936d435ddbfcaa21c9c701d8472367f0bd7992834e9dda1c8eeebf1b06ad3018

General

Target

wrar401.exe
Size

4.6MB
MD5

75e38ca41d5d7aad3812f23929b8b5f0
SHA1

4fd0c5ad493489a9741f8ec41ca4c984158ce39b
SHA256

936d435ddbfcaa21c9c701d8472367f0bd7992834e9dda1c8eeebf1b06ad3018
SHA512

cca1aa74b6b199a0b6d056686728598a015ef85df6c50aebc19e59b6b43839c3d91a0ea9323210b39bdef1fa852a58e940b099fcd68ea0c67557f7e86ddfb91c

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

installer.exeinstall.exe

pid process

2012 installer.exe
2556 install.exe

pid	process
2012	installer.exe
2556	install.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wrar401.exeinstaller.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	wrar401.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	installer.exe

Drops file in System32 directory 11 IoCs

Processes:

installer.exe

description	ioc	process
File created	C:\Windows\SysWOW64\__tmp_rar_sfx_access_check_240563859	installer.exe
File created	C:\Windows\SysWOW64\wrar401.exe	installer.exe
File opened for modification	C:\Windows\SysWOW64\wrar401.exe	installer.exe
File created	C:\Windows\SysWOW64\install.pdb	installer.exe
File created	C:\Windows\SysWOW64\install.exe.config	installer.exe
File opened for modification	C:\Windows\SysWOW64\install.exe.config	installer.exe
File opened for modification	C:\Windows\SysWOW64\install.pdb	installer.exe
File created	C:\Windows\SysWOW64\install.exe	installer.exe
File opened for modification	C:\Windows\SysWOW64\install.exe	installer.exe
File created	C:\Windows\SysWOW64\Siticone.UI.dll	installer.exe
File opened for modification	C:\Windows\SysWOW64\Siticone.UI.dll	installer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

install.exe

description pid process

Token: SeDebugPrivilege 2556 install.exe

description	pid	process
Token: SeDebugPrivilege	2556	install.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

wrar401.execmd.exeinstaller.exeinstall.exe

description	pid	process	target process
PID 1052 wrote to memory of 4304	1052	wrar401.exe	cmd.exe
PID 1052 wrote to memory of 4304	1052	wrar401.exe	cmd.exe
PID 4304 wrote to memory of 2012	4304	cmd.exe	installer.exe
PID 4304 wrote to memory of 2012	4304	cmd.exe	installer.exe
PID 4304 wrote to memory of 2012	4304	cmd.exe	installer.exe
PID 2012 wrote to memory of 2556	2012	installer.exe	install.exe
PID 2012 wrote to memory of 2556	2012	installer.exe	install.exe
PID 2556 wrote to memory of 4724	2556	install.exe	arp.exe
PID 2556 wrote to memory of 4724	2556	install.exe	arp.exe

C:\Users\Admin\AppData\Local\Temp\wrar401.exe
"C:\Users\Admin\AppData\Local\Temp\wrar401.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1052

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\A5BA.tmp\A5BB.tmp\A5BC.bat C:\Users\Admin\AppData\Local\Temp\wrar401.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4304

C:\Users\Admin\AppData\Local\Temp\A5BA.tmp\installer.exe
installer.exe
3⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2012

C:\Windows\SysWOW64\install.exe
"C:\Windows\System32\install.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2556

C:\Windows\System32\arp.exe
"C:\Windows\System32\arp.exe" -a
5⤵
PID:4724

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\A5BA.tmp\A5BB.tmp\A5BC.bat
Filesize
53B

MD5
24b4606a069ed7aaa553f26822ebcb51

SHA1
b45a99b7d2616595434bc58508e15c64bf559803

SHA256
3093270c3898f401c67e18769b332f6b57328f2507d109e291b4890fb65b9e95

SHA512
1b6a0a3f8645d481e58dee90f5cc9bfa4a6f8c90cfbcf36d3dd547ace06145a7f26dd6950afe7d77aefcad317df61d0c941277d4aa5129b6d0f351cc550bd0ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\A5BA.tmp\installer.exe
Filesize
4.7MB

MD5
36e6eb3fd16bf95570ae873050bb6eb7

SHA1
75ef13f9bebc47f3afdf811ba0d47c9979a10054

SHA256
6724f52f4651393a7a3e6350b4805d03d70ee07e53440d910526d0833cff1e6c

SHA512
2fc3159583b70b3152b79cceb7fc5d43acbfbfda542c88494feee7a72dec42f9e30cac053c07449aece817dbbefe39e439421ac1d3eb6e9fadfefaf2175cb6a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\A5BA.tmp\installer.exe
Filesize
4.7MB

MD5
36e6eb3fd16bf95570ae873050bb6eb7

SHA1
75ef13f9bebc47f3afdf811ba0d47c9979a10054

SHA256
6724f52f4651393a7a3e6350b4805d03d70ee07e53440d910526d0833cff1e6c

SHA512
2fc3159583b70b3152b79cceb7fc5d43acbfbfda542c88494feee7a72dec42f9e30cac053c07449aece817dbbefe39e439421ac1d3eb6e9fadfefaf2175cb6a9

Download Submit
C:\Windows\SysWOW64\install.exe
Filesize
197KB

MD5
1bfe99a81e04895a39171cd9ead96b02

SHA1
a8c6c3c4278d6cca85b00590ea8d6ba3dffb474f

SHA256
4885cced8c555984ea03f00590ddbcf3a579e4ac6baafec8414ea645dc20f24c

SHA512
09f58b75f6bc0b173248b5dadae39ef2da022d0a4e4b6229925ee1157cb90212b73825fb22e4707d16c8c9a59377108aa6151bab99f26fead92db5ff1947754b

Download Submit
C:\Windows\SysWOW64\install.exe
Filesize
197KB

MD5
1bfe99a81e04895a39171cd9ead96b02

SHA1
a8c6c3c4278d6cca85b00590ea8d6ba3dffb474f

SHA256
4885cced8c555984ea03f00590ddbcf3a579e4ac6baafec8414ea645dc20f24c

SHA512
09f58b75f6bc0b173248b5dadae39ef2da022d0a4e4b6229925ee1157cb90212b73825fb22e4707d16c8c9a59377108aa6151bab99f26fead92db5ff1947754b

Download Submit
C:\Windows\SysWOW64\install.exe.config
Filesize
189B

MD5
9dbad5517b46f41dbb0d8780b20ab87e

SHA1
ef6aef0b1ea5d01b6e088a8bf2f429773c04ba5e

SHA256
47e5a0f101af4151d7f13d2d6bfa9b847d5b5e4a98d1f4674b7c015772746cdf

SHA512
43825f5c26c54e1fc5bffcce30caad1449a28c0c9a9432e9ce17d255f8bf6057c1a1002d9471e5b654ab1de08fb6eabf96302cdb3e0fb4b63ba0ff186e903be8

Download Submit
memory/2012-132-0x0000000000000000-mapping.dmp

Download
memory/2556-135-0x0000000000000000-mapping.dmp

Download
memory/2556-139-0x00000256EC2E0000-0x00000256EC316000-memory.dmp

Filesize
216KB

Download
memory/2556-141-0x00007FF901A50000-0x00007FF902511000-memory.dmp

Filesize
10.8MB

Download
memory/2556-142-0x00007FF901A50000-0x00007FF902511000-memory.dmp

Filesize
10.8MB

Download
memory/4304-130-0x0000000000000000-mapping.dmp

Download
memory/4724-140-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads