Analysis

  • max time kernel
    16s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    05-06-2024 01:23

General

  • Target
    wrar393es.exe
  • Size
    1.4MB
  • MD5
    5de35fab0bd47243ebdab45b64cac273
  • SHA1
    cee9d0dee8b91952ad03692c9485fe24ceff72e6
  • SHA256
    6e55531e2205c2f9242a9b2cd9303b60ec9699e0fab26b1e5a7f9f97136ad647
  • SHA512
    09a8b9d035c9fa67322f50f5a6d903b4bc5aa3028bcda1e218a48922b27baf1867180c754410c94dcc77013d31b7ea3f3a0d67ca8e542f23fbeaaf61a161db0d
  • SSDEEP
    24576:G38+om3OL/FTrSSZFY0KdfYhMSnb4biHUy+2PBUnNwhqSoocQhP5+BYbNDJu+6kL:G74/Fv9hKdfIvb2iH/JiNWVtcQh5+6ga

Malware Config

Extracted

  • Family
    metasploit
  • Version
    windows/shell_reverse_tcp
  • C2
    172.20.10.7:2425

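The extracted config above (family metasploit, payload windows/shell_reverse_tcp, C2 172.20.10.7:2425) is what the sandbox recovers when it recognises an unencoded msfvenom stager inside the installer. The scanner below is an added example, not part of this report or of the sandbox's own extractor: it recovers the same IP:port from a raw binary by matching the stager's sockaddr_in construction, a `push <ip>` (opcode 0x68, address bytes in network order) immediately followed by `push 0x0200<port>` (AF_INET = 2, port in network order). The sample bytes are constructed to carry this page's C2 and are not a copy of wrar393es.exe; the pattern is the plain x86 reverse_tcp stager layout and will not see through an encoder or a hand-modified payload.

```python
import re
import socket
import struct
import sys
from typing import List, Tuple

# Assumed stager layout (plain x86 msfvenom reverse_tcp family, which includes
# windows/shell_reverse_tcp): the sockaddr_in is built with two PUSH imm32:
#   68 <a> <b> <c> <d>    push <ip address>, bytes in network order
#   68 02 00 <hi> <lo>    push <AF_INET=2 | port in network order>
# re.DOTALL lets "." match any byte, including newlines and NULs.
STAGER_RE = re.compile(rb"\x68(?P<ip>.{4})\x68\x02\x00(?P<port>.{2})", re.DOTALL)


def extract_reverse_tcp_c2(blob: bytes) -> List[Tuple[str, int]]:
    """Return every (ip, port) pair that looks like a reverse_tcp sockaddr_in."""
    hits: List[Tuple[str, int]] = []
    for m in STAGER_RE.finditer(blob):
        ip = socket.inet_ntoa(m.group("ip"))
        port = struct.unpack(">H", m.group("port"))[0]
        if port == 0:  # port 0 is never a real listener; treat as noise
            continue
        hits.append((ip, port))
    return hits


def scan_file(path: str) -> List[Tuple[str, int]]:
    """Scan a file on disk (e.g. a dropped or submitted PE) for stager C2s."""
    with open(path, "rb") as f:
        return extract_reverse_tcp_c2(f.read())


# Constructed sample: this page's C2 (172.20.10.7:2425) embedded in filler
# bytes. It is NOT a copy of wrar393es.exe, only the stager fragment that
# the regex keys on, followed by the "call ebp" the real stager issues.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"\x68" + socket.inet_aton("172.20.10.7")   # push 0x070a14ac
    + b"\x68\x02\x00" + struct.pack(">H", 2425)   # push 0x79090002
    + b"\xff\xd5"                                  # call ebp
    + b"\x90" * 8
)

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for ip, port in extract_reverse_tcp_c2(blob):
        print(f"possible reverse_tcp C2: {ip}:{port}")
```

Run it against a suspect file with `python3 scan.py wrar393es.exe`; with no argument it scans the constructed sample and reports 172.20.10.7:2425. Two consecutive `push imm32` where the second happens to start with `02 00` can occur in benign code, so treat a hit as a lead to confirm in a disassembler, and remember that an encoded stager (shikata_ga_nai and friends) only exposes these bytes after it has unpacked in memory, which is why the sandbox dumps the 4KB region at 0x1D0000 from PID 1796 listed under Downloads.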
Signatures

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Modifies system executable filetype association 2 TTPs 4 IoCs
  • Registers COM server for autorun 1 TTPs 3 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\wrar393es.exe
    "C:\Users\Admin\AppData\Local\Temp\wrar393es.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Modifies Internet Explorer settings
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1796
    • C:\Program Files (x86)\WinRAR\uninstall.exe
      "C:\Program Files (x86)\WinRAR\uninstall.exe" /setup
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Registers COM server for autorun
      • Drops file in Program Files directory
      • Modifies registry class
      PID:2896

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\WinRAR\Rar.txt
    Filesize  82KB
    MD5       6b2cfe8949ebe63453f0c936fdfe3ca1
    SHA1      724b53ecbf2f515480b8eff7166b84fa65bd5646
    SHA256    ea3cfb9a913a02a2ecdd8efddae6e0aa2876963bb84f361ee6fa54df625aa099
    SHA512    bf43a133dde60f340f9f927c98bc27c1e29dcbc5574d2a46af07911b5d939f0a14ed578d0388c35820067eabb41ffa8350bb30640dc22b8f889a2b22733de7d6

  • C:\Program Files (x86)\WinRAR\WinRAR.exe
    Filesize  1015KB
    MD5       b284e0f20811226bc0211bf742247542
    SHA1      abbedb56afe58b76b80732f42995f8500334b604
    SHA256    aa3db28e89b5e48128c8a63b197ab5f58677416fcd4013f9b8752983bc2e6359
    SHA512    082f27ed3b5310562c297892165f158485f989b68f26ce5283f29c3542bbd0fb21379fd9ef6cf656136a7c71fb5c774391a171852d985dbc9a844e8f8c77e180

  • C:\Program Files (x86)\WinRAR\uninstall.lng
    Filesize  3KB
    MD5       6627e3a304e7eb57eab9119922f84699
    SHA1      b1b9f8b91bc3bd164e00d9b2ff84525830baeab0
    SHA256    69a7583ab80fe44a8ff923360d22b282c6c963784361704874f06610fae942ce
    SHA512    d4c2bb32f496e67126186b3b887f6b9b9a984769a1d1cf591380532b808c592ed7bc92492a8a8394c417adf2a766d3a73bf05360a2889c339859af598d619c47

  • C:\Program Files (x86)\WinRAR\winrar.chm
    Filesize  287KB
    MD5       0f084c219f910c74d18cf15e62f1b200
    SHA1      3921ed7dc84d90183f176de1e8d43ac629baaa50
    SHA256    0c193b40aed6e25a6e316c192344f0895cc0e415a745573c4a28052634abc03b
    SHA512    9a0af963c264fadb3490b9945f7195f6f83b9f4c0e0b508f70fc1d61880847b11ab5104b9ef2e6d79caf15ac5db4586a772134d8cca8df7be41bcefc4692f9eb

  • \Program Files (x86)\WinRAR\Uninstall.exe
    Filesize  118KB
    MD5       eef1a4f707778f6659ae9cb26b128eb9
    SHA1      d048f25ac6f21d136487d51c95af1688e27003cc
    SHA256    353fe961b123f048d02944449d556a4706eb6212decee71fe720ab9e7dad1cec
    SHA512    3969939e569e8419d07ea8301c051f69dafb8c4141903b858973b0a702158942903b96e94479ecfcbc9e54ebb630263d4ae590ae10156278f0270f0cfb4d0d13

  • memory/1796-0-0x00000000001D0000-0x00000000001D1000-memory.dmp
    Filesize  4KB

  • memory/1796-91-0x00000000001D0000-0x00000000001D1000-memory.dmp
    Filesize  4KB