analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
download:

xls

Full analysis: https://app.any.run/tasks/39682fb0-d689-4b1a-8a66-f9842b8f448e
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: September 19, 2019, 08:50:28
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
loader
ransomware
troldesh
shade
evasion
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

968E5A24401EC3F72FF2917D1D9811B2

SHA1:

28CF45D3EB0F53C5B5CBA742C5745AB03F385ADF

SHA256:

E07AAE3A771BB1C3162016B2D7BF66A76878BC3FAEAF9E329A39DAF152EFECAD

SSDEEP:

192:Aib4iL5hy7fpo+1cAB4AS/QhWqsI+VoZ9w3zXj9chhNXKT4osvbg271T3ks4YN:ZD5hy7fe+1n6AEdIlwShLXKT4o+kxq

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • radB9DC1.tmp (PID: 2808)
      • radB9DC1.tmp (PID: 2824)
    • Downloads executable files from the Internet

      • WScript.exe (PID: 3460)
    • Changes the autorun value in the registry

      • radB9DC1.tmp (PID: 2824)
    • TROLDESH was detected

      • radB9DC1.tmp (PID: 2824)
    • Deletes shadow copies

      • radB9DC1.tmp (PID: 2824)
    • Dropped file may contain instructions of ransomware

      • radB9DC1.tmp (PID: 2824)
    • Runs app for hidden code execution

      • radB9DC1.tmp (PID: 2824)
    • Actions looks like stealing of personal data

      • radB9DC1.tmp (PID: 2824)
    • Modifies files in Chrome extension folder

      • radB9DC1.tmp (PID: 2824)
  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • WScript.exe (PID: 3460)
      • radB9DC1.tmp (PID: 2824)
    • Starts application with an unusual extension

      • cmd.exe (PID: 4040)
      • radB9DC1.tmp (PID: 2808)
      • cmd.exe (PID: 2244)
    • Application launched itself

      • radB9DC1.tmp (PID: 2808)
    • Executable content was dropped or overwritten

      • WScript.exe (PID: 3460)
      • radB9DC1.tmp (PID: 2824)
    • Creates files in the program directory

      • radB9DC1.tmp (PID: 2824)
    • Creates files like Ransomware instruction

      • radB9DC1.tmp (PID: 2824)
    • Executed as Windows Service

      • vssvc.exe (PID: 3808)
    • Creates files in the user directory

      • radB9DC1.tmp (PID: 2824)
  • INFO

    • Manual execution by user

      • WScript.exe (PID: 3460)
      • NOTEPAD.EXE (PID: 1736)
    • Dropped object may contain URL to Tor Browser

      • radB9DC1.tmp (PID: 2824)
    • Dropped object may contain TOR URL's

      • radB9DC1.tmp (PID: 2824)
    • Dropped object may contain Bitcoin addresses

      • radB9DC1.tmp (PID: 2824)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
55
Monitored processes
11
Malicious processes
4
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winrar.exe no specs wscript.exe cmd.exe no specs radb9dc1.tmp no specs #TROLDESH radb9dc1.tmp vssadmin.exe no specs vssadmin.exe vssvc.exe no specs cmd.exe no specs chcp.com no specs notepad.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3380"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\xls.zip"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.60.0
3460"C:\Windows\System32\WScript.exe" "C:\Users\admin\Desktop\Информация о заказе.xls.js" C:\Windows\System32\WScript.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
4040"C:\Windows\System32\cmd.exe" /c C:\Users\admin\AppData\Local\Temp\radB9DC1.tmpC:\Windows\System32\cmd.exeWScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2808C:\Users\admin\AppData\Local\Temp\radB9DC1.tmpC:\Users\admin\AppData\Local\Temp\radB9DC1.tmpcmd.exe
User:
admin
Company:
NirSoft
Integrity Level:
MEDIUM
Description:
I7 Set Macro Deserialize Cbts
Exit code:
0
Version:
2.6.9.695
2824C:\Users\admin\AppData\Local\Temp\radB9DC1.tmpC:\Users\admin\AppData\Local\Temp\radB9DC1.tmp
radB9DC1.tmp
User:
admin
Company:
NirSoft
Integrity Level:
MEDIUM
Description:
I7 Set Macro Deserialize Cbts
Version:
2.6.9.695
3528C:\Windows\system32\vssadmin.exe List ShadowsC:\Windows\system32\vssadmin.exeradB9DC1.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Command Line Interface for Microsoft® Volume Shadow Copy Service
Exit code:
2
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2680"C:\Windows\system32\vssadmin.exe" Delete Shadows /All /QuietC:\Windows\system32\vssadmin.exe
radB9DC1.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Command Line Interface for Microsoft® Volume Shadow Copy Service
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3808C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exeservices.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Volume Shadow Copy Service
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2244C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exeradB9DC1.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2516chcpC:\Windows\system32\chcp.comcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Change CodePage Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
689
Read events
640
Write events
0
Delete events
0

Modification events

No data
Executable files
3
Suspicious files
1 056
Text files
33
Unknown types
31

Dropped files

PID
Process
Filename
Type
3380WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3380.5611\Информация о заказе.xls.js
MD5:
SHA256:
2824radB9DC1.tmpC:\Users\admin\AppData\Local\Temp\6893A5D897\state.tmp
MD5:
SHA256:
2824radB9DC1.tmpC:\Users\admin\AppData\Local\Temp\6893A5D897\unverified-microdesc-consensus.tmp
MD5:
SHA256:
2824radB9DC1.tmpC:\Users\admin\AppData\Local\Temp\6893A5D897\cached-certs.tmp
MD5:
SHA256:
2824radB9DC1.tmpC:\Users\admin\AppData\Local\Temp\6893A5D897\cached-microdesc-consensus.tmp
MD5:
SHA256:
2824radB9DC1.tmpC:\Users\Public\Videos\Sample Videos\Wildlife.wmv
MD5:
SHA256:
2824radB9DC1.tmpC:\Users\Public\Videos\Sample Videos\e4unCGXi4kM+z8vgdQ2e76LlXMaJrNRvjmfyekYHw+w=.906D0F2E2F604F839E04.crypted000007
MD5:
SHA256:
2824radB9DC1.tmpC:\Users\Public\Pictures\Sample Pictures\Tulips.jpg
MD5:
SHA256:
2824radB9DC1.tmpC:\Users\Public\Pictures\Sample Pictures\Penguins.jpg
MD5:
SHA256:
2824radB9DC1.tmpC:\Users\Public\Pictures\Sample Pictures\Lighthouse.jpg
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
7
DNS requests
2
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3460
WScript.exe
GET
200
79.98.28.28:80
http://telsiai.info/2013/wp-admin/css/colors/blue/2c.jpg
LT
executable
2.10 Mb
malicious
2824
radB9DC1.tmp
GET
200
66.171.248.178:80
http://ipv4bot.whatismyipaddress.com/
US
text
12 b
shared
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2824
radB9DC1.tmp
193.23.244.244:443
Chaos Computer Club e.V.
DE
malicious
2824
radB9DC1.tmp
171.25.193.9:80
Foreningen for digitala fri- och rattigheter
SE
malicious
2824
radB9DC1.tmp
66.171.248.178:80
ipv4bot.whatismyipaddress.com
Alchemy Communications, Inc.
US
malicious
2824
radB9DC1.tmp
77.68.11.42:443
1&1 Internet SE
GB
suspicious
2824
radB9DC1.tmp
145.239.255.86:9001
OVH SAS
GB
suspicious
2824
radB9DC1.tmp
185.225.208.117:443
suspicious
3460
WScript.exe
79.98.28.28:80
telsiai.info
UAB Rakrejus
LT
malicious

DNS requests

Domain
IP
Reputation
telsiai.info
  • 79.98.28.28
unknown
ipv4bot.whatismyipaddress.com
  • 66.171.248.178
shared

Threats

PID
Process
Class
Message
3460
WScript.exe
A Network Trojan was detected
ET CURRENT_EVENTS Likely Evil EXE download from MSXMLHTTP non-exe extension M2
3460
WScript.exe
A Network Trojan was detected
ET TROJAN JS/WSF Downloader Dec 08 2016 M4
3460
WScript.exe
Misc activity
SUSPICIOUS [PTsecurity] PE as Image Content type mismatch
2824
radB9DC1.tmp
Misc Attack
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 180
2824
radB9DC1.tmp
Misc activity
ET POLICY TLS possible TOR SSL traffic
2824
radB9DC1.tmp
Potential Corporate Privacy Violation
POLICY [PTsecurity] TOR SSL connection
2824
radB9DC1.tmp
Misc Attack
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 272
2824
radB9DC1.tmp
Potential Corporate Privacy Violation
POLICY [PTsecurity] TOR SSL connection
2824
radB9DC1.tmp
Misc Attack
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 573
2824
radB9DC1.tmp
Misc Attack
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 231
3 ETPRO signatures available at the full report
No debug info