| File name: | hwid-spoofer---charlootus-treats.rar |
| Full analysis: | https://app.any.run/tasks/d5685c8d-907f-47fe-922e-13079c67cfe4 |
| Verdict: | Malicious activity |
| Analysis date: | April 17, 2020, 22:04:53 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | application/x-rar |
| File info: | RAR archive data, v5 |
| MD5: | 371884112A84053B74FA04F8C60EE219 |
| SHA1: | D58A70F3ACF3F8474DBA00604D93B341F305623D |
| SHA256: | 0B478D0CB10B9E9D4201842F827EF4BF5070E3D44A80253F02209806A2A1207D |
| SSDEEP: | 196608:RCAtK1dJMpR6h5VzBMuEW+Em308TJIrdSHhn9EJzrXxp2t6UHqe93apmMbAfRvVJ:Ho1dJgY5VWuEW+Em3V2kR9EFhctFHqeb |
MALICIOUS
Application was dropped or rewritten from another process
- hardware.exe (PID: 1348)
- hardware.exe (PID: 3948)
- hwid.exe (PID: 2340)
- NICMACModifTool.exe (PID: 1740)
- NICMACModifTool.exe (PID: 2748)
- hwid.exe (PID: 2780)
Changes settings of System certificates
- hardware.exe (PID: 3948)
SUSPICIOUS
Reads internet explorer settings
- hardware.exe (PID: 3948)
Reads Internet Cache Settings
- hardware.exe (PID: 3948)
Low-level read access rights to disk partition
- hardware.exe (PID: 3948)
Executed via COM
- DllHost.exe (PID: 3188)
Executable content was dropped or overwritten
- WinRAR.exe (PID: 3196)
Adds / modifies Windows certificates
- hardware.exe (PID: 3948)
INFO
Reads settings of System Certificates
- hardware.exe (PID: 3948)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .rar | | | RAR compressed archive (v5.0) (61.5) |
|---|---|---|
| .rar | | | RAR compressed archive (gen) (38.4) |
Total processes
56
Monitored processes
10
Malicious processes
3
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1348 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa3196.45949\HWID Spoofer - Charlootus' Treats\Spoofers\hardware.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa3196.45949\HWID Spoofer - Charlootus' Treats\Spoofers\hardware.exe | — | WinRAR.exe | |||||||||||
User: admin Company: caspue Integrity Level: MEDIUM Description: caspue Exit code: 3221226540 Version: 1, 0, 0, 0 Modules
| |||||||||||||||
| 1740 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa3196.49351\HWID Spoofer - Charlootus' Treats\Spoofers\NICMACModifTool.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa3196.49351\HWID Spoofer - Charlootus' Treats\Spoofers\NICMACModifTool.exe | — | WinRAR.exe | |||||||||||
User: admin Company: NIC MAC Address Modification Tool Integrity Level: MEDIUM Description: NIC MAC Address Modification Tool Exit code: 3221226540 Version: 1.0.0.0 Modules
| |||||||||||||||
| 1780 | "regedit.exe" "C:\Users\admin\AppData\Local\Temp\Rar$DIa3196.48345\HwProfileGuid_NotFoundFix.reg" | C:\Windows\regedit.exe | WinRAR.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Registry Editor Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2340 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa3196.47281\HWID Spoofer - Charlootus' Treats\Spoofers\hwid.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa3196.47281\HWID Spoofer - Charlootus' Treats\Spoofers\hwid.exe | — | WinRAR.exe | |||||||||||
User: admin Integrity Level: MEDIUM Description: HWID Changer Exit code: 3221226540 Version: 1.0.0.0 Modules
| |||||||||||||||
| 2748 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa3196.49351\HWID Spoofer - Charlootus' Treats\Spoofers\NICMACModifTool.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa3196.49351\HWID Spoofer - Charlootus' Treats\Spoofers\NICMACModifTool.exe | WinRAR.exe | ||||||||||||
User: admin Company: NIC MAC Address Modification Tool Integrity Level: HIGH Description: NIC MAC Address Modification Tool Exit code: 0 Version: 1.0.0.0 Modules
| |||||||||||||||
| 2780 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa3196.47281\HWID Spoofer - Charlootus' Treats\Spoofers\hwid.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa3196.47281\HWID Spoofer - Charlootus' Treats\Spoofers\hwid.exe | WinRAR.exe | ||||||||||||
User: admin Integrity Level: HIGH Description: HWID Changer Exit code: 0 Version: 1.0.0.0 Modules
| |||||||||||||||
| 2916 | "regedit.exe" "C:\Users\admin\AppData\Local\Temp\Rar$DIa3196.48345\HwProfileGuid_NotFoundFix.reg" | C:\Windows\regedit.exe | — | WinRAR.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Registry Editor Exit code: 3221226540 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 3188 | C:\Windows\system32\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503} | C:\Windows\system32\DllHost.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: COM Surrogate Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 3196 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\hwid-spoofer---charlootus-treats.rar" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | ||||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.60.0 Modules
| |||||||||||||||
| 3948 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa3196.45949\HWID Spoofer - Charlootus' Treats\Spoofers\hardware.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa3196.45949\HWID Spoofer - Charlootus' Treats\Spoofers\hardware.exe | WinRAR.exe | ||||||||||||
User: admin Company: caspue Integrity Level: HIGH Description: caspue Exit code: 0 Version: 1, 0, 0, 0 Modules
