Analysis
max time kernel
44s
max time network
17s
platform
windows7_x64
resource
win7-20240221-en
resource tags
arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted
02/03/2024, 16:29
Static task
static1
Behavioral task
behavioral1
Sample
winrar-x64-700.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
winrar-x64-700.exe
Resource
win10v2004-20240226-en
General
-
Target
winrar-x64-700.exe
-
Size
3.8MB
-
MD5
48deabfacb5c8e88b81c7165ed4e3b0b
-
SHA1
de3dab0e9258f9ff3c93ab6738818c6ec399e6a4
-
SHA256
ff309d1430fc97fccaa9cb82ddf3d23ce9afdf62dcf8c69512de40820df15e24
-
SHA512
d1d30f6267349bb23334f72376fe3384ac14d202bc8e12c16773231f5f4a3f02b76563f05b11d89d5ef6c05d4acaacc79f72f1d617ee6d1b6eddab2b866426af
-
SSDEEP
98304:sWaWOBfKnlSXdgRgopW/r+N5op154iXEBdbwUoy60518ymXM2mGm:xamnqdgyoE+noL54u2wUoylrVmlw
Malware Config
Signatures
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Program Files directory 60 IoCs
description | ioc | Process
File created | C:\Program Files\WinRAR\UnRAR.exe | winrar-x64-700.exe
File created | C:\Program Files\WinRAR\7zxa.dll | winrar-x64-700.exe
File created | C:\Program Files\WinRAR\RarExtPackage.msix | winrar-x64-700.exe
File created | C:\Program Files\WinRAR\WinRAR.chm | winrar-x64-700.exe
File created | C:\Program Files\WinRAR\__tmp_rar_sfx_access_check_259403064 | winrar-x64-700.exe
File opened for modification | C:\Program Files\WinRAR\Descript.ion | winrar-x64-700.exe
File created | C:\Program Files\WinRAR\Zip.SFX | winrar-x64-700.exe
File opened for modification | C:\Program Files\WinRAR\WinRAR.chm | winrar-x64-700.exe
File created | C:\Program Files\WinRAR\zipnew.dat | uninstall.exe
File opened for modification | C:\Program Files\WinRAR\License.txt | winrar-x64-700.exe
File created | C:\Program Files\WinRAR\Order.htm | winrar-x64-700.exe
File opened for modification | C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-48.png | winrar-x64-700.exe
File opened for modification | C:\Program Files\WinRAR\Order.htm | winrar-x64-700.exe
File opened for modification | C:\Program Files\WinRAR\WinCon32.SFX | winrar-x64-700.exe
File created | C:\Program Files\WinRAR\WinCon.SFX | winrar-x64-700.exe
File created | C:\Program Files\WinRAR\Uninstall.lst | winrar-x64-700.exe
File opened for modification | C:\Program Files\WinRAR\RarExtInstaller.exe | winrar-x64-700.exe
File opened for modification | C:\Program Files\WinRAR\RarExt32.dll | winrar-x64-700.exe
File created | C:\Program Files\WinRAR\Default32.SFX | winrar-x64-700.exe
File opened for modification | C:\Program Files\WinRAR\WinCon.SFX | winrar-x64-700.exe
File opened for modification | C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-32.png | winrar-x64-700.exe
File created | C:\Program Files\WinRAR\WhatsNew.txt | winrar-x64-700.exe
File opened for modification | C:\Program Files\WinRAR\RarFiles.lst | winrar-x64-700.exe
File opened for modification | C:\Program Files\WinRAR\UnRAR.exe | winrar-x64-700.exe
File created | C:\Program Files\WinRAR\RarExt.dll | winrar-x64-700.exe
File opened for modification | C:\Program Files\WinRAR\RarExtPackage.msix | winrar-x64-700.exe
File opened for modification | C:\Program Files\WinRAR\Zip.SFX | winrar-x64-700.exe
File created | C:\Program Files\WinRAR\License.txt | winrar-x64-700.exe
File opened for modification | C:\Program Files\WinRAR\Rar.txt | winrar-x64-700.exe
File created | C:\Program Files\WinRAR\Rar.exe | winrar-x64-700.exe
File created | C:\Program Files\WinRAR\WinCon32.SFX | winrar-x64-700.exe
File opened for modification | C:\Program Files\WinRAR\Uninstall.exe | winrar-x64-700.exe
File opened for modification | C:\Program Files\WinRAR\WinRAR.exe | winrar-x64-700.exe
File opened for modification | C:\Program Files\WinRAR\7zxa.dll | winrar-x64-700.exe
File opened for modification | C:\Program Files\WinRAR\Zip32.SFX | winrar-x64-700.exe
File opened for modification | C:\Program Files\WinRAR\WhatsNew.txt | winrar-x64-700.exe
File created | C:\Program Files\WinRAR\Uninstall.exe | winrar-x64-700.exe
File created | C:\Program Files\WinRAR\RarExt32.dll | winrar-x64-700.exe
File created | C:\Program Files\WinRAR\Default.SFX | winrar-x64-700.exe
File created | C:\Program Files\WinRAR\rarnew.dat | uninstall.exe
File opened for modification | C:\Program Files\WinRAR | winrar-x64-700.exe
File created | C:\Program Files\WinRAR\Descript.ion | winrar-x64-700.exe
File opened for modification | C:\Program Files\WinRAR\Rar.exe | winrar-x64-700.exe
File opened for modification | C:\Program Files\WinRAR\RarExt.dll | winrar-x64-700.exe
File created | C:\Program Files\WinRAR\Zip32.SFX | winrar-x64-700.exe
File created | C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-32.png | winrar-x64-700.exe
File created | C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-48.png | winrar-x64-700.exe
File created | C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-64.png | winrar-x64-700.exe
File created | C:\Program Files\WinRAR\Rar.txt | winrar-x64-700.exe
File created | C:\Program Files\WinRAR\RarFiles.lst | winrar-x64-700.exe
File opened for modification | C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-64.png | winrar-x64-700.exe
File opened for modification | C:\Program Files\WinRAR\Default.SFX | winrar-x64-700.exe
File opened for modification | C:\Program Files\WinRAR\ReadMe.txt | winrar-x64-700.exe
File opened for modification | C:\Program Files\WinRAR\Uninstall.lst | winrar-x64-700.exe
File opened for modification | C:\Program Files\WinRAR\Resources.pri | winrar-x64-700.exe
File opened for modification | C:\Program Files\WinRAR\Default32.SFX | winrar-x64-700.exe
File created | C:\Program Files\WinRAR\ReadMe.txt | winrar-x64-700.exe
File created | C:\Program Files\WinRAR\Resources.pri | winrar-x64-700.exe
File created | C:\Program Files\WinRAR\RarExtInstaller.exe | winrar-x64-700.exe
File created | C:\Program Files\WinRAR\WinRAR.exe | winrar-x64-700.exe
-
Executes dropped EXE 1 IoCs
pid | Process
2428 | uninstall.exe
-
Loads dropped DLL 7 IoCs
pid | Process
2984 | winrar-x64-700.exe
1192 | Process not Found
2428 | uninstall.exe
2428 | uninstall.exe
1192 | Process not Found
1192 | Process not Found
1192 | Process not Found
-
Modifies system executable filetype association 2 TTPs 8 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA} | uninstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\ | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR | uninstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}" | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA} | uninstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\ | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32 | uninstall.exe
-
Registers COM server for autorun 1 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32\ = "C:\\Program Files\\WinRAR\\rarext.dll" | uninstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32\ThreadingModel = "Apartment" | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32 | uninstall.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies Internet Explorer settings
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main | winrar-x64-700.exe
-
Modifies registry class 64 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\DragDropHandlers\WinRAR | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.arj | uninstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.xz\ = "WinRAR" | uninstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\ = "WinRAR archive" | uninstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\ = "RAR recovery volume" | uninstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32\ThreadingModel = "Apartment" | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA} | uninstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.lz\ = "WinRAR" | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA} | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.rev | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\DragDropHandlers\WinRAR32 | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers | uninstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\ | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA} | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.lz | uninstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.tgz\ = "WinRAR" | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bz | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.tzst | uninstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\ | uninstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shell\open\command\ = "\"C:\\Program Files\\WinRAR\\WinRAR.exe\" \"%1\"" | uninstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\DefaultIcon\ = "C:\\Program Files\\WinRAR\\WinRAR.exe,0" | uninstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\DefaultIcon\ = "C:\\Program Files\\WinRAR\\WinRAR.exe,0" | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.uue | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\InProcServer32 | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.tlz | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.z | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA} | uninstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}" | uninstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.tar\ = "WinRAR" | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\shell | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex | uninstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" | uninstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\ | uninstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}" | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.zip\ShellNew | uninstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.uu\ = "WinRAR" | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\DefaultIcon | uninstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\DragDropHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA} | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.tbz2 | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shell\open\command | uninstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.rev\ = "WinRAR.REV" | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR | uninstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\ | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA} | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA} | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32 | uninstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\DropHandler\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}" | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA} | uninstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.lha\ = "WinRAR" | uninstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.tbz2\ = "WinRAR" | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.rar\ShellNew | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\WinRAR | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.lzh | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.lha | uninstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.001\ = "WinRAR" | uninstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\DefaultIcon\ = "C:\\Program Files\\WinRAR\\WinRAR.exe,1" | uninstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\ | uninstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\ | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.zipx | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers | uninstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\DropHandler\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" | uninstall.exe
-
Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process
2984 | winrar-x64-700.exe
2984 | winrar-x64-700.exe
-
Suspicious use of WriteProcessMemory 3 IoCs
description | pid | Process | procid_target
PID 2984 wrote to memory of 2428 | 2984 | winrar-x64-700.exe | 28
PID 2984 wrote to memory of 2428 | 2984 | winrar-x64-700.exe | 28
PID 2984 wrote to memory of 2428 | 2984 | winrar-x64-700.exe | 28
Processes
-
C:\Users\Admin\AppData\Local\Temp\winrar-x64-700.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\winrar-x64-700.exe"
PID:2984
- Drops file in Program Files directory
- Loads dropped DLL
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
    C:\Program Files\WinRAR\uninstall.exe (child of PID 2984)
    Command line: "C:\Program Files\WinRAR\uninstall.exe" /setup
    PID:2428
    - Drops file in Program Files directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies system executable filetype association
    - Registers COM server for autorun
    - Modifies registry class
-
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Event Triggered Execution (1)
  - Change Default File Association (1)
Downloads
-
Filesize
105KB
MD5
fc13e375f3144a55adfb46f342778447
SHA1
f2e716a60f6371eeba55fbcc90c3b8b7c14eb4a4
SHA256
7511c100daa946175efc18082d1923518bf1bfc8c1a80ea0252af585fbe295b5
SHA512
8ca4a0ecc0d55d29a8ff291afb8cdffbf4a949d0979ffe2e262465db8e8c7dc30837a4ea17c163fea1902ed0bebb5a937eafc179d25f6ce1fc747f6309181e40
-
Filesize
43KB
MD5
2b9e0d72411ef328313c0c703d76854c
SHA1
6f52c400fb211181985cd28330a173b74af0a685
SHA256
c13db7e2b3fb2430a10abf78efcc2a6fb0ca1dd7d18c9d7b28c09a41238d7157
SHA512
ce71a9a84ac9f4da74bda7653a150a8b950e5da95cd708de266fb33506054aafd12b35ac3d28e0569f3c298967db4a3c5581d184a3d320bed6122bea1e1cc741
-
Filesize
316KB
MD5
9a61f439dc229638f26846c69183043a
SHA1
f35c4c41272311853833b71cec963fd92637638f
SHA256
0879cdd9d81b1cb319692dde76bf3a3c16369ddc33f006ffb199ed08d57bfa18
SHA512
0da8117c3040b7d9fcca29e424612176603880a3c1985d45d8b7ec90ef2349dc910b89aa539b69b6d35e786553194b8e510e928a5fbeaf4450d5ad5ee40f3416
-
Filesize
3.1MB
MD5
5c854dcce18e265addab39558db96a02
SHA1
151c8b4295630a71f2c1bed76326055100378b66
SHA256
ddc4f274cdec3954acefb624ed3fc7a8f8c5fed767934bb028a85db62b781fb1
SHA512
de26ef2f1bc0a910f43fbb874cf87ac1d892bcc2c220d4850970be5ebdd208f426eee5250088b8e3b57431bd9aa31ff120022e72173cc2fdaeecd894a6c03a00
-
Filesize
634KB
MD5
3068ec5dc5fc098d27e2270366a7c4f6
SHA1
2b5a5abc33aaba8b49799e835798f027114e8507
SHA256
fa913a43d99fd0af75959a176c08a6041004a511329d608510ae6ebd75c7ea8e
SHA512
46b199885da3e44fe6defb2358ce651bd166f99f42ff6ef09da19630c8380ebf43809fe08502652c70873e84f0f39ce7707028bdea0f750f5ced7893209c244d
-
Filesize
477KB
MD5
0c52b3fb85bd6ec371183a4bfb0ec5ed
SHA1
c756d66045e8b2603c1ad8fb3caf8d01efe48f9c
SHA256
4d24274b446a85edf45270b606b2a9f789d16ab84714e745512051bd192faad4
SHA512
7d3aaf09ee7ee50fe542a17818797ea1b0cce9bf2d337d8bbe5fabeed7331ea774faf1e4e337c2cc2ee0dab6de261ee1f1245cea21afd15eb7298a1298613e70