58bb4399d28df01f90e1d0c5b2cf734dc53557d543354de3ce14fa6f6931c58a

General

Target

winrar-x64-591.exe
Size

3.1MB
MD5

779b1a96f1da4a1af90eecf940dd6d07
SHA1

3f077891cddd60f7770067f044ddf56ea73d699d
SHA256

58bb4399d28df01f90e1d0c5b2cf734dc53557d543354de3ce14fa6f6931c58a
SHA512

ae37b7b3647e63ccafb98b87d14d7cd02855c06bd6b7cdbcd00db85b65d40bd8a5e95bafb859d1fbd01fe832b3ba1b910ed68bcaaf56a96d47d317292bdc2488

Score

10^/10

discovery persistence

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 8 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

uninstall.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	uninstall.exe

Registers COM server for autorun 1 TTPs
persistence

Registry Run Keys / Startup Folder
T1060
Executes dropped EXE 1 IoCs

Processes:

uninstall.exe

pid process

1932 uninstall.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
1932	uninstall.exe

JavaScript code in executable 1 IoCs

Processes:

resource	yara_rule
C:\Program Files\WinRAR\WhatsNew.txt	js

Drops file in Program Files directory 48 IoCs

Processes:

winrar-x64-591.exeuninstall.exe

description	ioc	process
File opened for modification	C:\Program Files\WinRAR\Rar.txt	winrar-x64-591.exe
File created	C:\Program Files\WinRAR\WhatsNew.txt	winrar-x64-591.exe
File opened for modification	C:\Program Files\WinRAR\Uninstall.lst	winrar-x64-591.exe
File created	C:\Program Files\WinRAR\7zxa.dll	winrar-x64-591.exe
File created	C:\Program Files\WinRAR\WinCon64.SFX	winrar-x64-591.exe
File opened for modification	C:\Program Files\WinRAR\WinCon64.SFX	winrar-x64-591.exe
File opened for modification	C:\Program Files\WinRAR\ReadMe.txt	winrar-x64-591.exe
File created	C:\Program Files\WinRAR\Uninstall.exe	winrar-x64-591.exe
File created	C:\Program Files\WinRAR\RarExt.dll	winrar-x64-591.exe
File created	C:\Program Files\WinRAR\RarExt32.dll	winrar-x64-591.exe
File opened for modification	C:\Program Files\WinRAR\WinCon.SFX	winrar-x64-591.exe
File opened for modification	C:\Program Files\WinRAR\WinRAR.chm	winrar-x64-591.exe
File opened for modification	C:\Program Files\WinRAR\License.txt	winrar-x64-591.exe
File created	C:\Program Files\WinRAR\WinRAR.exe	winrar-x64-591.exe
File opened for modification	C:\Program Files\WinRAR\RarExt32.dll	winrar-x64-591.exe
File opened for modification	C:\Program Files\WinRAR\Zip.SFX	winrar-x64-591.exe
File created	C:\Program Files\WinRAR\Zip64.SFX	winrar-x64-591.exe
File created	C:\Program Files\WinRAR\WinRAR.chm	winrar-x64-591.exe
File opened for modification	C:\Program Files\WinRAR	winrar-x64-591.exe
File created	C:\Program Files\WinRAR\ReadMe.txt	winrar-x64-591.exe
File created	C:\Program Files\WinRAR\Rar.txt	winrar-x64-591.exe
File opened for modification	C:\Program Files\WinRAR\WhatsNew.txt	winrar-x64-591.exe
File opened for modification	C:\Program Files\WinRAR\Order.htm	winrar-x64-591.exe
File created	C:\Program Files\WinRAR\Uninstall.lst	winrar-x64-591.exe
File created	C:\Program Files\WinRAR\Rar.exe	winrar-x64-591.exe
File created	C:\Program Files\WinRAR\UnRAR.exe	winrar-x64-591.exe
File opened for modification	C:\Program Files\WinRAR\RarExt.dll	winrar-x64-591.exe
File opened for modification	C:\Program Files\WinRAR\Default.SFX	winrar-x64-591.exe
File opened for modification	C:\Program Files\WinRAR\RarFiles.lst	winrar-x64-591.exe
File opened for modification	C:\Program Files\WinRAR\Zip64.SFX	winrar-x64-591.exe
File opened for modification	C:\Program Files\WinRAR\Uninstall.exe	winrar-x64-591.exe
File opened for modification	C:\Program Files\WinRAR\UnRAR.exe	winrar-x64-591.exe
File opened for modification	C:\Program Files\WinRAR\Default64.SFX	winrar-x64-591.exe
File created	C:\Program Files\WinRAR\Zip.SFX	winrar-x64-591.exe
File created	C:\Program Files\WinRAR\Descript.ion	winrar-x64-591.exe
File opened for modification	C:\Program Files\WinRAR\Descript.ion	winrar-x64-591.exe
File created	C:\Program Files\WinRAR\License.txt	winrar-x64-591.exe
File created	C:\Program Files\WinRAR\Order.htm	winrar-x64-591.exe
File opened for modification	C:\Program Files\WinRAR\Rar.exe	winrar-x64-591.exe
File created	C:\Program Files\WinRAR\Default64.SFX	winrar-x64-591.exe
File created	C:\Program Files\WinRAR\WinCon.SFX	winrar-x64-591.exe
File created	C:\Program Files\WinRAR\__tmp_rar_sfx_access_check_259285531	winrar-x64-591.exe
File created	C:\Program Files\WinRAR\RarFiles.lst	winrar-x64-591.exe
File opened for modification	C:\Program Files\WinRAR\WinRAR.exe	winrar-x64-591.exe
File opened for modification	C:\Program Files\WinRAR\7zxa.dll	winrar-x64-591.exe
File created	C:\Program Files\WinRAR\Default.SFX	winrar-x64-591.exe
File created	C:\Program Files\WinRAR\rarnew.dat	uninstall.exe
File created	C:\Program Files\WinRAR\zipnew.dat	uninstall.exe

Modifies registry class 206 IoCs

Processes:

uninstall.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r12\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.lz\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.tlz\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.tgz\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\DefaultIcon	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r10\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\ = "RAR recovery volume"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r13\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bz2\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r15\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r16\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r19\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.cab\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.txz	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.txz\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\DropHandler\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.zipx\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\shell\open\command\ = "\"C:\\Program Files\\WinRAR\\WinRAR.exe\" \"%1\""	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r24	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\DropHandler	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\WinRAR32	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\DropHandler	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r21\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.lha	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\InProcServer32	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\DefaultIcon\ = "C:\\Program Files\\WinRAR\\WinRAR.exe,0"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\DefaultIcon	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\DropHandler\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r18\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r20	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r27	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r29	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.zip\ShellNew	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.zipx	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\ = "WinRAR ZIP archive"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r04	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r24\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.rar\ShellNew\FileName = "C:\\Program Files\\WinRAR\\rarnew.dat"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.xxe\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.tbz2\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32\ = "C:\\Program Files\\WinRAR\\rarext.dll"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32\ThreadingModel = "Apartment"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r23	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.lz	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.tbz2	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\InProcServer32\ThreadingModel = "Apartment"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\DragDropHandlers\WinRAR	uninstall.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

winrar-x64-591.exeuninstall.exe

pid process

796 winrar-x64-591.exe
796 winrar-x64-591.exe
1932 uninstall.exe

pid	process
796	winrar-x64-591.exe
796	winrar-x64-591.exe
1932	uninstall.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

winrar-x64-591.exe

description	pid	process	target process
PID 796 wrote to memory of 1932	796	winrar-x64-591.exe	uninstall.exe
PID 796 wrote to memory of 1932	796	winrar-x64-591.exe	uninstall.exe

C:\Users\Admin\AppData\Local\Temp\winrar-x64-591.exe
"C:\Users\Admin\AppData\Local\Temp\winrar-x64-591.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:796

C:\Program Files\WinRAR\uninstall.exe
"C:\Program Files\WinRAR\uninstall.exe" /setup
2⤵
- Modifies system executable filetype association
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1932

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Change Default File Association

1

T1042

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\WinRAR\Rar.txt
MD5
a8f8c90f6509564bd57daad2edce30aa

SHA1
406b0aa8b39a623920f4836a5f697cfcc805f4c0

SHA256
96e36b573501a985de0657fcb0ae37cedadee032e9bd85169c5950332710d8af

SHA512
c5eb24d4f91f838fbf0f3aa0d3641271e1b7fda152316308b510fe0f8195fbd69a81e45a7d1184db2a36e94933a6bc13a05c728b9cef736fbb706294edb30ece

Download Submit
C:\Program Files\WinRAR\Uninstall.exe
MD5
2224e053b0ba6170bd050c2bfb6804e9

SHA1
d5ab5c7b043e21c3da3885fd37864d90abcdeca5

SHA256
036230fa3d92bbeadb0dd0271a5ccd4d0be11cdcb35e7a1ec40c1defc24ff8b6

SHA512
0577d78b2e273bc505df99ce4c324a803a36f20b620a6e10484cf2ff5f3a73825a51e34138a7b20d2d0aff6a048373121240e64d1cff4a4cf4be002603398de0

Download Submit
C:\Program Files\WinRAR\WhatsNew.txt
MD5
bb536f2fecbb4dea479b604e8f481b2c

SHA1
e1ddb46fa1645c4bd7a24aed2ed05af6f20b5125

SHA256
2f34c18824209e8999cc226f77d270743484ac824c7583438cc49789e8abf71e

SHA512
65b063986e600a776838d596f8610c6b4f4dc161dbf7fc7e081c5509879dcb7a851682ca7c413be57cb5ea11876981d02bcd45e6141cb39ed65a759d22054445

Download Submit
C:\Program Files\WinRAR\WinRAR.chm
MD5
e2ea440ef0271f7fd713d24e38bd00b5

SHA1
59bbee257325208db81f708be6cd4cac39e01479

SHA256
ff85d20a9b7f3109a6a47d753ee96b350ca573947f63169c8aee9a552afd4a09

SHA512
45dee1c29390211e09f1eee89f8b0f5b33394649a3eb1fd227b41b21f751eeccdb4ec91b2c1465d6985f56afa25396dc68b73cd5233f8a3898f17ebda33d7031

Download Submit
C:\Program Files\WinRAR\WinRAR.exe
MD5
715065f9adf100230afcb91d99316050

SHA1
be63a0681dfd56ddffb7aa1bf81f674bca7ba25e

SHA256
9066f0bca50feae501b3d182de580a4e1159aec2d6ee01dcda043c02f79d741e

SHA512
e85ff82facbaba904abef9c133098c64cdb9205d99dcd57532965c0157be09c08a755a718984165d681f45a92a8cc4eb8f0774e53b13d02171401873269c8a4e

Download Submit
C:\Program Files\WinRAR\uninstall.exe
MD5
2224e053b0ba6170bd050c2bfb6804e9

SHA1
d5ab5c7b043e21c3da3885fd37864d90abcdeca5

SHA256
036230fa3d92bbeadb0dd0271a5ccd4d0be11cdcb35e7a1ec40c1defc24ff8b6

SHA512
0577d78b2e273bc505df99ce4c324a803a36f20b620a6e10484cf2ff5f3a73825a51e34138a7b20d2d0aff6a048373121240e64d1cff4a4cf4be002603398de0

Download Submit
memory/1932-0-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads