Analysis
max time kernel: 45s
max time network: 48s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64 arch:x86 image:win7-20220812-en locale:en-us os:windows7-x64 system
submitted: 14-02-2023 01:21
Static task: static1
Behavioral task: behavioral1
  Sample: WinRAR Portable Unplugged.exe
  Resource: win7-20220812-en (windows7-x64)
  3 signatures, 150 seconds
Behavioral task: behavioral2
  Sample: WinRAR Portable Unplugged.exe
  Resource: win10v2004-20220812-en (windows10-2004-x64)
  4 signatures, 150 seconds
General
Target: WinRAR Portable Unplugged.exe
Size: 2.4MB
MD5: 73d88f68025bbc504706c743bfd29855
SHA1: 86ba9c56c687f7c3d0c6da45b0f1aaedde849e5c
SHA256: 37d151ab9fd61c5bfad26990c839499aa2c7eb9cd84f5effacacb4cfed425796
SHA512: 7e96d201ed4d6e27d77dffb85062c99c259bc03d037b5fb706e2d380008e29accde494cf1c8c79ad6f6000f9b0b8758b5a301c6a9d8ebf64d7c6aa111adffa91
SSDEEP: 49152:5uWXP3qw4WxjuUIom2f7ADTD9Jf6tmlZA6wDst9szdkuXwvPwy4GiiizFE3am:5uIvzjmom2TkTn6tqClDqszdbB6am
Score: 10/10
Malware Config
Extracted
Path: C:\Users\Admin\AppData\Local\Temp\WinRAR Unplugged\Languages\en\Rar.txt
Ransom Note:
User's Manual
~~~~~~~~~~~~~
RAR 3.91 console version
~~~~~~~~~~~~~~~~~~~~~~~~
=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Welcome to the RAR Archiver!
-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Introduction
~~~~~~~~~~~~
RAR is a powerful tool allowing you to manage and control archive
files. Console RAR supports archives only in RAR format, the names
of which usually have a ".rar" extension. ZIP and other formats
are not supported. Windows users may install GUI RAR version - WinRAR,
which is able to process many more archive types.
RAR features include:
* Highly sophisticated, original compression algorithm
* Special compression algorithms optimized for text, audio,
graphics data, 32 and 64-bit Intel executables
* Better compression than similar tools, using 'solid' archiving
* Authenticity verification (registered version only)
* Self-extracting archives and volumes (SFX)
* Ability to recover physically damaged archives
* Locking, password, file order list, file security & more ...
Configuration file
~~~~~~~~~~~~~~~~~~
RAR for Unix reads configuration information from the file .rarrc
in the user's home directory (stored in HOME environment variable)
or in /etc directory.
RAR for Windows reads configuration information from the file rar.ini,
placed in the same directory as the rar.exe file.
This file may contain the following string:
switches=any RAR switches, separated by spaces
For example:
switches=-m5 -s
Environment variable
~~~~~~~~~~~~~~~~~~~~
Default parameters may be added to the RAR command line by establishing
an environment variable "RAR".
For instance, in UNIX following lines may be added to your profile:
RAR='-s -md1024'
export RAR
RAR will use this string as default parameters in the command line and
will create "solid" archives with 1024 KB sliding dictionary size.
RAR handles options with priority as following:
command line switches highest priority
switches in the RAR variable lower priority
switches saved in configuration file lowest priority
Log file
~~~~~~~~
If the switch -ilog is specified in the command line or configuration
file, RAR will write informational messages, concerning errors
encountered while processing archives, into a log file. Read switch
-ilog description for more details.
The file order list for solid archiving - rarfiles.lst
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
rarfiles.lst contains a user-defined file list, which tells RAR
the order in which to add files to a solid archive. It may contain
file names, wildcards and special entry - $default. The default
entry defines the place in order list for files not matched
with other entries in this file. The comment character is ';'.
In Windows this file should be placed in the same directory as RAR
or in %APPDATA%\WinRAR directory, in Unix - to the user's home directory
or in /etc.
Tips to provide improved compression and speed of operation:
- similar files should be grouped together in the archive;
- frequently accessed files should be placed at the beginning.
Normally masks placed nearer to the top of list have a higher priority,
but there is an exception from this rule. If rarfiles.lst contains such
two masks that all files matched by one mask are also matched by another,
that mask which matches a smaller subset of file names will have higher
priority regardless of its position in the list. For example, if you have
*.cpp and f*.cpp masks, f*.cpp has a higher priority, so the position of
'filename.cpp' will be chosen according to 'f*.cpp', not '*.cpp'.
RAR command line syntax
~~~~~~~~~~~~~~~~~~~~~~~
Syntax
RAR <command> [ -<switches> ] <archive> [ <@listfiles...> ]
[ <files...> ] [ <path_to_extract\> ]
Description
Command line options (commands and switches) provide control of
creating and managing archives with RAR. The command is a string (or a
single letter) which commands RAR to perform a corresponding action.
Switches are designed to modify the way RAR performs the action. Other
parameters are archive name and files to be archived into or extracted
from the archive.
Listfiles are plain text files that contain names of files to process.
File names should start at the first column. It is possible to
put comments to the listfile after // characters. For example,
you may create backup.lst containing the following strings:
c:\work\doc\*.txt //backup text documents
c:\work\image\*.bmp //backup pictures
c:\work\misc
and then run:
rar a backup @backup.lst
If you wish to read file names from stdin (standard input),
specify the empty listfile name (just @).
Win32 console RAR uses OEM (DOS) encoding in list files.
You may specify both usual file names and list files in the same
command line. If neither files nor listfiles are specified,
then *.* is implied and RAR will process all files
In a UNIX environment you need to quote wildcards to avoid them
being expanded by shell. For example, this command will extract
*.asm files from RAR archives in current path:
rar e '*.rar' '*.asm'
Command could be any of the following:
a Add files to archive.
Examples:
1) add all *.hlp files from the current directory to
the archive help.rar:
rar a help *.hlp
2) archive all files from the current directory and subdirectories
to 362000 bytes size solid, self-extracting volumes
and add the recovery record to each volume:
rar a -r -v362 -s -sfx -rr save
Because no file names are specified, all files (*) are assumed.
3) as a special exception, if directory name is specified as
an argument and if directory name does not include file masks
and trailing backslashes, the entire contents of the directory
and all subdirectories will be added to the archive even
if switch -r is not specified.
The following command will add all files from the directory
Bitmaps and its subdirectories to the RAR archive Pictures.rar:
rar a Pictures.rar Bitmaps
4) if directory name includes file masks or trailing backslashes,
normal rules apply and you need to specify switch -r to process
its subdirectories.
The following command will add all files from directory Bitmaps,
but not from its subdirectories, because switch -r is not
specified:
rar a Pictures.rar Bitmaps\*
c Add archive comment. Comments are displayed while the archive is
being processed. Comment length is limited to 62000 bytes
Examples:
rar c distrib.rar
Also comments may be added from a file using -z[file] switch.
The following command adds a comment from info.txt file:
rar c -zinfo.txt dummy
cf Add files comment. File comments are displayed when the 'v'
command is given. File comment length is limited to 32767 bytes.
Example:
rar cf bigarch *.txt
ch Change archive parameters.
This command can be used with most of archive modification
switches to modify archive parameters. It is especially
convenient for switches like -av, -cl, -cu, -tl, which do not
have a dedicated command.
It is not able to recompress, encrypt or decrypt archive data
and it cannot merge or create volumes. If used without any
switches, 'ch' command just copies the archive data without
modification.
Example:
Set archive time to latest file:
rar ch -tl files.rar
cw Write archive comment to specified file.
Format of output file depends on -sc switch.
If output file name is not specified, comment data will be
sent to stdout.
Examples:
1) rar cw arc comment.txt
2) rar cw -scuc arc unicode.txt
3) rar cw arc
d Delete files from archive. Please note if the processing of this
command results in removing all the files from the archive,
the empty archive would be removed.
e Extract files to current directory.
f Freshen files in archive. Updates those files changed since they
were packed to the archive. This command will not add new files
to the archive.
i[i|c|h|t]=<string>
Find string in archives.
Supports following optional parameters:
i - case insensitive search (default);
c - case sensitive search;
h - hexadecimal search;
t - use ANSI, Unicode and OEM character tables (Win32 only);
If no parameters are specified, it is possible to use
the simplified command syntax i<string> instead of i=<string>
It is allowed to specify 't' modifier with other parameters,
for example, ict=string performs case sensitive search
using all mentioned above character tables.
Examples:
1) rar "ic=first level" -r c:\*.rar *.txt
Perform case sensitive search of "first level" string
in *.txt files in *.rar archives on the disk c:
2) rar ih=f0e0aeaeab2d83e3a9 -r e:\texts
Search for hex string f0 e0 ae ae ab 2d 83 e3 a9
in rar archives in e:\texts directory.
k Lock archive. Any command which intends to change the archive
will be ignored.
Example:
rar k final.rar
l[t,b] List contents of archive [technical]. Files are listed as with
the 'v' command with the exception of the file path. i.e. only
the file name is displayed. Optional technical information
(host OS, solid flag and old version flag) is displayed
when 't' modifier is used. Modifier 'b' forces RAR to output
only bare file names without any additional information.
m[f] Move to archive [files only]. Moving files and directories
results in the files and directories being erased upon
successful completion of the packing operation. Directories will
not be removed if 'f' modifier is used and/or '-ed' switch is
applied.
p Print file to stdout.
You may use this command together with -inul switch to disable
all RAR messages and print only file data. It may be important
when you need to send a file to stdout for use in pipes.
r Repair archive. Archive repairing is performed in two stages.
First, the damaged archive is searched for a recovery record
(see 'rr' command). If the archive contains a recovery record
and if the portion of the damaged data is continuous and less
than N*512 bytes, where N is number of recovery sectors placed
into the archive, the chance of successful archive
reconstruction is very high. When this stage has been completed,
a new archive will be created, called fixed.arcname.rar,
where 'arcname' is the original (damaged) archive name.
If a broken archive does not contain a recovery record or if
the archive is not completely recovered due to major damage, a
second stage is performed. During this stage only the archive
structure is reconstructed and it is impossible to recover
files which fail the CRC validation, it is still possible,
however, to recover undamaged files, which were inaccessible
due to the broken archive structure. Mostly this is useful
for non-solid archives.
When the second stage is completed, the reconstructed archive
will be saved as rebuilt.arcname.rar, where 'arcname' is
the original archive name.
RAR/DOS32 version uses _recover.rar and _reconst.rar instead
of names mentioned above.
While the recovery is in progress, RAR may prompt the user for
assistance when a suspicious file is detected.
Suspicious entry
Name: <possibly filename>
Size: <size> Packed: <compressed size>
Add it: Yes/No/All
Answer 'y' to add this entry to the file rebuilt.arcname.rar.
Example:
rar r buggy.rar
rc Reconstruct missing and damaged volumes using recovery volumes
(.rev files). You need to specify any existing volume
as the archive name, for example, 'rar rc backup.part03.rar'
Read 'rv' command description for information about
recovery volumes.
rn Rename archived files.
The command syntax is:
rar rn <arcname> <srcname1> <destname1> ... <srcnameN> <destnameN>
For example, the following command:
rar rn data.rar readme.txt readme.bak info.txt info.bak
will rename readme.txt to readme.bak and info.txt to info.bak
in the archive data.rar.
It is allowed to use wildcards in the source and destination
names for simple name transformations like changing file
extensions. For example:
rar rn data.rar *.txt *.bak
will rename all *.txt files to *.bak.
RAR does not check if the destination file name is already
present in the archive, so you need to be careful to avoid
duplicated names. It is especially important when using
wildcards. Such a command is potentially dangerous, because
a wrong wildcard may corrupt all archived names.
rr[N] Add data recovery record. Optionally, redundant information
(recovery record) may be added to an archive. This will cause
a small increase of the archive size and helps to recover
archived files in case of floppy disk failure or data losses of
any other kind. A recovery record contains up to 524288 recovery
sectors. The number of sectors may be specified directly in the
'rr' command (N = 1, 2 .. 524288) or, if it is not specified by
the user, it will be selected automatically according to the
archive size: a size of the recovery information will be about
1% of the total archive size, usually allowing the recovery of
up to 0.6% of the total archive size of continuously damaged data.
It is also possible to specify the recovery record size in
percent to the archive size. Just append the percent character
to the command parameter. For example:
rar rr3% arcname
Note that if you run this command from .bat or .cmd file,
you need to use rr3%% instead of rr3%, because the command
processor treats the single '%' character as the start of
a batch file parameter. You may also use 'p' instead of '%',
so 'rr3p' will work too.
If data is damaged continuously, then each rr-sector helps to
recover 512 bytes of damaged informatio
Signatures
Modifies Internet Explorer settings
  description   ioc                                                                                                         Process
  Key created   \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main   WinRAR Portable Unplugged.exe
Suspicious use of AdjustPrivilegeToken 4 IoCs
  description                         pid    Process
  Token: 33                           1096   AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege   1096   AUDIODG.EXE
  Token: 33                           1096   AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege   1096   AUDIODG.EXE
Suspicious use of SetWindowsHookEx 2 IoCs
  pid    Process
  1664   WinRAR Portable Unplugged.exe
  1664   WinRAR Portable Unplugged.exe
Processes
C:\Users\Admin\AppData\Local\Temp\WinRAR Portable Unplugged.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\WinRAR Portable Unplugged.exe"
  PID: 1664
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
C:\Windows\explorer.exe
  Command line: "C:\Windows\explorer.exe"
  PID: 1968
C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x574
  PID: 1096
  - Suspicious use of AdjustPrivilegeToken