floxif | 0c7327804fe50c5c29fa43b70458201b99f22d3dd759f3f21b1b1edcb08c3566

Analysis

max time kernel
120s
max time network
109s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
02-01-2025 00:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0c7327804fe50c5c29fa43b70458201b99f22d3dd759f3f21b1b1edcb08c3566N.exe
Size

4.0MB
MD5

4a790c625fdacd05222a4e9cda95d030
SHA1

b13861ad929271e2987f8006ae4f4e7ed33dc7eb
SHA256

0c7327804fe50c5c29fa43b70458201b99f22d3dd759f3f21b1b1edcb08c3566
SHA512

604946a5baf29f7a6434c063426b72b66c36dea50c1ffe86f5775407217f42f25a388de33b8b64e11fa596121006366744d790c92674340779323db8ff16d0b8
SSDEEP

98304:dNRBOBfKgQIm9EOTqw8vjh9Ac9nUNupK4hVvcF+yHrAT:zR/gmeOqv7Ac9F0kl

Score

10^/10

floxif backdoor discovery evasion persistence privilege_escalation trojan upx

Malware Config

Signatures

Floxif family
floxif
Floxif, Floodfix
Floxif aka FloodFix is a file-changing trojan and backdoor written in C++.
backdoor trojan floxif

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Detects Floxif payload 1 IoCs

backdoor

resource	yara_rule
behavioral1/files/0x000a00000001202c-2.dat	floxif

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000a00000001202c-2.dat	acprotect

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 23 IoCs

pid	Process
1040	0c7327804fe50c5c29fa43b70458201b99f22d3dd759f3f21b1b1edcb08c3566n.exe
1248	icsys.icn.exe
1204	Process not Found
1608	explorer.exe
2192	spoolsv.exe
2748	svchost.exe
2880	spoolsv.exe
2276	uninstall.exe
556	WinRAR.exe
2096	WinRAR.exe
2788	WinRAR.exe
2544	WinRAR.exe
2116	WinRAR.exe
1676	WinRAR.exe
1276	WinRAR.exe
1976	WinRAR.exe
1960	WinRAR.exe
2232	WinRAR.exe
1360	WinRAR.exe
1516	WinRAR.exe
2428	WinRAR.exe
2236	WinRAR.exe
2332	WinRAR.exe

Loads dropped DLL 64 IoCs

pid	Process
2376	0c7327804fe50c5c29fa43b70458201b99f22d3dd759f3f21b1b1edcb08c3566N.exe
2376	0c7327804fe50c5c29fa43b70458201b99f22d3dd759f3f21b1b1edcb08c3566N.exe
2376	0c7327804fe50c5c29fa43b70458201b99f22d3dd759f3f21b1b1edcb08c3566N.exe
1248	icsys.icn.exe
1608	explorer.exe
2192	spoolsv.exe
2748	svchost.exe
1040	0c7327804fe50c5c29fa43b70458201b99f22d3dd759f3f21b1b1edcb08c3566n.exe
1204	Process not Found
2276	uninstall.exe
2276	uninstall.exe
2276	uninstall.exe
1204	Process not Found
2276	uninstall.exe
1204	Process not Found
1204	Process not Found
1204	Process not Found
556	WinRAR.exe
556	WinRAR.exe
556	WinRAR.exe
556	WinRAR.exe
2096	WinRAR.exe
2096	WinRAR.exe
2096	WinRAR.exe
2096	WinRAR.exe
2788	WinRAR.exe
2788	WinRAR.exe
2788	WinRAR.exe
2788	WinRAR.exe
2544	WinRAR.exe
2544	WinRAR.exe
2544	WinRAR.exe
2544	WinRAR.exe
2116	WinRAR.exe
2116	WinRAR.exe
2116	WinRAR.exe
2116	WinRAR.exe
1676	WinRAR.exe
1676	WinRAR.exe
1676	WinRAR.exe
1676	WinRAR.exe
1276	WinRAR.exe
1276	WinRAR.exe
1276	WinRAR.exe
1276	WinRAR.exe
1976	WinRAR.exe
1976	WinRAR.exe
1976	WinRAR.exe
1976	WinRAR.exe
1960	WinRAR.exe
1960	WinRAR.exe
1960	WinRAR.exe
1960	WinRAR.exe
2232	WinRAR.exe
2232	WinRAR.exe
2232	WinRAR.exe
2232	WinRAR.exe
1360	WinRAR.exe
1360	WinRAR.exe
1360	WinRAR.exe
1360	WinRAR.exe
1516	WinRAR.exe
1516	WinRAR.exe
1516	WinRAR.exe

Modifies system executable filetype association 2 TTPs 8 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR	uninstall.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2376-4-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/files/0x000a00000001202c-2.dat	upx
behavioral1/memory/2748-63-0x0000000000300000-0x000000000031F000-memory.dmp	upx
behavioral1/memory/2376-62-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2376-73-0x0000000010000000-0x0000000010030000-memory.dmp	upx

Drops file in Program Files directory 61 IoCs

description	ioc	Process
File created	C:\Program Files\WinRAR\__tmp_rar_sfx_access_check_259433765	0c7327804fe50c5c29fa43b70458201b99f22d3dd759f3f21b1b1edcb08c3566n.exe
File opened for modification	C:\Program Files\WinRAR\Resources.pri	0c7327804fe50c5c29fa43b70458201b99f22d3dd759f3f21b1b1edcb08c3566n.exe
File created	C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-64.png	0c7327804fe50c5c29fa43b70458201b99f22d3dd759f3f21b1b1edcb08c3566n.exe
File created	C:\Program Files\WinRAR\License.txt	0c7327804fe50c5c29fa43b70458201b99f22d3dd759f3f21b1b1edcb08c3566n.exe
File opened for modification	C:\Program Files\WinRAR\RarFiles.lst	0c7327804fe50c5c29fa43b70458201b99f22d3dd759f3f21b1b1edcb08c3566n.exe
File opened for modification	C:\Program Files\WinRAR\RarExt32.dll	0c7327804fe50c5c29fa43b70458201b99f22d3dd759f3f21b1b1edcb08c3566n.exe
File created	C:\Program Files\WinRAR\Resources.pri	0c7327804fe50c5c29fa43b70458201b99f22d3dd759f3f21b1b1edcb08c3566n.exe
File opened for modification	C:\Program Files\WinRAR\WinRAR.chm	0c7327804fe50c5c29fa43b70458201b99f22d3dd759f3f21b1b1edcb08c3566n.exe
File created	C:\Program Files\Common Files\System\symsrv.dll	0c7327804fe50c5c29fa43b70458201b99f22d3dd759f3f21b1b1edcb08c3566N.exe
File opened for modification	C:\Program Files\WinRAR\Order.htm	0c7327804fe50c5c29fa43b70458201b99f22d3dd759f3f21b1b1edcb08c3566n.exe
File created	C:\Program Files\WinRAR\RarExt32.dll	0c7327804fe50c5c29fa43b70458201b99f22d3dd759f3f21b1b1edcb08c3566n.exe
File opened for modification	C:\Program Files\WinRAR\WinRAR.exe	0c7327804fe50c5c29fa43b70458201b99f22d3dd759f3f21b1b1edcb08c3566n.exe
File opened for modification	C:\Program Files\WinRAR\RarExt.dll	0c7327804fe50c5c29fa43b70458201b99f22d3dd759f3f21b1b1edcb08c3566n.exe
File created	C:\Program Files\WinRAR\Default32.SFX	0c7327804fe50c5c29fa43b70458201b99f22d3dd759f3f21b1b1edcb08c3566n.exe
File opened for modification	C:\Program Files\WinRAR\Rar.txt	0c7327804fe50c5c29fa43b70458201b99f22d3dd759f3f21b1b1edcb08c3566n.exe
File created	C:\Program Files\WinRAR\Uninstall.lst	0c7327804fe50c5c29fa43b70458201b99f22d3dd759f3f21b1b1edcb08c3566n.exe
File created	C:\Program Files\WinRAR\WinRAR.chm	0c7327804fe50c5c29fa43b70458201b99f22d3dd759f3f21b1b1edcb08c3566n.exe
File opened for modification	C:\Program Files\WinRAR\ReadMe.txt	0c7327804fe50c5c29fa43b70458201b99f22d3dd759f3f21b1b1edcb08c3566n.exe
File created	C:\Program Files\WinRAR\Order.htm	0c7327804fe50c5c29fa43b70458201b99f22d3dd759f3f21b1b1edcb08c3566n.exe
File opened for modification	C:\Program Files\WinRAR\Rar.exe	0c7327804fe50c5c29fa43b70458201b99f22d3dd759f3f21b1b1edcb08c3566n.exe
File created	C:\Program Files\WinRAR\WinRAR.exe	0c7327804fe50c5c29fa43b70458201b99f22d3dd759f3f21b1b1edcb08c3566n.exe
File created	C:\Program Files\WinRAR\7zxa.dll	0c7327804fe50c5c29fa43b70458201b99f22d3dd759f3f21b1b1edcb08c3566n.exe
File opened for modification	C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-32.png	0c7327804fe50c5c29fa43b70458201b99f22d3dd759f3f21b1b1edcb08c3566n.exe
File created	C:\Program Files\WinRAR\rarnew.dat	uninstall.exe
File created	C:\Program Files\WinRAR\RarFiles.lst	0c7327804fe50c5c29fa43b70458201b99f22d3dd759f3f21b1b1edcb08c3566n.exe
File opened for modification	C:\Program Files\WinRAR\Uninstall.lst	0c7327804fe50c5c29fa43b70458201b99f22d3dd759f3f21b1b1edcb08c3566n.exe
File created	C:\Program Files\WinRAR\UnRAR.exe	0c7327804fe50c5c29fa43b70458201b99f22d3dd759f3f21b1b1edcb08c3566n.exe
File created	C:\Program Files\WinRAR\Default.SFX	0c7327804fe50c5c29fa43b70458201b99f22d3dd759f3f21b1b1edcb08c3566n.exe
File opened for modification	C:\Program Files\WinRAR\Default32.SFX	0c7327804fe50c5c29fa43b70458201b99f22d3dd759f3f21b1b1edcb08c3566n.exe
File created	C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-32.png	0c7327804fe50c5c29fa43b70458201b99f22d3dd759f3f21b1b1edcb08c3566n.exe
File created	C:\Program Files\WinRAR\WhatsNew.txt	0c7327804fe50c5c29fa43b70458201b99f22d3dd759f3f21b1b1edcb08c3566n.exe
File opened for modification	C:\Program Files\WinRAR\RarExtInstaller.exe	0c7327804fe50c5c29fa43b70458201b99f22d3dd759f3f21b1b1edcb08c3566n.exe
File opened for modification	C:\Program Files\WinRAR\WinCon32.SFX	0c7327804fe50c5c29fa43b70458201b99f22d3dd759f3f21b1b1edcb08c3566n.exe
File created	C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-48.png	0c7327804fe50c5c29fa43b70458201b99f22d3dd759f3f21b1b1edcb08c3566n.exe
File opened for modification	C:\Program Files\WinRAR\7zxa.dll	0c7327804fe50c5c29fa43b70458201b99f22d3dd759f3f21b1b1edcb08c3566n.exe
File created	C:\Program Files\WinRAR\Zip.SFX	0c7327804fe50c5c29fa43b70458201b99f22d3dd759f3f21b1b1edcb08c3566n.exe
File created	C:\Program Files\WinRAR\Zip32.SFX	0c7327804fe50c5c29fa43b70458201b99f22d3dd759f3f21b1b1edcb08c3566n.exe
File opened for modification	C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-48.png	0c7327804fe50c5c29fa43b70458201b99f22d3dd759f3f21b1b1edcb08c3566n.exe
File opened for modification	C:\Program Files\WinRAR\License.txt	0c7327804fe50c5c29fa43b70458201b99f22d3dd759f3f21b1b1edcb08c3566n.exe
File created	C:\Program Files\WinRAR\Uninstall.exe	0c7327804fe50c5c29fa43b70458201b99f22d3dd759f3f21b1b1edcb08c3566n.exe
File opened for modification	C:\Program Files\WinRAR\WinCon.SFX	0c7327804fe50c5c29fa43b70458201b99f22d3dd759f3f21b1b1edcb08c3566n.exe
File opened for modification	C:\Program Files\WinRAR\Zip.SFX	0c7327804fe50c5c29fa43b70458201b99f22d3dd759f3f21b1b1edcb08c3566n.exe
File created	C:\Program Files\WinRAR\ReadMe.txt	0c7327804fe50c5c29fa43b70458201b99f22d3dd759f3f21b1b1edcb08c3566n.exe
File created	C:\Program Files\WinRAR\RarExtInstaller.exe	0c7327804fe50c5c29fa43b70458201b99f22d3dd759f3f21b1b1edcb08c3566n.exe
File created	C:\Program Files\WinRAR\RarExt.dll	0c7327804fe50c5c29fa43b70458201b99f22d3dd759f3f21b1b1edcb08c3566n.exe
File opened for modification	C:\Program Files\WinRAR\RarExtPackage.msix	0c7327804fe50c5c29fa43b70458201b99f22d3dd759f3f21b1b1edcb08c3566n.exe
File opened for modification	C:\Program Files\WinRAR\Default.SFX	0c7327804fe50c5c29fa43b70458201b99f22d3dd759f3f21b1b1edcb08c3566n.exe
File created	C:\Program Files\WinRAR\WinCon32.SFX	0c7327804fe50c5c29fa43b70458201b99f22d3dd759f3f21b1b1edcb08c3566n.exe
File opened for modification	C:\Program Files\WinRAR	0c7327804fe50c5c29fa43b70458201b99f22d3dd759f3f21b1b1edcb08c3566n.exe
File opened for modification	C:\Program Files\WinRAR\Descript.ion	0c7327804fe50c5c29fa43b70458201b99f22d3dd759f3f21b1b1edcb08c3566n.exe
File created	C:\Program Files\WinRAR\Rar.txt	0c7327804fe50c5c29fa43b70458201b99f22d3dd759f3f21b1b1edcb08c3566n.exe
File created	C:\Program Files\WinRAR\Descript.ion	0c7327804fe50c5c29fa43b70458201b99f22d3dd759f3f21b1b1edcb08c3566n.exe
File opened for modification	C:\Program Files\WinRAR\Uninstall.exe	0c7327804fe50c5c29fa43b70458201b99f22d3dd759f3f21b1b1edcb08c3566n.exe
File opened for modification	C:\Program Files\WinRAR\UnRAR.exe	0c7327804fe50c5c29fa43b70458201b99f22d3dd759f3f21b1b1edcb08c3566n.exe
File created	C:\Program Files\WinRAR\RarExtPackage.msix	0c7327804fe50c5c29fa43b70458201b99f22d3dd759f3f21b1b1edcb08c3566n.exe
File opened for modification	C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-64.png	0c7327804fe50c5c29fa43b70458201b99f22d3dd759f3f21b1b1edcb08c3566n.exe
File opened for modification	C:\Program Files\WinRAR\Zip32.SFX	0c7327804fe50c5c29fa43b70458201b99f22d3dd759f3f21b1b1edcb08c3566n.exe
File created	C:\Program Files\WinRAR\zipnew.dat	uninstall.exe
File opened for modification	C:\Program Files\WinRAR\WhatsNew.txt	0c7327804fe50c5c29fa43b70458201b99f22d3dd759f3f21b1b1edcb08c3566n.exe
File created	C:\Program Files\WinRAR\Rar.exe	0c7327804fe50c5c29fa43b70458201b99f22d3dd759f3f21b1b1edcb08c3566n.exe
File created	C:\Program Files\WinRAR\WinCon.SFX	0c7327804fe50c5c29fa43b70458201b99f22d3dd759f3f21b1b1edcb08c3566n.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	0c7327804fe50c5c29fa43b70458201b99f22d3dd759f3f21b1b1edcb08c3566N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0c7327804fe50c5c29fa43b70458201b99f22d3dd759f3f21b1b1edcb08c3566N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main	0c7327804fe50c5c29fa43b70458201b99f22d3dd759f3f21b1b1edcb08c3566n.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main	WinRAR.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	WinRAR.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	WinRAR.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\DropHandler	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.tbz2	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.zst\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shell\open	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.rar\ShellNew\FileName = "C:\\Program Files\\WinRAR\\rarnew.dat"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.tbz	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.tar	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.uue\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\DefaultIcon	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.lha	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\ = "WinRAR ZIP archive"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\DefaultIcon	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bz\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.tzst	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\WinRAR	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.zip	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.arj\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.7z\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.uue	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\DragDropHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.cab\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shell\open\command\ = "\"C:\\Program Files\\WinRAR\\WinRAR.exe\" \"%1\""	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shell\open\command	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.rev	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.taz\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.txz\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32\ = "C:\\Program Files\\WinRAR\\rarext.dll"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.uu	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\DefaultIcon\ = "C:\\Program Files\\WinRAR\\WinRAR.exe,0"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.arj	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.lzh	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.xxe\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\DropHandler	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.zip\ShellNew	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.uu\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.xz\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.7z	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.xz	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shell	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\InProcServer32\ = "C:\\Program Files\\WinRAR\\rarext32.dll"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\WinRAR32	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shell\open\command\ = "\"C:\\Program Files\\WinRAR\\WinRAR.exe\" \"%1\""	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\shell	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR32	uninstall.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	WinRAR.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	WinRAR.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1948	schtasks.exe
2244	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2376	0c7327804fe50c5c29fa43b70458201b99f22d3dd759f3f21b1b1edcb08c3566N.exe
2376	0c7327804fe50c5c29fa43b70458201b99f22d3dd759f3f21b1b1edcb08c3566N.exe
2376	0c7327804fe50c5c29fa43b70458201b99f22d3dd759f3f21b1b1edcb08c3566N.exe
2376	0c7327804fe50c5c29fa43b70458201b99f22d3dd759f3f21b1b1edcb08c3566N.exe
2376	0c7327804fe50c5c29fa43b70458201b99f22d3dd759f3f21b1b1edcb08c3566N.exe
2376	0c7327804fe50c5c29fa43b70458201b99f22d3dd759f3f21b1b1edcb08c3566N.exe
2376	0c7327804fe50c5c29fa43b70458201b99f22d3dd759f3f21b1b1edcb08c3566N.exe
2376	0c7327804fe50c5c29fa43b70458201b99f22d3dd759f3f21b1b1edcb08c3566N.exe
2376	0c7327804fe50c5c29fa43b70458201b99f22d3dd759f3f21b1b1edcb08c3566N.exe
2376	0c7327804fe50c5c29fa43b70458201b99f22d3dd759f3f21b1b1edcb08c3566N.exe
2376	0c7327804fe50c5c29fa43b70458201b99f22d3dd759f3f21b1b1edcb08c3566N.exe
2376	0c7327804fe50c5c29fa43b70458201b99f22d3dd759f3f21b1b1edcb08c3566N.exe
2376	0c7327804fe50c5c29fa43b70458201b99f22d3dd759f3f21b1b1edcb08c3566N.exe
2376	0c7327804fe50c5c29fa43b70458201b99f22d3dd759f3f21b1b1edcb08c3566N.exe
2376	0c7327804fe50c5c29fa43b70458201b99f22d3dd759f3f21b1b1edcb08c3566N.exe
2376	0c7327804fe50c5c29fa43b70458201b99f22d3dd759f3f21b1b1edcb08c3566N.exe
1248	icsys.icn.exe
1248	icsys.icn.exe
1248	icsys.icn.exe
1248	icsys.icn.exe
1248	icsys.icn.exe
1248	icsys.icn.exe
1248	icsys.icn.exe
1248	icsys.icn.exe
1248	icsys.icn.exe
1248	icsys.icn.exe
1248	icsys.icn.exe
1248	icsys.icn.exe
1248	icsys.icn.exe
1248	icsys.icn.exe
1248	icsys.icn.exe
1248	icsys.icn.exe
1248	icsys.icn.exe
1608	explorer.exe
1608	explorer.exe
1608	explorer.exe
1608	explorer.exe
1608	explorer.exe
1608	explorer.exe
1608	explorer.exe
1608	explorer.exe
1608	explorer.exe
1608	explorer.exe
1608	explorer.exe
1608	explorer.exe
1608	explorer.exe
1608	explorer.exe
1608	explorer.exe
1608	explorer.exe
2748	svchost.exe
2748	svchost.exe
2748	svchost.exe
2748	svchost.exe
2748	svchost.exe
2748	svchost.exe
2748	svchost.exe
2748	svchost.exe
2748	svchost.exe
2748	svchost.exe
2748	svchost.exe
2748	svchost.exe
2748	svchost.exe
2748	svchost.exe
2748	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 4 IoCs

pid	Process
2748	svchost.exe
1608	explorer.exe
2276	uninstall.exe
2332	WinRAR.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2376	0c7327804fe50c5c29fa43b70458201b99f22d3dd759f3f21b1b1edcb08c3566N.exe

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
2376	0c7327804fe50c5c29fa43b70458201b99f22d3dd759f3f21b1b1edcb08c3566N.exe
2376	0c7327804fe50c5c29fa43b70458201b99f22d3dd759f3f21b1b1edcb08c3566N.exe
1040	0c7327804fe50c5c29fa43b70458201b99f22d3dd759f3f21b1b1edcb08c3566n.exe
1040	0c7327804fe50c5c29fa43b70458201b99f22d3dd759f3f21b1b1edcb08c3566n.exe
1248	icsys.icn.exe
1248	icsys.icn.exe
1608	explorer.exe
1608	explorer.exe
2192	spoolsv.exe
2192	spoolsv.exe
2748	svchost.exe
2748	svchost.exe
2880	spoolsv.exe
2880	spoolsv.exe
556	WinRAR.exe
556	WinRAR.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2376 wrote to memory of 1040	2376	0c7327804fe50c5c29fa43b70458201b99f22d3dd759f3f21b1b1edcb08c3566N.exe	30
PID 2376 wrote to memory of 1040	2376	0c7327804fe50c5c29fa43b70458201b99f22d3dd759f3f21b1b1edcb08c3566N.exe	30
PID 2376 wrote to memory of 1040	2376	0c7327804fe50c5c29fa43b70458201b99f22d3dd759f3f21b1b1edcb08c3566N.exe	30
PID 2376 wrote to memory of 1040	2376	0c7327804fe50c5c29fa43b70458201b99f22d3dd759f3f21b1b1edcb08c3566N.exe	30
PID 2376 wrote to memory of 1248	2376	0c7327804fe50c5c29fa43b70458201b99f22d3dd759f3f21b1b1edcb08c3566N.exe	31
PID 2376 wrote to memory of 1248	2376	0c7327804fe50c5c29fa43b70458201b99f22d3dd759f3f21b1b1edcb08c3566N.exe	31
PID 2376 wrote to memory of 1248	2376	0c7327804fe50c5c29fa43b70458201b99f22d3dd759f3f21b1b1edcb08c3566N.exe	31
PID 2376 wrote to memory of 1248	2376	0c7327804fe50c5c29fa43b70458201b99f22d3dd759f3f21b1b1edcb08c3566N.exe	31
PID 1248 wrote to memory of 1608	1248	icsys.icn.exe	32
PID 1248 wrote to memory of 1608	1248	icsys.icn.exe	32
PID 1248 wrote to memory of 1608	1248	icsys.icn.exe	32
PID 1248 wrote to memory of 1608	1248	icsys.icn.exe	32
PID 1608 wrote to memory of 2192	1608	explorer.exe	33
PID 1608 wrote to memory of 2192	1608	explorer.exe	33
PID 1608 wrote to memory of 2192	1608	explorer.exe	33
PID 1608 wrote to memory of 2192	1608	explorer.exe	33
PID 2192 wrote to memory of 2748	2192	spoolsv.exe	34
PID 2192 wrote to memory of 2748	2192	spoolsv.exe	34
PID 2192 wrote to memory of 2748	2192	spoolsv.exe	34
PID 2192 wrote to memory of 2748	2192	spoolsv.exe	34
PID 2748 wrote to memory of 2880	2748	svchost.exe	35
PID 2748 wrote to memory of 2880	2748	svchost.exe	35
PID 2748 wrote to memory of 2880	2748	svchost.exe	35
PID 2748 wrote to memory of 2880	2748	svchost.exe	35
PID 1608 wrote to memory of 2676	1608	explorer.exe	36
PID 1608 wrote to memory of 2676	1608	explorer.exe	36
PID 1608 wrote to memory of 2676	1608	explorer.exe	36
PID 1608 wrote to memory of 2676	1608	explorer.exe	36
PID 2748 wrote to memory of 1948	2748	svchost.exe	37
PID 2748 wrote to memory of 1948	2748	svchost.exe	37
PID 2748 wrote to memory of 1948	2748	svchost.exe	37
PID 2748 wrote to memory of 1948	2748	svchost.exe	37
PID 1040 wrote to memory of 2276	1040	0c7327804fe50c5c29fa43b70458201b99f22d3dd759f3f21b1b1edcb08c3566n.exe	40
PID 1040 wrote to memory of 2276	1040	0c7327804fe50c5c29fa43b70458201b99f22d3dd759f3f21b1b1edcb08c3566n.exe	40
PID 1040 wrote to memory of 2276	1040	0c7327804fe50c5c29fa43b70458201b99f22d3dd759f3f21b1b1edcb08c3566n.exe	40
PID 2276 wrote to memory of 556	2276	uninstall.exe	43
PID 2276 wrote to memory of 556	2276	uninstall.exe	43
PID 2276 wrote to memory of 556	2276	uninstall.exe	43
PID 2276 wrote to memory of 2212	2276	uninstall.exe	44
PID 2276 wrote to memory of 2212	2276	uninstall.exe	44
PID 2276 wrote to memory of 2212	2276	uninstall.exe	44
PID 2276 wrote to memory of 2096	2276	uninstall.exe	46
PID 2276 wrote to memory of 2096	2276	uninstall.exe	46
PID 2276 wrote to memory of 2096	2276	uninstall.exe	46
PID 2276 wrote to memory of 2392	2276	uninstall.exe	47
PID 2276 wrote to memory of 2392	2276	uninstall.exe	47
PID 2276 wrote to memory of 2392	2276	uninstall.exe	47
PID 2276 wrote to memory of 2788	2276	uninstall.exe	48
PID 2276 wrote to memory of 2788	2276	uninstall.exe	48
PID 2276 wrote to memory of 2788	2276	uninstall.exe	48
PID 2276 wrote to memory of 2908	2276	uninstall.exe	49
PID 2276 wrote to memory of 2908	2276	uninstall.exe	49
PID 2276 wrote to memory of 2908	2276	uninstall.exe	49
PID 2276 wrote to memory of 2544	2276	uninstall.exe	50
PID 2276 wrote to memory of 2544	2276	uninstall.exe	50
PID 2276 wrote to memory of 2544	2276	uninstall.exe	50
PID 2276 wrote to memory of 2660	2276	uninstall.exe	51
PID 2276 wrote to memory of 2660	2276	uninstall.exe	51
PID 2276 wrote to memory of 2660	2276	uninstall.exe	51
PID 2276 wrote to memory of 2116	2276	uninstall.exe	52
PID 2276 wrote to memory of 2116	2276	uninstall.exe	52
PID 2276 wrote to memory of 2116	2276	uninstall.exe	52
PID 2276 wrote to memory of 2928	2276	uninstall.exe	53
PID 2276 wrote to memory of 2928	2276	uninstall.exe	53

C:\Users\Admin\AppData\Local\Temp\0c7327804fe50c5c29fa43b70458201b99f22d3dd759f3f21b1b1edcb08c3566N.exe
"C:\Users\Admin\AppData\Local\Temp\0c7327804fe50c5c29fa43b70458201b99f22d3dd759f3f21b1b1edcb08c3566N.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2376
- \??\c:\users\admin\appdata\local\temp\0c7327804fe50c5c29fa43b70458201b99f22d3dd759f3f21b1b1edcb08c3566n.exe
  c:\users\admin\appdata\local\temp\0c7327804fe50c5c29fa43b70458201b99f22d3dd759f3f21b1b1edcb08c3566n.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1040
- - C:\Program Files\WinRAR\uninstall.exe
    "C:\Program Files\WinRAR\uninstall.exe" /setup
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies system executable filetype association
    - Drops file in Program Files directory
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of WriteProcessMemory
    PID:2276
  - - C:\Program Files\WinRAR\WinRAR.exe
      "C:\Program Files\WinRAR\WinRAR.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Modifies Internet Explorer settings
      Modifies system certificate store
      Suspicious use of SetWindowsHookEx
      PID:556
  - - C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Program Files\WinRAR\WhatsNew.txt
      4⤵
      PID:2212
  - - C:\Program Files\WinRAR\WinRAR.exe
      "C:\Program Files\WinRAR\WinRAR.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2096
  - - C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Program Files\WinRAR\WhatsNew.txt
      4⤵
      PID:2392
  - - C:\Program Files\WinRAR\WinRAR.exe
      "C:\Program Files\WinRAR\WinRAR.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2788
  - - C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Program Files\WinRAR\WhatsNew.txt
      4⤵
      PID:2908
  - - C:\Program Files\WinRAR\WinRAR.exe
      "C:\Program Files\WinRAR\WinRAR.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2544
  - - C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Program Files\WinRAR\WhatsNew.txt
      4⤵
      PID:2660
  - - C:\Program Files\WinRAR\WinRAR.exe
      "C:\Program Files\WinRAR\WinRAR.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2116
  - - C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Program Files\WinRAR\WhatsNew.txt
      4⤵
      PID:2928
  - - C:\Program Files\WinRAR\WinRAR.exe
      "C:\Program Files\WinRAR\WinRAR.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1676
  - - C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Program Files\WinRAR\WhatsNew.txt
      4⤵
      PID:2104
  - - C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Program Files\WinRAR\WhatsNew.txt
      4⤵
      PID:1436
  - - C:\Program Files\WinRAR\WinRAR.exe
      "C:\Program Files\WinRAR\WinRAR.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1276
  - - C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Program Files\WinRAR\WhatsNew.txt
      4⤵
      PID:1924
  - - C:\Program Files\WinRAR\WinRAR.exe
      "C:\Program Files\WinRAR\WinRAR.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1976
  - - C:\Program Files\WinRAR\WinRAR.exe
      "C:\Program Files\WinRAR\WinRAR.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1960
  - - C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Program Files\WinRAR\WhatsNew.txt
      4⤵
      PID:1288
  - - C:\Program Files\WinRAR\WinRAR.exe
      "C:\Program Files\WinRAR\WinRAR.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2232
  - - C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Program Files\WinRAR\WhatsNew.txt
      4⤵
      PID:2592
  - - C:\Program Files\WinRAR\WinRAR.exe
      "C:\Program Files\WinRAR\WinRAR.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1360
  - - C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Program Files\WinRAR\WhatsNew.txt
      4⤵
      PID:1996
  - - C:\Program Files\WinRAR\WinRAR.exe
      "C:\Program Files\WinRAR\WinRAR.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1516
  - - C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Program Files\WinRAR\WhatsNew.txt
      4⤵
      PID:1348
  - - C:\Program Files\WinRAR\WinRAR.exe
      "C:\Program Files\WinRAR\WinRAR.exe"
      4⤵
      Executes dropped EXE
      PID:2428
  - - C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Program Files\WinRAR\WhatsNew.txt
      4⤵
      PID:2148
  - - C:\Program Files\WinRAR\WinRAR.exe
      "C:\Program Files\WinRAR\WinRAR.exe"
      4⤵
      Executes dropped EXE
      PID:2236
  - - C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Program Files\WinRAR\WhatsNew.txt
      4⤵
      PID:2296
  - - C:\Program Files\WinRAR\WinRAR.exe
      "C:\Program Files\WinRAR\WinRAR.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: GetForegroundWindowSpam
      PID:2332
  - - C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Program Files\WinRAR\WhatsNew.txt
      4⤵
      PID:948
- C:\Windows\Resources\Themes\icsys.icn.exe
  C:\Windows\Resources\Themes\icsys.icn.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1248
- - \??\c:\windows\resources\themes\explorer.exe
    c:\windows\resources\themes\explorer.exe
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1608
  - - \??\c:\windows\resources\spoolsv.exe
      c:\windows\resources\spoolsv.exe SE
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2192
    - - \??\c:\windows\resources\svchost.exe
        
        c:\windows\resources\svchost.exe
        5⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2748
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2880
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 01:00 /f
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1948
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 01:01 /f
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2244
  - - C:\Windows\Explorer.exe
      C:\Windows\Explorer.exe
      4⤵
      PID:2676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Component Object Model Hijacking

T1546.015

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Component Object Model Hijacking

T1546.015

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\WinRAR\Order.htm

Filesize
3KB

MD5
5c336de3b3d794322ad9e5915e3a509f

SHA1
5256262a417e9a29fe23e8cca09782c7a3532fc9

SHA256
bce29ef3b95306cb7b304fb8c3039be7157356d9f9d4e7e1c6bfbf02a117f48f

SHA512
7243c9b8eb39fc8aa10ec8b5c290e27d44fa1c245f0478b75ae77964c178d41e9c1f651f987316f1153c1a7176eecebc269ffb0c42ced5bd0b12e5cc1b95da04

Download Submit
C:\Program Files\WinRAR\Rar.txt

Filesize
105KB

MD5
b954981a253f5e1ee25585037a0c5fee

SHA1
96566e5c591df1c740519371ee6953ac1dc6a13f

SHA256
59e40b34b09be2654b793576035639c459ad6e962f9f9cd000d556fa21b1c7cd

SHA512
6a7772c6b404cd7fee50110b894ff0c470e5813264e605852b8dcc06bfaeb62b8cc79adcb695b3da149e42d5372a0d730cc7e8ed893c0bd0edb015fc088b7531

Download Submit
C:\Program Files\WinRAR\WhatsNew.txt

Filesize
45KB

MD5
1c44c85fdab8e9c663405cd8e4c3dbbd

SHA1
74d44e9cb2bf6f4c152aadb61b2ffc6b6ccd1c88

SHA256
33108dd40b4e07d60e96e1bcfa4ad877eb4906de2cc55844e40360e5d4dafb5d

SHA512
46d3fb4f2d084d51b6fd01845823100abc81913ebd1b0bcfeb52ef18e8222199d282aa45cae452f0716e0e2bf5520f7a6a254363d22b65f7ab6c10f11292ee2d

Download Submit
C:\Program Files\WinRAR\WinRAR.chm

Filesize
316KB

MD5
6ca1bc8bfe8b929f448e1742dacb8e7f

SHA1
eca3e637db230fa179dcd6c6499bd7d616f211e8

SHA256
997184b6f08d36dedc2cd12ee8dc5afb5e6e4bf77f7ab10f7ade9eefdb163344

SHA512
d823f2c960a4d92129b9bda0f4f9195d32e64b929082b5efb9149546b5053021255d1dd03cb443f0a03106314554f76b94173e280a553a81e4ac2ac282877973

Download Submit
C:\Program Files\WinRAR\WinRAR.exe

Filesize
3.1MB

MD5
53cf9bacc49c034e9e947d75ffab9224

SHA1
7db940c68d5d351e4948f26425cd9aee09b49b3f

SHA256
3b214fd9774c6d96332e50a501c5e467671b8b504070bbb17e497083b7e282c3

SHA512
44c9154b1fdbcf27ab7faee6be5b563a18b2baead3e68b3ea788c6c76cf582f52f3f87bd447a4f6e25ec7d4690761332211659d754fb4e0630c22a372e470bda

Download Submit
C:\Users\Admin\AppData\Roaming\WinRAR\version.dat

Filesize
12B

MD5
e39ac177d3c0bafe2608de3d9f5f46a3

SHA1
98fdfbb31e6eca285b61e018deddbe944d90365e

SHA256
51e8dc6cd75380b34f17bae2e9542665796d8689ddd933a1c6d8207ca76a27ee

SHA512
98465bd32c4fab73c4c65822654f7c8c7d1903954f799811347d56019a556d5de0278db4c0d94f33053220070bf04230ddbddeba16e1c409c0aa8d9a644e3378

Download Submit
C:\Windows\Resources\Themes\icsys.icn.exe

Filesize
135KB

MD5
daf1242b600ae3a9e1ceb1b315354e4f

SHA1
ce303563d30ad0507bd0d11705b431d908ca9a7e

SHA256
3e5f802384d53aec8d691cd8d42cc806a333f59bbd5987214de046e49c046d4f

SHA512
ae96f00856cc821430fd061209c91f6e804c9078756d7b17e82e1513671306f8e19448bd2059e0db75fd95b213fccec593d6292b292a8d7804c07e4afd2d0410

Download Submit
\Program Files\Common Files\System\symsrv.dll

Filesize
67KB

MD5
7574cf2c64f35161ab1292e2f532aabf

SHA1
14ba3fa927a06224dfe587014299e834def4644f

SHA256
de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

SHA512
4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

Download Submit
\Program Files\WinRAR\Rar.exe

Filesize
744KB

MD5
16659ae52ce03889ad19db1f5710c6aa

SHA1
66b814fe3be64229e2cc19f0a4460e123ba74971

SHA256
0b1866b627d8078d296e7d39583c9f856117be79c1d226b8c9378fe075369118

SHA512
f9dd360c3a230131c08c4d5f838457f690ed4094ec166acd9f141b7603f649cfa71a47ea80e9ff41b8296246bdc1c72a75288f9a836c18431e06c2e8e3fc8398

Download Submit
\Program Files\WinRAR\RarExtInstaller.exe

Filesize
181KB

MD5
f5b54d16610a819bbc6099bdc92add2c

SHA1
7c680a87233ff7e75866657e9c1acf97d69f6579

SHA256
46f533007fb231d0b0af058a0997ab5e6b44a1b02ae327621f04fdc4b2e18964

SHA512
a120a2ee6c926cd6f6b8d1be68ff471294552b049baa637a474d1210fe3ca83e66d0834217d1a5eea0491d080cea1795ee328fdd4cb54f6a132be2dc2e58e4a8

Download Submit
\Program Files\WinRAR\Uninstall.exe

Filesize
477KB

MD5
4783f1a5f0bba7a6a40cb74bc8c41217

SHA1
a22b9dc8074296841a5a78ea41f0e2270f7b7ad7

SHA256
f376aaa0d4444d0727db5598e8377f9f1606400adbbb4772d39d1e4937d5f28c

SHA512
463dff17f06eca41ae76e3c0b2efc4ef36529aa2eaed5163eec0a912fe7802c9fb38c37acfe94b82972861aaf1acf02823a5948fbb3292bb4743641acb99841e

Download Submit
\Users\Admin\AppData\Local\Temp\0c7327804fe50c5c29fa43b70458201b99f22d3dd759f3f21b1b1edcb08c3566n.exe

Filesize
3.8MB

MD5
46c17c999744470b689331f41eab7df1

SHA1
b8a63127df6a87d333061c622220d6d70ed80f7c

SHA256
c5b5def1c8882b702b6b25cbd94461c737bc151366d2d9eba5006c04886bfc9a

SHA512
4b02a3e85b699f62df1b4fe752c4dee08cfabc9b8bb316bc39b854bd5187fc602943a95788ec680c7d3dc2c26ad882e69c0740294bd6cb3b32cdcd165a9441b6

Download Submit
\Windows\Resources\Themes\explorer.exe

Filesize
135KB

MD5
e91eddd5dffbdc025c6b771e817660c2

SHA1
ee57d7535fd90131575ba69760d9ea23dc411ff5

SHA256
fad14591c2c6d6b3bcbac71b32effb16f6d02d5f2507cf1ac24a40fb6db47f6b

SHA512
2ae60b86062a45d6a66e26ae9d04b45e10811239c3313fbeab18487353fc68e19a7bd8ec5895b6c4a50c9c88a24d8a459d93c6201b53dac2c27816b08ff03cf1

Download Submit
\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
4c7bfb86f6b0d993cbeac5ba28b92193

SHA1
046f5997c3e1550ddba5f8d78e964b06de7c04d0

SHA256
9a3e154b671dc753508ab96a3e31e8b1c8ee5fdcda54eabfb4cf16a7bab61aec

SHA512
4aec93ce787e4f3c6b4a0b10bda65c525826e1935f14a73094151526c32b90d907745f09b3b52af943641d1643bb4dde0c887c53a94f38e355165dcff8e80845

Download Submit
\Windows\Resources\svchost.exe

Filesize
135KB

MD5
9fdedf322ceb2aea45283d3351b831e1

SHA1
b05d9c61e01236f59c3d490b917737e62d5e1211

SHA256
885c73a44bbcbf39849a1c1885b3fcfd8b5cd889b743d18ddf59302aac6537ee

SHA512
de0f60fd1ac80fddf6b3c15501eea3f449d3258f602ca70b14903255e5af0851078740caaacad657888e612102ad72ae5580b218b716bb789d9cb80a94c9ed5b

Download Submit
memory/1248-70-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1248-24-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1608-45-0x0000000000320000-0x000000000033F000-memory.dmp

Filesize
124KB

Download
memory/1608-239-0x0000000000320000-0x000000000033F000-memory.dmp

Filesize
124KB

Download
memory/1608-238-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2192-69-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2376-21-0x0000000000440000-0x000000000045F000-memory.dmp

Filesize
124KB

Download
memory/2376-73-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2376-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2376-62-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2376-9-0x0000000000408000-0x000000000040C000-memory.dmp

Filesize
16KB

Download
memory/2376-4-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2376-72-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2748-63-0x0000000000300000-0x000000000031F000-memory.dmp

Filesize
124KB

Download
memory/2748-241-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2748-243-0x0000000000300000-0x000000000031F000-memory.dmp

Filesize
124KB

Download
memory/2880-68-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download