analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Подробности заказа ОАО АК _УРАЛЬСКИЕ АВИАЛИНИИ_.js

Full analysis: https://app.any.run/tasks/48e8ceb1-518d-4428-a939-1cf7e474112e
Verdict: Malicious activity
Threats:

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Malware Trends Tracker     >>>
Analysis date: March 14, 2019, 11:54:50
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
ransomware
troldesh
shade
Indicators:
MIME: text/plain
File info: ASCII text, with CRLF, LF line terminators
MD5:

BB278CE3425232C81F4EE4794876B7B0

SHA1:

E87414074FE77DC804AC1AE23E9A03ACA9F3046A

SHA256:

C3269ED2F47D94F96417A0EA4B3E2AF28892FD6C74E5E104226CCA0317BF3926

SSDEEP:

96:jG+dK4fnWkk3b/zDwh62f2SyJZQtG74WjysEJNlNysfI6jGoxcKHeaYAUmFDjsAB:jJZnWkYbfwh6kZyJZQtfwEJNlFw7s17L

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • rad3DDFB.tmp (PID: 2440)

    • Changes the autorun value in the registry

      • rad3DDFB.tmp (PID: 2440)

    • TROLDESH was detected

      • rad3DDFB.tmp (PID: 2440)

  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • WScript.exe (PID: 3492)

    • Creates files in the program directory

      • rad3DDFB.tmp (PID: 2440)

    • Connects to unusual port

      • rad3DDFB.tmp (PID: 2440)

    • Executable content was dropped or overwritten

      • rad3DDFB.tmp (PID: 2440)
      • WScript.exe (PID: 3492)

    • Starts application with an unusual extension

      • cmd.exe (PID: 3708)

  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
33
Monitored processes
3
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start wscript.exe cmd.exe no specs #TROLDESH rad3ddfb.tmp

Process information

PID
CMD
Path
Indicators
Parent process
3492"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\Подробности заказа ОАО АК _УРАЛЬСКИЕ АВИАЛИНИИ_.js"C:\Windows\System32\WScript.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
3708"C:\Windows\System32\cmd.exe" /c C:\Users\admin\AppData\Local\Temp\rad3DDFB.tmpC:\Windows\System32\cmd.exeWScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2440C:\Users\admin\AppData\Local\Temp\rad3DDFB.tmpC:\Users\admin\AppData\Local\Temp\rad3DDFB.tmp
cmd.exe
User:
admin
Company:
Burnaware
Integrity Level:
MEDIUM
Description:
Verify Disc
Version:
8.3.0.0
Total events
183
Read events
152
Write events
0
Delete events
0

Modification events

No data
Executable files
3
Suspicious files
0
Text files
1
Unknown types
0

Dropped files

PID
Process
Filename
Type
2440rad3DDFB.tmpC:\Users\admin\AppData\Local\Temp\6893A5D897\state.tmp
MD5:
SHA256:
3492WScript.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\gr[1].mpwqexecutable
MD5:69F8D94CCC76F51FE22036F9E9F58A5B
SHA256:2AB3746B1F474FE4498EB33BAE6B8A3ACD82110A34C4FD04DB5AB755130E5083
3492WScript.exeC:\Users\admin\AppData\Local\Temp\rad3DDFB.tmpexecutable
MD5:69F8D94CCC76F51FE22036F9E9F58A5B
SHA256:2AB3746B1F474FE4498EB33BAE6B8A3ACD82110A34C4FD04DB5AB755130E5083
2440rad3DDFB.tmpC:\ProgramData\Windows\csrss.exeexecutable
MD5:69F8D94CCC76F51FE22036F9E9F58A5B
SHA256:2AB3746B1F474FE4498EB33BAE6B8A3ACD82110A34C4FD04DB5AB755130E5083
2440rad3DDFB.tmpC:\Users\admin\AppData\Local\Temp\6893A5~1\statetext
MD5:21BBD43351F9B3B69D0D8FE821E98A2C
SHA256:C4252B559FEE9CD83C02493D73004035B32D81651A095E8031DDD931600BB345
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
8
DNS requests
2
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2440
rad3DDFB.tmp
154.35.32.5:443
Rethem Hosting LLC
US
suspicious
3492
WScript.exe
23.111.184.235:443
3castillos.com
HIVELOCITY VENTURES CORP
US
unknown
3492
WScript.exe
103.196.240.191:443
canadianpricespharmacy.xyz
Serverius Holding B.V.
NL
unknown
2440
rad3DDFB.tmp
76.73.17.194:9090
Cogent Communications
US
malicious

DNS requests

Domain
IP
Reputation
canadianpricespharmacy.xyz
  • 103.196.240.191
unknown
3castillos.com
  • 23.111.184.235
unknown

Threats

PID
Process
Class
Message
3492
WScript.exe
Generic Protocol Command Decode
SURICATA STREAM excessive retransmissions
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
Подробности заказа ОАО АК _УРАЛЬСКИЕ АВИАЛИНИИ_.js