Analysis

  • max time kernel: 118s
  • max time network: 120s
  • platform: windows7_x64
  • resource: win7-20240220-en
  • resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
  • submitted: 01-07-2024 03:53

General

  • Target: winrar-x64.exe
  • Size: 3.3MB
  • MD5: 8a6217d94e1bcbabdd1dfcdcaa83d1b3
  • SHA1: 99b81b01f277540f38ea3e96c9c6dc2a57dfeb92
  • SHA256: 3023edb4fc3f7c2ebad157b182b62848423f6fa20d180b0df689cbb503a49684
  • SHA512: a8f6f6fdfa9d754a577b7dd885a938fb9149f113baa2afb6352df622cdb73242175a06cd567e971fd3de93a126ba05b78178d5d512720d8fdb87ececce2cbf54
  • SSDEEP: 98304:mZjOBfKqY3fhMBexKTvsCHBviBh2GB8y0mb5:mZZ7fhMB2ovFNiKGhJ
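
The digests above are only useful if they are recomputed over the copy of winrar-x64.exe you actually hold. The script below is an added example for this page, not part of the sandbox report: it embeds the report's MD5/SHA1/SHA256/SHA512 values, hashes a file in a single streaming pass and compares each digest case-insensitively. A match proves only that your file is the one the sandbox executed; compare the SHA256 against the vendor's published hash as well before trusting it. SSDEEP is left out because it needs a third-party library; the function and constant names are this page's own.

```python
"""Added example: check a local file against the hashes printed in the report.

Not part of the sandbox report; the REPORT_HASHES values are copied from the
General section above, everything else is this page's own helper code.
"""
import hashlib
import hmac
import sys

ALGORITHMS = ("md5", "sha1", "sha256", "sha512")

# Digests of winrar-x64.exe as listed in the General section of the report.
REPORT_HASHES = {
    "md5": "8a6217d94e1bcbabdd1dfcdcaa83d1b3",
    "sha1": "99b81b01f277540f38ea3e96c9c6dc2a57dfeb92",
    "sha256": "3023edb4fc3f7c2ebad157b182b62848423f6fa20d180b0df689cbb503a49684",
    "sha512": (
        "a8f6f6fdfa9d754a577b7dd885a938fb9149f113baa2afb6352df622cdb73242"
        "175a06cd567e971fd3de93a126ba05b78178d5d512720d8fdb87ececce2cbf54"
    ),
}


def _new_hashers(algorithms):
    return {name: hashlib.new(name) for name in algorithms}


def digest_bytes(data, algorithms=ALGORITHMS):
    """Hex digests of an in-memory buffer, keyed by algorithm name."""
    hashers = _new_hashers(algorithms)
    for h in hashers.values():
        h.update(data)
    return {name: h.hexdigest() for name, h in hashers.items()}


def digest_file(path, algorithms=ALGORITHMS, chunk_size=1 << 20):
    """Hex digests of a file, read in chunks so a large installer is never
    loaded whole; every algorithm is fed from the same single pass."""
    hashers = _new_hashers(algorithms)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def compare_digests(actual, expected):
    """Return {algorithm: matched} for every algorithm named in `expected`.

    Hex strings are compared case-insensitively and in constant time; an
    algorithm that `actual` does not carry counts as a mismatch instead of
    being silently skipped, so a report listing more hashes than you checked
    cannot pass by omission.
    """
    result = {}
    for name, want in expected.items():
        got = actual.get(name)
        if got is None:
            result[name] = False
            continue
        result[name] = hmac.compare_digest(
            got.strip().lower().encode("ascii"),
            want.strip().lower().encode("ascii"),
        )
    return result


def _supported(expected):
    return tuple(n for n in expected if n in hashlib.algorithms_available)


def verify_bytes(data, expected=REPORT_HASHES):
    return compare_digests(digest_bytes(data, _supported(expected)), expected)


def verify_file(path, expected=REPORT_HASHES):
    return compare_digests(digest_file(path, _supported(expected)), expected)


def all_match(results):
    """True only when at least one digest was checked and every one matched."""
    return bool(results) and all(results.values())


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "winrar-x64.exe"
    results = verify_file(target)
    for name, ok in results.items():
        print(f"{name:7s} {'OK' if ok else 'MISMATCH'}")
    sys.exit(0 if all_match(results) else 1)
```

Run it as `python verify_hashes.py path\to\winrar-x64.exe`; the exit status is non-zero on any mismatch, so it can sit in a download pipeline. Swap `REPORT_HASHES` for the vendor's values to turn the same script into a provenance check rather than a "same sample as the sandbox" check.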

Malware Config

Signatures

  • Event Triggered Execution: Component Object Model Hijacking 1 TTPs

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Program Files directory 60 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 9 IoCs
  • Modifies system executable filetype association 2 TTPs 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs
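
Three of the signatures above are registry behaviours that a legitimate installer also exhibits: writing the Uninstall key it is later enumerated from, registering the `.rar` file-type handler, and touching CLSID registrations. The report therefore cannot on its own separate a trojanised installer from the genuine one; what distinguishes a COM hijack is a per-user registration (HKCU\Software\Classes\CLSID, which wins the HKCR merge) that shadows the machine-wide one or points into a user-writable directory. The check below is added for this page and is not part of the sandbox report: the registry readers need Windows (`winreg`), the classification functions are pure Python, and the marker list, function names and sample values are this page's assumptions.

```python
"""Added example: triage the registry locations behind the COM-hijacking and
file-association signatures. Not part of the sandbox report.
"""
from dataclasses import dataclass

# Path fragments a non-admin user can write to (assumption: a starting list,
# extend it for your own environment).
USER_WRITABLE_MARKERS = (
    "\\appdata\\", "\\temp\\", "\\tmp\\", "\\users\\public\\",
    "\\programdata\\", "\\downloads\\",
)


@dataclass
class ComOverride:
    clsid: str
    user_server: str              # HKCU\Software\Classes\CLSID\{..}\*Server32
    machine_server: "str | None"  # same under HKLM, None if not registered there
    user_writable: bool           # server lives where a normal user can write


def _norm(path):
    """Strip quotes and arguments, lower-case, unify slashes so that
    'C:\\X\\y.dll' and '"c:/x/y.dll" /arg' compare equal."""
    p = path.strip()
    if p.startswith('"'):
        p = p[1:].split('"', 1)[0]
    return p.strip().lower().replace("/", "\\")


def user_writable_path(path):
    """True when a COM server or file handler loads from somewhere a non-admin
    controls: a profile/temp directory, a user environment variable, or a bare
    file name that is resolved through the DLL search order."""
    p = _norm(path)
    if not p:
        return False
    if p.startswith(("%systemroot%", "%windir%")):
        return False
    if p.startswith("%"):                  # %APPDATA%, %TEMP%, %LOCALAPPDATA%
        return True
    if not (p[1:3] == ":\\" or p.startswith("\\\\")):
        return True                        # relative path: search-order hijack
    return any(marker in p for marker in USER_WRITABLE_MARKERS)


def find_com_overrides(user_servers, machine_servers):
    """Per-user CLSID registrations that shadow (or add to) the machine ones.
    HKCU\\Software\\Classes is merged into HKCR ahead of HKLM, so a matching
    HKCU entry is what COM actually loads; identical re-registrations are
    skipped, everything else is reported with a user-writable flag."""
    findings = []
    for clsid, user_path in user_servers.items():
        machine_path = machine_servers.get(clsid)
        if machine_path is not None and _norm(machine_path) == _norm(user_path):
            continue
        findings.append(ComOverride(clsid, user_path, machine_path,
                                    user_writable_path(user_path)))
    return findings


def read_com_servers(hive):
    """{CLSID: server path} from <hive>\\Software\\Classes\\CLSID.
    Windows only; reads the native registry view (WOW6432Node not covered)."""
    import winreg  # lazy import so the classification code runs anywhere
    root_hive = {"HKCU": winreg.HKEY_CURRENT_USER,
                 "HKLM": winreg.HKEY_LOCAL_MACHINE}[hive]
    servers = {}
    with winreg.OpenKey(root_hive, r"Software\Classes\CLSID") as root:
        for index in range(winreg.QueryInfoKey(root)[0]):  # [0] = subkey count
            clsid = winreg.EnumKey(root, index)
            for server_key in ("InprocServer32", "LocalServer32"):
                try:
                    with winreg.OpenKey(root, clsid + "\\" + server_key) as key:
                        servers[clsid] = winreg.QueryValueEx(key, "")[0]
                    break
                except OSError:
                    continue
    return servers


def read_file_association(extension):
    """(ProgID, open command) for e.g. '.rar' as seen through HKCR, i.e. after
    any per-user override has been applied (Windows only)."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, extension) as key:
        progid = winreg.QueryValueEx(key, "")[0]
    with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT,
                        progid + r"\shell\open\command") as key:
        command = winreg.QueryValueEx(key, "")[0]
    return progid, command


if __name__ == "__main__":  # live check on a Windows host
    for hit in find_com_overrides(read_com_servers("HKCU"), read_com_servers("HKLM")):
        tag = "USER-WRITABLE " if hit.user_writable else ""
        print(f"{tag}{hit.clsid}: HKCU={hit.user_server!r} HKLM={hit.machine_server!r}")
    for ext in (".rar", ".zip", ".7z"):
        try:
            progid, command = read_file_association(ext)
        except OSError:
            continue
        tag = "USER-WRITABLE " if user_writable_path(command) else ""
        print(f"{tag}{ext} -> {progid}: {command}")
```

Run it before and after executing the installer and diff the output: for the genuine WinRAR you expect `.rar` to resolve to a handler under `C:\Program Files\WinRAR\` and no new HKCU CLSID entries pointing into AppData or Temp. A HKCU-only registration is not proof of a hijack (some per-user installers legitimately create them), which is why the `user_writable` flag is carried separately rather than folded into a verdict.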

Processes

  • C:\Users\Admin\AppData\Local\Temp\winrar-x64.exe
    "C:\Users\Admin\AppData\Local\Temp\winrar-x64.exe"
    1⤵
    • Drops file in Program Files directory
    • Loads dropped DLL
    • Modifies Internet Explorer settings
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2860
    • C:\Program Files\WinRAR\uninstall.exe
      "C:\Program Files\WinRAR\uninstall.exe" /setup
      2⤵
      • Drops file in Program Files directory
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Modifies registry class
      PID:1556
  • C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    1⤵
    PID:2136
  • C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    1⤵
    PID:2360

Network

MITRE ATT&CK Matrix (ATT&CK v13)

  Tactic                Technique                          ID          Count
  Persistence           Event Triggered Execution          T1546       2
                        Change Default File Association    T1546.001   1
                        Component Object Model Hijacking   T1546.015   1
  Privilege Escalation  Event Triggered Execution          T1546       2
                        Change Default File Association    T1546.001   1
                        Component Object Model Hijacking   T1546.015   1
  Defense Evasion       Modify Registry                    T1112       2
  Discovery             Query Registry                     T1012       1
                        System Information Discovery       T1082       1

Downloads

  • C:\Program Files\WinRAR\Rar.txt
    Filesize: 107KB
    MD5: 8933d6e810668af29d7ba8f1c3b2b9ff
    SHA1: 760cbb236c4ca6e0003582aaefd72ff8b1c872aa
    SHA256: cd3ba458c88bdf8924ebb404c8505d627e6ac7aadc6e351562c1894019604fc7
    SHA512: 344d737228483add83d5f2b31ae9582ca78013dc4be967f2cdafca24145970e3cb46d75373996150a3c9119ebc81ce9ac50e16696c17a4dea65c9571ef8e745e

  • C:\Program Files\WinRAR\WhatsNew.txt
    Filesize: 95KB
    MD5: d4c768c52ee077eb09bac094f4af8310
    SHA1: c56ae6b4464799fcdc87c5ff5a49ac1ad43482b1
    SHA256: 8089dfbebdf2142c7f60f5c12098859417b3c997f0b24b696ccaa78a50f3726c
    SHA512: 5b794b19b5ff10f7356a46f02204d0df3183037bc89d32e3f2c2978ea8f90ac6367fcb225b476cb7c8a3035d82ca1e328791271d3a58b40b9759d4b65e83f847

  • C:\Program Files\WinRAR\WinRAR.chm
    Filesize: 314KB
    MD5: 81b236ef16aaa6a3936fd449b12b82a2
    SHA1: 698acb3c862c7f3ecf94971e4276e531914e67bc
    SHA256: d37819e64ecb61709fcf3435eb9bed790f75163057e36fb94a3465ca353ccc5e
    SHA512: 968fe20d6fe6879939297b8683da1520a1e0d2b9a5107451fca70b91802492e243976f56090c85eb9f38fca8f74134b8b6aa133ba2e2806d763c9f8516ace769

  • C:\Program Files\WinRAR\WinRAR.exe
    Filesize: 2.3MB
    MD5: 0b114fc0f4b6d49f57b3b01dd9ea6a8c
    SHA1: 23e1480c3ff3a54e712d759e9325d362bf52fabd
    SHA256: f0f312fe14599d7379aa247c1d0cc6100db45bfe7f277113134a8157950bcacd
    SHA512: e31c3a3da5e72a9d72e245d6e5dcc7c92e4cfcbb6bdbb61061e0586e29f77e8b42a81a0bba99ce45e148a2423907878fb858c40cc1008ef9d90fb8e4e2fcd573

  • \Program Files\WinRAR\Uninstall.exe
    Filesize: 412KB
    MD5: 92667e28583a9489e3cf4f1a7fd6636e
    SHA1: faa09990ba4daae970038ed44e3841151d6e7f28
    SHA256: 9147293554ad43920bcf763ffd6e1183c36b9f8156dc220548426a187a5f2959
    SHA512: 63555a15f153df59b2ca2ab56cd20d71420eb5c9977bcf774723d8484157172b027f71fb2f7a4692aecc6e471f50beec2e0f7a43e57449714caede1e9684c0b8