analyze malware
- Huge database of samples and IOCs
- Custom VM setup
- Unlimited submissions
- Interactive approach
| File name: | raid_tool - alphascript.zip |
| Full analysis: | https://app.any.run/tasks/e4ef888d-e2d8-41c2-ab89-c6957167a9d3 |
| Verdict: | Malicious activity |
| Analysis date: | October 20, 2020, 04:03:07 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | application/zip |
| File info: | Zip archive data, at least v2.0 to extract |
| MD5: | 28440286BCCC4CDA9AFF930C0DF80373 |
| SHA1: | 21C724681ADB18974894433B494CF0D3D212854B |
| SHA256: | C7DA9A493534C075BB8C3D805F9D5FFA439D58EB6F8D11D575C9501E1DBC34D2 |
| SSDEEP: | 196608:egzE5VUziCh92ESzIYsbO1m8v26jrkNDRHcthJZ409aXKNdSF88C0YwAfcjrZIVK:dz/0nzIfi1m8u6QHcthbtE2V0Y9kxjGM |
MALICIOUS
Application was dropped or rewritten from another process
- raid_tool.exe (PID: 3592)
- raid_tool.exe (PID: 2900)
- raid_tool.exe (PID: 4004)
- raid_tool.exe (PID: 3432)
Loads dropped or rewritten executable
- raid_tool.exe (PID: 4004)
- raid_tool.exe (PID: 3432)
SUSPICIOUS
Executable content was dropped or overwritten
- raid_tool.exe (PID: 3592)
- raid_tool.exe (PID: 2900)
Application launched itself
- raid_tool.exe (PID: 3592)
- raid_tool.exe (PID: 2900)
Loads Python modules
- raid_tool.exe (PID: 4004)
- raid_tool.exe (PID: 3432)
INFO
Dropped object may contain Bitcoin addresses
- raid_tool.exe (PID: 3592)
- raid_tool.exe (PID: 2900)
Manual execution by user
- raid_tool.exe (PID: 2900)
- raid_tool.exe (PID: 3592)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .zip | | | ZIP compressed archive (100) |
|---|
EXIF
ZIP
| ZipRequiredVersion: | 20 |
|---|---|
| ZipBitFlag: | - |
| ZipCompression: | Deflated |
| ZipModifyDate: | 2020:07:22 17:41:08 |
| ZipCRC: | 0x3365e02f |
| ZipCompressedSize: | 11572330 |
| ZipUncompressedSize: | 12028416 |
| ZipFileName: | raid_tool.exe |
Total processes
43
Monitored processes
5
Malicious processes
4
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process |
|---|---|---|---|---|
| 2224 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\raid_tool - alphascript.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.60.0 | ||||
| 2900 | "C:\Users\admin\Desktop\raid_tool.exe" | C:\Users\admin\Desktop\raid_tool.exe | explorer.exe | |
User: admin Integrity Level: MEDIUM | ||||
| 3592 | "C:\Users\admin\Desktop\raid_tool.exe" | C:\Users\admin\Desktop\raid_tool.exe | explorer.exe | |
User: admin Integrity Level: MEDIUM Exit code: 3221225786 | ||||
| 4004 | "C:\Users\admin\Desktop\raid_tool.exe" | C:\Users\admin\Desktop\raid_tool.exe | — | raid_tool.exe |
User: admin Integrity Level: MEDIUM | ||||
| 3432 | "C:\Users\admin\Desktop\raid_tool.exe" | C:\Users\admin\Desktop\raid_tool.exe | — | raid_tool.exe |
User: admin Integrity Level: MEDIUM Exit code: 3221225786 | ||||
Total events
914
Read events
894
Write events
0
Delete events
0
Modification events
Executable files
68
Suspicious files
6
Text files
1 718
Unknown types
3
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2224 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2224.44903\raid_tool.exe | — | |
MD5:— | SHA256:— | |||
| 2900 | raid_tool.exe | C:\Users\admin\AppData\Local\Temp\_MEI29002\_decimal.pyd | executable | |
MD5:8601C853146A4BE85238A57C9FD56865 | SHA256:2A57023D4F355E3857187C02577FA4641A4D1DFF195196B3C33B90322EDF9FD4 | |||
| 2900 | raid_tool.exe | C:\Users\admin\AppData\Local\Temp\_MEI29002\_bz2.pyd | executable | |
MD5:0F75C236C4CCFEA1B16F132F6C139236 | SHA256:5DC26DCBF58CC7F5BFDEC0BADD5240D6724DB3E34010AAF35A31876FE4057158 | |||
| 2900 | raid_tool.exe | C:\Users\admin\AppData\Local\Temp\_MEI29002\_multiprocessing.pyd | executable | |
MD5:8901E96BB7A8EEAD994AF2BDF54A2447 | SHA256:823A96F080A3424F4C5327CF61FF517723E19A69679EBE93EA97061063D8D593 | |||
| 2900 | raid_tool.exe | C:\Users\admin\AppData\Local\Temp\_MEI29002\_cffi_backend.cp38-win32.pyd | executable | |
MD5:012DB6C90D38DB71D0647659217CA286 | SHA256:4207E3276411F75A6680EAE28D7D5ED7F6CAD946B1DE7B724440F44593267414 | |||
| 2900 | raid_tool.exe | C:\Users\admin\AppData\Local\Temp\_MEI29002\_lzma.pyd | executable | |
MD5:54F12E2385A77D825AE4D41A4AC515FE | SHA256:08DE18FBA635822F3BB89C9429F175E3680B7261546430BA9E2ED09BB31F5218 | |||
| 2900 | raid_tool.exe | C:\Users\admin\AppData\Local\Temp\_MEI29002\_hashlib.pyd | executable | |
MD5:05362ADD80824B06014645A7951337D8 | SHA256:20B3A3D3350B3D4D57911ECFDB15F77512A6E73C3BF72B410724F81C79A5B1AF | |||
| 2900 | raid_tool.exe | C:\Users\admin\AppData\Local\Temp\_MEI29002\_testcapi.pyd | executable | |
MD5:F33981092BFAE8CABF404AAB0199A979 | SHA256:5796A1D619CE13CC90B1E6EBFDDC374BE33EDBC1B3D9CB562DDD05007D6C845E | |||
| 2900 | raid_tool.exe | C:\Users\admin\AppData\Local\Temp\_MEI29002\_socket.pyd | executable | |
MD5:CEA329CE0935E99A8BC01070F07FEFAF | SHA256:D1A4D66C557C2FE7DC441614CA62E67F37EC44BEF5A762BAC41BAC15D491A930 | |||
| 2900 | raid_tool.exe | C:\Users\admin\AppData\Local\Temp\_MEI29002\VCRUNTIME140.dll | executable | |
MD5:4C360F78DE1F5BAAA5F110E65FAC94B4 | SHA256:AD1B0992B890BFE88EF52D0A830873ACC0AECC9BD6E4FC22397DBCCF4D2B4E37 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report