URL: https://lazovskiphoto.com/ural_zakaz.zip

Full analysis: https://app.any.run/tasks/8b770cee-86f2-464d-8ae3-d7dc97791df0
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: May 24, 2019, 05:31:41
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: trojan, loader, ransomware, troldesh, shade, evasion

Indicators:
MD5: 24F6F5A73B5D3B1189A8ABB17DEA380F
SHA1: 5445B8E426C15BE99E65E7847DCF530B64C479CB
SHA256: E5CC500632B2BCFCB874D32E05F782EF353402E97E2CD074D033C6B890C4F682
SSDEEP: 3:N8EfKapNV02YVn:2EjpNV024

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • rad5C1B8.tmp (PID: 2832)
      • rad125B6.tmp (PID: 2960)
    • Downloads executable files from the Internet

      • WScript.exe (PID: 2528)
    • Changes the autorun value in the registry

      • rad5C1B8.tmp (PID: 2832)
    • TROLDESH was detected

      • rad5C1B8.tmp (PID: 2832)
    • Deletes shadow copies

      • rad5C1B8.tmp (PID: 2832)
    • Runs app for hidden code execution

      • rad5C1B8.tmp (PID: 2832)
    • Dropped file may contain instructions of ransomware

      • rad5C1B8.tmp (PID: 2832)
    • Actions looks like stealing of personal data

      • rad5C1B8.tmp (PID: 2832)
    • Modifies files in Chrome extension folder

      • rad5C1B8.tmp (PID: 2832)
  • SUSPICIOUS

    • Creates files in the program directory

      • firefox.exe (PID: 2864)
      • rad5C1B8.tmp (PID: 2832)
    • Starts application with an unusual extension

      • cmd.exe (PID: 3480)
      • cmd.exe (PID: 3788)
      • cmd.exe (PID: 2664)
    • Executable content was dropped or overwritten

      • WScript.exe (PID: 2528)
      • firefox.exe (PID: 2864)
      • rad5C1B8.tmp (PID: 2832)
      • WScript.exe (PID: 756)
    • Starts CMD.EXE for commands execution

      • WScript.exe (PID: 2528)
      • WScript.exe (PID: 756)
      • rad5C1B8.tmp (PID: 2832)
    • Executes scripts

      • WinRAR.exe (PID: 2760)
    • Checks for external IP

      • rad5C1B8.tmp (PID: 2832)
    • Executed as Windows Service

      • vssvc.exe (PID: 2480)
    • Creates files in the user directory

      • rad5C1B8.tmp (PID: 2832)
    • Creates files like Ransomware instruction

      • rad5C1B8.tmp (PID: 2832)
  • INFO

    • Reads CPU info

      • firefox.exe (PID: 2864)
    • Application launched itself

      • firefox.exe (PID: 2864)
    • Dropped object may contain Bitcoin addresses

      • firefox.exe (PID: 2864)
      • rad5C1B8.tmp (PID: 2832)
    • Creates files in the user directory

      • firefox.exe (PID: 2864)
    • Dropped object may contain URL to Tor Browser

      • rad5C1B8.tmp (PID: 2832)
    • Reads settings of System Certificates

      • firefox.exe (PID: 2864)
    • Dropped object may contain TOR URL's

      • rad5C1B8.tmp (PID: 2832)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 63
Monitored processes: 17
Malicious processes: 5
Suspicious processes: 2

Behavior graph

Process nodes in the graph, in order of appearance ("no specs" marks a node without specific indicators): start, firefox.exe, firefox.exe (no specs), firefox.exe, firefox.exe, firefox.exe, winrar.exe (no specs), wscript.exe, cmd.exe (no specs), #TROLDESH rad5c1b8.tmp, wscript.exe, cmd.exe (no specs), rad125b6.tmp, vssadmin.exe (no specs), vssadmin.exe, vssvc.exe (no specs), cmd.exe (no specs), chcp.com (no specs)

Process information

PID: 2864
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" https://lazovskiphoto.com/ural_zakaz.zip
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: explorer.exe
User: admin
Company: Mozilla Corporation
Integrity Level: MEDIUM
Description: Firefox
Version: 65.0.2

PID: 4088
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2864.0.232410091\1637758825" -parentBuildID 20190225143501 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - "C:\Users\admin\AppData\LocalLow\Mozilla\Temp-{ce348e4c-7d33-445e-89f9-60108c51bcaf}" 2864 "\\.\pipe\gecko-crash-server-pipe.2864" 1160 gpu
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User: admin
Company: Mozilla Corporation
Integrity Level: MEDIUM
Description: Firefox
Version: 65.0.2

PID: 2856
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2864.6.1110181118\100154082" -childID 1 -isForBrowser -prefsHandle 1700 -prefMapHandle 1656 -prefsLen 1 -prefMapSize 180950 -schedulerPrefs 0001,2 -parentBuildID 20190225143501 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 2864 "\\.\pipe\gecko-crash-server-pipe.2864" 764 tab
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User: admin
Company: Mozilla Corporation
Integrity Level: LOW
Description: Firefox
Version: 65.0.2

PID: 3592
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2864.13.1870370291\892492357" -childID 2 -isForBrowser -prefsHandle 2680 -prefMapHandle 2684 -prefsLen 216 -prefMapSize 180950 -schedulerPrefs 0001,2 -parentBuildID 20190225143501 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 2864 "\\.\pipe\gecko-crash-server-pipe.2864" 2696 tab
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User: admin
Company: Mozilla Corporation
Integrity Level: LOW
Description: Firefox
Version: 65.0.2

PID: 2620
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2864.20.2065024668\869668342" -childID 3 -isForBrowser -prefsHandle 3372 -prefMapHandle 3584 -prefsLen 5824 -prefMapSize 180950 -schedulerPrefs 0001,2 -parentBuildID 20190225143501 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 2864 "\\.\pipe\gecko-crash-server-pipe.2864" 3572 tab
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User: admin
Company: Mozilla Corporation
Integrity Level: LOW
Description: Firefox
Version: 65.0.2

PID: 2760
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\ural_zakaz.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: firefox.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Version: 5.60.0

PID: 2528
CMD: "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\Rar$DIa2760.44107\Подробности заказа ОАО Авиакомпания Уральские авиалинии.js"
Path: C:\Windows\System32\WScript.exe
Parent process: WinRAR.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft ® Windows Based Script Host
Exit code: 0
Version: 5.8.7600.16385

PID: 3480
CMD: "C:\Windows\System32\cmd.exe" /c C:\Users\admin\AppData\Local\Temp\rad5C1B8.tmp
Path: C:\Windows\System32\cmd.exe
Parent process: WScript.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 2832
CMD: C:\Users\admin\AppData\Local\Temp\rad5C1B8.tmp
Path: C:\Users\admin\AppData\Local\Temp\rad5C1B8.tmp
Parent process: cmd.exe
User: admin
Company: Glarysoft Ltd
Integrity Level: MEDIUM
Description: Registry Defrag
Version: 5.0.0.14

PID: 756
CMD: "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\Rar$DIa2760.1291\Подробности заказа ОАО Авиакомпания Уральские авиалинии.js"
Path: C:\Windows\System32\WScript.exe
Parent process: WinRAR.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft ® Windows Based Script Host
Exit code: 0
Version: 5.8.7600.16385
Total events: 2 032
Read events: 1 954
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 5
Suspicious files: 1 096
Text files: 67
Unknown types: 67

Dropped files

PID | Process | Filename (the MD5, SHA256 and Type fields are empty for every row in this excerpt)
2864 | firefox.exe | C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\startupCache\scriptCache-current.bin
2864 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\cookies.sqlite-shm
2864 | firefox.exe | C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\cache2\trash3513
2864 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\prefs-1.js
2864 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\sessionCheckpoints.json.tmp
2864 | firefox.exe | C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\test-malware-simple.sbstore
2864 | firefox.exe | C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\test-malware-simple.pset
2864 | firefox.exe | C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\test-phish-simple.sbstore
2864 | firefox.exe | C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\test-phish-simple.pset
2864 | firefox.exe | C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\test-unwanted-simple.sbstore
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 27
TCP/UDP connections: 50
DNS requests: 71
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2528 | WScript.exe | GET | 200 | 62.173.145.104:80 | http://www.zagogulina.com/1c.jpg | RU | executable | 1.19 Mb | malicious
2864 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted
2864 | firefox.exe | POST | 200 | 2.16.186.11:80 | http://ocsp.int-x3.letsencrypt.org/ | unknown | der | 527 b | whitelisted
2864 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted
2864 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted
2864 | firefox.exe | POST | 200 | 216.58.205.227:80 | http://ocsp.pki.goog/GTSGIAG3 | US | der | 471 b | whitelisted
2864 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted
2864 | firefox.exe | POST | 200 | 2.16.186.11:80 | http://ocsp.int-x3.letsencrypt.org/ | unknown | der | 527 b | whitelisted
2864 | firefox.exe | POST | 200 | 216.58.205.227:80 | http://ocsp.pki.goog/GTSGIAG3 | US | der | 471 b | whitelisted
2864 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2864 | firefox.exe | 2.16.186.112:80 | detectportal.firefox.com | Akamai International B.V. | | whitelisted
2864 | firefox.exe | 216.58.206.14:443 | sb-ssl.google.com | Google Inc. | US | whitelisted
2864 | firefox.exe | 85.93.145.251:443 | lazovskiphoto.com | JSC Internet-Cosmos | RU | unknown
2864 | firefox.exe | 216.58.205.234:443 | safebrowsing.googleapis.com | Google Inc. | US | whitelisted
2864 | firefox.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
2864 | firefox.exe | 2.16.186.11:80 | ocsp.int-x3.letsencrypt.org | Akamai International B.V. | | whitelisted
2832 | rad5C1B8.tmp | 131.188.40.189:443 | | Verein zur Foerderung eines Deutschen Forschungsnetzes e.V. | DE | malicious
2864 | firefox.exe | 52.24.56.107:443 | shavar.services.mozilla.com | Amazon.com, Inc. | US | unknown
2864 | firefox.exe | 34.218.159.169:443 | aus5.mozilla.org | Amazon.com, Inc. | US | unknown
2864 | firefox.exe | 216.58.205.227:80 | ocsp.pki.goog | Google Inc. | US | whitelisted

DNS requests

Domain | IP | Reputation
lazovskiphoto.com | 85.93.145.251 | unknown
detectportal.firefox.com | 2.16.186.112, 2.16.186.50 | whitelisted
aus5.mozilla.org | 34.218.159.169, 54.244.6.221, 52.32.77.100, 52.40.226.98, 34.214.241.105, 54.148.105.101, 54.148.138.18, 52.43.79.30, 34.216.134.104 | whitelisted
balrog-aus5.r53-2.services.mozilla.com | 52.43.79.30, 54.148.138.18, 54.148.105.101, 34.214.241.105, 52.40.226.98, 52.32.77.100, 54.244.6.221, 34.218.159.169, 34.216.134.104 | whitelisted
a1089.dscd.akamai.net | 2.16.186.50, 2.16.186.112 | whitelisted
search.services.mozilla.com | 52.27.173.161, 52.88.179.171, 52.10.97.252 | whitelisted
search.r53-2.services.mozilla.com | 52.10.97.252, 52.88.179.171, 52.27.173.161 | whitelisted
ocsp.int-x3.letsencrypt.org | 2.16.186.11, 2.16.186.27 | whitelisted
a771.dscq.akamai.net | 2.16.186.27, 2.16.186.11 | whitelisted
ocsp.digicert.com | 93.184.220.29 | whitelisted

Threats

PID | Process | Class | Message
2528 | WScript.exe | A Network Trojan was detected | ET CURRENT_EVENTS Likely Evil EXE download from MSXMLHTTP non-exe extension M2
2528 | WScript.exe | A Network Trojan was detected | ET TROJAN JS/WSF Downloader Dec 08 2016 M4
2528 | WScript.exe | Misc activity | SUSPICIOUS [PTsecurity] PE as Image Content type mismatch
2832 | rad5C1B8.tmp | Misc Attack | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 120
2832 | rad5C1B8.tmp | Potential Corporate Privacy Violation | POLICY [PTsecurity] TOR SSL connection
2832 | rad5C1B8.tmp | Misc Attack | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 644
2832 | rad5C1B8.tmp | Potential Corporate Privacy Violation | POLICY [PTsecurity] TOR SSL connection
2832 | rad5C1B8.tmp | Misc Attack | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 525
2832 | rad5C1B8.tmp | Misc Attack | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 638
2832 | rad5C1B8.tmp | Misc activity | ET POLICY TLS possible TOR SSL traffic
25 ETPRO signatures available at the full report
No debug info