analyze malware
- Huge database of samples and IOCs
- Custom VM setup
- Unlimited submissions
- Interactive approach
| File name: | OhGodAnETHlargementPill2.zip |
| Full analysis: | https://app.any.run/tasks/d2198f17-cbe8-4de4-9ea6-15530d934597 |
| Verdict: | Malicious activity |
| Analysis date: | November 29, 2020, 15:43:21 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | application/zip |
| File info: | Zip archive data, at least v2.0 to extract |
| MD5: | BDA94860F1E32106830524A890E0C29B |
| SHA1: | 9A7C14BC49F95AD1CFE477D54560D888858D8E7F |
| SHA256: | 7688D311B615F063DC5BF828D6C5552CC19F55275CE01637D741BAEE4F8F987C |
| SSDEEP: | 49152:mhhEIT7yiz10dPkP0hvQqxz4OJfby7uj6wLMicr:mhKIT7yiJykMZL1by76YL |
MALICIOUS
Application was dropped or rewritten from another process
- ETHlargementPill-r2.exe (PID: 2216)
- ETHlargementPill-r2.exe (PID: 2116)
- ETHlargementPill-r2.exe (PID: 3184)
- TaskAudio Driver.exe (PID: 2928)
Drops executable file immediately after starts
- ETHlargementPill-r2.exe (PID: 3184)
Runs app for hidden code execution
- notepad.exe (PID: 2572)
SUSPICIOUS
Reads the Windows organization settings
- ETHlargementPill-r2.exe (PID: 2216)
- ETHlargementPill-r2.exe (PID: 3184)
Application launched itself
- ETHlargementPill-r2.exe (PID: 2116)
- ETHlargementPill-r2.exe (PID: 2216)
- notepad.exe (PID: 2572)
Reads Windows owner or organization settings
- ETHlargementPill-r2.exe (PID: 2216)
- ETHlargementPill-r2.exe (PID: 3184)
Executable content was dropped or overwritten
- ETHlargementPill-r2.exe (PID: 3184)
Drops a file with a compile date too recent
- ETHlargementPill-r2.exe (PID: 3184)
Creates files in the program directory
- ETHlargementPill-r2.exe (PID: 3184)
Starts CMD.EXE for commands execution
- notepad.exe (PID: 2572)
INFO
Manual execution by user
- ETHlargementPill-r2.exe (PID: 2116)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .zip | | | ZIP compressed archive (100) |
|---|
EXIF
ZIP
| ZipFileName: | README.md |
|---|---|
| ZipUncompressedSize: | 91 |
| ZipCompressedSize: | 84 |
| ZipCRC: | 0x0fd0df0b |
| ZipModifyDate: | 2020:01:17 17:20:25 |
| ZipCompression: | Deflated |
| ZipBitFlag: | - |
| ZipRequiredVersion: | 20 |
Total processes
627
Monitored processes
590
Malicious processes
5
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process |
|---|---|---|---|---|
| 1120 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\OhGodAnETHlargementPill2.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.60.0 | ||||
| 2116 | "C:\Users\admin\Desktop\ETHlargementPill-r2.exe" | C:\Users\admin\Desktop\ETHlargementPill-r2.exe | — | explorer.exe |
User: admin Company: Integrity Level: MEDIUM Description: Setup/Uninstall Exit code: 1 Version: 51.1052.0.0 | ||||
| 2216 | "C:\Users\admin\Desktop\ETHlargementPill-r2.exe" /SPAWNWND=$30174 /NOTIFYWND=$30174 | C:\Users\admin\Desktop\ETHlargementPill-r2.exe | ETHlargementPill-r2.exe | |
User: admin Company: Integrity Level: HIGH Description: Setup/Uninstall Exit code: 1 Version: 51.1052.0.0 | ||||
| 3184 | "C:\Users\admin\Desktop\ETHlargementPill-r2.exe" /VERYSILENT | C:\Users\admin\Desktop\ETHlargementPill-r2.exe | ETHlargementPill-r2.exe | |
User: admin Company: Integrity Level: HIGH Description: Setup/Uninstall Exit code: 0 Version: 51.1052.0.0 | ||||
| 2928 | "C:\Users\admin\AppData\Local\Temp\TaskAudio Driver.exe" | C:\Users\admin\AppData\Local\Temp\TaskAudio Driver.exe | — | ETHlargementPill-r2.exe |
User: admin Integrity Level: HIGH | ||||
| 2572 | "C:\Windows\system32\notepad.exe" | C:\Windows\system32\notepad.exe | — | TaskAudio Driver.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Notepad Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
| 2072 | "C:\Windows\system32\cmd.exe" | C:\Windows\system32\cmd.exe | — | notepad.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
| 1464 | "C:\Windows\system32\cmd.exe" | C:\Windows\system32\cmd.exe | — | notepad.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
| 960 | "C:\Windows\system32\cmd.exe" | C:\Windows\system32\cmd.exe | — | notepad.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
| 2560 | "C:\Windows\system32\cmd.exe" | C:\Windows\system32\cmd.exe | — | notepad.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
Total events
722
Read events
692
Write events
0
Delete events
0
Modification events
Executable files
2
Suspicious files
0
Text files
1
Unknown types
2
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 1120 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa1120.45820\README.md | — | |
MD5:— | SHA256:— | |||
| 1120 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa1120.45820\ETHlargementPill-r2.exe | — | |
MD5:— | SHA256:— | |||
| 1120 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa1120.45820\OhGodAnETHlargementPill-r2 | — | |
MD5:— | SHA256:— | |||
| 1120 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa1120.45820\ETHlargementPill-r2-0.bin | — | |
MD5:— | SHA256:— | |||
| 1120 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa1120.45820\ETHlargementPill-r2-1.bin | — | |
MD5:— | SHA256:— | |||
| 3184 | ETHlargementPill-r2.exe | C:\Users\admin\AppData\Local\Temp\is-H9LPG.tmp | — | |
MD5:— | SHA256:— | |||
| 3184 | ETHlargementPill-r2.exe | C:\Users\admin\AppData\Local\Temp\is-OGN66.tmp | — | |
MD5:— | SHA256:— | |||
| 3184 | ETHlargementPill-r2.exe | C:\Users\admin\AppData\Local\Temp\is-2K38R.tmp | — | |
MD5:— | SHA256:— | |||
| 3184 | ETHlargementPill-r2.exe | C:\Users\admin\AppData\Local\Temp\is-FH16D.tmp | — | |
MD5:— | SHA256:— | |||
| 3184 | ETHlargementPill-r2.exe | C:\Users\admin\AppData\Local\Temp\OhGodAnETHlargementPill-r2 | o | |
MD5:90075AE438C3445B8B688519171D65A0 | SHA256:6F731C2372FAF51B26ADC96D4E8A1437A515F4F78DE8AD1AB81E63BF6D60056A | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
1
DNS requests
1
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
— | — | 151.101.12.193:443 | i.imgur.com | Fastly | US | malicious |
DNS requests
Domain | IP | Reputation |
|---|---|---|
i.imgur.com |
| shared |