analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

raid_tool - alphascript.zip

Full analysis: https://app.any.run/tasks/be810ffc-2a94-422a-bb84-39f92a4e7b07
Verdict: Malicious activity
Analysis date: October 19, 2020, 21:49:28
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

3E061CDB0DEA5EE253DBBDBAB76F4423

SHA1:

3871E331356B869F1F1ADD16F02B977EA97D9CB1

SHA256:

BA4563BF28A50601E88C1F412D359B94F407E8A49E23CEB651D81445E9C56320

SSDEEP:

196608:egzE5VUziCh92ESzIYsbO1m8v26jrkNDRHcthJZ409aXKNdSF88C0YwAfcjrZIVS:dz/0nzIfi1m8u6QHcthbtE2V0Y9kxjGY

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • raid_tool.exe (PID: 2852)
      • raid_tool.exe (PID: 2184)
      • raid_tool.exe (PID: 3972)
      • raid_tool.exe (PID: 2940)
      • raid_tool.exe (PID: 1700)
      • raid_tool.exe (PID: 3020)
      • raid_tool.exe (PID: 964)
      • raid_tool.exe (PID: 2972)

    • Loads dropped or rewritten executable

      • raid_tool.exe (PID: 2184)
      • raid_tool.exe (PID: 2940)
      • raid_tool.exe (PID: 964)
      • raid_tool.exe (PID: 2972)

  • SUSPICIOUS

    • Loads Python modules

      • raid_tool.exe (PID: 2184)
      • raid_tool.exe (PID: 2940)
      • raid_tool.exe (PID: 964)
      • raid_tool.exe (PID: 2972)

    • Executable content was dropped or overwritten

      • raid_tool.exe (PID: 2852)
      • raid_tool.exe (PID: 3972)
      • raid_tool.exe (PID: 1700)
      • raid_tool.exe (PID: 3020)

    • Application launched itself

      • raid_tool.exe (PID: 2852)
      • raid_tool.exe (PID: 1700)
      • raid_tool.exe (PID: 3972)
      • raid_tool.exe (PID: 3020)

  • INFO

    • Manual execution by user

      • NOTEPAD.EXE (PID: 3784)
      • NOTEPAD.EXE (PID: 2896)
      • NOTEPAD.EXE (PID: 956)
      • raid_tool.exe (PID: 2852)
      • raid_tool.exe (PID: 3972)
      • NOTEPAD.EXE (PID: 2812)
      • raid_tool.exe (PID: 1700)
      • raid_tool.exe (PID: 3020)

    • Dropped object may contain Bitcoin addresses

      • raid_tool.exe (PID: 3972)
      • raid_tool.exe (PID: 2852)
      • raid_tool.exe (PID: 1700)
      • raid_tool.exe (PID: 3020)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: raid_tool.exe
ZipUncompressedSize: 12028416
ZipCompressedSize: 11572330
ZipCRC: 0x3365e02f
ZipModifyDate: 2020:07:22 17:41:08
ZipCompression: Deflated
ZipBitFlag: -
ZipRequiredVersion: 20
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
51
Monitored processes
13
Malicious processes
8
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winrar.exe no specs notepad.exe no specs notepad.exe no specs notepad.exe no specs notepad.exe no specs raid_tool.exe raid_tool.exe no specs raid_tool.exe raid_tool.exe no specs raid_tool.exe raid_tool.exe no specs raid_tool.exe raid_tool.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2520"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\raid_tool - alphascript.zip"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
2812"C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\ok.txtC:\Windows\system32\NOTEPAD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Notepad
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2896"C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\ok.txtC:\Windows\system32\NOTEPAD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Notepad
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
956"C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\ok.txtC:\Windows\system32\NOTEPAD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Notepad
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3784"C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\ok.txtC:\Windows\system32\NOTEPAD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Notepad
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2852"C:\Users\admin\Desktop\raid_tool.exe" C:\Users\admin\Desktop\raid_tool.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
2184"C:\Users\admin\Desktop\raid_tool.exe" C:\Users\admin\Desktop\raid_tool.exeraid_tool.exe
User:
admin
Integrity Level:
MEDIUM
3972"C:\Users\admin\Desktop\raid_tool.exe" C:\Users\admin\Desktop\raid_tool.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221225786
2940"C:\Users\admin\Desktop\raid_tool.exe" C:\Users\admin\Desktop\raid_tool.exeraid_tool.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221225786
1700"C:\Users\admin\Desktop\raid_tool.exe" C:\Users\admin\Desktop\raid_tool.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221225786
Total events
1 444
Read events
1 424
Write events
20
Delete events
0

Modification events

(PID) Process:(2520) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(2520) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(2520) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\13B\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(2520) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\AppData\Local\Temp\raid_tool - alphascript.zip
(PID) Process:(2520) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(2520) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(2520) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(2520) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(2520) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin
Operation:writeName:Placement
Value:
2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF42000000420000000204000037020000
(PID) Process:(2520) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\General
Operation:writeName:LastFolder
Value:
C:\Users\admin\AppData\Local\Temp
Executable files
136
Suspicious files
12
Text files
3 708
Unknown types
8

Dropped files

PID
Process
Filename
Type
2520WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa2520.3222\raid_tool.exe
MD5:
SHA256:
2520WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa2520.3222\README.txt
MD5:
SHA256:
2520WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa2520.3222\tokens.txt
MD5:
SHA256:
2520WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa2520.3222\ok.txt
MD5:
SHA256:
2852raid_tool.exeC:\Users\admin\AppData\Local\Temp\_MEI28522\_bz2.pydexecutable
MD5:0F75C236C4CCFEA1B16F132F6C139236
SHA256:5DC26DCBF58CC7F5BFDEC0BADD5240D6724DB3E34010AAF35A31876FE4057158
2852raid_tool.exeC:\Users\admin\AppData\Local\Temp\_MEI28522\VCRUNTIME140.dllexecutable
MD5:4C360F78DE1F5BAAA5F110E65FAC94B4
SHA256:AD1B0992B890BFE88EF52D0A830873ACC0AECC9BD6E4FC22397DBCCF4D2B4E37
2852raid_tool.exeC:\Users\admin\AppData\Local\Temp\_MEI28522\_asyncio.pydexecutable
MD5:5435CE08F40FBE43230CAE8D3DFF232C
SHA256:79FDA30CBFC95DB2BA60646FF53DFF45B5ADD57C12241C4A82FA798CB3B543DF
2852raid_tool.exeC:\Users\admin\AppData\Local\Temp\_MEI28522\_socket.pydexecutable
MD5:CEA329CE0935E99A8BC01070F07FEFAF
SHA256:D1A4D66C557C2FE7DC441614CA62E67F37EC44BEF5A762BAC41BAC15D491A930
2852raid_tool.exeC:\Users\admin\AppData\Local\Temp\_MEI28522\_multiprocessing.pydexecutable
MD5:8901E96BB7A8EEAD994AF2BDF54A2447
SHA256:823A96F080A3424F4C5327CF61FF517723E19A69679EBE93EA97061063D8D593
2852raid_tool.exeC:\Users\admin\AppData\Local\Temp\_MEI28522\_lzma.pydexecutable
MD5:54F12E2385A77D825AE4D41A4AC515FE
SHA256:08DE18FBA635822F3BB89C9429F175E3680B7261546430BA9E2ED09BB31F5218
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
raid_tool - alphascript.zip