| |||||||||||||||
Total events
2 100
Read events
887
Write events
1 213
Delete events
0
Modification events
| (PID) Process: | (3196) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtBMP |
Value: | |||
| (PID) Process: | (3196) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtIcon |
Value: | |||
| (PID) Process: | (3196) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\12B\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (3196) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 0 |
Value: C:\Users\admin\AppData\Local\Temp\hwid-spoofer---charlootus-treats.rar | |||
| (PID) Process: | (3196) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | name |
Value: 120 | |||
| (PID) Process: | (3196) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | size |
Value: 80 | |||
| (PID) Process: | (3196) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | type |
Value: 120 | |||
| (PID) Process: | (3196) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | mtime |
Value: 100 | |||
| (PID) Process: | (3196) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\12B\52C64B7E |
| Operation: | write | Name: | @C:\Windows\System32\acppage.dll,-6002 |
Value: Windows Batch File | |||
| (PID) Process: | (3196) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\12B\52C64B7E |
| Operation: | write | Name: | @C:\Windows\regedit.exe,-309 |
Value: Registration Entries | |||
Executable files
45
Suspicious files
2
Text files
24
Unknown types
1
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 3196 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3196.45949\HWID Spoofer - Charlootus' Treats\Auto Spoof.bat | text | |
MD5:3F2F4B82B19146D60E7A0C4ED7FF6CF0 | SHA256:F8CD6BBD08B82B51920107FB29414181C1D6885F887A09FA8CF4EDA22B8B2FC6 | |||
| 3196 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3196.45949\HWID Spoofer - Charlootus' Treats\EAC Switch\Repair.exe | executable | |
MD5:F25D5EDBA7076070D774A0E9D1443841 | SHA256:8B043784AC5244E4F16F0B95F985BF1C7F893C5ED7061B95A7C51F9D34DC850A | |||
| 3196 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3196.45949\HWID Spoofer - Charlootus' Treats\Cleaners\cleaner2.exe | executable | |
MD5:4DD9BD80C1B4F2F510918A897882EBE1 | SHA256:93F0E9E6D66F60AB58BF0F7B1DD1671CB4AD3C34A52358F30B7C282E22BB2E2F | |||
| 3196 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3196.45949\HWID Spoofer - Charlootus' Treats\Cleaners\cleaner1.exe | executable | |
MD5:6FBE881F1D6480E2E15D3EBE0F493D2D | SHA256:49B84540D5B4B8D2344C25EDB042E216592DD1DC78A5C00F2AD9457442C4581C | |||
| 3196 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3196.45949\HWID Spoofer - Charlootus' Treats\Spoofers\HwProfileGuid_NotFoundFix.reg | text | |
MD5:C209C1A2CF754066692FC43CABE9B131 | SHA256:3835856819FC9AA85078E5C8083637F0507290EA2AB7CC1AF7B296E8DF8E8BA0 | |||
| 3196 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3196.45949\HWID Spoofer - Charlootus' Treats\Cleaners\cleaner3.exe | executable | |
MD5:BB36D4578CE201DC932AB6BBC079875C | SHA256:4C831252AA6F193C4474BA74F352BEE7D00099DFAF5AC6E98AB1253E21999B4A | |||
| 3196 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3196.45949\HWID Spoofer - Charlootus' Treats\Auto Clean.bat | text | |
MD5:F3A087B8B8E18F7A1E667B33E5770D07 | SHA256:5EE84B3938CF686DB76870EFD479FFE3FBFF7D37B6178CD286D5F3539F88596F | |||
| 3196 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3196.45949\HWID Spoofer - Charlootus' Treats\EAC Switch\_initswap | executable | |
MD5:161FD49A849C935B21924D00B3C90A57 | SHA256:804CA28BDDBC7811482D0C0C32EC7858CAF12B0686186D7AD6EF8812C1D90A11 | |||
| 3196 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3196.45949\HWID Spoofer - Charlootus' Treats\Spoofers\MetroFramework.dll | executable | |
MD5:34EA7F7D66563F724318E322FF08F4DB | SHA256:C2C12D31B4844E29DE31594FC9632A372A553631DE0A0A04C8AF91668E37CF49 | |||
| 3196 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3196.45949\HWID Spoofer - Charlootus' Treats\Spoofers\NICMACModifTool.exe | executable | |
MD5:61BA217427533CAB483A8868BAE1F56D | SHA256:1A32C3888B5A53AC59488B24B98EF2202598F29124B6AE8F50F4C045FB87CC7A | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
4
DNS requests
4
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
3948 | hardware.exe | GET | 200 | 104.18.20.226:80 | http://ocsp.globalsign.com/rootr1/MEwwSjBIMEYwRDAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCCwQAAAAAAURO8EJH | US | der | 1.49 Kb | whitelisted |
3948 | hardware.exe | GET | 200 | 137.59.148.97:80 | http://www.virtualhardwares.com/English/hardware/hardware.html | IN | html | 281 b | malicious |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
3948 | hardware.exe | 137.59.148.97:80 | www.virtualhardwares.com | PDR | IN | malicious |
3948 | hardware.exe | 104.18.20.226:80 | ocsp.globalsign.com | Cloudflare Inc | US | shared |
3948 | hardware.exe | 101.89.124.234:443 | s22.cnzz.com | China Telecom (Group) | CN | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
www.virtualhardwares.com |
| unknown |
s22.cnzz.com |
| suspicious |
ocsp.globalsign.com |
| whitelisted |
ocsp2.globalsign.com |
| whitelisted |