Analysis

  • max time kernel
    118s
  • max time network
    157s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    02/03/2024, 23:19

General

  • Target

    $PLUGINSDIR/winrar-x64-623.exe

  • Size

    3.4MB

  • MD5

    7a647af3c112ad805296a22b2a276e7c

  • SHA1

    9cdf137e3f2493c9e141d5ec05f890e32b9b4e87

  • SHA256

    20739e8fc050187af013e2499718895e4c980699ccaf046b2f96b12497e61959

  • SHA512

    71d86d8dc598aafa91da8e0d971d1bbb87135832b848547c5c611bc828d165625c7a19af2cd300373190cf3eb782c714ac73d84ada53b37b6d8c1ee8508bcd86

  • SSDEEP

    98304:kzBOBfKMpHGqcfsLyQecNEqCNCjRqGy5XYBHOhN2qlxR:kz/MpmJ0LdDLCAyiHOvl

Malware Config

Signatures

  • Checks installed software on the system (1 TTP)

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Program Files directory (60 IoCs)
  • Executes dropped EXE (1 IoC)
  • Loads dropped DLL (9 IoCs)
  • Modifies system executable filetype association (2 TTPs, 8 IoCs)
  • Registers COM server for autorun (1 TTP, 3 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings (1 TTP, 1 IoC)
  • Modifies registry class (64 IoCs)
  • Suspicious use of SetWindowsHookEx (2 IoCs)
  • Suspicious use of WriteProcessMemory (3 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\winrar-x64-623.exe
    "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\winrar-x64-623.exe"
    • Drops file in Program Files directory
    • Loads dropped DLL
    • Modifies Internet Explorer settings
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2428
    • C:\Program Files\WinRAR\uninstall.exe
      "C:\Program Files\WinRAR\uninstall.exe" /setup
      • Drops file in Program Files directory
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Registers COM server for autorun
      • Modifies registry class
      PID:1520

Network

Downloads

        • C:\Program Files\WinRAR\Rar.txt

          Filesize

          109KB

          MD5

          a9369594740dc19b0e95ea48dca8bc23

          SHA1

          f4fa020e0bb4076411dc792eab887d876734672a

          SHA256

          05addd3d2be44b79266e6758239191147705e2918809cc21d821fb11a14bee2f

          SHA512

          a8f53f97c93157eecef6015b7e86f3cf4aca593098ef5cba4a0c23829efea580d92012673b4abc66deac5c868f4c76e762eb5e8b03e722ac6c6ac6a500119d20

        • C:\Program Files\WinRAR\WhatsNew.txt

          Filesize

          105KB

          MD5

          575f5596dab03c85365221907a806b55

          SHA1

          0b99cf32075936f8ceb8bd900a9770713a61f31a

          SHA256

          aefcdffa9a231ea50b75785bd9a96a7bc209a33b1bddc26c643415ed6439483a

          SHA512

          4abe3b5c33e6e9ece1b3e95ac95d87451fff62e09d30c6fcca4965e6d226d480c396b5f47db3abc13e2520827514bcb5c030b664f299622df2ecc5eaa5d2051e

        • C:\Program Files\WinRAR\WinRAR.chm

          Filesize

          317KB

          MD5

          70f999656185c78c219fa1eab112e92a

          SHA1

          1970bbc16947648e3abcdd431c1be6af945073bd

          SHA256

          6958bd49bcb61617eb8bc1c222cc65319c281357f8bb83d1526c576cb137f08a

          SHA512

          da62040a72babbdd150c30734a79f70b9f91addcf70c50a309538df6f2e06b8e20aae621f56a25ea21112fa94733a5e45ace91824c1c731ee8bb9adb8aaa3862

        • C:\Program Files\WinRAR\WinRAR.exe

          Filesize

          2.5MB

          MD5

          ee69d18ef002d3119c8b67acf2243103

          SHA1

          3edf9831a6536e6351b85501253794a6e0bf98e3

          SHA256

          41bd325aff9b19c028c1e96eb1a3b08a8d00859004dbd16b7495b6a4cfdc1227

          SHA512

          813c9e3dd61ea8778089468f04e7c844248321ce92a2c4eeeea758c1eb2480e3cf3d041a38f23efab64f459167d0c7bbbb26a3d5345332ededcfcf281b991bbe

        • \Program Files\WinRAR\Uninstall.exe

          Filesize

          437KB

          MD5

          75aac9d1f8f9079920e67a2e5a69756e

          SHA1

          9a82e23162f801ae9025d3bdb504b8be6f01367d

          SHA256

          66440d6bd2554caec740850782036b372d15f298af28f68c5daec9f13a42e3ab

          SHA512

          9f54d32817d561fadfc32f99ecc809d6f9eb87f0fe1409882307a5407218a73dc6e00610501d59e0acc9b9bf1a12e8bc311da7ec471b785df6d39f3d626a3542

        • \Program Files\WinRAR\WinRAR.exe

          Filesize

          768KB

          MD5

          56702716ecf0ccaf9131943f85f07eae

          SHA1

          cbcc4b552adace221aad6e4a88978179269109fe

          SHA256

          3d5404ec47e939941db9373aadf803b9dceccb30e3ad1923691bc6ab99422d7b

          SHA512

          a640b698f255ddd5dec17cadfa222ff731f9ea070cfeb855e1e6781bd7693c672c47fe01e8d50858a395b0e757794fcb0813fc34d4869510f9a0909078ee7a27

        • \Program Files\WinRAR\WinRAR.exe

          Filesize

          2.2MB

          MD5

          02a6532b41765cf151a9b57cc795da7c

          SHA1

          5dfed83965e58d934ac3d11627db61b5a5cdad22

          SHA256

          abf6108192c3a8fcf1bea3e4a812e00c2e94d41e8f585e98d2e3158097711e13

          SHA512

          cf612687d4109f31310257b699f848e472a15d36513f81f5f71a260cafb0730e7216cb120769ee4e2df33ec6e9c69ec9fc0ec90b05a6be45b47a525817dc901c