9371a656feffb9e8e4fe70ce3fa01352af3035b5afaddbe4332442fc1dbb8ff0

Analysis

max time kernel
124s
max time network
147s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
02-12-2024 18:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

My Program/RockerLegacy.exe
Size

3.8MB
MD5

46c17c999744470b689331f41eab7df1
SHA1

b8a63127df6a87d333061c622220d6d70ed80f7c
SHA256

c5b5def1c8882b702b6b25cbd94461c737bc151366d2d9eba5006c04886bfc9a
SHA512

4b02a3e85b699f62df1b4fe752c4dee08cfabc9b8bb316bc39b854bd5187fc602943a95788ec680c7d3dc2c26ad882e69c0740294bd6cb3b32cdcd165a9441b6
SSDEEP

98304:6NRBOBfKgQIm9EOTqw8vjh9Ac9nUNupK4hVvcF+yHrAr:sR/gmeOqv7Ac9F0kB

Score

5^/10

discovery persistence privilege_escalation

Malware Config

Signatures

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 60 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\WinRAR	RockerLegacy.exe
File created	C:\Program Files\WinRAR\Zip.SFX	RockerLegacy.exe
File opened for modification	C:\Program Files\WinRAR\License.txt	RockerLegacy.exe
File opened for modification	C:\Program Files\WinRAR\WhatsNew.txt	RockerLegacy.exe
File opened for modification	C:\Program Files\WinRAR\Order.htm	RockerLegacy.exe
File opened for modification	C:\Program Files\WinRAR\7zxa.dll	RockerLegacy.exe
File created	C:\Program Files\WinRAR\Default.SFX	RockerLegacy.exe
File opened for modification	C:\Program Files\WinRAR\Default32.SFX	RockerLegacy.exe
File created	C:\Program Files\WinRAR\WinCon32.SFX	RockerLegacy.exe
File opened for modification	C:\Program Files\WinRAR\Zip.SFX	RockerLegacy.exe
File created	C:\Program Files\WinRAR\ReadMe.txt	RockerLegacy.exe
File opened for modification	C:\Program Files\WinRAR\Rar.txt	RockerLegacy.exe
File opened for modification	C:\Program Files\WinRAR\UnRAR.exe	RockerLegacy.exe
File opened for modification	C:\Program Files\WinRAR\RarExt.dll	RockerLegacy.exe
File opened for modification	C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-64.png	RockerLegacy.exe
File created	C:\Program Files\WinRAR\Uninstall.exe	RockerLegacy.exe
File opened for modification	C:\Program Files\WinRAR\Zip32.SFX	RockerLegacy.exe
File opened for modification	C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-32.png	RockerLegacy.exe
File opened for modification	C:\Program Files\WinRAR\Uninstall.lst	RockerLegacy.exe
File created	C:\Program Files\WinRAR\RarExtPackage.msix	RockerLegacy.exe
File created	C:\Program Files\WinRAR\zipnew.dat	uninstall.exe
File created	C:\Program Files\WinRAR\Rar.txt	RockerLegacy.exe
File created	C:\Program Files\WinRAR\WhatsNew.txt	RockerLegacy.exe
File opened for modification	C:\Program Files\WinRAR\RarFiles.lst	RockerLegacy.exe
File created	C:\Program Files\WinRAR\7zxa.dll	RockerLegacy.exe
File opened for modification	C:\Program Files\WinRAR\Default.SFX	RockerLegacy.exe
File created	C:\Program Files\WinRAR\WinRAR.chm	RockerLegacy.exe
File created	C:\Program Files\WinRAR\rarnew.dat	uninstall.exe
File opened for modification	C:\Program Files\WinRAR\Rar.exe	RockerLegacy.exe
File opened for modification	C:\Program Files\WinRAR\Uninstall.exe	RockerLegacy.exe
File created	C:\Program Files\WinRAR\WinRAR.exe	RockerLegacy.exe
File created	C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-32.png	RockerLegacy.exe
File created	C:\Program Files\WinRAR\__tmp_rar_sfx_access_check_259437166	RockerLegacy.exe
File created	C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-48.png	RockerLegacy.exe
File created	C:\Program Files\WinRAR\RarFiles.lst	RockerLegacy.exe
File opened for modification	C:\Program Files\WinRAR\RarExtInstaller.exe	RockerLegacy.exe
File created	C:\Program Files\WinRAR\RarExt32.dll	RockerLegacy.exe
File opened for modification	C:\Program Files\WinRAR\WinRAR.chm	RockerLegacy.exe
File created	C:\Program Files\WinRAR\Order.htm	RockerLegacy.exe
File created	C:\Program Files\WinRAR\Rar.exe	RockerLegacy.exe
File opened for modification	C:\Program Files\WinRAR\RarExt32.dll	RockerLegacy.exe
File opened for modification	C:\Program Files\WinRAR\Resources.pri	RockerLegacy.exe
File created	C:\Program Files\WinRAR\Default32.SFX	RockerLegacy.exe
File opened for modification	C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-48.png	RockerLegacy.exe
File created	C:\Program Files\WinRAR\Descript.ion	RockerLegacy.exe
File opened for modification	C:\Program Files\WinRAR\ReadMe.txt	RockerLegacy.exe
File created	C:\Program Files\WinRAR\UnRAR.exe	RockerLegacy.exe
File created	C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-64.png	RockerLegacy.exe
File created	C:\Program Files\WinRAR\RarExtInstaller.exe	RockerLegacy.exe
File created	C:\Program Files\WinRAR\Resources.pri	RockerLegacy.exe
File opened for modification	C:\Program Files\WinRAR\WinCon.SFX	RockerLegacy.exe
File created	C:\Program Files\WinRAR\License.txt	RockerLegacy.exe
File opened for modification	C:\Program Files\WinRAR\WinRAR.exe	RockerLegacy.exe
File created	C:\Program Files\WinRAR\WinCon.SFX	RockerLegacy.exe
File created	C:\Program Files\WinRAR\Zip32.SFX	RockerLegacy.exe
File opened for modification	C:\Program Files\WinRAR\Descript.ion	RockerLegacy.exe
File created	C:\Program Files\WinRAR\Uninstall.lst	RockerLegacy.exe
File created	C:\Program Files\WinRAR\RarExt.dll	RockerLegacy.exe
File opened for modification	C:\Program Files\WinRAR\RarExtPackage.msix	RockerLegacy.exe
File opened for modification	C:\Program Files\WinRAR\WinCon32.SFX	RockerLegacy.exe

Executes dropped EXE 17 IoCs

pid	Process
2444	uninstall.exe
2276	WinRAR.exe
1712	WinRAR.exe
2100	WinRAR.exe
1848	WinRAR.exe
2052	WinRAR.exe
2280	WinRAR.exe
2528	WinRAR.exe
2684	WinRAR.exe
2908	WinRAR.exe
2604	WinRAR.exe
2236	WinRAR.exe
1576	WinRAR.exe
1888	WinRAR.exe
1472	WinRAR.exe
1268	WinRAR.exe
1796	WinRAR.exe

Loads dropped DLL 64 IoCs

pid	Process
2792	RockerLegacy.exe
1116	Process not Found
2444	uninstall.exe
2444	uninstall.exe
2444	uninstall.exe
1116	Process not Found
2444	uninstall.exe
1116	Process not Found
1116	Process not Found
1116	Process not Found
2276	WinRAR.exe
2276	WinRAR.exe
2276	WinRAR.exe
2276	WinRAR.exe
1712	WinRAR.exe
1712	WinRAR.exe
1712	WinRAR.exe
1712	WinRAR.exe
2100	WinRAR.exe
2100	WinRAR.exe
2100	WinRAR.exe
2100	WinRAR.exe
1848	WinRAR.exe
1848	WinRAR.exe
1848	WinRAR.exe
1848	WinRAR.exe
2052	WinRAR.exe
2052	WinRAR.exe
2052	WinRAR.exe
2052	WinRAR.exe
2280	WinRAR.exe
2280	WinRAR.exe
2280	WinRAR.exe
2280	WinRAR.exe
2528	WinRAR.exe
2528	WinRAR.exe
2528	WinRAR.exe
2528	WinRAR.exe
2684	WinRAR.exe
2684	WinRAR.exe
2684	WinRAR.exe
2684	WinRAR.exe
2908	WinRAR.exe
2908	WinRAR.exe
2908	WinRAR.exe
2908	WinRAR.exe
2604	WinRAR.exe
2604	WinRAR.exe
2604	WinRAR.exe
2604	WinRAR.exe
2236	WinRAR.exe
2236	WinRAR.exe
2236	WinRAR.exe
2236	WinRAR.exe
1576	WinRAR.exe
1576	WinRAR.exe
1576	WinRAR.exe
1576	WinRAR.exe
1888	WinRAR.exe
1888	WinRAR.exe
1888	WinRAR.exe
1888	WinRAR.exe
1472	WinRAR.exe
1472	WinRAR.exe

