Analysis
max time kernel: 118s
max time network: 120s
platform: windows7_x64
resource: win7-20240220-en
resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
submitted: 01-07-2024 03:53
Static task: static1
Behavioral task behavioral1: Sample cmlauncher.zip, Resource win7-20231129-en
Behavioral task behavioral2: Sample cmlauncher.zip, Resource win10v2004-20240611-en
Behavioral task behavioral3: Sample Instructions.txt, Resource win7-20240419-en
Behavioral task behavioral4: Sample Instructions.txt, Resource win10v2004-20240508-en
Behavioral task behavioral5: Sample installer.rar, Resource win7-20240221-en
Behavioral task behavioral6: Sample installer.rar, Resource win10v2004-20240508-en
Behavioral task behavioral7: Sample winrar-x64.exe, Resource win7-20240220-en
Behavioral task behavioral8: Sample winrar-x64.exe, Resource win10v2004-20240508-en
General
Target: winrar-x64.exe
Size: 3.3MB
MD5: 8a6217d94e1bcbabdd1dfcdcaa83d1b3
SHA1: 99b81b01f277540f38ea3e96c9c6dc2a57dfeb92
SHA256: 3023edb4fc3f7c2ebad157b182b62848423f6fa20d180b0df689cbb503a49684
SHA512: a8f6f6fdfa9d754a577b7dd885a938fb9149f113baa2afb6352df622cdb73242175a06cd567e971fd3de93a126ba05b78178d5d512720d8fdb87ececce2cbf54
SSDEEP: 98304:mZjOBfKqY3fhMBexKTvsCHBviBh2GB8y0mb5:mZZ7fhMB2ovFNiKGhJ
Malware Config
Signatures
- Event Triggered Execution: Component Object Model Hijacking (1 TTPs)
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Drops file in Program Files directory (60 IoCs)
  Processes: winrar-x64.exe, uninstall.exe
  description | ioc | process
  File opened for modification | C:\Program Files\WinRAR\Descript.ion | winrar-x64.exe
  File opened for modification | C:\Program Files\WinRAR\Order.htm | winrar-x64.exe
  File created | C:\Program Files\WinRAR\RarExtInstaller.exe | winrar-x64.exe
  File created | C:\Program Files\WinRAR\WinCon.SFX | winrar-x64.exe
  File created | C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-32.png | winrar-x64.exe
  File opened for modification | C:\Program Files\WinRAR\Rar.exe | winrar-x64.exe
  File created | C:\Program Files\WinRAR\WinRAR.exe | winrar-x64.exe
  File opened for modification | C:\Program Files\WinRAR\Resources.pri | winrar-x64.exe
  File opened for modification | C:\Program Files\WinRAR | winrar-x64.exe
  File created | C:\Program Files\WinRAR\Zip.SFX | winrar-x64.exe
  File created | C:\Program Files\WinRAR\UnRAR.exe | winrar-x64.exe
  File created | C:\Program Files\WinRAR\7zxa.dll | winrar-x64.exe
  File opened for modification | C:\Program Files\WinRAR\RarExt32.dll | winrar-x64.exe
  File opened for modification | C:\Program Files\WinRAR\Uninstall.lst | winrar-x64.exe
  File created | C:\Program Files\WinRAR\Resources.pri | winrar-x64.exe
  File opened for modification | C:\Program Files\WinRAR\Default.SFX | winrar-x64.exe
  File created | C:\Program Files\WinRAR\Default.SFX | winrar-x64.exe
  File created | C:\Program Files\WinRAR\Rar.txt | winrar-x64.exe
  File created | C:\Program Files\WinRAR\RarExt.dll | winrar-x64.exe
  File created | C:\Program Files\WinRAR\RarExt32.dll | winrar-x64.exe
  File opened for modification | C:\Program Files\WinRAR\RarExt.dll | winrar-x64.exe
  File opened for modification | C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-48.png | winrar-x64.exe
  File opened for modification | C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-64.png | winrar-x64.exe
  File created | C:\Program Files\WinRAR\__tmp_rar_sfx_access_check_259422736 | winrar-x64.exe
  File created | C:\Program Files\WinRAR\WhatsNew.txt | winrar-x64.exe
  File created | C:\Program Files\WinRAR\Order.htm | winrar-x64.exe
  File created | C:\Program Files\WinRAR\ReadMe.txt | winrar-x64.exe
  File opened for modification | C:\Program Files\WinRAR\License.txt | winrar-x64.exe
  File opened for modification | C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-32.png | winrar-x64.exe
  File created | C:\Program Files\WinRAR\WinCon64.SFX | winrar-x64.exe
  File opened for modification | C:\Program Files\WinRAR\ReadMe.txt | winrar-x64.exe
  File created | C:\Program Files\WinRAR\Rar.exe | winrar-x64.exe
  File created | C:\Program Files\WinRAR\RarExtPackage.msix | winrar-x64.exe
  File opened for modification | C:\Program Files\WinRAR\Rar.txt | winrar-x64.exe
  File opened for modification | C:\Program Files\WinRAR\WhatsNew.txt | winrar-x64.exe
  File opened for modification | C:\Program Files\WinRAR\Zip64.SFX | winrar-x64.exe
  File opened for modification | C:\Program Files\WinRAR\WinCon64.SFX | winrar-x64.exe
  File created | C:\Program Files\WinRAR\Zip64.SFX | winrar-x64.exe
  File opened for modification | C:\Program Files\WinRAR\RarExtInstaller.exe | winrar-x64.exe
  File opened for modification | C:\Program Files\WinRAR\Uninstall.exe | winrar-x64.exe
  File opened for modification | C:\Program Files\WinRAR\7zxa.dll | winrar-x64.exe
  File created | C:\Program Files\WinRAR\WinRAR.chm | winrar-x64.exe
  File opened for modification | C:\Program Files\WinRAR\WinRAR.chm | winrar-x64.exe
  File created | C:\Program Files\WinRAR\zipnew.dat | uninstall.exe
  File created | C:\Program Files\WinRAR\RarFiles.lst | winrar-x64.exe
  File opened for modification | C:\Program Files\WinRAR\Zip.SFX | winrar-x64.exe
  File created | C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-48.png | winrar-x64.exe
  File created | C:\Program Files\WinRAR\Descript.ion | winrar-x64.exe
  File created | C:\Program Files\WinRAR\Default64.SFX | winrar-x64.exe
  File created | C:\Program Files\WinRAR\License.txt | winrar-x64.exe
  File opened for modification | C:\Program Files\WinRAR\WinRAR.exe | winrar-x64.exe
  File created | C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-64.png | winrar-x64.exe
  File opened for modification | C:\Program Files\WinRAR\UnRAR.exe | winrar-x64.exe
  File opened for modification | C:\Program Files\WinRAR\RarExtPackage.msix | winrar-x64.exe
  File opened for modification | C:\Program Files\WinRAR\Default64.SFX | winrar-x64.exe
  File opened for modification | C:\Program Files\WinRAR\WinCon.SFX | winrar-x64.exe
  File created | C:\Program Files\WinRAR\rarnew.dat | uninstall.exe
  File opened for modification | C:\Program Files\WinRAR\RarFiles.lst | winrar-x64.exe
  File created | C:\Program Files\WinRAR\Uninstall.lst | winrar-x64.exe
  File created | C:\Program Files\WinRAR\Uninstall.exe | winrar-x64.exe
- Executes dropped EXE (1 IoCs)
  Processes: uninstall.exe
  pid | process
  1556 | uninstall.exe
- Loads dropped DLL (9 IoCs)
  Processes: winrar-x64.exe, uninstall.exe
  pid | process
  2860 | winrar-x64.exe
  1100 |
  1556 | uninstall.exe
  1556 | uninstall.exe
  1100 |
  1100 |
  1100 |
  1100 |
  1100 |
- Modifies system executable filetype association (2 TTPs, 8 IoCs)
  Processes: uninstall.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\ | uninstall.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32 | uninstall.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" | uninstall.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA} | uninstall.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\ | uninstall.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR | uninstall.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}" | uninstall.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA} | uninstall.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Modifies Internet Explorer settings
  Processes: winrar-x64.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main | winrar-x64.exe
- Modifies registry class (64 IoCs)
  Processes: uninstall.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.r03 | uninstall.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.arj | uninstall.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.r00\ = "WinRAR" | uninstall.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.r16\ = "WinRAR" | uninstall.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" | uninstall.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.tbz2 | uninstall.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\shell | uninstall.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.r12\ = "WinRAR" | uninstall.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.r13\ = "WinRAR" | uninstall.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\DragDropHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" | uninstall.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bz\ = "WinRAR" | uninstall.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32\ThreadingModel = "Apartment" | uninstall.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.r07\ = "WinRAR" | uninstall.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.r29\ = "WinRAR" | uninstall.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shell\open | uninstall.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\shell\open\command\ = "\"C:\\Program Files\\WinRAR\\WinRAR.exe\" \"%1\"" | uninstall.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers | uninstall.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.r16 | uninstall.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR | uninstall.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\DragDropHandlers\WinRAR | uninstall.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.zip | uninstall.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.7z | uninstall.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.tbz2\ = "WinRAR" | uninstall.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.tar\ = "WinRAR" | uninstall.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.uu | uninstall.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex | uninstall.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" | uninstall.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.r09 | uninstall.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.zst\ = "WinRAR" | uninstall.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.r12 | uninstall.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.r18 | uninstall.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.lzh\ = "WinRAR" | uninstall.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\DefaultIcon\ = "C:\\Program Files\\WinRAR\\WinRAR.exe,0" | uninstall.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\ = "RAR recovery volume" | uninstall.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA} | uninstall.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\DropHandler\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}" | uninstall.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.rar\ShellNew | uninstall.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.tzst\ = "WinRAR" | uninstall.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shell | uninstall.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\shell\open\command | uninstall.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\DragDropHandlers\WinRAR32 | uninstall.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\ | uninstall.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32 | uninstall.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.cab\ = "WinRAR" | uninstall.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bz | uninstall.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}" | uninstall.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.r17 | uninstall.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.r19\ = "WinRAR" | uninstall.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.tbz | uninstall.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.tbz\ = "WinRAR" | uninstall.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\ | uninstall.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.r05 | uninstall.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.r14\ = "WinRAR" | uninstall.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\ = "WinRAR archive" | uninstall.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\InProcServer32 | uninstall.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.r20\ = "WinRAR" | uninstall.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.r22\ = "WinRAR" | uninstall.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.gz | uninstall.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B41DB860-8EE4-11D2-9906-E49FADC173CA} | uninstall.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\DropHandler | uninstall.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.r23\ = "WinRAR" | uninstall.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.r26 | uninstall.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.001\ = "WinRAR" | uninstall.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\DragDropHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}" | uninstall.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes: winrar-x64.exe
  pid | process
  2860 | winrar-x64.exe
  2860 | winrar-x64.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: winrar-x64.exe
  description | pid | process | target process
  PID 2860 wrote to memory of 1556 | 2860 | winrar-x64.exe | uninstall.exe
  PID 2860 wrote to memory of 1556 | 2860 | winrar-x64.exe | uninstall.exe
  PID 2860 wrote to memory of 1556 | 2860 | winrar-x64.exe | uninstall.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\winrar-x64.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\winrar-x64.exe"
  PID: 2860
  Signatures:
  - Drops file in Program Files directory
  - Loads dropped DLL
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Program Files\WinRAR\uninstall.exe (child of PID 2860)
    Command line: "C:\Program Files\WinRAR\uninstall.exe" /setup
    PID: 1556
    Signatures:
    - Drops file in Program Files directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies system executable filetype association
    - Modifies registry class
- C:\Windows\explorer.exe
  Command line: "C:\Windows\explorer.exe"
  PID: 2136
- C:\Windows\explorer.exe
  Command line: "C:\Windows\explorer.exe"
  PID: 2360
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 107KB
  MD5: 8933d6e810668af29d7ba8f1c3b2b9ff
  SHA1: 760cbb236c4ca6e0003582aaefd72ff8b1c872aa
  SHA256: cd3ba458c88bdf8924ebb404c8505d627e6ac7aadc6e351562c1894019604fc7
  SHA512: 344d737228483add83d5f2b31ae9582ca78013dc4be967f2cdafca24145970e3cb46d75373996150a3c9119ebc81ce9ac50e16696c17a4dea65c9571ef8e745e
- Filesize: 95KB
  MD5: d4c768c52ee077eb09bac094f4af8310
  SHA1: c56ae6b4464799fcdc87c5ff5a49ac1ad43482b1
  SHA256: 8089dfbebdf2142c7f60f5c12098859417b3c997f0b24b696ccaa78a50f3726c
  SHA512: 5b794b19b5ff10f7356a46f02204d0df3183037bc89d32e3f2c2978ea8f90ac6367fcb225b476cb7c8a3035d82ca1e328791271d3a58b40b9759d4b65e83f847
- Filesize: 314KB
  MD5: 81b236ef16aaa6a3936fd449b12b82a2
  SHA1: 698acb3c862c7f3ecf94971e4276e531914e67bc
  SHA256: d37819e64ecb61709fcf3435eb9bed790f75163057e36fb94a3465ca353ccc5e
  SHA512: 968fe20d6fe6879939297b8683da1520a1e0d2b9a5107451fca70b91802492e243976f56090c85eb9f38fca8f74134b8b6aa133ba2e2806d763c9f8516ace769
- Filesize: 2.3MB
  MD5: 0b114fc0f4b6d49f57b3b01dd9ea6a8c
  SHA1: 23e1480c3ff3a54e712d759e9325d362bf52fabd
  SHA256: f0f312fe14599d7379aa247c1d0cc6100db45bfe7f277113134a8157950bcacd
  SHA512: e31c3a3da5e72a9d72e245d6e5dcc7c92e4cfcbb6bdbb61061e0586e29f77e8b42a81a0bba99ce45e148a2423907878fb858c40cc1008ef9d90fb8e4e2fcd573
- Filesize: 412KB
  MD5: 92667e28583a9489e3cf4f1a7fd6636e
  SHA1: faa09990ba4daae970038ed44e3841151d6e7f28
  SHA256: 9147293554ad43920bcf763ffd6e1183c36b9f8156dc220548426a187a5f2959
  SHA512: 63555a15f153df59b2ca2ab56cd20d71420eb5c9977bcf774723d8484157172b027f71fb2f7a4692aecc6e471f50beec2e0f7a43e57449714caede1e9684c0b8