Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
  • submitted
    01-07-2024 03:57

General

  • Target

    winrar-x64.exe

  • Size

    3.3MB

  • MD5

    8a6217d94e1bcbabdd1dfcdcaa83d1b3

  • SHA1

    99b81b01f277540f38ea3e96c9c6dc2a57dfeb92

  • SHA256

    3023edb4fc3f7c2ebad157b182b62848423f6fa20d180b0df689cbb503a49684

  • SHA512

    a8f6f6fdfa9d754a577b7dd885a938fb9149f113baa2afb6352df622cdb73242175a06cd567e971fd3de93a126ba05b78178d5d512720d8fdb87ececce2cbf54

  • SSDEEP

    98304:mZjOBfKqY3fhMBexKTvsCHBviBh2GB8y0mb5:mZZ7fhMB2ovFNiKGhJ

Malware Config

Signatures

  • Event Triggered Execution: Component Object Model Hijacking 1 TTPs

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Program Files directory 60 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 9 IoCs
  • Modifies system executable filetype association 2 TTPs 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\winrar-x64.exe
    "C:\Users\Admin\AppData\Local\Temp\winrar-x64.exe"
    1⤵
    • Drops file in Program Files directory
    • Loads dropped DLL
    • Modifies Internet Explorer settings
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2212
    • C:\Program Files\WinRAR\uninstall.exe
      "C:\Program Files\WinRAR\uninstall.exe" /setup
      2⤵
      • Drops file in Program Files directory
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Modifies registry class
      PID:812

Network

MITRE ATT&CK Matrix (ATT&CK v13)

Persistence
  • T1546 Event Triggered Execution: 2
    • T1546.001 Change Default File Association: 1
    • T1546.015 Component Object Model Hijacking: 1

Privilege Escalation
  • T1546 Event Triggered Execution: 2
    • T1546.001 Change Default File Association: 1
    • T1546.015 Component Object Model Hijacking: 1

Defense Evasion
  • T1112 Modify Registry: 2

Discovery
  • T1012 Query Registry: 1
  • T1082 System Information Discovery: 1

Downloads

  • C:\Program Files\WinRAR\Rar.txt
    Filesize

    107KB

    MD5

    8933d6e810668af29d7ba8f1c3b2b9ff

    SHA1

    760cbb236c4ca6e0003582aaefd72ff8b1c872aa

    SHA256

    cd3ba458c88bdf8924ebb404c8505d627e6ac7aadc6e351562c1894019604fc7

    SHA512

    344d737228483add83d5f2b31ae9582ca78013dc4be967f2cdafca24145970e3cb46d75373996150a3c9119ebc81ce9ac50e16696c17a4dea65c9571ef8e745e

  • C:\Program Files\WinRAR\WhatsNew.txt
    Filesize

    95KB

    MD5

    d4c768c52ee077eb09bac094f4af8310

    SHA1

    c56ae6b4464799fcdc87c5ff5a49ac1ad43482b1

    SHA256

    8089dfbebdf2142c7f60f5c12098859417b3c997f0b24b696ccaa78a50f3726c

    SHA512

    5b794b19b5ff10f7356a46f02204d0df3183037bc89d32e3f2c2978ea8f90ac6367fcb225b476cb7c8a3035d82ca1e328791271d3a58b40b9759d4b65e83f847

  • C:\Program Files\WinRAR\WinRAR.chm
    Filesize

    314KB

    MD5

    81b236ef16aaa6a3936fd449b12b82a2

    SHA1

    698acb3c862c7f3ecf94971e4276e531914e67bc

    SHA256

    d37819e64ecb61709fcf3435eb9bed790f75163057e36fb94a3465ca353ccc5e

    SHA512

    968fe20d6fe6879939297b8683da1520a1e0d2b9a5107451fca70b91802492e243976f56090c85eb9f38fca8f74134b8b6aa133ba2e2806d763c9f8516ace769

  • C:\Program Files\WinRAR\WinRAR.exe
    Filesize

    2.3MB

    MD5

    0b114fc0f4b6d49f57b3b01dd9ea6a8c

    SHA1

    23e1480c3ff3a54e712d759e9325d362bf52fabd

    SHA256

    f0f312fe14599d7379aa247c1d0cc6100db45bfe7f277113134a8157950bcacd

    SHA512

    e31c3a3da5e72a9d72e245d6e5dcc7c92e4cfcbb6bdbb61061e0586e29f77e8b42a81a0bba99ce45e148a2423907878fb858c40cc1008ef9d90fb8e4e2fcd573

  • \Program Files\WinRAR\Uninstall.exe
    Filesize

    412KB

    MD5

    92667e28583a9489e3cf4f1a7fd6636e

    SHA1

    faa09990ba4daae970038ed44e3841151d6e7f28

    SHA256

    9147293554ad43920bcf763ffd6e1183c36b9f8156dc220548426a187a5f2959

    SHA512

    63555a15f153df59b2ca2ab56cd20d71420eb5c9977bcf774723d8484157172b027f71fb2f7a4692aecc6e471f50beec2e0f7a43e57449714caede1e9684c0b8