Modifies system executable filetype association 2 TTPs 8 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	uninstall.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	RockerLegacy.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	WinRAR.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	WinRAR.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	WinRAR.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.gz	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.rar\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\DragDropHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.tzst\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\ = "RAR recovery volume"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.zip	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.zip\ = "WinRAR.ZIP"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.uue	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.bz2	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR32	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32\ThreadingModel = "Apartment"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.7z	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\DefaultIcon	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\DefaultIcon\ = "C:\\Program Files\\WinRAR\\WinRAR.exe,0"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\InProcServer32\ = "C:\\Program Files\\WinRAR\\rarext32.dll"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.001\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shell\open	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shell\open\command	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\shell\open\command\ = "\"C:\\Program Files\\WinRAR\\WinRAR.exe\" \"%1\""	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\DropHandler\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.7z\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\WinRAR32	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.lha	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.xxe	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shell\open	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\shell\open	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\DropHandler\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\WinRAR	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\DefaultIcon\ = "C:\\Program Files\\WinRAR\\WinRAR.exe,0"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\DropHandler\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.tar\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.zipx	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\DefaultIcon	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.rar\ShellNew	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.arj\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shell\open\command\ = "\"C:\\Program Files\\WinRAR\\WinRAR.exe\" \"%1\""	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.zip\ShellNew\FileName = "C:\\Program Files\\WinRAR\\zipnew.dat"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.tgz\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.zst	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shell	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\WinRAR	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.tlz\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.uu\ = "WinRAR"	uninstall.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	WinRAR.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	WinRAR.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2444	uninstall.exe
1796	WinRAR.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2792	RockerLegacy.exe
