banload | 03972156b5539d2d6f4a54d148d0675b1854affb6962ff45eb050fa2949de1ae

Analysis

max time kernel
146s
max time network
87s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
25-11-2022 12:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

03972156b5539d2d6f4a54d148d0675b1854affb6962ff45eb050fa2949de1ae.exe
Size

3.3MB
MD5

6b92231989ecee7ef9e56c3302b30b01
SHA1

165c4b79ea8dd05ae7a3f9bd3f53bd1938df5252
SHA256

03972156b5539d2d6f4a54d148d0675b1854affb6962ff45eb050fa2949de1ae
SHA512

59406f2bef642a7ed41da5d45aa2ac14b6bac991be4e1162c5cb8604441a9d61c0b7dc4f4bdad92aff96477e9de4cbf5605dc66a5804821e8cbd7d17a40025eb
SSDEEP

98304:wXz+3XYfN8kLukg6EtXn4y+GiN59CnGSV9T4GMvx:4KHYfN7LYdn4ldN7SVF4GMvx

Score

10^/10

banload discovery downloader dropper evasion trojan

Malware Config

Signatures

Banload
Banload variants download malicious files, then install and execute the files.
trojan dropper downloader banload

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

winrar.exewinzip.exewinrar.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	winrar.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	winzip.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	winrar.exe

Executes dropped EXE 6 IoCs

Processes:

winrar.exewinrar.exewinzip.exewinzip.exewinrar.exewinrar.exe

pid process

1676 winrar.exe
1320 winrar.exe
928 winzip.exe
1004 winzip.exe
896 winrar.exe
632 winrar.exe

pid	process
1676	winrar.exe
1320	winrar.exe
928	winzip.exe
1004	winzip.exe
896	winrar.exe
632	winrar.exe

Checks BIOS information in registry 2 TTPs 6 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

winrar.exewinzip.exewinrar.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	winrar.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winrar.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	winzip.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winzip.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	winrar.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winrar.exe

Loads dropped DLL 3 IoCs

Processes:

03972156b5539d2d6f4a54d148d0675b1854affb6962ff45eb050fa2949de1ae.exe

pid	process
2028	03972156b5539d2d6f4a54d148d0675b1854affb6962ff45eb050fa2949de1ae.exe
2028	03972156b5539d2d6f4a54d148d0675b1854affb6962ff45eb050fa2949de1ae.exe
2028	03972156b5539d2d6f4a54d148d0675b1854affb6962ff45eb050fa2949de1ae.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 6 IoCs

Processes:

03972156b5539d2d6f4a54d148d0675b1854affb6962ff45eb050fa2949de1ae.exewinrar.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\WinRar\WinRar\winrar.exe	03972156b5539d2d6f4a54d148d0675b1854affb6962ff45eb050fa2949de1ae.exe
File opened for modification	C:\Program Files (x86)\WinRar\WinRar\winzip.exe	03972156b5539d2d6f4a54d148d0675b1854affb6962ff45eb050fa2949de1ae.exe
File opened for modification	C:\Program Files (x86)\WinRar\WinRar\oops.exe	03972156b5539d2d6f4a54d148d0675b1854affb6962ff45eb050fa2949de1ae.exe
File opened for modification	C:\Program Files (x86)\WinRar\WinRar\error.vbs	03972156b5539d2d6f4a54d148d0675b1854affb6962ff45eb050fa2949de1ae.exe
File created	C:\Program Files (x86)\temp\winrar.exe	winrar.exe
File opened for modification	C:\Program Files (x86)\temp\winrar.exe	winrar.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 64 IoCs

Processes:

winrar.exewinzip.exewinrar.exe03972156b5539d2d6f4a54d148d0675b1854affb6962ff45eb050fa2949de1ae.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F1B81B0B-524A-556C-4EF3-A278C0AE8EFB}\InprocServer32	winrar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F1B81B0B-524A-556C-4EF3-A278C0AE8EFB}\edfxlo = "]XiOtwxXXAepKK]vXJHkG"	winzip.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\{4091E799-A708-13D1-B2E4-0060975B8649}\kJVljdjmco = "xJk\|\|BnAw]uH\x7feFdWWse\|OgMV\\yBQLsv"	winzip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F1B81B0B-524A-556C-4EF3-A278C0AE8EFB}\edmj = "o`QEsQZq_Nba~otu`vn"	winrar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F1B81B0B-524A-556C-4EF3-A278C0AE8EFB}\ = "IP Security Monitor"	winrar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F1B81B0B-524A-556C-4EF3-A278C0AE8EFB}\tuub = "_\\BKX\|NU_sN@blmAp"	winrar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F1B81B0B-524A-556C-4EF3-A278C0AE8EFB}\spqhyuJqyxZ = "\|"	winrar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F1B81B0B-524A-556C-4EF3-A278C0AE8EFB}\spqhyuJqyxZ = "H"	winrar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F1B81B0B-524A-556C-4EF3-A278C0AE8EFB}\edmj = "o`QEsQZq_Nba~otu`vn"	winzip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F1B81B0B-524A-556C-4EF3-A278C0AE8EFB}\kJVljdjmco = "lVCTfhjqPLiAzL~a}@CaDEQIjRiL@MJS"	winrar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F1B81B0B-524A-556C-4EF3-A278C0AE8EFB}\edfxlo = "]XiOtwxXXAepHK]vXJHkD"	winrar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cbffile	03972156b5539d2d6f4a54d148d0675b1854affb6962ff45eb050fa2949de1ae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cbffile\shell	03972156b5539d2d6f4a54d148d0675b1854affb6962ff45eb050fa2949de1ae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F1B81B0B-524A-556C-4EF3-A278C0AE8EFB}\tuub = "_\\BKX\|NU_sN@blmAp"	winzip.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\{4091E799-A708-13D1-B2E4-0060975B8649}\spqhyuJqyxZ = "ajYf\\T~zDLB@"	winzip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F1B81B0B-524A-556C-4EF3-A278C0AE8EFB}\edfxlo = "]XiOtwxXXAepHK]vXJHkD"	winzip.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\{4091E799-A708-13D1-B2E4-0060975B8649}\myps = "lLMBFYaXvHKPtcnSTAMTSxn"	winrar.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\{4091E799-A708-13D1-B2E4-0060975B8649}\edmj = "LeRD\x7foQ@RkrD\|eiFq`S"	winrar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F1B81B0B-524A-556C-4EF3-A278C0AE8EFB}\smcacLnrvz = "g~\x7f}]aCcmemuXcdrUz"	winrar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.cbf	03972156b5539d2d6f4a54d148d0675b1854affb6962ff45eb050fa2949de1ae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cbffile\shell\open\command\ = "C:\\Program Files (x86)\\WinRar\\WinRar\\oops.exe \"%1\""	03972156b5539d2d6f4a54d148d0675b1854affb6962ff45eb050fa2949de1ae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F1B81B0B-524A-556C-4EF3-A278C0AE8EFB}\smcacLnrvz = "g~\x7f}]aCamemuXmfdMw"	winrar.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\{4091E799-A708-13D1-B2E4-0060975B8649}\kJVljdjmco = "xJk\|\|BnAw]uH\x7feFdWWse\|OgMV\\yBQLsv"	winrar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F1B81B0B-524A-556C-4EF3-A278C0AE8EFB}\smcacLnrvz = "g~\x7f}]aC`memuXneH}~"	winrar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F1B81B0B-524A-556C-4EF3-A278C0AE8EFB}\spqhyuJqyxZ = "T"	winrar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F1B81B0B-524A-556C-4EF3-A278C0AE8EFB}\smcacLnrvz = "g~\\~YKdL\\GDzLx]pDL"	winzip.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\{4091E799-A708-13D1-B2E4-0060975B8649}\edfxlo = "CKrQGSVVxDVTWfuAVT}Ut"	winzip.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\{4091E799-A708-13D1-B2E4-0060975B8649}\smcacLnrvz = "GFhFW`ci^xoBgOqcO]"	winzip.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\{4091E799-A708-13D1-B2E4-0060975B8649}\smcacLnrvz = "GFKESJDDoZFMsZJwFf"	winrar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F1B81B0B-524A-556C-4EF3-A278C0AE8EFB}\dfPXct = "fyUB{B_S^UyniQSzxtooT]yK^CPV"	winzip.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\{4091E799-A708-13D1-B2E4-0060975B8649}\myps = "lLMBFYaXvHKPtcnSTAMTSxn"	winzip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F1B81B0B-524A-556C-4EF3-A278C0AE8EFB}\spqhyuJqyxZ = "[TpmO}vQ\\O\|p"	winzip.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\{4091E799-A708-13D1-B2E4-0060975B8649}\edmj = "LeRD\x7foQ@RkrD\|eiFq`S"	winzip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F1B81B0B-524A-556C-4EF3-A278C0AE8EFB}\edfxlo = "]XiOtwxXXAepIK]vXJHkE"	winrar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F1B81B0B-524A-556C-4EF3-A278C0AE8EFB}\spqhyuJqyxZ = "_TpmO}ryY`}@"	winzip.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\{4091E799-A708-13D1-B2E4-0060975B8649}\spqhyuJqyxZ = "ijYf\\TNUkCR@"	winzip.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\{4091E799-A708-13D1-B2E4-0060975B8649}\dfPXct = "fwkO^YxkmBZXeWiDhdnoEVx_hYs@"	winrar.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\{4091E799-A708-13D1-B2E4-0060975B8649}\smcacLnrvz = "GFKESJDEoZFMsYI[vo"	winrar.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\{4091E799-A708-13D1-B2E4-0060975B8649}\tuub = "fdyR[P\|tZplf_wiyb"	winzip.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\{4091E799-A708-13D1-B2E4-0060975B8649}\spqhyuJqyxZ = "ejYf\\TzRAcCp"	winzip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cbffile\DefaultIcon	03972156b5539d2d6f4a54d148d0675b1854affb6962ff45eb050fa2949de1ae.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\{4091E799-A708-13D1-B2E4-0060975B8649}	winzip.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\{4091E799-A708-13D1-B2E4-0060975B8649}\dfPXct = "fwkO^YxkmBZXeWiDhdnoEVx_hYs@"	winzip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F1B81B0B-524A-556C-4EF3-A278C0AE8EFB}\spqhyuJqyxZ = "WTpmO}BVvom@"	winzip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F1B81B0B-524A-556C-4EF3-A278C0AE8EFB}\dfPXct = "fyUB{B_S^UyniQSzxtooT]yK^CPV"	winrar.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\{4091E799-A708-13D1-B2E4-0060975B8649}\tuub = "fdyR[P\|tZplf_wiyb"	winrar.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\{4091E799-A708-13D1-B2E4-0060975B8649}\edfxlo = "CKrQGSVVxDVTUfuAVT}Uv"	winrar.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\{4091E799-A708-13D1-B2E4-0060975B8649}\spqhyuJqyxZ = "t"	winrar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.cbf\ = "cbffile"	03972156b5539d2d6f4a54d148d0675b1854affb6962ff45eb050fa2949de1ae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cbffile\shell\open\command	03972156b5539d2d6f4a54d148d0675b1854affb6962ff45eb050fa2949de1ae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cbffile\shell\open	03972156b5539d2d6f4a54d148d0675b1854affb6962ff45eb050fa2949de1ae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F1B81B0B-524A-556C-4EF3-A278C0AE8EFB}\InprocServer32\ = "C:\\Windows\\SysWOW64\\ipsmsnap.dll"	winrar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F1B81B0B-524A-556C-4EF3-A278C0AE8EFB}\InprocServer32\ThreadingModel = "both"	winrar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F1B81B0B-524A-556C-4EF3-A278C0AE8EFB}\myps = "Hvf{\|kdsqJU}eI{yJ\|hk@Sg"	winzip.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\{4091E799-A708-13D1-B2E4-0060975B8649}\edfxlo = "CKrQGSVVxDVTTfuAVT}Uw"	winrar.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\{4091E799-A708-13D1-B2E4-0060975B8649}\spqhyuJqyxZ = "@"	winrar.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\{4091E799-A708-13D1-B2E4-0060975B8649}\spqhyuJqyxZ = "h"	winrar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cbffile\DefaultIcon\ = "C:\\Program Files (x86)\\WinRar\\WinRar\\oops.exe,0"	03972156b5539d2d6f4a54d148d0675b1854affb6962ff45eb050fa2949de1ae.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\{4091E799-A708-13D1-B2E4-0060975B8649}\spqhyuJqyxZ = "mjYf\\TbWNc]P"	winzip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F1B81B0B-524A-556C-4EF3-A278C0AE8EFB}	winrar.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\{4091E799-A708-13D1-B2E4-0060975B8649}\edfxlo = "CKrQGSVVxDVTTfuAVT}Uw"	winzip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F1B81B0B-524A-556C-4EF3-A278C0AE8EFB}\myps = "Hvf{\|kdsqJU}eI{yJ\|hk@Sg"	winrar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F1B81B0B-524A-556C-4EF3-A278C0AE8EFB}\kJVljdjmco = "lVCTfhjqPLiAzL~a}@CaDEQIjRiL@MJS"	winzip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F1B81B0B-524A-556C-4EF3-A278C0AE8EFB}\spqhyuJqyxZ = "STpmO}nTSObP"	winzip.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

winrar.exe

pid process

1320 winrar.exe

pid	process
1320	winrar.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

winrar.exewinzip.exewinrar.exe

description	pid	process
Token: 33	1320	winrar.exe
Token: SeIncBasePriorityPrivilege	1320	winrar.exe
Token: 33	1320	winrar.exe
Token: SeIncBasePriorityPrivilege	1320	winrar.exe
Token: 33	1004	winzip.exe
Token: SeIncBasePriorityPrivilege	1004	winzip.exe
Token: 33	1004	winzip.exe
Token: SeIncBasePriorityPrivilege	1004	winzip.exe
Token: 33	632	winrar.exe
Token: SeIncBasePriorityPrivilege	632	winrar.exe
Token: 33	632	winrar.exe
Token: SeIncBasePriorityPrivilege	632	winrar.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

03972156b5539d2d6f4a54d148d0675b1854affb6962ff45eb050fa2949de1ae.exewinrar.exewinzip.exe

description	pid	process	target process
PID 2028 wrote to memory of 1676	2028	03972156b5539d2d6f4a54d148d0675b1854affb6962ff45eb050fa2949de1ae.exe	winrar.exe
PID 2028 wrote to memory of 1676	2028	03972156b5539d2d6f4a54d148d0675b1854affb6962ff45eb050fa2949de1ae.exe	winrar.exe
PID 2028 wrote to memory of 1676	2028	03972156b5539d2d6f4a54d148d0675b1854affb6962ff45eb050fa2949de1ae.exe	winrar.exe
PID 2028 wrote to memory of 1676	2028	03972156b5539d2d6f4a54d148d0675b1854affb6962ff45eb050fa2949de1ae.exe	winrar.exe
PID 1676 wrote to memory of 1320	1676	winrar.exe	winrar.exe
PID 1676 wrote to memory of 1320	1676	winrar.exe	winrar.exe
PID 1676 wrote to memory of 1320	1676	winrar.exe	winrar.exe
PID 1676 wrote to memory of 1320	1676	winrar.exe	winrar.exe
PID 1676 wrote to memory of 1320	1676	winrar.exe	winrar.exe
PID 1676 wrote to memory of 1320	1676	winrar.exe	winrar.exe
PID 2028 wrote to memory of 928	2028	03972156b5539d2d6f4a54d148d0675b1854affb6962ff45eb050fa2949de1ae.exe	winzip.exe
PID 2028 wrote to memory of 928	2028	03972156b5539d2d6f4a54d148d0675b1854affb6962ff45eb050fa2949de1ae.exe	winzip.exe
PID 2028 wrote to memory of 928	2028	03972156b5539d2d6f4a54d148d0675b1854affb6962ff45eb050fa2949de1ae.exe	winzip.exe
PID 2028 wrote to memory of 928	2028	03972156b5539d2d6f4a54d148d0675b1854affb6962ff45eb050fa2949de1ae.exe	winzip.exe
PID 928 wrote to memory of 1004	928	winzip.exe	winzip.exe
PID 928 wrote to memory of 1004	928	winzip.exe	winzip.exe
PID 928 wrote to memory of 1004	928	winzip.exe	winzip.exe
PID 928 wrote to memory of 1004	928	winzip.exe	winzip.exe
PID 928 wrote to memory of 1004	928	winzip.exe	winzip.exe
PID 928 wrote to memory of 1004	928	winzip.exe	winzip.exe
PID 2028 wrote to memory of 1652	2028	03972156b5539d2d6f4a54d148d0675b1854affb6962ff45eb050fa2949de1ae.exe	WScript.exe
PID 2028 wrote to memory of 1652	2028	03972156b5539d2d6f4a54d148d0675b1854affb6962ff45eb050fa2949de1ae.exe	WScript.exe
PID 2028 wrote to memory of 1652	2028	03972156b5539d2d6f4a54d148d0675b1854affb6962ff45eb050fa2949de1ae.exe	WScript.exe
PID 2028 wrote to memory of 1652	2028	03972156b5539d2d6f4a54d148d0675b1854affb6962ff45eb050fa2949de1ae.exe	WScript.exe
PID 1676 wrote to memory of 1320	1676	winrar.exe	winrar.exe
PID 1676 wrote to memory of 1320	1676	winrar.exe	winrar.exe
PID 1676 wrote to memory of 1320	1676	winrar.exe	winrar.exe
PID 928 wrote to memory of 1004	928	winzip.exe	winzip.exe
PID 1676 wrote to memory of 1320	1676	winrar.exe	winrar.exe
PID 1676 wrote to memory of 1320	1676	winrar.exe	winrar.exe
PID 1676 wrote to memory of 1320	1676	winrar.exe	winrar.exe
PID 1676 wrote to memory of 1320	1676	winrar.exe	winrar.exe
PID 1676 wrote to memory of 1320	1676	winrar.exe	winrar.exe
PID 1676 wrote to memory of 1320	1676	winrar.exe	winrar.exe
PID 1676 wrote to memory of 1320	1676	winrar.exe	winrar.exe
PID 1676 wrote to memory of 1320	1676	winrar.exe	winrar.exe
PID 1676 wrote to memory of 1320	1676	winrar.exe	winrar.exe
PID 1676 wrote to memory of 1320	1676	winrar.exe	winrar.exe
PID 1676 wrote to memory of 1320	1676	winrar.exe	winrar.exe
PID 1676 wrote to memory of 1320	1676	winrar.exe	winrar.exe
PID 1676 wrote to memory of 1320	1676	winrar.exe	winrar.exe
PID 1676 wrote to memory of 1320	1676	winrar.exe	winrar.exe
PID 1676 wrote to memory of 1320	1676	winrar.exe	winrar.exe
PID 1676 wrote to memory of 1320	1676	winrar.exe	winrar.exe
PID 1676 wrote to memory of 1320	1676	winrar.exe	winrar.exe
PID 1676 wrote to memory of 1320	1676	winrar.exe	winrar.exe
PID 1676 wrote to memory of 1320	1676	winrar.exe	winrar.exe
PID 1676 wrote to memory of 1320	1676	winrar.exe	winrar.exe
PID 1676 wrote to memory of 1320	1676	winrar.exe	winrar.exe
PID 1676 wrote to memory of 1320	1676	winrar.exe	winrar.exe
PID 1676 wrote to memory of 1320	1676	winrar.exe	winrar.exe
PID 1676 wrote to memory of 1320	1676	winrar.exe	winrar.exe
PID 1676 wrote to memory of 1320	1676	winrar.exe	winrar.exe
PID 1676 wrote to memory of 1320	1676	winrar.exe	winrar.exe
PID 1676 wrote to memory of 1320	1676	winrar.exe	winrar.exe
PID 1676 wrote to memory of 1320	1676	winrar.exe	winrar.exe
PID 1676 wrote to memory of 1320	1676	winrar.exe	winrar.exe
PID 1676 wrote to memory of 1320	1676	winrar.exe	winrar.exe
PID 1676 wrote to memory of 1320	1676	winrar.exe	winrar.exe
PID 1676 wrote to memory of 1320	1676	winrar.exe	winrar.exe
PID 1676 wrote to memory of 1320	1676	winrar.exe	winrar.exe
PID 1676 wrote to memory of 1320	1676	winrar.exe	winrar.exe
PID 1676 wrote to memory of 1320	1676	winrar.exe	winrar.exe
PID 1676 wrote to memory of 1320	1676	winrar.exe	winrar.exe

C:\Users\Admin\AppData\Local\Temp\03972156b5539d2d6f4a54d148d0675b1854affb6962ff45eb050fa2949de1ae.exe
"C:\Users\Admin\AppData\Local\Temp\03972156b5539d2d6f4a54d148d0675b1854affb6962ff45eb050fa2949de1ae.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2028

C:\Program Files (x86)\WinRar\WinRar\winrar.exe
"C:\Program Files (x86)\WinRar\WinRar\winrar.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1676

C:\Program Files (x86)\WinRar\WinRar\winrar.exe
"C:\Program Files (x86)\WinRar\WinRar\winrar.exe"
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1320

C:\Program Files (x86)\WinRar\WinRar\winrar.exe
"C:\Program Files (x86)\WinRar\WinRar\winrar.exe" runas
4⤵
- Executes dropped EXE
PID:896

C:\Program Files (x86)\WinRar\WinRar\winrar.exe
"C:\Program Files (x86)\WinRar\WinRar\winrar.exe" runas
5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:632

C:\Program Files (x86)\WinRar\WinRar\winzip.exe
"C:\Program Files (x86)\WinRar\WinRar\winzip.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:928

C:\Program Files (x86)\WinRar\WinRar\winzip.exe
"C:\Program Files (x86)\WinRar\WinRar\winzip.exe"
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1004

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\WinRar\WinRar\error.vbs"
2⤵
PID:1652

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\WinRar\WinRar\error.vbs
Filesize
143B

MD5
e607596ab74fe74b9476affbdd6c1b13

SHA1
e3b6975f483da4a24c729cb37e5421184dc63392

SHA256
82668703d21f77ba26104eb17ce4def042a11981cd0c403294a9a1b0091940fd

SHA512
ed0713b0945e7c5aed88baedfec9c16214078d27325a722792e2726677e0f3c819d0ab0c22c14a354c4b5ed8bdd58829f057a52253759a1b27ce8d6cbf240cf3

Download Submit
C:\Program Files (x86)\WinRar\WinRar\winrar.exe
Filesize
2.4MB

MD5
db7b170646af4bee6bdab96e9a4bf0ed

SHA1
1279e5847dc4f852e627532933cb3b062d930b68

SHA256
75dc5bf910b3abdfa429183a3bac70f1b59b1ac7d5b5af1567da163eb1e110f4

SHA512
e8e02da91682b68a7c1f7ac72db090288beedbb1fd934dac08d042714adfb8de46055cef4fc1badb5d34fa495db999b06a72001fe014e94770ff3a21f15104af

Download Submit
C:\Program Files (x86)\WinRar\WinRar\winrar.exe
Filesize
2.4MB

MD5
db7b170646af4bee6bdab96e9a4bf0ed

SHA1
1279e5847dc4f852e627532933cb3b062d930b68

SHA256
75dc5bf910b3abdfa429183a3bac70f1b59b1ac7d5b5af1567da163eb1e110f4

SHA512
e8e02da91682b68a7c1f7ac72db090288beedbb1fd934dac08d042714adfb8de46055cef4fc1badb5d34fa495db999b06a72001fe014e94770ff3a21f15104af

Download Submit
C:\Program Files (x86)\WinRar\WinRar\winrar.exe
Filesize
2.4MB

MD5
db7b170646af4bee6bdab96e9a4bf0ed

SHA1
1279e5847dc4f852e627532933cb3b062d930b68

SHA256
75dc5bf910b3abdfa429183a3bac70f1b59b1ac7d5b5af1567da163eb1e110f4

SHA512
e8e02da91682b68a7c1f7ac72db090288beedbb1fd934dac08d042714adfb8de46055cef4fc1badb5d34fa495db999b06a72001fe014e94770ff3a21f15104af

Download Submit
C:\Program Files (x86)\WinRar\WinRar\winrar.exe
Filesize
2.4MB

MD5
db7b170646af4bee6bdab96e9a4bf0ed

SHA1
1279e5847dc4f852e627532933cb3b062d930b68

SHA256
75dc5bf910b3abdfa429183a3bac70f1b59b1ac7d5b5af1567da163eb1e110f4

SHA512
e8e02da91682b68a7c1f7ac72db090288beedbb1fd934dac08d042714adfb8de46055cef4fc1badb5d34fa495db999b06a72001fe014e94770ff3a21f15104af

Download Submit
C:\Program Files (x86)\WinRar\WinRar\winrar.exe
Filesize
2.4MB

MD5
db7b170646af4bee6bdab96e9a4bf0ed

SHA1
1279e5847dc4f852e627532933cb3b062d930b68

SHA256
75dc5bf910b3abdfa429183a3bac70f1b59b1ac7d5b5af1567da163eb1e110f4

SHA512
e8e02da91682b68a7c1f7ac72db090288beedbb1fd934dac08d042714adfb8de46055cef4fc1badb5d34fa495db999b06a72001fe014e94770ff3a21f15104af

Download Submit
C:\Program Files (x86)\WinRar\WinRar\winzip.exe
Filesize
1.8MB

MD5
ad2f0e83f85c90b816c3e129d5ba619e

SHA1
4394a058e5a0879452d6af1ae63d702ff07dbf08

SHA256
4a24f422f010122bde91c5cb6825a7fdcefa01a9b6fe2e8c9d3239a031558b10

SHA512
ef26ef74c392dc403747241172156cef414c6b36ad82b1d72ce44f2ca4dcf495fdc07f54ef12be0e44683456e3cb8c10aea78029af243d31f63093301a329424

Download Submit
C:\Program Files (x86)\WinRar\WinRar\winzip.exe
Filesize
1.8MB

MD5
ad2f0e83f85c90b816c3e129d5ba619e

SHA1
4394a058e5a0879452d6af1ae63d702ff07dbf08

SHA256
4a24f422f010122bde91c5cb6825a7fdcefa01a9b6fe2e8c9d3239a031558b10

SHA512
ef26ef74c392dc403747241172156cef414c6b36ad82b1d72ce44f2ca4dcf495fdc07f54ef12be0e44683456e3cb8c10aea78029af243d31f63093301a329424

Download Submit
C:\Program Files (x86)\WinRar\WinRar\winzip.exe
Filesize
1.8MB

MD5
ad2f0e83f85c90b816c3e129d5ba619e

SHA1
4394a058e5a0879452d6af1ae63d702ff07dbf08

SHA256
4a24f422f010122bde91c5cb6825a7fdcefa01a9b6fe2e8c9d3239a031558b10

SHA512
ef26ef74c392dc403747241172156cef414c6b36ad82b1d72ce44f2ca4dcf495fdc07f54ef12be0e44683456e3cb8c10aea78029af243d31f63093301a329424

Download Submit
C:\ProgramData\TEMP\RAIDTest
Filesize
4B

MD5
959dedb23f3421e58d16c60eff6a367b

SHA1
7bdb5d6220d393c9020ba05bedeedb7fbb31b6ab

SHA256
205549d84f02f8d00a6547a0259b5ce7728d3af0a248cac8a6d3fcda2b287ce0

SHA512
c8151442fb6e2f0437550eb3e99f696f9fbd41230ee47d5de41223e2ad62e23bc1e7a05afb05d4a978b147f313fc9220282619d9b0dee594644573be22fbb491

Download Submit
C:\Users\Admin\AppData\Local\Temp\4091E799.TMP
Filesize
118B

MD5
a33a9cad96fdbc52a9ad88bf3b5c9e8d

SHA1
19febcaf0ddffd2c77fb42644b9ca5ceaf839675

SHA256
f8920663d5c00f8348b692d8b8603103c80e0ec3207173f63f215d4ec69a287b

SHA512
0d66c482193b17fd0e3fa0d27d4e876ebaaa371ad39f871500c861e496021017641812a82b4534012387ac417d91e59dfeced725915f56fa2362fc0ba4572000

Download Submit
\Program Files (x86)\WinRar\WinRar\winrar.exe
Filesize
2.4MB

MD5
db7b170646af4bee6bdab96e9a4bf0ed

SHA1
1279e5847dc4f852e627532933cb3b062d930b68

SHA256
75dc5bf910b3abdfa429183a3bac70f1b59b1ac7d5b5af1567da163eb1e110f4

SHA512
e8e02da91682b68a7c1f7ac72db090288beedbb1fd934dac08d042714adfb8de46055cef4fc1badb5d34fa495db999b06a72001fe014e94770ff3a21f15104af

Download Submit
\Program Files (x86)\WinRar\WinRar\winrar.exe
Filesize
2.4MB

MD5
db7b170646af4bee6bdab96e9a4bf0ed

SHA1
1279e5847dc4f852e627532933cb3b062d930b68

SHA256
75dc5bf910b3abdfa429183a3bac70f1b59b1ac7d5b5af1567da163eb1e110f4

SHA512
e8e02da91682b68a7c1f7ac72db090288beedbb1fd934dac08d042714adfb8de46055cef4fc1badb5d34fa495db999b06a72001fe014e94770ff3a21f15104af

Download Submit
\Program Files (x86)\WinRar\WinRar\winzip.exe
Filesize
1.8MB

MD5
ad2f0e83f85c90b816c3e129d5ba619e

SHA1
4394a058e5a0879452d6af1ae63d702ff07dbf08

SHA256
4a24f422f010122bde91c5cb6825a7fdcefa01a9b6fe2e8c9d3239a031558b10

SHA512
ef26ef74c392dc403747241172156cef414c6b36ad82b1d72ce44f2ca4dcf495fdc07f54ef12be0e44683456e3cb8c10aea78029af243d31f63093301a329424

Download Submit
memory/632-509-0x0000000000000000-mapping.dmp

Download
memory/632-521-0x00000000024A0000-0x00000000026AC000-memory.dmp

Filesize
2.0MB

Download
memory/632-522-0x0000000000400000-0x0000000000710000-memory.dmp

Filesize
3.1MB

Download
memory/896-505-0x0000000000000000-mapping.dmp

Download
memory/896-510-0x0000000000400000-0x0000000000710000-memory.dmp

Filesize
3.1MB

Download
memory/928-116-0x0000000000400000-0x000000000064A000-memory.dmp

Filesize
2.3MB

Download
memory/928-73-0x0000000000400000-0x000000000064A000-memory.dmp

Filesize
2.3MB

Download
memory/928-69-0x0000000000000000-mapping.dmp

Download
memory/1004-109-0x0000000000400000-0x000000000064A000-memory.dmp

Filesize
2.3MB

Download
memory/1004-117-0x00000000027B0000-0x00000000029BC000-memory.dmp

Filesize
2.0MB

Download
memory/1004-88-0x00000000027B0000-0x00000000029BC000-memory.dmp

Filesize
2.0MB

Download
memory/1004-94-0x00000000027B0000-0x00000000029BC000-memory.dmp

Filesize
2.0MB

Download
memory/1004-115-0x0000000000400000-0x000000000064A000-memory.dmp

Filesize
2.3MB

Download
memory/1004-85-0x0000000000400000-0x000000000064A000-memory.dmp

Filesize
2.3MB

Download
memory/1004-105-0x0000000000400000-0x000000000064A000-memory.dmp

Filesize
2.3MB

Download
memory/1004-114-0x000000000040E000-0x000000000040F000-memory.dmp

Filesize
4KB

Download
memory/1004-110-0x0000000000400000-0x000000000064A000-memory.dmp

Filesize
2.3MB

Download
memory/1004-104-0x00000000027B0000-0x00000000029BC000-memory.dmp

Filesize
2.0MB

Download
memory/1004-72-0x0000000000000000-mapping.dmp

Download
memory/1004-82-0x0000000000519000-0x000000000051A000-memory.dmp

Filesize
4KB

Download
memory/1320-122-0x0000000000412000-0x0000000000413000-memory.dmp

Filesize
4KB

Download
memory/1320-140-0x0000000000428000-0x0000000000429000-memory.dmp

Filesize
4KB

Download
memory/1320-100-0x0000000000400000-0x0000000000710000-memory.dmp

Filesize
3.1MB

Download
memory/1320-99-0x0000000000400000-0x0000000000710000-memory.dmp

Filesize
3.1MB

Download
memory/1320-61-0x0000000000000000-mapping.dmp

Download
memory/1320-87-0x0000000002640000-0x000000000284C000-memory.dmp

Filesize
2.0MB

Download
memory/1320-86-0x0000000002640000-0x000000000284C000-memory.dmp

Filesize
2.0MB

Download
memory/1320-120-0x0000000000401000-0x0000000000402000-memory.dmp

Filesize
4KB

Download
memory/1320-121-0x0000000000407000-0x0000000000408000-memory.dmp

Filesize
4KB

Download
memory/1320-123-0x000000000040E000-0x000000000040F000-memory.dmp

Filesize
4KB

Download
memory/1320-513-0x0000000002640000-0x000000000284C000-memory.dmp

Filesize
2.0MB

Download
memory/1320-124-0x0000000000405000-0x0000000000406000-memory.dmp

Filesize
4KB

Download
memory/1320-125-0x0000000000402000-0x0000000000403000-memory.dmp

Filesize
4KB

Download
memory/1320-126-0x000000000040D000-0x000000000040E000-memory.dmp

Filesize
4KB

Download
memory/1320-127-0x0000000000408000-0x0000000000409000-memory.dmp

Filesize
4KB

Download
memory/1320-128-0x000000000040C000-0x000000000040D000-memory.dmp

Filesize
4KB

Download
memory/1320-129-0x0000000000409000-0x000000000040A000-memory.dmp

Filesize
4KB

Download
memory/1320-130-0x000000000040F000-0x0000000000410000-memory.dmp

Filesize
4KB

Download
memory/1320-131-0x0000000000411000-0x0000000000412000-memory.dmp

Filesize
4KB

Download
memory/1320-132-0x0000000000410000-0x0000000000411000-memory.dmp

Filesize
4KB

Download
memory/1320-133-0x000000000041D000-0x000000000041E000-memory.dmp

Filesize
4KB

Download
memory/1320-134-0x000000000041B000-0x000000000041C000-memory.dmp

Filesize
4KB

Download
memory/1320-135-0x0000000000414000-0x0000000000415000-memory.dmp

Filesize
4KB

Download
memory/1320-136-0x0000000000413000-0x0000000000414000-memory.dmp

Filesize
4KB

Download
memory/1320-137-0x0000000000415000-0x0000000000416000-memory.dmp

Filesize
4KB

Download
memory/1320-138-0x0000000000426000-0x0000000000427000-memory.dmp

Filesize
4KB

Download
memory/1320-139-0x0000000000427000-0x0000000000428000-memory.dmp

Filesize
4KB

Download
memory/1320-101-0x0000000000400000-0x0000000000710000-memory.dmp

Filesize
3.1MB

Download
memory/1320-141-0x000000000041E000-0x000000000041F000-memory.dmp

Filesize
4KB

Download
memory/1320-142-0x0000000000421000-0x0000000000422000-memory.dmp

Filesize
4KB

Download
memory/1320-143-0x000000000041F000-0x0000000000420000-memory.dmp

Filesize
4KB

Download
memory/1320-144-0x0000000000445000-0x0000000000446000-memory.dmp

Filesize
4KB

Download
memory/1320-145-0x000000000044B000-0x000000000044C000-memory.dmp

Filesize
4KB

Download
memory/1320-146-0x0000000000433000-0x0000000000434000-memory.dmp

Filesize
4KB

Download
memory/1320-147-0x0000000000417000-0x0000000000418000-memory.dmp

Filesize
4KB

Download
memory/1320-148-0x0000000000446000-0x0000000000447000-memory.dmp

Filesize
4KB

Download
memory/1320-149-0x0000000000429000-0x000000000042A000-memory.dmp

Filesize
4KB

Download
memory/1320-150-0x000000000042C000-0x000000000042D000-memory.dmp

Filesize
4KB

Download
memory/1320-151-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/1320-152-0x000000000042A000-0x000000000042B000-memory.dmp

Filesize
4KB

Download
memory/1320-153-0x000000000040A000-0x000000000040B000-memory.dmp

Filesize
4KB

Download
memory/1320-154-0x000000000042B000-0x000000000042C000-memory.dmp

Filesize
4KB

Download
memory/1320-155-0x000000000042D000-0x000000000042E000-memory.dmp

Filesize
4KB

Download
memory/1320-156-0x0000000000442000-0x0000000000443000-memory.dmp

Filesize
4KB

Download
memory/1320-67-0x0000000000400000-0x0000000000710000-memory.dmp

Filesize
3.1MB

Download
memory/1320-75-0x0000000002640000-0x000000000284C000-memory.dmp

Filesize
2.0MB

Download
memory/1652-95-0x0000000000000000-mapping.dmp

Download
memory/1676-508-0x0000000000400000-0x0000000000710000-memory.dmp

Filesize
3.1MB

Download
memory/1676-66-0x0000000000400000-0x0000000000710000-memory.dmp

Filesize
3.1MB

Download
memory/1676-57-0x0000000000000000-mapping.dmp

Download
memory/2028-65-0x00000000030A0000-0x00000000033B0000-memory.dmp

Filesize
3.1MB

Download
memory/2028-64-0x00000000030A0000-0x00000000033B0000-memory.dmp

Filesize
3.1MB

Download
memory/2028-54-0x0000000075A31000-0x0000000075A33000-memory.dmp

Filesize
8KB

Download
memory/2028-84-0x00000000030A0000-0x00000000032EA000-memory.dmp

Filesize
2.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads