517b6a097c3c3f94a2321780bd254d6ec5f4fbf5da66ac5ab9d7328ce0acad0a

Analysis

max time kernel
126s
max time network
141s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08-01-2025 18:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

winrar-x64.exe
Size

3.6MB
MD5

517023aad9ad2f3200057ce0b704e196
SHA1

7612058b5f0f87327b2957d5da63a2c6e65b0ea1
SHA256

de1d9040786c80f3f40f41c98aa1f6b14fc7b6f2d3db09eceadd340327164f8e
SHA512

bef1b7268d8c2c1f6c900fe392ecf11d2cd518dfa9944fb77c29c2306d20d89052a39c45d689054173ce866be1e93d4b3097131a120cd7567092527e1f50b3e1
SSDEEP

98304:vABAG9dn8V6e3yfnjvg6Tuq1LA28xv12m2ERCHo:va9dXh6q1Lf8xv5tCI

Score

5^/10

discovery persistence privilege_escalation

Malware Config

Signatures

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 60 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\WinRAR\WinCon32.SFX	winrar-x64.exe
File opened for modification	C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-32.png	winrar-x64.exe
File opened for modification	C:\Program Files\WinRAR\Uninstall.exe	winrar-x64.exe
File created	C:\Program Files\WinRAR\WinRAR.exe	winrar-x64.exe
File opened for modification	C:\Program Files\WinRAR\WinRAR.exe	winrar-x64.exe
File created	C:\Program Files\WinRAR\Rar.exe	winrar-x64.exe
File created	C:\Program Files\WinRAR\WinCon.SFX	winrar-x64.exe
File opened for modification	C:\Program Files\WinRAR\Uninstall.lst	winrar-x64.exe
File opened for modification	C:\Program Files\WinRAR\Default.SFX	winrar-x64.exe
File created	C:\Program Files\WinRAR\rarnew.dat	uninstall.exe
File opened for modification	C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-64.png	winrar-x64.exe
File created	C:\Program Files\WinRAR\__tmp_rar_sfx_access_check_259438960	winrar-x64.exe
File opened for modification	C:\Program Files\WinRAR\License.txt	winrar-x64.exe
File created	C:\Program Files\WinRAR\WhatsNew.txt	winrar-x64.exe
File created	C:\Program Files\WinRAR\RarExt.dll	winrar-x64.exe
File opened for modification	C:\Program Files\WinRAR\Default32.SFX	winrar-x64.exe
File created	C:\Program Files\WinRAR\Zip32.SFX	winrar-x64.exe
File opened for modification	C:\Program Files\WinRAR\RarExt32.dll	winrar-x64.exe
File opened for modification	C:\Program Files\WinRAR\Zip.SFX	winrar-x64.exe
File created	C:\Program Files\WinRAR\Rar.txt	winrar-x64.exe
File opened for modification	C:\Program Files\WinRAR\RarFiles.lst	winrar-x64.exe
File created	C:\Program Files\WinRAR\Uninstall.exe	winrar-x64.exe
File created	C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-32.png	winrar-x64.exe
File opened for modification	C:\Program Files\WinRAR\7zxa.dll	winrar-x64.exe
File created	C:\Program Files\WinRAR\WinRAR.chm	winrar-x64.exe
File created	C:\Program Files\WinRAR\Default32.SFX	winrar-x64.exe
File opened for modification	C:\Program Files\WinRAR\RarExt.dll	winrar-x64.exe
File created	C:\Program Files\WinRAR\RarExtPackage.msix	winrar-x64.exe
File opened for modification	C:\Program Files\WinRAR\Descript.ion	winrar-x64.exe
File opened for modification	C:\Program Files\WinRAR\ReadMe.txt	winrar-x64.exe
File created	C:\Program Files\WinRAR\Uninstall.lst	winrar-x64.exe
File created	C:\Program Files\WinRAR\Descript.ion	winrar-x64.exe
File created	C:\Program Files\WinRAR\ReadMe.txt	winrar-x64.exe
File created	C:\Program Files\WinRAR\UnRAR.exe	winrar-x64.exe
File opened for modification	C:\Program Files\WinRAR	winrar-x64.exe
File opened for modification	C:\Program Files\WinRAR\Zip32.SFX	winrar-x64.exe
File opened for modification	C:\Program Files\WinRAR\RarExtInstaller.exe	winrar-x64.exe
File opened for modification	C:\Program Files\WinRAR\WinRAR.chm	winrar-x64.exe
File created	C:\Program Files\WinRAR\Zip.SFX	winrar-x64.exe
File created	C:\Program Files\WinRAR\zipnew.dat	uninstall.exe
File created	C:\Program Files\WinRAR\WinCon32.SFX	winrar-x64.exe
File created	C:\Program Files\WinRAR\RarExt32.dll	winrar-x64.exe
File created	C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-64.png	winrar-x64.exe
File opened for modification	C:\Program Files\WinRAR\Resources.pri	winrar-x64.exe
File created	C:\Program Files\WinRAR\License.txt	winrar-x64.exe
File opened for modification	C:\Program Files\WinRAR\WhatsNew.txt	winrar-x64.exe
File created	C:\Program Files\WinRAR\RarFiles.lst	winrar-x64.exe
File opened for modification	C:\Program Files\WinRAR\Rar.txt	winrar-x64.exe
File created	C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-48.png	winrar-x64.exe
File opened for modification	C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-48.png	winrar-x64.exe
File created	C:\Program Files\WinRAR\7zxa.dll	winrar-x64.exe
File opened for modification	C:\Program Files\WinRAR\RarExtPackage.msix	winrar-x64.exe
File opened for modification	C:\Program Files\WinRAR\WinCon.SFX	winrar-x64.exe
File created	C:\Program Files\WinRAR\Order.htm	winrar-x64.exe
File opened for modification	C:\Program Files\WinRAR\Rar.exe	winrar-x64.exe
File created	C:\Program Files\WinRAR\Resources.pri	winrar-x64.exe
File created	C:\Program Files\WinRAR\Default.SFX	winrar-x64.exe
File opened for modification	C:\Program Files\WinRAR\Order.htm	winrar-x64.exe
File opened for modification	C:\Program Files\WinRAR\UnRAR.exe	winrar-x64.exe
File created	C:\Program Files\WinRAR\RarExtInstaller.exe	winrar-x64.exe

Executes dropped EXE 17 IoCs

pid	Process
1992	uninstall.exe
1428	WinRAR.exe
3020	WinRAR.exe
1412	WinRAR.exe
772	WinRAR.exe
1620	WinRAR.exe
308	WinRAR.exe
2320	WinRAR.exe
2720	WinRAR.exe
2784	WinRAR.exe
2616	WinRAR.exe
2648	WinRAR.exe
2960	WinRAR.exe
1536	WinRAR.exe
2076	WinRAR.exe
1696	WinRAR.exe
2340	WinRAR.exe

Loads dropped DLL 64 IoCs

pid	Process
1252	winrar-x64.exe
1236	Process not Found
1992	uninstall.exe
1992	uninstall.exe
1992	uninstall.exe
1236	Process not Found
1992	uninstall.exe
1236	Process not Found
1236	Process not Found
1236	Process not Found
1428	WinRAR.exe
1428	WinRAR.exe
1428	WinRAR.exe
1428	WinRAR.exe
3020	WinRAR.exe
3020	WinRAR.exe
3020	WinRAR.exe
3020	WinRAR.exe
1412	WinRAR.exe
1412	WinRAR.exe
1412	WinRAR.exe
1412	WinRAR.exe
772	WinRAR.exe
772	WinRAR.exe
772	WinRAR.exe
772	WinRAR.exe
1620	WinRAR.exe
1620	WinRAR.exe
1620	WinRAR.exe
1620	WinRAR.exe
308	WinRAR.exe
308	WinRAR.exe
308	WinRAR.exe
308	WinRAR.exe
2320	WinRAR.exe
2320	WinRAR.exe
2320	WinRAR.exe
2320	WinRAR.exe
2720	WinRAR.exe
2720	WinRAR.exe
2720	WinRAR.exe
2720	WinRAR.exe
2784	WinRAR.exe
2784	WinRAR.exe
2784	WinRAR.exe
2784	WinRAR.exe
2616	WinRAR.exe
2616	WinRAR.exe
2616	WinRAR.exe
2616	WinRAR.exe
2648	WinRAR.exe
2648	WinRAR.exe
2648	WinRAR.exe
2648	WinRAR.exe
2960	WinRAR.exe
2960	WinRAR.exe
2960	WinRAR.exe
2960	WinRAR.exe
1536	WinRAR.exe
1536	WinRAR.exe
1536	WinRAR.exe
1536	WinRAR.exe
2076	WinRAR.exe
2076	WinRAR.exe

Modifies system executable filetype association 2 TTPs 8 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	uninstall.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	WinRAR.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	WinRAR.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main	winrar-x64.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main	WinRAR.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32\ = "C:\\Program Files\\WinRAR\\rarext.dll"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.rar\ShellNew\FileName = "C:\\Program Files\\WinRAR\\rarnew.dat"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.tgz	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.rar	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.uue	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.xz\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shell	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.taz\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\DefaultIcon	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.rev	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR32	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\DropHandler\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.lzh	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\InProcServer32\ThreadingModel = "Apartment"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.zip\ = "WinRAR.ZIP"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shell\open	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\DropHandler\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.7z	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.xxe	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.tbz\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\DragDropHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.gz\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\ = "RAR recovery volume"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\shell\open\command\ = "\"C:\\Program Files\\WinRAR\\WinRAR.exe\" \"%1\""	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.tgz\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.zipx	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\WinRAR32	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.rar\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.cab	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\DragDropHandlers\WinRAR32	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\WinRAR	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.arj	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.bz	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\shell\open	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.xxe\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.zip\ShellNew	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\InProcServer32\ = "C:\\Program Files\\WinRAR\\rarext32.dll"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.cab\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.gz	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.arj\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.lzh\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\DefaultIcon	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.xz	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	uninstall.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	WinRAR.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	WinRAR.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1992	uninstall.exe
2340	WinRAR.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1252	winrar-x64.exe
1252	winrar-x64.exe
1428	WinRAR.exe
1428	WinRAR.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1252 wrote to memory of 1992	1252	winrar-x64.exe	30
PID 1252 wrote to memory of 1992	1252	winrar-x64.exe	30
PID 1252 wrote to memory of 1992	1252	winrar-x64.exe	30
PID 1992 wrote to memory of 2900	1992	uninstall.exe	33
PID 1992 wrote to memory of 2900	1992	uninstall.exe	33
PID 1992 wrote to memory of 2900	1992	uninstall.exe	33
PID 1992 wrote to memory of 1428	1992	uninstall.exe	34
PID 1992 wrote to memory of 1428	1992	uninstall.exe	34
PID 1992 wrote to memory of 1428	1992	uninstall.exe	34
PID 1992 wrote to memory of 2596	1992	uninstall.exe	36
PID 1992 wrote to memory of 2596	1992	uninstall.exe	36
PID 1992 wrote to memory of 2596	1992	uninstall.exe	36
PID 1992 wrote to memory of 3020	1992	uninstall.exe	37
PID 1992 wrote to memory of 3020	1992	uninstall.exe	37
PID 1992 wrote to memory of 3020	1992	uninstall.exe	37
PID 1992 wrote to memory of 1412	1992	uninstall.exe	38
PID 1992 wrote to memory of 1412	1992	uninstall.exe	38
PID 1992 wrote to memory of 1412	1992	uninstall.exe	38
PID 1992 wrote to memory of 2024	1992	uninstall.exe	39
PID 1992 wrote to memory of 2024	1992	uninstall.exe	39
PID 1992 wrote to memory of 2024	1992	uninstall.exe	39
PID 1992 wrote to memory of 772	1992	uninstall.exe	40
PID 1992 wrote to memory of 772	1992	uninstall.exe	40
PID 1992 wrote to memory of 772	1992	uninstall.exe	40
PID 1992 wrote to memory of 2104	1992	uninstall.exe	41
PID 1992 wrote to memory of 2104	1992	uninstall.exe	41
PID 1992 wrote to memory of 2104	1992	uninstall.exe	41
PID 1992 wrote to memory of 1620	1992	uninstall.exe	42
PID 1992 wrote to memory of 1620	1992	uninstall.exe	42
PID 1992 wrote to memory of 1620	1992	uninstall.exe	42
PID 1992 wrote to memory of 2080	1992	uninstall.exe	43
PID 1992 wrote to memory of 2080	1992	uninstall.exe	43
PID 1992 wrote to memory of 2080	1992	uninstall.exe	43
PID 1992 wrote to memory of 308	1992	uninstall.exe	44
PID 1992 wrote to memory of 308	1992	uninstall.exe	44
PID 1992 wrote to memory of 308	1992	uninstall.exe	44
PID 1992 wrote to memory of 1764	1992	uninstall.exe	45
PID 1992 wrote to memory of 1764	1992	uninstall.exe	45
PID 1992 wrote to memory of 1764	1992	uninstall.exe	45
PID 1992 wrote to memory of 2320	1992	uninstall.exe	46
PID 1992 wrote to memory of 2320	1992	uninstall.exe	46
PID 1992 wrote to memory of 2320	1992	uninstall.exe	46
PID 1992 wrote to memory of 2380	1992	uninstall.exe	47
PID 1992 wrote to memory of 2380	1992	uninstall.exe	47
PID 1992 wrote to memory of 2380	1992	uninstall.exe	47
PID 1992 wrote to memory of 2768	1992	uninstall.exe	48
PID 1992 wrote to memory of 2768	1992	uninstall.exe	48
PID 1992 wrote to memory of 2768	1992	uninstall.exe	48
PID 1992 wrote to memory of 2720	1992	uninstall.exe	49
PID 1992 wrote to memory of 2720	1992	uninstall.exe	49
PID 1992 wrote to memory of 2720	1992	uninstall.exe	49
PID 1992 wrote to memory of 2652	1992	uninstall.exe	50
PID 1992 wrote to memory of 2652	1992	uninstall.exe	50
PID 1992 wrote to memory of 2652	1992	uninstall.exe	50
PID 1992 wrote to memory of 2784	1992	uninstall.exe	51
PID 1992 wrote to memory of 2784	1992	uninstall.exe	51
PID 1992 wrote to memory of 2784	1992	uninstall.exe	51
PID 1992 wrote to memory of 2616	1992	uninstall.exe	52
PID 1992 wrote to memory of 2616	1992	uninstall.exe	52
PID 1992 wrote to memory of 2616	1992	uninstall.exe	52
PID 1992 wrote to memory of 2620	1992	uninstall.exe	53
PID 1992 wrote to memory of 2620	1992	uninstall.exe	53
PID 1992 wrote to memory of 2620	1992	uninstall.exe	53
PID 1992 wrote to memory of 2648	1992	uninstall.exe	54

C:\Users\Admin\AppData\Local\Temp\winrar-x64.exe
"C:\Users\Admin\AppData\Local\Temp\winrar-x64.exe"
1⤵
- Drops file in Program Files directory
- Loads dropped DLL
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1252
- C:\Program Files\WinRAR\uninstall.exe
  "C:\Program Files\WinRAR\uninstall.exe" /setup
  2⤵
  - Drops file in Program Files directory
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  PID:1992
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Program Files\WinRAR\WhatsNew.txt
    3⤵
    PID:2900
- - C:\Program Files\WinRAR\WinRAR.exe
    "C:\Program Files\WinRAR\WinRAR.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies Internet Explorer settings
    - Modifies system certificate store
    - Suspicious use of SetWindowsHookEx
    PID:1428
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Program Files\WinRAR\WhatsNew.txt
    3⤵
    PID:2596
- - C:\Program Files\WinRAR\WinRAR.exe
    "C:\Program Files\WinRAR\WinRAR.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3020
- - C:\Program Files\WinRAR\WinRAR.exe
    "C:\Program Files\WinRAR\WinRAR.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1412
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Program Files\WinRAR\WhatsNew.txt
    3⤵
    PID:2024
- - C:\Program Files\WinRAR\WinRAR.exe
    "C:\Program Files\WinRAR\WinRAR.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:772
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Program Files\WinRAR\WhatsNew.txt
    3⤵
    PID:2104
- - C:\Program Files\WinRAR\WinRAR.exe
    "C:\Program Files\WinRAR\WinRAR.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1620
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Program Files\WinRAR\WhatsNew.txt
    3⤵
    PID:2080
- - C:\Program Files\WinRAR\WinRAR.exe
    "C:\Program Files\WinRAR\WinRAR.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:308
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Program Files\WinRAR\WhatsNew.txt
    3⤵
    PID:1764
- - C:\Program Files\WinRAR\WinRAR.exe
    "C:\Program Files\WinRAR\WinRAR.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2320
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Program Files\WinRAR\WhatsNew.txt
    3⤵
    PID:2380
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Program Files\WinRAR\WhatsNew.txt
    3⤵
    PID:2768
- - C:\Program Files\WinRAR\WinRAR.exe
    "C:\Program Files\WinRAR\WinRAR.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2720
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Program Files\WinRAR\WhatsNew.txt
    3⤵
    PID:2652
- - C:\Program Files\WinRAR\WinRAR.exe
    "C:\Program Files\WinRAR\WinRAR.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2784
- - C:\Program Files\WinRAR\WinRAR.exe
    "C:\Program Files\WinRAR\WinRAR.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2616
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Program Files\WinRAR\WhatsNew.txt
    3⤵
    PID:2620
- - C:\Program Files\WinRAR\WinRAR.exe
    "C:\Program Files\WinRAR\WinRAR.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2648
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Program Files\WinRAR\WhatsNew.txt
    3⤵
    PID:2736
- - C:\Program Files\WinRAR\WinRAR.exe
    "C:\Program Files\WinRAR\WinRAR.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2960
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Program Files\WinRAR\WhatsNew.txt
    3⤵
    PID:2968
- - C:\Program Files\WinRAR\WinRAR.exe
    "C:\Program Files\WinRAR\WinRAR.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1536
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Program Files\WinRAR\WhatsNew.txt
    3⤵
    PID:2932
- - C:\Program Files\WinRAR\WinRAR.exe
    "C:\Program Files\WinRAR\WinRAR.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2076
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Program Files\WinRAR\WhatsNew.txt
    3⤵
    PID:1388
- - C:\Program Files\WinRAR\WinRAR.exe
    "C:\Program Files\WinRAR\WinRAR.exe"
    3⤵
    - Executes dropped EXE
    PID:1696
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Program Files\WinRAR\WhatsNew.txt
    3⤵
    PID:1324
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Program Files\WinRAR\WhatsNew.txt
    3⤵
    PID:3008
- - C:\Program Files\WinRAR\WinRAR.exe
    "C:\Program Files\WinRAR\WinRAR.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: GetForegroundWindowSpam
    PID:2340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Component Object Model Hijacking

T1546.015

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\WinRAR\Order.htm

Filesize
3KB

MD5
1310b652e7362a994650ee9278424101

SHA1
b81dbbd0446891eaccfd03caf91f927c23248363

SHA256
0365aac5c65889c7533dcd3f239e8491fedfa9ef01b9ea1c91a5ef535172589f

SHA512
568f078b614432c018a3aff40051f60facbf741199988b860a1215e8fc9e27c2fe968e67bcc496a91e6f246ce9bd89995f8e47ee166c200cfcef57e85d2e50d2

Download Submit
C:\Program Files\WinRAR\Rar.exe

Filesize
768KB

MD5
32105a78abe923b50a601cb5bab6419a

SHA1
f59828e053798d581389320d26a1eadd800183bc

SHA256
4ff3d788385f89b3685d6b234100c72ee327ffc1aa94d13625eb9e92787ecee4

SHA512
6cdcc790b63118b4ca20cbe8ce06e68c0723a05e08f42f2ba727ce253c0e9bcbc6c2bee47eb37b203c019118d5e2e3bc14019693b177e13996c46ae7ac0725fe

Download Submit
C:\Program Files\WinRAR\Rar.txt

Filesize
109KB

MD5
2132aceded754d35ab911823a9b41cb4

SHA1
e1f549ae718257f55b61bedfd0e7b9c06dc3f533

SHA256
6805c8b3fa7d4f19dbd2439e2cdbf2cf7c6e538484d800266798575a58571b70

SHA512
464142af80cd292f2558af5d1d133b27df611999322772bc4e442eb4f7bb6b7b3e7fa8dd26cc050abcbcc6d205e4298f81ea948bbe1ca12c3e126cc960cf3478

Download Submit
C:\Program Files\WinRAR\WhatsNew.txt

Filesize
50KB

MD5
35bd214434c43c5d02b2be9d59a6a496

SHA1
8751490f7159ccce1a37b337824b35378c7ede63

SHA256
3458c5f059146fd519e95b01397bc063c02c618b962d1ea1034989983f4d6317

SHA512
565fe00206b80fe9ff59a89e9f7b373e93454eb2a1e80b9a02e75a6575f04915d359f54654e172bdcf0351544b1c02f87dc6e2f1e69a0d769866aeade2630086

Download Submit
C:\Program Files\WinRAR\WinRAR.chm

Filesize
323KB

MD5
53ad0a4d91e4382adfbb7a32586b0268

SHA1
d66cf7e028ef6c7b4361cd58bd6ce73bc62557aa

SHA256
af036a8fc3d84838ad5dab142a5f4dd6e939a083d1af9371af3ef3ae5428fd31

SHA512
352bb33a00d19f0310d31cfc26f66cfdb4bcdb24127f28384e1eaf9ac0b02a06d403a86e519894054e42bd6a9167536b1cff77ea27c6cced275860021e0ba943

Download Submit
C:\Program Files\WinRAR\WinRAR.exe

Filesize
3.2MB

MD5
d0b13a4155900291fffc4199d7a00173

SHA1
e238bc74de42670c3bbe9d0d317d07647d9389d0

SHA256
72a2899a23ee78bc8059ecbf81cfdc1003a401e460ece5bbf54a47a3cd392b8c

SHA512
41973232528fc09407aba3000fb433c7f9855b63ee83f4a20faf9bfb7554e2f0cf894f9350b7531d620bca67856728c6e39c7ad4b2bff2b0357d14991e3e448e

Download Submit
C:\Users\Admin\AppData\Roaming\WinRAR\version.dat

Filesize
12B

MD5
58717e9b37c9fc2aca12f7c1656ec036

SHA1
6d5928b8c69634bd2b38a5e400047bb1eb19fbdf

SHA256
a673df27689e6dfdd23687646b8b84403cef998cd1da8831686f02a6792ff643

SHA512
3c307a345fe5b8d650d2b878ec799e165c015c6894e533d90778ccbaff18a16827b8e83920c686b176c78589307feab026ec6ac055aed278a58676b309164ef4

Download Submit
\Program Files\WinRAR\RarExtInstaller.exe

Filesize
183KB

MD5
d1188336c3a61044434a7fff6aef2a2a

SHA1
51feb7c70458274ee7cf54d4ba19ae60b9aba627

SHA256
09da767371614712debc66c5136acf9fc107598e595e83e3958a8ed4c7ad04a5

SHA512
3cf25e5dc4317402665f7f832c7f18d823a2448aefbe924bc448994861b1ed60818a85e3a7b4bac6124ea0928b89f9ce24ebaed3132323e1a567dd43115809a6

Download Submit
\Program Files\WinRAR\Uninstall.exe

Filesize
383KB

MD5
33cecf93517f305d54609584a7d9e6bc

SHA1
5d816ed1ec543865646b78361b6f14fb0dafe33e

SHA256
288ec8500f2661a42ac531d5d7a9dc3d11d77885b3dc63ef2d3a7b75a210b5d1

SHA512
319ed031867f64c9312d8263ff5cdbd7e4c3ff77573224a4963b6ed5a1eac6ce52e607812742895ab996fb0d216daee34b00841b92f0bf6a5d56ff7efbe8a91c

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads