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASAPI32
Operation:writeName:FileTracingMask
Value:
4294901760
(PID) Process:(3464) WScript.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASAPI32
Operation:writeName:ConsoleTracingMask
Value:
4294901760
(PID) Process:(3464) WScript.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASAPI32
Operation:writeName:MaxFileSize
Value:
1048576
(PID) Process:(3464) WScript.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASAPI32
Operation:writeName:FileDirectory
Value:
%windir%\tracing
(PID) Process:(3464) WScript.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASMANCS
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(3464) WScript.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASMANCS
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(3464) WScript.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASMANCS
Operation:writeName:FileTracingMask
Value:
4294901760
(PID) Process:(3464) WScript.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASMANCS
Operation:writeName:ConsoleTracingMask
Value:
4294901760
Executable files
3
Suspicious files
26
Text files
24
Unknown types
0

Dropped files

PID
Process
Filename
Type
356radE71CE.tmpC:\Users\admin\AppData\Local\Temp\6893A5D897\state.tmp
MD5:
SHA256:
356radE71CE.tmpC:\Users\admin\AppData\Local\Temp\6893A5D897\unverified-microdesc-consensus.tmp
MD5:
SHA256:
356radE71CE.tmpC:\Users\admin\AppData\Local\Temp\6893A5D897\cached-certs.tmp
MD5:
SHA256:
356radE71CE.tmpC:\Users\admin\AppData\Local\Temp\6893A5D897\cached-microdesc-consensus.tmp
MD5:
SHA256:
356radE71CE.tmpC:\Users\Public\Videos\Sample Videos\Wildlife.wmv
MD5:
SHA256:
356radE71CE.tmpC:\Users\Public\Videos\Sample Videos\Y1lNx+BMNsGrsZFPfM776YlAq2jgDQDmm99zWMkjKZE=.906D0F2E2F604F839E04.crypted000007
MD5:
SHA256:
356radE71CE.tmpC:\Users\Public\Pictures\Sample Pictures\Tulips.jpg
MD5:
SHA256:
356radE71CE.tmpC:\Users\admin\AppData\Local\Temp\6893A5~1\unverified-microdesc-consensustext
MD5:783068C0E03341DFABCC384FF2FDB720
SHA256:AD46B5D300791347B72FC8A50ED9677CC3EACB45BD8D03FBBA8AD8717BAEA0CD
356radE71CE.tmpC:\Users\Public\Pictures\Sample Pictures\Penguins.jpg
MD5:
SHA256:
3464WScript.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\1c[1].jpgexecutable
MD5:22279FE757AD953E3EB1C22291AD2E18
SHA256:DD1690BBC16C2B44DA6F2291E14AB3635F90291A34109744A05E2C82489B3555
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
12
TCP/UDP connections
18
DNS requests
4
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
356
radE71CE.tmp
GET
403
104.16.155.36:80
http://whatismyipaddress.com/
US
text
100 b
shared
356
radE71CE.tmp
GET
403
104.16.155.36:80
http://whatismyipaddress.com/
US
text
100 b
shared
356
radE71CE.tmp
GET
403
104.16.155.36:80
http://whatismyipaddress.com/
US
text
100 b
shared
356
radE71CE.tmp
GET
403
104.16.155.36:80
http://whatismyipaddress.com/
US
text
100 b
shared
356
radE71CE.tmp
GET
403
104.16.155.36:80
http://whatismyipaddress.com/
US
text
100 b
shared
356
radE71CE.tmp
GET
403
104.16.155.36:80
http://whatismyipaddress.com/
US
text
100 b
shared
356
radE71CE.tmp
GET
403
104.16.155.36:80
http://whatismyipaddress.com/
US
text
100 b
shared
356
radE71CE.tmp
GET
403
104.16.155.36:80
http://whatismyipaddress.com/
US
text
100 b
shared
3464
WScript.exe
GET
200
138.68.93.57:80
http://edu.interyouth.net/wp-admin/css/colors/blue/1c.jpg
DE
executable
1.49 Mb
malicious
356
radE71CE.tmp
GET
403
104.16.155.36:80
http://whatismyipaddress.com/
US
text
100 b
shared
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3464
WScript.exe
138.68.93.57:80
edu.interyouth.net
Digital Ocean, Inc.
DE
suspicious
356
radE71CE.tmp
212.83.61.218:443
23media GmbH
DE
suspicious
356
radE71CE.tmp
128.31.0.39:9101
Massachusetts Institute of Technology
US
malicious
3464
WScript.exe
5.189.143.169:443
de.portret.expert
Contabo GmbH
DE
suspicious
356
radE71CE.tmp
193.23.244.244:443
Chaos Computer Club e.V.
DE
malicious
356
radE71CE.tmp
51.15.64.194:443
Online S.a.s.
FR
suspicious
356
radE71CE.tmp
104.18.34.131:80
whatsmyip.net
Cloudflare Inc
US
shared
356
radE71CE.tmp
104.16.155.36:80
whatismyipaddress.com
Cloudflare Inc
US
shared
356
radE71CE.tmp
93.186.200.213:9001
myLoc managed IT AG
DE
suspicious

DNS requests

Domain
IP
Reputation
de.portret.expert
  • 5.189.143.169
unknown
edu.interyouth.net
  • 138.68.93.57
malicious
whatismyipaddress.com
  • 104.16.155.36
  • 104.16.154.36
shared
whatsmyip.net
  • 104.18.34.131
  • 104.18.35.131
shared

Threats

PID
Process
Class
Message
3464
WScript.exe
A Network Trojan was detected
ET CURRENT_EVENTS Likely Evil EXE download from MSXMLHTTP non-exe extension M2
3464
WScript.exe
A Network Trojan was detected
ET TROJAN JS/WSF Downloader Dec 08 2016 M4
3464
WScript.exe
Misc activity
SUSPICIOUS [PTsecurity] PE as Image Content type mismatch
356
radE71CE.tmp
Misc Attack
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 281
356
radE71CE.tmp
Potential Corporate Privacy Violation
POLICY [PTsecurity] TOR SSL connection
356
radE71CE.tmp
Misc activity
ET POLICY TLS possible TOR SSL traffic
356
radE71CE.tmp
Potential Corporate Privacy Violation
POLICY [PTsecurity] TOR SSL connection
356
radE71CE.tmp
Misc Attack
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 353
356
radE71CE.tmp
Misc Attack
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 507
356
radE71CE.tmp
Misc Attack
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 704
25 ETPRO signatures available at the full report
No debug info