6f9caca79d71fd01f430ed1cf855fe62965d0c0e5b24ad80f1954010c3c8e136

Analysis

max time kernel
117s
max time network
133s
platform
windows7_x64
resource
win7-20231025-en
resource tags

arch:x64arch:x86image:win7-20231025-enlocale:en-usos:windows7-x64system
submitted
17-11-2023 18:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6f9caca79d71fd01f430ed1cf855fe62965d0c0e5b24ad80f1954010c3c8e136.exe
Size

1.1MB
MD5

cf7b6c3d2c1a8df136294d004849ece2
SHA1

153683c83946a53ffbc58cfa9a218b9bcb823252
SHA256

6f9caca79d71fd01f430ed1cf855fe62965d0c0e5b24ad80f1954010c3c8e136
SHA512

adf62c8144ac635cddb7b3e47a89986f3eb337ac2f29c9ff7210c1f80c9feac28d1f1bf8baa076bd8eeb9cc02d4f9194fa7d472cf7d8b59ae27a5291463500d0
SSDEEP

24576:XAkS+8qyb7h9RHyevHQfsXQaz7nMMMMMMww5x:XM57h9RH/HUQQa3MMMMMMB

Score

7^/10

persistence

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 4 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	6f9caca79d71fd01f430ed1cf855fe62965d0c0e5b24ad80f1954010c3c8e136.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	6f9caca79d71fd01f430ed1cf855fe62965d0c0e5b24ad80f1954010c3c8e136.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	6f9caca79d71fd01f430ed1cf855fe62965d0c0e5b24ad80f1954010c3c8e136.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\	6f9caca79d71fd01f430ed1cf855fe62965d0c0e5b24ad80f1954010c3c8e136.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\ = "WinRAR 压缩文件"	6f9caca79d71fd01f430ed1cf855fe62965d0c0e5b24ad80f1954010c3c8e136.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.rev	6f9caca79d71fd01f430ed1cf855fe62965d0c0e5b24ad80f1954010c3c8e136.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	6f9caca79d71fd01f430ed1cf855fe62965d0c0e5b24ad80f1954010c3c8e136.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	6f9caca79d71fd01f430ed1cf855fe62965d0c0e5b24ad80f1954010c3c8e136.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	6f9caca79d71fd01f430ed1cf855fe62965d0c0e5b24ad80f1954010c3c8e136.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	6f9caca79d71fd01f430ed1cf855fe62965d0c0e5b24ad80f1954010c3c8e136.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	6f9caca79d71fd01f430ed1cf855fe62965d0c0e5b24ad80f1954010c3c8e136.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\	6f9caca79d71fd01f430ed1cf855fe62965d0c0e5b24ad80f1954010c3c8e136.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shell	6f9caca79d71fd01f430ed1cf855fe62965d0c0e5b24ad80f1954010c3c8e136.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\DefaultIcon	6f9caca79d71fd01f430ed1cf855fe62965d0c0e5b24ad80f1954010c3c8e136.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\	6f9caca79d71fd01f430ed1cf855fe62965d0c0e5b24ad80f1954010c3c8e136.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR	6f9caca79d71fd01f430ed1cf855fe62965d0c0e5b24ad80f1954010c3c8e136.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\DragDropHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	6f9caca79d71fd01f430ed1cf855fe62965d0c0e5b24ad80f1954010c3c8e136.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shell\open\command	6f9caca79d71fd01f430ed1cf855fe62965d0c0e5b24ad80f1954010c3c8e136.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shell	6f9caca79d71fd01f430ed1cf855fe62965d0c0e5b24ad80f1954010c3c8e136.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shell\open	6f9caca79d71fd01f430ed1cf855fe62965d0c0e5b24ad80f1954010c3c8e136.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	6f9caca79d71fd01f430ed1cf855fe62965d0c0e5b24ad80f1954010c3c8e136.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WinRAR.exe,0"	6f9caca79d71fd01f430ed1cf855fe62965d0c0e5b24ad80f1954010c3c8e136.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex	6f9caca79d71fd01f430ed1cf855fe62965d0c0e5b24ad80f1954010c3c8e136.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\WinRAR.exe\" \"%1\""	6f9caca79d71fd01f430ed1cf855fe62965d0c0e5b24ad80f1954010c3c8e136.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex	6f9caca79d71fd01f430ed1cf855fe62965d0c0e5b24ad80f1954010c3c8e136.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	6f9caca79d71fd01f430ed1cf855fe62965d0c0e5b24ad80f1954010c3c8e136.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\DropHandler\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	6f9caca79d71fd01f430ed1cf855fe62965d0c0e5b24ad80f1954010c3c8e136.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\WinRAR	6f9caca79d71fd01f430ed1cf855fe62965d0c0e5b24ad80f1954010c3c8e136.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\ = "WinRAR ZIP 压缩文件"	6f9caca79d71fd01f430ed1cf855fe62965d0c0e5b24ad80f1954010c3c8e136.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shell\open	6f9caca79d71fd01f430ed1cf855fe62965d0c0e5b24ad80f1954010c3c8e136.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\DropHandler	6f9caca79d71fd01f430ed1cf855fe62965d0c0e5b24ad80f1954010c3c8e136.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	6f9caca79d71fd01f430ed1cf855fe62965d0c0e5b24ad80f1954010c3c8e136.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\DropHandler\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	6f9caca79d71fd01f430ed1cf855fe62965d0c0e5b24ad80f1954010c3c8e136.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\shell\open	6f9caca79d71fd01f430ed1cf855fe62965d0c0e5b24ad80f1954010c3c8e136.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	6f9caca79d71fd01f430ed1cf855fe62965d0c0e5b24ad80f1954010c3c8e136.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	6f9caca79d71fd01f430ed1cf855fe62965d0c0e5b24ad80f1954010c3c8e136.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\DropHandler\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	6f9caca79d71fd01f430ed1cf855fe62965d0c0e5b24ad80f1954010c3c8e136.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	6f9caca79d71fd01f430ed1cf855fe62965d0c0e5b24ad80f1954010c3c8e136.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR	6f9caca79d71fd01f430ed1cf855fe62965d0c0e5b24ad80f1954010c3c8e136.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\DropHandler\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	6f9caca79d71fd01f430ed1cf855fe62965d0c0e5b24ad80f1954010c3c8e136.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\	6f9caca79d71fd01f430ed1cf855fe62965d0c0e5b24ad80f1954010c3c8e136.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	6f9caca79d71fd01f430ed1cf855fe62965d0c0e5b24ad80f1954010c3c8e136.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.rev\ = "WinRAR.REV"	6f9caca79d71fd01f430ed1cf855fe62965d0c0e5b24ad80f1954010c3c8e136.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\ = "RAR 恢复卷"	6f9caca79d71fd01f430ed1cf855fe62965d0c0e5b24ad80f1954010c3c8e136.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP	6f9caca79d71fd01f430ed1cf855fe62965d0c0e5b24ad80f1954010c3c8e136.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	6f9caca79d71fd01f430ed1cf855fe62965d0c0e5b24ad80f1954010c3c8e136.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\DefaultIcon	6f9caca79d71fd01f430ed1cf855fe62965d0c0e5b24ad80f1954010c3c8e136.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV	6f9caca79d71fd01f430ed1cf855fe62965d0c0e5b24ad80f1954010c3c8e136.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	6f9caca79d71fd01f430ed1cf855fe62965d0c0e5b24ad80f1954010c3c8e136.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\DropHandler	6f9caca79d71fd01f430ed1cf855fe62965d0c0e5b24ad80f1954010c3c8e136.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	6f9caca79d71fd01f430ed1cf855fe62965d0c0e5b24ad80f1954010c3c8e136.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	6f9caca79d71fd01f430ed1cf855fe62965d0c0e5b24ad80f1954010c3c8e136.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers	6f9caca79d71fd01f430ed1cf855fe62965d0c0e5b24ad80f1954010c3c8e136.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\WinRAR32	6f9caca79d71fd01f430ed1cf855fe62965d0c0e5b24ad80f1954010c3c8e136.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\	6f9caca79d71fd01f430ed1cf855fe62965d0c0e5b24ad80f1954010c3c8e136.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\WinRAR.exe\" \"%1\""	6f9caca79d71fd01f430ed1cf855fe62965d0c0e5b24ad80f1954010c3c8e136.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WinRAR.exe,0"	6f9caca79d71fd01f430ed1cf855fe62965d0c0e5b24ad80f1954010c3c8e136.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\shell\open\command	6f9caca79d71fd01f430ed1cf855fe62965d0c0e5b24ad80f1954010c3c8e136.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR32	6f9caca79d71fd01f430ed1cf855fe62965d0c0e5b24ad80f1954010c3c8e136.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\DragDropHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	6f9caca79d71fd01f430ed1cf855fe62965d0c0e5b24ad80f1954010c3c8e136.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\DragDropHandlers\WinRAR	6f9caca79d71fd01f430ed1cf855fe62965d0c0e5b24ad80f1954010c3c8e136.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	6f9caca79d71fd01f430ed1cf855fe62965d0c0e5b24ad80f1954010c3c8e136.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WinRAR.exe,1"	6f9caca79d71fd01f430ed1cf855fe62965d0c0e5b24ad80f1954010c3c8e136.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers	6f9caca79d71fd01f430ed1cf855fe62965d0c0e5b24ad80f1954010c3c8e136.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	6f9caca79d71fd01f430ed1cf855fe62965d0c0e5b24ad80f1954010c3c8e136.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\	6f9caca79d71fd01f430ed1cf855fe62965d0c0e5b24ad80f1954010c3c8e136.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	6f9caca79d71fd01f430ed1cf855fe62965d0c0e5b24ad80f1954010c3c8e136.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\WinRAR	6f9caca79d71fd01f430ed1cf855fe62965d0c0e5b24ad80f1954010c3c8e136.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
844	6f9caca79d71fd01f430ed1cf855fe62965d0c0e5b24ad80f1954010c3c8e136.exe

C:\Users\Admin\AppData\Local\Temp\6f9caca79d71fd01f430ed1cf855fe62965d0c0e5b24ad80f1954010c3c8e136.exe
"C:\Users\Admin\AppData\Local\Temp\6f9caca79d71fd01f430ed1cf855fe62965d0c0e5b24ad80f1954010c3c8e136.exe"
1⤵
- Modifies system executable filetype association
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
PID:844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/844-0-0x0000000000910000-0x0000000000AA0000-memory.dmp

Filesize
1.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads