Analysis
-
max time kernel
130s -
max time network
180s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
23-11-2022 11:16
General
-
Target
d8b1a5c0c766d20098a5af5ab0bb15b0f94fb996325750709532aad1b9f7fab0.exe
-
Size
2.5MB
-
MD5
014cd3b072e74479189692d7b068d67e
-
SHA1
5556f2f93ae98cdb45c8f1c03fa9ca16d8ba21cd
-
SHA256
d8b1a5c0c766d20098a5af5ab0bb15b0f94fb996325750709532aad1b9f7fab0
-
SHA512
815da85ab36b1adb9c4adb51895bdc5005b928f0ac7465e1ad5f5c86daf4c404f92a358bbf9673cffe7f4c93814a9ac26ead8bae9d503329acb190aae200f8c0
-
SSDEEP
49152:b1dlZoWMS9mY55KihPqtsdDbncedgl4NGzF2mgmEdv42gZ7KaRnPpHoM:b1dl2LSxPhyWN1gGNIUoag1KaRnRn
Malware Config
Extracted
C:\Program Files (x86)\WinRAR\Rar.txt
Signatures
-
Modifies system executable filetype association 2 TTPs 4 IoCs
-
Executes dropped EXE 7 IoCs
-
Registers COM server for autorun 1 TTPs 3 IoCs
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
-
Modifies registry class 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of WriteProcessMemory 28 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\d8b1a5c0c766d20098a5af5ab0bb15b0f94fb996325750709532aad1b9f7fab0.exe"C:\Users\Admin\AppData\Local\Temp\d8b1a5c0c766d20098a5af5ab0bb15b0f94fb996325750709532aad1b9f7fab0.exe"2⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Arhack.net-virus-noir.exe"C:\Program Files\Arhack.net-virus-noir.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5004 -s 2524⤵
- Program crash
-
C:\Program Files\Arhack.net-virus-noir.exe"C:\Program Files\Arhack.net-virus-noir.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Program Files\WinRar3.90.En.32Bit.exe"C:\Program Files\WinRar3.90.En.32Bit.exe"3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\wrar390.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\wrar390.exe" /s4⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\WinRAR\uninstall.exe"C:\Program Files (x86)\WinRAR\uninstall.exe" /setup5⤵
- Modifies system executable filetype association
- Executes dropped EXE
- Registers COM server for autorun
- Modifies registry class
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe"4⤵
- Executes dropped EXE
- Drops file in Program Files directory
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Themes.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Themes.exe"4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5004 -ip 50041⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
74KB
MD52db7c55f9938fd01ec676c9647511821
SHA16c42179826c545b4be5111c868583af45b5bab49
SHA256a7ca54826d518354c1b217fb101257617dea14d7ec41453f764a3b4ebd51d1ca
SHA512506959be9860716ab38eed75e78d559dd2e73ab468c42e3a728065a4147eec234cee1579556ad934bb077a8455d1df1ea77c17dfe809ec3c9bccae247834b865
-
Filesize
118KB
MD5a705bb794e08877c0cdc394794c17a15
SHA1f9d61ad0daffd814bb250907b1a6890c7bd74cdc
SHA256031718c5c886af08aaa0ef6872437b9b36bf632ab4bcabae1184a87b4e16f5e3
SHA512a339b4c45395e56dc70e0d3f1de7fa42344942471dc0b7f28164911d43cd20688bc4170a4f0c0451f51f77fd4b03831cb2904b2c5437b78dad27d46689cb537c
-
Filesize
250KB
MD55f922fdb5074423768d59998a6d47cbc
SHA18360381c0092106fb0c7c6770a008ffdd6f9a245
SHA256e4c52c63a4c8541fe35205ff066e92ffe66e066029b75814dc08b9c0f9e433c1
SHA5126bcb62d884098765467875903e2826d693277ff24991500ecc5718eadfa3965989dab19ee5ffb0bc0cdf659e43d1db8525fa17ab306e6aa81055bdb961adc828
-
Filesize
1013KB
MD5b6a214bacd0c5be45c4d093032dd884b
SHA12b589ba0e7af31182d47c92b57bbd31fb79331e0
SHA256113372e0dd513fb3bb37678004f23f7d346846601a9fec6cc369b8893c4239b2
SHA5127bcdeefa9764dc87f57cba4b7dab0f6d22f5b98a8f96cc9b2af38d1126ed0c68fbaf372c177b5aecdcb1dec81513657110b728436349d369685b19f33679a549
-
Filesize
118KB
MD5a705bb794e08877c0cdc394794c17a15
SHA1f9d61ad0daffd814bb250907b1a6890c7bd74cdc
SHA256031718c5c886af08aaa0ef6872437b9b36bf632ab4bcabae1184a87b4e16f5e3
SHA512a339b4c45395e56dc70e0d3f1de7fa42344942471dc0b7f28164911d43cd20688bc4170a4f0c0451f51f77fd4b03831cb2904b2c5437b78dad27d46689cb537c
-
Filesize
52KB
MD55900fd3e57de9eb88818a81d82b589b7
SHA1d15ff0f4c904581c89066f853568a70e03196723
SHA2569d2caf5ff2f1897ac2d32a64128ef195d70c3cf8fb911c73cafdc3ef51a32e4e
SHA512757b88a887ad87ccd617bcf7dd596449a07c91478be954c1ecb22d179ccab50d1bd203d0e60030d5ce09c6a426e467da419cedb17dd37d70d42d2ef5428142db
-
Filesize
52KB
MD55900fd3e57de9eb88818a81d82b589b7
SHA1d15ff0f4c904581c89066f853568a70e03196723
SHA2569d2caf5ff2f1897ac2d32a64128ef195d70c3cf8fb911c73cafdc3ef51a32e4e
SHA512757b88a887ad87ccd617bcf7dd596449a07c91478be954c1ecb22d179ccab50d1bd203d0e60030d5ce09c6a426e467da419cedb17dd37d70d42d2ef5428142db
-
Filesize
52KB
MD55900fd3e57de9eb88818a81d82b589b7
SHA1d15ff0f4c904581c89066f853568a70e03196723
SHA2569d2caf5ff2f1897ac2d32a64128ef195d70c3cf8fb911c73cafdc3ef51a32e4e
SHA512757b88a887ad87ccd617bcf7dd596449a07c91478be954c1ecb22d179ccab50d1bd203d0e60030d5ce09c6a426e467da419cedb17dd37d70d42d2ef5428142db
-
Filesize
2.4MB
MD51efb3a4f7aeb5312629a6b1fe85b3c79
SHA14bf5a5f696a1a3779002d21c1db07e50e60cb9ad
SHA256ee70c6272a6a3c49223c40d7d1b432e596f8697f396d9d107cc3620d19d187d9
SHA5129816c26a9447ebd90d2a10c373aa2e2e5a9b1d9d6a6b4511654f324518bfcd5fa2642ea40c0fb2382038015121cb5146b0d21a6599378b137c1133e85e5a0077
-
Filesize
2.4MB
MD51efb3a4f7aeb5312629a6b1fe85b3c79
SHA14bf5a5f696a1a3779002d21c1db07e50e60cb9ad
SHA256ee70c6272a6a3c49223c40d7d1b432e596f8697f396d9d107cc3620d19d187d9
SHA5129816c26a9447ebd90d2a10c373aa2e2e5a9b1d9d6a6b4511654f324518bfcd5fa2642ea40c0fb2382038015121cb5146b0d21a6599378b137c1133e85e5a0077
-
Filesize
105KB
MD5e56af90a816be1cc677971eb5ffc8700
SHA18c7e5a9e45b4f34c9c4bad16c276abc9a38ea347
SHA256252e402ec95a7fc80cd09d700918742fdd4f98f66f62867b4eb30c92e2da5fb3
SHA5128043439f8c22bd2f46b41bdba2370538dacb7e0a1c3f28f5a6d40cfbaf7689e1927b6ac60716af412961ce5d4308c3e6be6e70736e0f019a43b6e3b1914aea4a
-
Filesize
105KB
MD5e56af90a816be1cc677971eb5ffc8700
SHA18c7e5a9e45b4f34c9c4bad16c276abc9a38ea347
SHA256252e402ec95a7fc80cd09d700918742fdd4f98f66f62867b4eb30c92e2da5fb3
SHA5128043439f8c22bd2f46b41bdba2370538dacb7e0a1c3f28f5a6d40cfbaf7689e1927b6ac60716af412961ce5d4308c3e6be6e70736e0f019a43b6e3b1914aea4a
-
Filesize
1.1MB
MD5627d65e4bcf9755563469958a9cfff01
SHA164238abcd39e53e75f02361106f4829836d4fbb7
SHA2569f947695f9aff8b1f2e3053b0d5973735a107a046516271a37d8a19b99ee2cf2
SHA5126a43873eeaedcb17f1470e934a666d336321bd5fe3ee2061b28152b18af050eb3666e186624ccbdfe1048a0c07242032bac4b3d9557d544de95ce6b0d2a4d96d
-
Filesize
1.1MB
MD5627d65e4bcf9755563469958a9cfff01
SHA164238abcd39e53e75f02361106f4829836d4fbb7
SHA2569f947695f9aff8b1f2e3053b0d5973735a107a046516271a37d8a19b99ee2cf2
SHA5126a43873eeaedcb17f1470e934a666d336321bd5fe3ee2061b28152b18af050eb3666e186624ccbdfe1048a0c07242032bac4b3d9557d544de95ce6b0d2a4d96d
-
Filesize
1.3MB
MD52e38f5b68304888fe0d9bf4f4b04c75d
SHA1f97978ee88ef01f2e3cd03ca423db67510cd0ea8
SHA25670daca199943171c9b38ae35e068c0aa4932b967c57c16c728b89e29d6f98193
SHA512e6de8376f3abb6e70cdb34b7839336822c33a42f92aeb179072111a92a50b74ebcf8cdcf4a1e76b9f6c04ddb5373bf4d968a23e2dca0633318ec4e8dfa3bb6b5
-
Filesize
1.3MB
MD52e38f5b68304888fe0d9bf4f4b04c75d
SHA1f97978ee88ef01f2e3cd03ca423db67510cd0ea8
SHA25670daca199943171c9b38ae35e068c0aa4932b967c57c16c728b89e29d6f98193
SHA512e6de8376f3abb6e70cdb34b7839336822c33a42f92aeb179072111a92a50b74ebcf8cdcf4a1e76b9f6c04ddb5373bf4d968a23e2dca0633318ec4e8dfa3bb6b5
-
Filesize
28KB
-
-
-
-
-
-
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
76KB
-