2792	RockerLegacy.exe
2276	WinRAR.exe
2276	WinRAR.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2792 wrote to memory of 2444	2792	RockerLegacy.exe	28
PID 2792 wrote to memory of 2444	2792	RockerLegacy.exe	28
PID 2792 wrote to memory of 2444	2792	RockerLegacy.exe	28
PID 2444 wrote to memory of 2276	2444	uninstall.exe	33
PID 2444 wrote to memory of 2276	2444	uninstall.exe	33
PID 2444 wrote to memory of 2276	2444	uninstall.exe	33
PID 2444 wrote to memory of 2340	2444	uninstall.exe	32
PID 2444 wrote to memory of 2340	2444	uninstall.exe	32
PID 2444 wrote to memory of 2340	2444	uninstall.exe	32
PID 2444 wrote to memory of 1712	2444	uninstall.exe	35
PID 2444 wrote to memory of 1712	2444	uninstall.exe	35
PID 2444 wrote to memory of 1712	2444	uninstall.exe	35
PID 2444 wrote to memory of 1356	2444	uninstall.exe	36
PID 2444 wrote to memory of 1356	2444	uninstall.exe	36
PID 2444 wrote to memory of 1356	2444	uninstall.exe	36
PID 2444 wrote to memory of 1464	2444	uninstall.exe	37
PID 2444 wrote to memory of 1464	2444	uninstall.exe	37
PID 2444 wrote to memory of 1464	2444	uninstall.exe	37
PID 2444 wrote to memory of 2100	2444	uninstall.exe	38
PID 2444 wrote to memory of 2100	2444	uninstall.exe	38
PID 2444 wrote to memory of 2100	2444	uninstall.exe	38
PID 2444 wrote to memory of 564	2444	uninstall.exe	39
PID 2444 wrote to memory of 564	2444	uninstall.exe	39
PID 2444 wrote to memory of 564	2444	uninstall.exe	39
PID 2444 wrote to memory of 1848	2444	uninstall.exe	40
PID 2444 wrote to memory of 1848	2444	uninstall.exe	40
PID 2444 wrote to memory of 1848	2444	uninstall.exe	40
PID 2444 wrote to memory of 2052	2444	uninstall.exe	41
PID 2444 wrote to memory of 2052	2444	uninstall.exe	41
PID 2444 wrote to memory of 2052	2444	uninstall.exe	41
PID 2444 wrote to memory of 2116	2444	uninstall.exe	42
PID 2444 wrote to memory of 2116	2444	uninstall.exe	42
PID 2444 wrote to memory of 2116	2444	uninstall.exe	42
PID 2444 wrote to memory of 2280	2444	uninstall.exe	43
PID 2444 wrote to memory of 2280	2444	uninstall.exe	43
PID 2444 wrote to memory of 2280	2444	uninstall.exe	43
PID 2444 wrote to memory of 1928	2444	uninstall.exe	44
PID 2444 wrote to memory of 1928	2444	uninstall.exe	44
PID 2444 wrote to memory of 1928	2444	uninstall.exe	44
PID 2444 wrote to memory of 2936	2444	uninstall.exe	45
PID 2444 wrote to memory of 2936	2444	uninstall.exe	45
PID 2444 wrote to memory of 2936	2444	uninstall.exe	45
PID 2444 wrote to memory of 2528	2444	uninstall.exe	46
PID 2444 wrote to memory of 2528	2444	uninstall.exe	46
PID 2444 wrote to memory of 2528	2444	uninstall.exe	46
PID 2444 wrote to memory of 2684	2444	uninstall.exe	47
PID 2444 wrote to memory of 2684	2444	uninstall.exe	47
PID 2444 wrote to memory of 2684	2444	uninstall.exe	47
PID 2444 wrote to memory of 2804	2444	uninstall.exe	48
PID 2444 wrote to memory of 2804	2444	uninstall.exe	48
PID 2444 wrote to memory of 2804	2444	uninstall.exe	48
PID 2444 wrote to memory of 2908	2444	uninstall.exe	49
PID 2444 wrote to memory of 2908	2444	uninstall.exe	49
PID 2444 wrote to memory of 2908	2444	uninstall.exe	49
PID 2444 wrote to memory of 2916	2444	uninstall.exe	50
PID 2444 wrote to memory of 2916	2444	uninstall.exe	50
PID 2444 wrote to memory of 2916	2444	uninstall.exe	50
PID 2444 wrote to memory of 2604	2444	uninstall.exe	51
PID 2444 wrote to memory of 2604	2444	uninstall.exe	51
PID 2444 wrote to memory of 2604	2444	uninstall.exe	51
PID 2444 wrote to memory of 2436	2444	uninstall.exe	52
PID 2444 wrote to memory of 2436	2444	uninstall.exe	52
PID 2444 wrote to memory of 2436	2444	uninstall.exe	52
PID 2444 wrote to memory of 2236	2444	uninstall.exe	53

C:\Users\Admin\AppData\Local\Temp\My Program\RockerLegacy.exe
"C:\Users\Admin\AppData\Local\Temp\My Program\RockerLegacy.exe"
1⤵
- Drops file in Program Files directory
- Loads dropped DLL
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2792
- C:\Program Files\WinRAR\uninstall.exe
  "C:\Program Files\WinRAR\uninstall.exe" /setup
  2⤵
  - Drops file in Program Files directory
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  PID:2444
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Program Files\WinRAR\WhatsNew.txt
    3⤵
    PID:2340
- - C:\Program Files\WinRAR\WinRAR.exe
    "C:\Program Files\WinRAR\WinRAR.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies Internet Explorer settings
    - Modifies system certificate store
    - Suspicious use of SetWindowsHookEx
    PID:2276
- - C:\Program Files\WinRAR\WinRAR.exe
    "C:\Program Files\WinRAR\WinRAR.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1712
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Program Files\WinRAR\WhatsNew.txt
    3⤵
    PID:1356
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Program Files\WinRAR\WhatsNew.txt
    3⤵
    PID:1464
- - C:\Program Files\WinRAR\WinRAR.exe
    "C:\Program Files\WinRAR\WinRAR.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2100
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Program Files\WinRAR\WhatsNew.txt
    3⤵
    PID:564
- - C:\Program Files\WinRAR\WinRAR.exe
    "C:\Program Files\WinRAR\WinRAR.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1848
- - C:\Program Files\WinRAR\WinRAR.exe
    "C:\Program Files\WinRAR\WinRAR.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2052
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Program Files\WinRAR\WhatsNew.txt
    3⤵
    PID:2116
- - C:\Program Files\WinRAR\WinRAR.exe
    "C:\Program Files\WinRAR\WinRAR.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2280
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Program Files\WinRAR\WhatsNew.txt
    3⤵
    PID:1928
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Program Files\WinRAR\WhatsNew.txt
    3⤵
    PID:2936
- - C:\Program Files\WinRAR\WinRAR.exe
    "C:\Program Files\WinRAR\WinRAR.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2528
- - C:\Program Files\WinRAR\WinRAR.exe
    "C:\Program Files\WinRAR\WinRAR.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2684
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Program Files\WinRAR\WhatsNew.txt
    3⤵
    PID:2804
- - C:\Program Files\WinRAR\WinRAR.exe
    "C:\Program Files\WinRAR\WinRAR.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2908
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Program Files\WinRAR\WhatsNew.txt
    3⤵
    PID:2916
- - C:\Program Files\WinRAR\WinRAR.exe
    "C:\Program Files\WinRAR\WinRAR.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2604
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Program Files\WinRAR\WhatsNew.txt
    3⤵
    PID:2436
- - C:\Program Files\WinRAR\WinRAR.exe
    "C:\Program Files\WinRAR\WinRAR.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2236
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Program Files\WinRAR\WhatsNew.txt
    3⤵
    PID:1044
- - C:\Program Files\WinRAR\WinRAR.exe
    "C:\Program Files\WinRAR\WinRAR.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1576
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Program Files\WinRAR\WhatsNew.txt
    3⤵
    PID:2352
- - C:\Program Files\WinRAR\WinRAR.exe
    "C:\Program Files\WinRAR\WinRAR.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1888
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Program Files\WinRAR\WhatsNew.txt
    3⤵
    PID:1988
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Program Files\WinRAR\WhatsNew.txt
    3⤵
    PID:308
- - C:\Program Files\WinRAR\WinRAR.exe
    "C:\Program Files\WinRAR\WinRAR.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1472
- - C:\Program Files\WinRAR\WinRAR.exe
    "C:\Program Files\WinRAR\WinRAR.exe"
    3⤵
    - Executes dropped EXE
    PID:1268
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Program Files\WinRAR\WhatsNew.txt
    3⤵
    PID:2180
- - C:\Program Files\WinRAR\WinRAR.exe
    "C:\Program Files\WinRAR\WinRAR.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: GetForegroundWindowSpam
    PID:1796
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Program Files\WinRAR\WhatsNew.txt
    3⤵
    PID:2312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Component Object Model Hijacking

T1546.015

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\WinRAR\Order.htm

Filesize
3KB

MD5
5c336de3b3d794322ad9e5915e3a509f

SHA1
5256262a417e9a29fe23e8cca09782c7a3532fc9

SHA256
bce29ef3b95306cb7b304fb8c3039be7157356d9f9d4e7e1c6bfbf02a117f48f

SHA512
7243c9b8eb39fc8aa10ec8b5c290e27d44fa1c245f0478b75ae77964c178d41e9c1f651f987316f1153c1a7176eecebc269ffb0c42ced5bd0b12e5cc1b95da04

Download Submit
C:\Program Files\WinRAR\Rar.txt

Filesize
105KB

MD5
b954981a253f5e1ee25585037a0c5fee

SHA1
96566e5c591df1c740519371ee6953ac1dc6a13f

SHA256
59e40b34b09be2654b793576035639c459ad6e962f9f9cd000d556fa21b1c7cd

SHA512
6a7772c6b404cd7fee50110b894ff0c470e5813264e605852b8dcc06bfaeb62b8cc79adcb695b3da149e42d5372a0d730cc7e8ed893c0bd0edb015fc088b7531

Download Submit
C:\Program Files\WinRAR\Uninstall.exe

Filesize
477KB

MD5
4783f1a5f0bba7a6a40cb74bc8c41217

SHA1
a22b9dc8074296841a5a78ea41f0e2270f7b7ad7

SHA256
f376aaa0d4444d0727db5598e8377f9f1606400adbbb4772d39d1e4937d5f28c

SHA512
463dff17f06eca41ae76e3c0b2efc4ef36529aa2eaed5163eec0a912fe7802c9fb38c37acfe94b82972861aaf1acf02823a5948fbb3292bb4743641acb99841e

Download Submit
C:\Program Files\WinRAR\WhatsNew.txt

Filesize
45KB

MD5
1c44c85fdab8e9c663405cd8e4c3dbbd

SHA1
74d44e9cb2bf6f4c152aadb61b2ffc6b6ccd1c88

SHA256
33108dd40b4e07d60e96e1bcfa4ad877eb4906de2cc55844e40360e5d4dafb5d

SHA512
46d3fb4f2d084d51b6fd01845823100abc81913ebd1b0bcfeb52ef18e8222199d282aa45cae452f0716e0e2bf5520f7a6a254363d22b65f7ab6c10f11292ee2d

Download Submit
C:\Program Files\WinRAR\WinRAR.chm

Filesize
316KB

MD5
6ca1bc8bfe8b929f448e1742dacb8e7f

SHA1
eca3e637db230fa179dcd6c6499bd7d616f211e8

SHA256
997184b6f08d36dedc2cd12ee8dc5afb5e6e4bf77f7ab10f7ade9eefdb163344

SHA512
d823f2c960a4d92129b9bda0f4f9195d32e64b929082b5efb9149546b5053021255d1dd03cb443f0a03106314554f76b94173e280a553a81e4ac2ac282877973

Download Submit
C:\Program Files\WinRAR\WinRAR.exe

Filesize
3.1MB

MD5
53cf9bacc49c034e9e947d75ffab9224

SHA1
7db940c68d5d351e4948f26425cd9aee09b49b3f

SHA256
3b214fd9774c6d96332e50a501c5e467671b8b504070bbb17e497083b7e282c3

SHA512
44c9154b1fdbcf27ab7faee6be5b563a18b2baead3e68b3ea788c6c76cf582f52f3f87bd447a4f6e25ec7d4690761332211659d754fb4e0630c22a372e470bda

Download Submit
C:\Users\Admin\AppData\Roaming\WinRAR\version.dat

Filesize
12B

MD5
60b147b7eb1384cb454c0826793aaeb6

SHA1
2f5f9fa4c6a4deb17ade2d580bd9226e1ccab5e4

SHA256
47b47287be00cdf60422b5e62fe8333b0d54d9decc10bf871077571662cbee02

SHA512
65163f60abb5f83f65cd1bad40a9f1efcf3b74f743d6023baf9b4a8b3a7c055f77e1600eaecf8a640898f65cdb4201ab5ef9c8d2d8638ba522ebb7f4add42f8f

Download Submit
\Program Files\WinRAR\Rar.exe

Filesize
744KB

MD5
16659ae52ce03889ad19db1f5710c6aa

SHA1
66b814fe3be64229e2cc19f0a4460e123ba74971

SHA256
0b1866b627d8078d296e7d39583c9f856117be79c1d226b8c9378fe075369118

SHA512
f9dd360c3a230131c08c4d5f838457f690ed4094ec166acd9f141b7603f649cfa71a47ea80e9ff41b8296246bdc1c72a75288f9a836c18431e06c2e8e3fc8398

Download Submit
\Program Files\WinRAR\RarExtInstaller.exe

Filesize
181KB

MD5
f5b54d16610a819bbc6099bdc92add2c

SHA1
7c680a87233ff7e75866657e9c1acf97d69f6579

SHA256
46f533007fb231d0b0af058a0997ab5e6b44a1b02ae327621f04fdc4b2e18964

SHA512
a120a2ee6c926cd6f6b8d1be68ff471294552b049baa637a474d1210fe3ca83e66d0834217d1a5eea0491d080cea1795ee328fdd4cb54f6a132be2dc2e58e4a8

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads