File name:

Информация о заказе.2019-09.10.docx.js

Full analysis: https://app.any.run/tasks/c03838bb-6e6d-46c7-9a39-40bf50741c82
Verdict: Malicious activity
Threats:

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Malware Trends Tracker     >>>
Analysis date: September 11, 2019, 08:58:29
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
ransomware
troldesh
shade
evasion
Indicators:
MIME: text/plain
File info: ASCII text, with very long lines, with CRLF, LF line terminators
MD5:

5CCD8457DE21E9D75F54B8EFFB833EF1

SHA1:

66C5CDDFB1A95D109ED0FBFBC5F976D95C1049E1

SHA256:

8A1DEC1BD97C51899BC67EF80676D3884828BAC030EA65A0830A227823EF91C9

SSDEEP:

384:sPa2EwISLSsvrGDfXWXrKLfoawUQnrD5js29:ssIvvrGbWXrYQRjN

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • rad58900.tmp (PID: 2396)
      • rad58900.tmp (PID: 2528)

    • Changes the autorun value in the registry

      • rad58900.tmp (PID: 2528)

    • TROLDESH was detected

      • rad58900.tmp (PID: 2528)

    • Deletes shadow copies

      • rad58900.tmp (PID: 2528)

    • Dropped file may contain instructions of ransomware

      • rad58900.tmp (PID: 2528)

    • Downloads executable files from the Internet

      • WScript.exe (PID: 3428)

    • Runs app for hidden code execution

      • rad58900.tmp (PID: 2528)

    • Actions looks like stealing of personal data

      • rad58900.tmp (PID: 2528)

    • Modifies files in Chrome extension folder

      • rad58900.tmp (PID: 2528)

  • SUSPICIOUS

    • Starts application with an unusual extension

      • cmd.exe (PID: 3664)
      • rad58900.tmp (PID: 2396)
      • cmd.exe (PID: 2492)

    • Executable content was dropped or overwritten

      • WScript.exe (PID: 3428)
      • rad58900.tmp (PID: 2528)

    • Starts CMD.EXE for commands execution

      • WScript.exe (PID: 3428)
      • rad58900.tmp (PID: 2528)

    • Application launched itself

      • rad58900.tmp (PID: 2396)

    • Creates files in the program directory

      • rad58900.tmp (PID: 2528)

    • Creates files like Ransomware instruction

      • rad58900.tmp (PID: 2528)

    • Creates files in the user directory

      • rad58900.tmp (PID: 2528)

    • Executed as Windows Service

      • vssvc.exe (PID: 3392)

    • Searches for installed software

      • rad58900.tmp (PID: 2528)

  • INFO

    • Dropped object may contain TOR URL's

      • rad58900.tmp (PID: 2528)

    • Dropped object may contain URL to Tor Browser

      • rad58900.tmp (PID: 2528)

    • Dropped object may contain Bitcoin addresses

      • rad58900.tmp (PID: 2528)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
53
Monitored processes
9
Malicious processes
4
Suspicious processes
0

Behavior graph

Click at the process to see the details
start wscript.exe cmd.exe no specs rad58900.tmp no specs #TROLDESH rad58900.tmp vssadmin.exe no specs vssadmin.exe cmd.exe no specs vssvc.exe no specs chcp.com no specs

Process information

PID
CMD
Path
Indicators
Parent process
564"C:\Windows\system32\vssadmin.exe" Delete Shadows /All /QuietC:\Windows\system32\vssadmin.exe
rad58900.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Command Line Interface for Microsoft® Volume Shadow Copy Service
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\vssadmin.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
2396C:\Users\admin\AppData\Local\Temp\rad58900.tmpC:\Users\admin\AppData\Local\Temp\rad58900.tmpcmd.exe
User:
admin
Company:
InstallShield Software Corporation
Integrity Level:
MEDIUM
Description:
Mystifying Letterhead Went
Exit code:
0
Version:
5.3.4.6
Modules
Images
c:\users\admin\appdata\local\temp\rad58900.tmp
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
2492C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exerad58900.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
2528C:\Users\admin\AppData\Local\Temp\rad58900.tmpC:\Users\admin\AppData\Local\Temp\rad58900.tmp
rad58900.tmp
User:
admin
Company:
InstallShield Software Corporation
Integrity Level:
MEDIUM
Description:
Mystifying Letterhead Went
Exit code:
0
Version:
5.3.4.6
Modules
Images
c:\users\admin\appdata\local\temp\rad58900.tmp
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
2756C:\Windows\system32\vssadmin.exe List ShadowsC:\Windows\system32\vssadmin.exerad58900.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Command Line Interface for Microsoft® Volume Shadow Copy Service
Exit code:
2
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\vssadmin.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
3392C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exeservices.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Volume Shadow Copy Service
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\vssvc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
3428"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\Информация о заказе.2019-09.10.docx.js"C:\Windows\System32\WScript.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
Modules
Images
c:\windows\system32\wscript.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
3580chcpC:\Windows\system32\chcp.comcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Change CodePage Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\chcp.com
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
3664"C:\Windows\System32\cmd.exe" /c C:\Users\admin\AppData\Local\Temp\rad58900.tmpC:\Windows\System32\cmd.exeWScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
Total events
567
Read events
530
Write events
37
Delete events
0

Modification events

(PID) Process:(3428) WScript.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASAPI32
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(3428) WScript.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASAPI32
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(3428) WScript.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASAPI32
Operation:writeName:FileTracingMask
Value:
4294901760
(PID) Process:(3428) WScript.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASAPI32
Operation:writeName:ConsoleTracingMask
Value:
4294901760
(PID) Process:(3428) WScript.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASAPI32
Operation:writeName:MaxFileSize
Value:
1048576
(PID) Process:(3428) WScript.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASAPI32
Operation:writeName:FileDirectory
Value:
%windir%\tracing
(PID) Process:(3428) WScript.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASMANCS
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(3428) WScript.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASMANCS
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(3428) WScript.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASMANCS
Operation:writeName:FileTracingMask
Value:
4294901760
(PID) Process:(3428) WScript.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASMANCS
Operation:writeName:ConsoleTracingMask
Value:
4294901760
Executable files
3
Suspicious files
1 048
Text files
33
Unknown types
37

Dropped files

PID
Process
Filename
Type
2528rad58900.tmpC:\Users\admin\AppData\Local\Temp\6893A5D897\state.tmp
MD5:
SHA256:
2528rad58900.tmpC:\Users\admin\AppData\Local\Temp\6893A5D897\unverified-microdesc-consensus.tmp
MD5:
SHA256:
2528rad58900.tmpC:\Users\admin\AppData\Local\Temp\6893A5D897\cached-certs.tmp
MD5:
SHA256:
2528rad58900.tmpC:\Users\admin\AppData\Local\Temp\6893A5D897\cached-microdesc-consensus.tmp
MD5:
SHA256:
2528rad58900.tmpC:\Users\Public\Videos\Sample Videos\Wildlife.wmv
MD5:
SHA256:
2528rad58900.tmpC:\Users\Public\Videos\Sample Videos\jOR55YGF-E7HaeoifIY9Hws1NBiy3z-FIkuidtnc6Lc=.906D0F2E2F604F839E04.crypted000007
MD5:
SHA256:
2528rad58900.tmpC:\Users\Public\Pictures\Sample Pictures\Tulips.jpg
MD5:
SHA256:
2528rad58900.tmpC:\Users\Public\Pictures\Sample Pictures\Penguins.jpg
MD5:
SHA256:
2528rad58900.tmpC:\Users\Public\Pictures\Sample Pictures\Lighthouse.jpg
MD5:
SHA256:
2528rad58900.tmpC:\Users\Public\Pictures\Sample Pictures\Koala.jpg
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
9
DNS requests
2
Threats
20

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2528
rad58900.tmp
GET
200
66.171.248.178:80
http://ipv4bot.whatismyipaddress.com/
US
text
14 b
shared
3428
WScript.exe
GET
200
162.216.45.5:80
http://moonlight-theater.com/Scripts/2c.jpg
US
executable
1.85 Mb
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3428
WScript.exe
162.216.45.5:80
moonlight-theater.com
Total Server Solutions L.L.C.
US
malicious
2528
rad58900.tmp
154.35.32.5:443
Rethem Hosting LLC
US
suspicious
2528
rad58900.tmp
194.109.206.212:443
Xs4all Internet BV
NL
malicious
2528
rad58900.tmp
193.23.244.244:443
Chaos Computer Club e.V.
DE
malicious
2528
rad58900.tmp
171.25.193.9:80
Foreningen for digitala fri- och rattigheter
SE
malicious
2528
rad58900.tmp
85.159.237.210:443
NForce Entertainment B.V.
NL
suspicious
2528
rad58900.tmp
46.232.248.100:9001
suspicious
2528
rad58900.tmp
66.171.248.178:80
ipv4bot.whatismyipaddress.com
Alchemy Communications, Inc.
US
malicious
2528
rad58900.tmp
136.243.82.132:9001
Hetzner Online GmbH
DE
suspicious

DNS requests

Domain
IP
Reputation
moonlight-theater.com
  • 162.216.45.5
malicious
ipv4bot.whatismyipaddress.com
  • 66.171.248.178
shared

Threats

PID
Process
Class
Message
3428
WScript.exe
A Network Trojan was detected
ET CURRENT_EVENTS Likely Evil EXE download from MSXMLHTTP non-exe extension M2
3428
WScript.exe
A Network Trojan was detected
ET TROJAN JS/WSF Downloader Dec 08 2016 M4
3428
WScript.exe
Misc activity
SUSPICIOUS [PTsecurity] PE as Image Content type mismatch
2528
rad58900.tmp
Misc Attack
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 270
2528
rad58900.tmp
Potential Corporate Privacy Violation
POLICY [PTsecurity] TOR SSL connection
2528
rad58900.tmp
Misc Attack
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 183
2528
rad58900.tmp
Misc activity
ET POLICY TLS possible TOR SSL traffic
2528
rad58900.tmp
Potential Corporate Privacy Violation
POLICY [PTsecurity] TOR SSL connection
2528
rad58900.tmp
Misc Attack
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 626
2528
rad58900.tmp
Misc Attack
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 130
3 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Информация о заказе.2019-09.10.docx.js