Resubmissions

  • 24-11-2020 01:58  201124-tw7v7kcpdj  score 10
  • 24-11-2020 01:49  201124-ecm49wfmgj  score 10
  • 24-11-2020 01:44  201124-6y8xb2pmc6  score 10

Analysis

  • max time kernel
    102s
  • max time network
    112s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    24-11-2020 01:58

General

  • Target

    winrar-x64-591.exe

  • Size

    3.1MB

  • MD5

    779b1a96f1da4a1af90eecf940dd6d07

  • SHA1

    3f077891cddd60f7770067f044ddf56ea73d699d

  • SHA256

    58bb4399d28df01f90e1d0c5b2cf734dc53557d543354de3ce14fa6f6931c58a

  • SHA512

    ae37b7b3647e63ccafb98b87d14d7cd02855c06bd6b7cdbcd00db85b65d40bd8a5e95bafb859d1fbd01fe832b3ba1b910ed68bcaaf56a96d47d317292bdc2488

Score
10/10

Malware Config

Signatures

  • Modifies system executable filetype association (2 TTPs, 8 IoCs)
  • Registers COM server for autorun (1 TTP)
  • Executes dropped EXE (1 IoC)
  • Loads dropped DLL (1 IoC)
  • Checks installed software on the system (1 TTP)
    Looks up Uninstall key entries in the registry to enumerate software on the system.
  • JavaScript code in executable (1 IoC)
  • Drops file in Program Files directory (47 IoCs)
  • Modifies registry class (171 IoCs)
  • Suspicious use of SetWindowsHookEx (3 IoCs)
  • Suspicious use of WriteProcessMemory (2 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\winrar-x64-591.exe
    "C:\Users\Admin\AppData\Local\Temp\winrar-x64-591.exe"
    PID 3944 (level 1)
    • Drops file in Program Files directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • C:\Program Files\WinRAR\uninstall.exe
      "C:\Program Files\WinRAR\uninstall.exe" /setup
      PID 932 (level 2, child of PID 3944)
      • Modifies system executable filetype association
      • Executes dropped EXE
      • Drops file in Program Files directory
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    PID 3140 (level 1)
  • C:\Windows\system32\compattelrunner.exe
    C:\Windows\system32\compattelrunner.exe -m:aeinv.dll -f:UpdateSoftwareInventoryW
    PID 1840 (level 1)

The rundll32.exe and compattelrunner.exe entries are level 1, i.e. the report does not record them as children of the sample; only uninstall.exe (PID 932) is shown as spawned by the submitted file, and it is the process carrying the "Executes dropped EXE" and file-association signatures.
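The process tree above is just depth markers and PIDs; the relationships a reviewer actually wants (which process spawned which, which child runs from a directory its parent wrote to, and what a rundll32 line is really hosting) have to be reconstructed. The script below is an added example, not code from the report or the sandbox vendor; it embeds the four processes from the tree above as constructed input and assumes the level numbers are the "N⤵" markers, with level 1 meaning a top-level process.

```python
"""Rebuild a sandbox report's process tree from its level markers and extract the
parent/child facts a reviewer cares about (added example, not part of the report)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed from the Processes section above: (level from the "N⤵" marker,
# image path, command line, PID, signatures the report attaches to the process).
REPORT_PROCESSES = [
    (1, r"C:\Users\Admin\AppData\Local\Temp\winrar-x64-591.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\winrar-x64-591.exe"', 3944,
     ["Drops file in Program Files directory",
      "Suspicious use of SetWindowsHookEx",
      "Suspicious use of WriteProcessMemory"]),
    (2, r"C:\Program Files\WinRAR\uninstall.exe",
     r'"C:\Program Files\WinRAR\uninstall.exe" /setup', 932,
     ["Modifies system executable filetype association", "Executes dropped EXE",
      "Drops file in Program Files directory", "Modifies registry class",
      "Suspicious use of SetWindowsHookEx"]),
    (1, r"C:\Windows\System32\rundll32.exe",
     r"C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,"
     r"SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding",
     3140, []),
    (1, r"C:\Windows\system32\compattelrunner.exe",
     r"C:\Windows\system32\compattelrunner.exe -m:aeinv.dll -f:UpdateSoftwareInventoryW",
     1840, []),
]


@dataclass
class Proc:
    level: int
    image: str
    cmdline: str
    pid: int
    signatures: List[str]
    parent: Optional["Proc"] = None
    children: List["Proc"] = field(default_factory=list)


def build_tree(rows) -> List[Proc]:
    """Link each process to the nearest preceding process with a smaller level."""
    procs: List[Proc] = []
    stack: List[Proc] = []
    for level, image, cmdline, pid, sigs in rows:
        p = Proc(level, image, cmdline, pid, list(sigs))
        while stack and stack[-1].level >= level:
            stack.pop()
        if stack:
            p.parent = stack[-1]
            stack[-1].children.append(p)
        stack.append(p)
        procs.append(p)
    return procs


def lineage(p: Proc) -> List[int]:
    """PIDs from the root of p's tree down to p itself."""
    chain = []
    while p is not None:
        chain.append(p.pid)
        p = p.parent
    return chain[::-1]


def dropped_and_executed(procs) -> List[Tuple[int, int, str]]:
    """(parent PID, child PID, child image) where the child runs from a directory the
    parent is reported to have written into: the relationship behind 'Executes dropped EXE'."""
    hits = []
    for p in procs:
        if p.parent is None:
            continue
        parent_wrote = "Drops file in Program Files directory" in p.parent.signatures
        if parent_wrote and p.image.lower().startswith("c:\\program files\\"):
            hits.append((p.parent.pid, p.pid, p.image))
    return hits


def not_descended_from_sample(procs) -> List[int]:
    """Top-level PIDs other than the first one. The report does not link these to the
    sample, so their activity must not be attributed to it without further evidence."""
    roots = [p for p in procs if p.parent is None]
    return [p.pid for p in roots[1:]]


RUNDLL32_RE = re.compile(r"rundll32\.exe\s+(?P<dll>[^,\s]+),(?P<export>\S+)\s*(?P<args>.*)$", re.I)
CLSID_RE = re.compile(r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}", re.I)


def parse_rundll32(cmdline: str):
    """Split a rundll32 command line into DLL, export and any CLSIDs in the arguments
    (with SHCreateLocalServerRunDll the CLSID is the COM class being hosted)."""
    m = RUNDLL32_RE.search(cmdline)
    if not m:
        return None
    return {"dll": m["dll"], "export": m["export"], "clsids": CLSID_RE.findall(m["args"])}


if __name__ == "__main__":
    tree = build_tree(REPORT_PROCESSES)
    for p in tree:
        print("  " * (p.level - 1), p.pid, p.image, "lineage:", lineage(p))
    print("dropped and executed:", dropped_and_executed(tree))
    print("not linked to sample:", not_descended_from_sample(tree))
    print("rundll32:", parse_rundll32(tree[2].cmdline))
```

On this report the only dropped-and-executed pair is 3944 → 932, the rundll32 line resolves to shell32.dll!SHCreateLocalServerRunDll hosting one CLSID, and both rundll32.exe and compattelrunner.exe come back as roots unrelated to the sample, which is why they should not count against it.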

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence
    • Change Default File Association (T1042) ×1
    • Registry Run Keys / Startup Folder (T1060) ×1
  • Defense Evasion
    • Modify Registry (T1112) ×1
  • Discovery
    • Query Registry (T1012) ×1


Downloads

  • C:\Program Files\WinRAR\Rar.txt
    MD5     a8f8c90f6509564bd57daad2edce30aa
    SHA1    406b0aa8b39a623920f4836a5f697cfcc805f4c0
    SHA256  96e36b573501a985de0657fcb0ae37cedadee032e9bd85169c5950332710d8af
    SHA512  c5eb24d4f91f838fbf0f3aa0d3641271e1b7fda152316308b510fe0f8195fbd69a81e45a7d1184db2a36e94933a6bc13a05c728b9cef736fbb706294edb30ece

  • C:\Program Files\WinRAR\Uninstall.exe
    MD5     2224e053b0ba6170bd050c2bfb6804e9
    SHA1    d5ab5c7b043e21c3da3885fd37864d90abcdeca5
    SHA256  036230fa3d92bbeadb0dd0271a5ccd4d0be11cdcb35e7a1ec40c1defc24ff8b6
    SHA512  0577d78b2e273bc505df99ce4c324a803a36f20b620a6e10484cf2ff5f3a73825a51e34138a7b20d2d0aff6a048373121240e64d1cff4a4cf4be002603398de0

  • C:\Program Files\WinRAR\WhatsNew.txt
    MD5     bb536f2fecbb4dea479b604e8f481b2c
    SHA1    e1ddb46fa1645c4bd7a24aed2ed05af6f20b5125
    SHA256  2f34c18824209e8999cc226f77d270743484ac824c7583438cc49789e8abf71e
    SHA512  65b063986e600a776838d596f8610c6b4f4dc161dbf7fc7e081c5509879dcb7a851682ca7c413be57cb5ea11876981d02bcd45e6141cb39ed65a759d22054445

  • C:\Program Files\WinRAR\WinRAR.chm
    MD5     e2ea440ef0271f7fd713d24e38bd00b5
    SHA1    59bbee257325208db81f708be6cd4cac39e01479
    SHA256  ff85d20a9b7f3109a6a47d753ee96b350ca573947f63169c8aee9a552afd4a09
    SHA512  45dee1c29390211e09f1eee89f8b0f5b33394649a3eb1fd227b41b21f751eeccdb4ec91b2c1465d6985f56afa25396dc68b73cd5233f8a3898f17ebda33d7031

  • C:\Program Files\WinRAR\WinRAR.exe
    MD5     715065f9adf100230afcb91d99316050
    SHA1    be63a0681dfd56ddffb7aa1bf81f674bca7ba25e
    SHA256  9066f0bca50feae501b3d182de580a4e1159aec2d6ee01dcda043c02f79d741e
    SHA512  e85ff82facbaba904abef9c133098c64cdb9205d99dcd57532965c0157be09c08a755a718984165d681f45a92a8cc4eb8f0774e53b13d02171401873269c8a4e

  • C:\Program Files\WinRAR\uninstall.exe (same digests as Uninstall.exe above; one file listed twice by path case)
    MD5     2224e053b0ba6170bd050c2bfb6804e9
    SHA1    d5ab5c7b043e21c3da3885fd37864d90abcdeca5
    SHA256  036230fa3d92bbeadb0dd0271a5ccd4d0be11cdcb35e7a1ec40c1defc24ff8b6
    SHA512  0577d78b2e273bc505df99ce4c324a803a36f20b620a6e10484cf2ff5f3a73825a51e34138a7b20d2d0aff6a048373121240e64d1cff4a4cf4be002603398de0

  • \Program Files\WinRAR\RarExt.dll
    MD5     76ea3b599daf05d19ca7bfb94497347d
    SHA1    4b0f18a0acc434df0907dab5be2de1ca70e3560a
    SHA256  8990ae8c5d6bdc7dd63162d50eb8f2789957a4aa72d908e6107f36d7b1486441
    SHA512  c82ae8f0dd32a030691249eaeb5fc74485992e7f06143b934d6d00b05bc42d1e8b8d527a94d6d5240b731ee38f8b927337add72fb454c48d9005ebb1c05b43c5

  • memory/932-1-0x0000000000000000-mapping.dmp
  • memory/932-8-0x000001B367310000-0x000001B367311000-memory.dmp
    Filesize  4KB
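The dropped-file list is the part of a report that gets copied into blocklists and allowlists, so it is worth checking before use: digests scraped from a page can be truncated, the same file can appear under two path spellings (Uninstall.exe and uninstall.exe above), and the executables are the entries that need verifying against a trusted source. The script below is an added example, not code from the report or the sandbox vendor. It embeds the seven entries above (MD5, SHA1 and SHA256 only) as constructed input; the allowlist is an assumption containing just the report's own WinRAR.exe SHA256, standing in for hashes obtained from the vendor, and unqualified paths are assumed to be on C:.

```python
"""Sanity-check, de-duplicate and allowlist-compare a sandbox report's dropped-file
hashes (added example, not part of the report; the allowlist is assumed)."""
import re
from collections import defaultdict
from typing import Dict, List

# Constructed from the Downloads section above: (path, MD5, SHA1, SHA256).
REPORT_DROPPED = [
    (r"C:\Program Files\WinRAR\Rar.txt",
     "a8f8c90f6509564bd57daad2edce30aa",
     "406b0aa8b39a623920f4836a5f697cfcc805f4c0",
     "96e36b573501a985de0657fcb0ae37cedadee032e9bd85169c5950332710d8af"),
    (r"C:\Program Files\WinRAR\Uninstall.exe",
     "2224e053b0ba6170bd050c2bfb6804e9",
     "d5ab5c7b043e21c3da3885fd37864d90abcdeca5",
     "036230fa3d92bbeadb0dd0271a5ccd4d0be11cdcb35e7a1ec40c1defc24ff8b6"),
    (r"C:\Program Files\WinRAR\WhatsNew.txt",
     "bb536f2fecbb4dea479b604e8f481b2c",
     "e1ddb46fa1645c4bd7a24aed2ed05af6f20b5125",
     "2f34c18824209e8999cc226f77d270743484ac824c7583438cc49789e8abf71e"),
    (r"C:\Program Files\WinRAR\WinRAR.chm",
     "e2ea440ef0271f7fd713d24e38bd00b5",
     "59bbee257325208db81f708be6cd4cac39e01479",
     "ff85d20a9b7f3109a6a47d753ee96b350ca573947f63169c8aee9a552afd4a09"),
    (r"C:\Program Files\WinRAR\WinRAR.exe",
     "715065f9adf100230afcb91d99316050",
     "be63a0681dfd56ddffb7aa1bf81f674bca7ba25e",
     "9066f0bca50feae501b3d182de580a4e1159aec2d6ee01dcda043c02f79d741e"),
    (r"C:\Program Files\WinRAR\uninstall.exe",
     "2224e053b0ba6170bd050c2bfb6804e9",
     "d5ab5c7b043e21c3da3885fd37864d90abcdeca5",
     "036230fa3d92bbeadb0dd0271a5ccd4d0be11cdcb35e7a1ec40c1defc24ff8b6"),
    (r"\Program Files\WinRAR\RarExt.dll",
     "76ea3b599daf05d19ca7bfb94497347d",
     "4b0f18a0acc434df0907dab5be2de1ca70e3560a",
     "8990ae8c5d6bdc7dd63162d50eb8f2789957a4aa72d908e6107f36d7b1486441"),
]

HEX = re.compile(r"^[0-9a-f]+$")
EXPECTED_LEN = {"md5": 32, "sha1": 40, "sha256": 64}


def validate(entry) -> List[str]:
    """Problems with one (path, md5, sha1, sha256) tuple: wrong digest length or
    non-hex characters, the two usual symptoms of a scraped or hand-copied hash."""
    path, *digests = entry
    problems = []
    for name, value in zip(("md5", "sha1", "sha256"), digests):
        if len(value) != EXPECTED_LEN[name]:
            problems.append(f"{path}: {name} has length {len(value)}, expected {EXPECTED_LEN[name]}")
        elif not HEX.match(value.lower()):
            problems.append(f"{path}: {name} is not hex")
    return problems


def normalise_path(path: str) -> str:
    """Windows paths are case-insensitive; a missing drive letter is tolerated so
    '\\Program Files\\...' compares equal to 'C:\\Program Files\\...'."""
    p = path.lower()
    if p.startswith("\\"):
        p = "c:" + p  # assumption: the report's unqualified paths are on C:
    return p


def group_by_sha256(entries) -> Dict[str, List[str]]:
    """Map each SHA256 to the distinct normalised paths it was written to."""
    groups = defaultdict(set)
    for path, _md5, _sha1, sha256 in entries:
        groups[sha256.lower()].add(normalise_path(path))
    return {h: sorted(paths) for h, paths in groups.items()}


def case_variant_duplicates(entries) -> List[List[str]]:
    """Raw paths that differ only in case and carry the same SHA256: one file listed twice."""
    seen = defaultdict(set)
    for path, _md5, _sha1, sha256 in entries:
        seen[(normalise_path(path), sha256.lower())].add(path)
    return sorted(sorted(v) for v in seen.values() if len(v) > 1)


def unverified_executables(entries, allowlist) -> List[str]:
    """SHA256s of dropped .exe/.dll files that are not in the allowlist."""
    out = set()
    for path, _md5, _sha1, sha256 in entries:
        if path.lower().endswith((".exe", ".dll")) and sha256.lower() not in allowlist:
            out.add(sha256.lower())
    return sorted(out)


# Assumed allowlist: only WinRAR.exe's SHA256 from the report, standing in for a
# hash obtained from the vendor. Replace with real published hashes before use.
ASSUMED_ALLOWLIST = {"9066f0bca50feae501b3d182de580a4e1159aec2d6ee01dcda043c02f79d741e"}

if __name__ == "__main__":
    for e in REPORT_DROPPED:
        for problem in validate(e):
            print("PROBLEM:", problem)
    print("unique files:", len(group_by_sha256(REPORT_DROPPED)))
    print("listed twice:", case_variant_duplicates(REPORT_DROPPED))
    print("executables to verify:", unverified_executables(REPORT_DROPPED, ASSUMED_ALLOWLIST))
```

Run against the list above this yields six unique files from seven entries, one case-variant duplicate (Uninstall.exe / uninstall.exe), and two executable hashes left to verify under the assumed allowlist (the uninstaller and RarExt.dll); the point is that a dropped-file list is only as good as the hashes it is checked against, not the score next to it.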