Analysis

  • max time kernel
    142s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    14-02-2023 01:21

General

  • Target

    WinRAR Portable Unplugged.exe

  • Size

    2.4MB

  • MD5

    73d88f68025bbc504706c743bfd29855

  • SHA1

    86ba9c56c687f7c3d0c6da45b0f1aaedde849e5c

  • SHA256

    37d151ab9fd61c5bfad26990c839499aa2c7eb9cd84f5effacacb4cfed425796

  • SHA512

    7e96d201ed4d6e27d77dffb85062c99c259bc03d037b5fb706e2d380008e29accde494cf1c8c79ad6f6000f9b0b8758b5a301c6a9d8ebf64d7c6aa111adffa91

  • SSDEEP

    49152:5uWXP3qw4WxjuUIom2f7ADTD9Jf6tmlZA6wDst9szdkuXwvPwy4GiiizFE3am:5uIvzjmom2TkTn6tqClDqszdbB6am

Score
10/10

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\WinRAR Unplugged\Languages\en\Rar.txt

Ransom Note
User's Manual
~~~~~~~~~~~~~

RAR 3.91 console version
~~~~~~~~~~~~~~~~~~~~~~~~

=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Welcome to the RAR Archiver!
-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Introduction
~~~~~~~~~~~~

RAR is a powerful tool allowing you to manage and control archive files. Console RAR supports archives only in RAR format, the names of which usually have a ".rar" extension. ZIP and other formats are not supported. Windows users may install GUI RAR version - WinRAR, which is able to process many more archive types.

RAR features include:

  * Highly sophisticated, original compression algorithm
  * Special compression algorithms optimized for text, audio, graphics data, 32 and 64-bit Intel executables
  * Better compression than similar tools, using 'solid' archiving
  * Authenticity verification (registered version only)
  * Self-extracting archives and volumes (SFX)
  * Ability to recover physically damaged archives
  * Locking, password, file order list, file security & more ...

Configuration file
~~~~~~~~~~~~~~~~~~

RAR for Unix reads configuration information from the file .rarrc in the user's home directory (stored in HOME environment variable) or in /etc directory. RAR for Windows reads configuration information from the file rar.ini, placed in the same directory as the rar.exe file. This file may contain the following string:

  switches=any RAR switches, separated by spaces

For example:

  switches=-m5 -s

Environment variable
~~~~~~~~~~~~~~~~~~~~

Default parameters may be added to the RAR command line by establishing an environment variable "RAR". For instance, in UNIX following lines may be added to your profile:

  RAR='-s -md1024'
  export RAR

RAR will use this string as default parameters in the command line and will create "solid" archives with 1024 KB sliding dictionary size.

RAR handles options with priority as following:

  command line switches                  highest priority
  switches in the RAR variable           lower priority
  switches saved in configuration file   lowest priority

Log file
~~~~~~~~

If the switch -ilog is specified in the command line or configuration file, RAR will write informational messages, concerning errors encountered while processing archives, into a log file. Read switch -ilog description for more details.

The file order list for solid archiving - rarfiles.lst
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

rarfiles.lst contains a user-defined file list, which tells RAR the order in which to add files to a solid archive. It may contain file names, wildcards and special entry - $default. The default entry defines the place in order list for files not matched with other entries in this file. The comment character is ';'.

In Windows this file should be placed in the same directory as RAR or in %APPDATA%\WinRAR directory, in Unix - to the user's home directory or in /etc.

Tips to provide improved compression and speed of operation:

  - similar files should be grouped together in the archive;
  - frequently accessed files should be placed at the beginning.

Normally masks placed nearer to the top of list have a higher priority, but there is an exception from this rule. If rarfiles.lst contains such two masks that all files matched by one mask are also matched by another, that mask which matches a smaller subset of file names will have higher priority regardless of its position in the list. For example, if you have *.cpp and f*.cpp masks, f*.cpp has a higher priority, so the position of 'filename.cpp' will be chosen according to 'f*.cpp', not '*.cpp'.

RAR command line syntax
~~~~~~~~~~~~~~~~~~~~~~~

Syntax

  RAR <command> [ -<switches> ] <archive> [ <@listfiles...> ] [ <files...> ] [ <path_to_extract\> ]

Description

Command line options (commands and switches) provide control of creating and managing archives with RAR. The command is a string (or a single letter) which commands RAR to perform a corresponding action. Switches are designed to modify the way RAR performs the action. Other parameters are archive name and files to be archived into or extracted from the archive.

Listfiles are plain text files that contain names of files to process. File names should start at the first column. It is possible to put comments to the listfile after // characters. For example, you may create backup.lst containing the following strings:

  c:\work\doc\*.txt     //backup text documents
  c:\work\image\*.bmp   //backup pictures
  c:\work\misc

and then run:

  rar a backup @backup.lst

If you wish to read file names from stdin (standard input), specify the empty listfile name (just @).

Win32 console RAR uses OEM (DOS) encoding in list files.

You may specify both usual file names and list files in the same command line. If neither files nor listfiles are specified, then *.* is implied and RAR will process all files

In a UNIX environment you need to quote wildcards to avoid them being expanded by shell. For example, this command will extract *.asm files from RAR archives in current path:

  rar e '*.rar' '*.asm'

Command could be any of the following:

  a       Add files to archive.

          Examples:

          1) add all *.hlp files from the current directory to the archive help.rar:

             rar a help *.hlp

          2) archive all files from the current directory and subdirectories to 362000 bytes size solid, self-extracting volumes and add the recovery record to each volume:

             rar a -r -v362 -s -sfx -rr save

             Because no file names are specified, all files (*) are assumed.

          3) as a special exception, if directory name is specified as an argument and if directory name does not include file masks and trailing backslashes, the entire contents of the directory and all subdirectories will be added to the archive even if switch -r is not specified.

             The following command will add all files from the directory Bitmaps and its subdirectories to the RAR archive Pictures.rar:

             rar a Pictures.rar Bitmaps

          4) if directory name includes file masks or trailing backslashes, normal rules apply and you need to specify switch -r to process its subdirectories. The following command will add all files from directory Bitmaps, but not from its subdirectories, because switch -r is not specified:

             rar a Pictures.rar Bitmaps\*

  c       Add archive comment. Comments are displayed while the archive is being processed. Comment length is limited to 62000 bytes

          Examples:

          rar c distrib.rar

          Also comments may be added from a file using -z[file] switch. The following command adds a comment from info.txt file:

          rar c -zinfo.txt dummy

  cf      Add files comment. File comments are displayed when the 'v' command is given. File comment length is limited to 32767 bytes.

          Example:

          rar cf bigarch *.txt

  ch      Change archive parameters.

          This command can be used with most of archive modification switches to modify archive parameters. It is especially convenient for switches like -av, -cl, -cu, -tl, which do not have a dedicated command.

          It is not able to recompress, encrypt or decrypt archive data and it cannot merge or create volumes. If used without any switches, 'ch' command just copies the archive data without modification.

          Example:

          Set archive time to latest file:

          rar ch -tl files.rar

  cw      Write archive comment to specified file. Format of output file depends on -sc switch. If output file name is not specified, comment data will be sent to stdout.

          Examples:

          1) rar cw arc comment.txt
          2) rar cw -scuc arc unicode.txt
          3) rar cw arc

  d       Delete files from archive. Please note if the processing of this command results in removing all the files from the archive, the empty archive would removed.

  e       Extract files to current directory.

  f       Freshen files in archive. Updates those files changed since they were packed to the archive. This command will not add new files to the archive.

  i[i|c|h|t]=<string>
          Find string in archives.

          Supports following optional parameters:

          i - case insensitive search (default);
          c - case sensitive search;
          h - hexadecimal search;
          t - use ANSI, Unicode and OEM character tables (Win32 only);

          If no parameters are specified, it is possible to use the simplified command syntax i<string> instead of i=<string>

          It is allowed to specify 't' modifier with other parameters, for example, ict=string performs case sensitive search using all mentioned above character tables.

          Examples:

          1) rar "ic=first level" -r c:\*.rar *.txt

             Perform case sensitive search of "first level" string in *.txt files in *.rar archives on the disk c:

          2) rar ih=f0e0aeaeab2d83e3a9 -r e:\texts

             Search for hex string f0 e0 ae ae ab 2d 83 e3 a9 in rar archives in e:\texts directory.

  k       Lock archive. Any command which intends to change the archive will be ignored.

          Example:

          rar k final.rar

  l[t,b]  List contents of archive [technical]. Files are listed as with the 'v' command with the exception of the file path. i.e. only the file name is displayed. Optional technical information (host OS, solid flag and old version flag) is displayed when 't' modifier is used. Modifier 'b' forces RAR to output only bare file names without any additional information.

  m[f]    Move to archive [files only]. Moving files and directories results in the files and directories being erased upon successful completion of the packing operation. Directories will not be removed if 'f' modifier is used and/or '-ed' switch is applied.

  p       Print file to stdout. You may use this command together with -inul switch to disable all RAR messages and print only file data. It may be important when you need to send a file to stdout for use in pipes.

  r       Repair archive. Archive repairing is performed in two stages. First, the damaged archive is searched for a recovery record (see 'rr' command). If the archive contains a recovery record and if the portion of the damaged data is continuous and less than N*512 bytes, where N is number of recovery sectors placed into the archive, the chance of successful archive reconstruction is very high. When this stage has been completed, a new archive will be created, called fixed.arcname.rar, where 'arcname' is the original (damaged) archive name.

          If a broken archive does not contain a recovery record or if the archive is not completely recovered due to major damage, a second stage is performed. During this stage only the archive structure is reconstructed and it is impossible to recover files which fail the CRC validation, it is still possible, however, to recover undamaged files, which were inaccessible due to the broken archive structure. Mostly this is useful for non-solid archives.

          When the second stage is completed, the reconstructed archive will be saved as rebuilt.arcname.rar, where 'arcname' is the original archive name. RAR/DOS32 version uses _recover.rar and _reconst.rar instead of names mentioned aboves.

          While the recovery is in progress, RAR may prompt the user for assistance when a suspicious file is detected.

          Suspicious entry
          Name: <possibly filename>
          Size: <size>  Packed: <compressed size>
          Add it: Yes/No/All

          Answer 'y' to add this entry to the file rebuilt.arcname.rar.

          Example:

          rar r buggy.rar

  rc      Reconstruct missing and damaged volumes using recovery volumes (.rev files). You need to specify any existing volume as the archive name, for example, 'rar rc backup.part03.rar'

          Read 'rv' command description for information about recovery volumes.

  rn      Rename archived files.

          The command syntax is:

          rar rn <arcname> <srcname1> <destname1> ... <srcnameN> <destnameN>

          For example, the following command:

          rar rn data.rar readme.txt readme.bak info.txt info.bak

          will rename readme.txt to readme.bak and info.txt to info.bak in the archive data.rar.

          It is allowed to use wildcards in the source and destination names for simple name transformations like changing file extensions. For example:

          rar rn data.rar *.txt *.bak

          will rename all *.txt files to *.bak.

          RAR does not check if the destination file name is already present in the archive, so you need to be careful to avoid duplicated names. It is especially important when using wildcards. Such a command is potentially dangerous, because a wrong wildcard may corrupt all archived names.

  rr[N]   Add data recovery record. Optionally, redundant information (recovery record) may be added to an archive. This will cause a small increase of the archive size and helps to recover archived files in case of floppy disk failure or data losses of any other kind. A recovery record contains up to 524288 recovery sectors. The number of sectors may be specified directly in the 'rr' command (N = 1, 2 .. 524288) or, if it is not specified by the user, it will be selected automatically according to the archive size: a size of the recovery information will be about 1% of the total archive size, usually allowing the recovery of up to 0.6% of the total archive size of continuously damaged data.

          It is also possible to specify the recovery record size in percent to the archive size. Just append the percent character to the command parameter. For example:

          rar rr3% arcname

          Note that if you run this command from .bat or .cmd file, you need to use rr3%% instead of rr3%, because the command processor treats the single '%' character as the start of a batch file parameter. You may also use 'p' instead of '%', so 'rr3p' will work too.

          If data is damaged continuously, then each rr-sector helps to recover 512 bytes of damaged informatio

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\WinRAR Portable Unplugged.exe
    "C:\Users\Admin\AppData\Local\Temp\WinRAR Portable Unplugged.exe"
    1⤵
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of SetWindowsHookEx
    PID:4072
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:1480
