| File name: | Ch341a Programmer V2.2.0.0.rar |
| Full analysis: | https://app.any.run/tasks/e0527007-9147-4073-907c-fd1ccf049b90 |
| Verdict: | Malicious activity |
| Analysis date: | January 09, 2024, 13:57:22 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | application/x-rar |
| File info: | RAR archive data, v5 |
| MD5: | 3B7AB456F978D1006D4AA99241871A2F |
| SHA1: | 719F58CCB123E5A0BD3E75624FF9586BF7A5DE38 |
| SHA256: | 49C307A6648C65B17A3D2BD8DB2A94A380EAAA6810A96E4575B57430996B7A72 |
| SSDEEP: | 98304:/ZV8QkzDkOiUtUjcitlJ4N0BH0ccjIm6vFi2WEj0rjaMYROSZe1Z5u6N34Tc6tuN:KqRSpFSBsq8gjZT2 |
MALICIOUS
Creates a writable file in the system directory
- drvinst.exe (PID: 956)
- SETUP.EXE (PID: 764)
SUSPICIOUS
Drops a system driver (possible attempt to evade defenses)
- SETUP.EXE (PID: 764)
- WinRAR.exe (PID: 2044)
- WinRAR.exe (PID: 2068)
- drvinst.exe (PID: 956)
Creates files in the driver directory
- drvinst.exe (PID: 956)
- SETUP.EXE (PID: 764)
Checks Windows Trust Settings
- drvinst.exe (PID: 956)
INFO
Drops the executable file immediately after the start
- WinRAR.exe (PID: 2044)
- drvinst.exe (PID: 956)
- SETUP.EXE (PID: 764)
- WinRAR.exe (PID: 2068)
Reads the machine GUID from the registry
- drvinst.exe (PID: 956)
- SETUP.EXE (PID: 764)
Checks supported languages
- Ch341a V2.2.0.0.exe (PID: 864)
- SETUP.EXE (PID: 764)
- drvinst.exe (PID: 956)
Create files in a temporary directory
- Ch341a V2.2.0.0.exe (PID: 864)
- SETUP.EXE (PID: 764)
Application launched itself
- WinRAR.exe (PID: 2044)
Reads the computer name
- SETUP.EXE (PID: 764)
- drvinst.exe (PID: 956)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .rar | | | RAR compressed archive (v5.0) (61.5) |
|---|---|---|
| .rar | | | RAR compressed archive (gen) (38.4) |
Total processes
41
Monitored processes
6
Malicious processes
4
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 764 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa2068.17961\Ch341a V2.2.0.0\Drivers\CH341A\SETUP.EXE" | C:\Users\admin\AppData\Local\Temp\Rar$EXa2068.17961\Ch341a V2.2.0.0\Drivers\CH341A\SETUP.EXE | WinRAR.exe | ||||||||||||
User: admin Integrity Level: HIGH Description: EXE For Driver Installation Exit code: 0 Version: 1, 6, 8, 0 Modules
| |||||||||||||||
| 864 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa2044.15079\Ch341a V2.2.0.0\Ch341a V2.2.0.0.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa2044.15079\Ch341a V2.2.0.0\Ch341a V2.2.0.0.exe | — | WinRAR.exe | |||||||||||
User: admin Company: TTAV134 Integrity Level: MEDIUM Exit code: 0 Version: 2.2.0.0 Modules
| |||||||||||||||
| 956 | DrvInst.exe "4" "0" "C:\Users\admin\AppData\Local\Temp\{430eb28f-9f4f-00bc-245f-6b7ea1019a5e}\CH341WDM.INF" "0" "6eddea6cf" "00000558" "WinSta0\Default" "00000550" "208" "C:\Users\admin\AppData\Local\Temp\Rar$EXa2068.17961\Ch341a V2.2.0.0\Drivers\CH341A" | C:\Windows\System32\drvinst.exe | — | svchost.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Driver Installation Module Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2016 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa2068.17961\Ch341a V2.2.0.0\Drivers\CH341A\SETUP.EXE" | C:\Users\admin\AppData\Local\Temp\Rar$EXa2068.17961\Ch341a V2.2.0.0\Drivers\CH341A\SETUP.EXE | — | WinRAR.exe | |||||||||||
User: admin Integrity Level: MEDIUM Description: EXE For Driver Installation Exit code: 3221226540 Version: 1, 6, 8, 0 Modules
| |||||||||||||||
| 2044 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Ch341a Programmer V2.2.0.0.rar" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe | |||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.91.0 Modules
| |||||||||||||||
| 2068 | "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\Rar$DIa2044.16277\chiplist.zip | C:\Program Files\WinRAR\WinRAR.exe | — | WinRAR.exe | |||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.91.0 Modules
| |||||||||||||||
Total events
5 539
Read events
5 459
Write events
80
Delete events
0
Modification events
| (PID) Process: | (2044) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (2044) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 3 |
Value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip | |||
| (PID) Process: | (2044) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 2 |
Value: C:\Users\admin\Desktop\phacker.zip | |||
| (PID) Process: | (2044) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 1 |
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip | |||
| (PID) Process: | (2044) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 0 |
Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip | |||
| (PID) Process: | (2044) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | name |
Value: 120 | |||
| (PID) Process: | (2044) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | size |
Value: 80 | |||
| (PID) Process: | (2044) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | type |
Value: 120 | |||
| (PID) Process: | (2044) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | mtime |
Value: 100 | |||
| (PID) Process: | (2044) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
Executable files
36
Suspicious files
54
Text files
80
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2044 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2044.15079\Ch341a V2.2.0.0\Ch341a_changes_RU.txt | text | |
MD5:5F23794E35A4B57D83F626D719CF3F22 | SHA256:BF1E27CA3EFF0A0A9BF3C7A1A2D56FF40B088F1E388224F1A26E63C90A63B548 | |||
| 2044 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2044.15079\Ch341a V2.2.0.0\chiplist.dat | binary | |
MD5:1044EB8F916765FE612871409BB7FA66 | SHA256:BDAC37BE8483BE6740FC49AAC85FBA5D1E104E3275119AADC6974468AC48E9A8 | |||
| 2044 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2044.15079\Ch341a V2.2.0.0\Ch341a_changes.txt | text | |
MD5:CC9BBC36295B055D322039886048ABC5 | SHA256:5E79AFC3D4CF552439785C44E4A82B9BC121CE4D3ABB9D3B85E7E82AFF17DB1B | |||
| 2044 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2044.15079\Ch341a V2.2.0.0\Doc\CH341\Programmers\ch341a_programmer_black_3.3v_5.0v_EN.pdf | ||
MD5:9D8950090702A3D89122194CE8794DFA | SHA256:4CA5358E278AC25ABCD090A2730E94F18B834FF7AA70406418FE462307EED720 | |||
| 2044 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2044.15079\Ch341a V2.2.0.0\Doc\CH341\Adapters\MICROWIRE ADAPTER FOR CH341 (EN).pdf | ||
MD5:0B73963A3F0C6FC8ADE9280E2C4B548A | SHA256:A4CE1C9B0E18282F53F01E3E594B9CDA7DCBFE5F294C03D9CD747DC137D317D3 | |||
| 2044 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2044.15079\Ch341a V2.2.0.0\chiplist.zip | compressed | |
MD5:E7FDFF3860B36FE77112C1B2F5CE3F4F | SHA256:205E315DBFCE32A52F3D04DC67A3151D141B036987D1F2D433D74FE3315BDCF3 | |||
| 2044 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2044.15079\Ch341a V2.2.0.0\Doc\CH341\Programmers\ch341a_programmer_black_3.3v_5.0v_RU.pdf | ||
MD5:223428411145931A3104C4E9FE7E18B3 | SHA256:277771395AFD929873352D4F259EE2730A6FB39E222F4A80F1BA6DD354670FE1 | |||
| 2044 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2044.15079\Ch341a V2.2.0.0\CH341DLL.DLL | executable | |
MD5:D84B4C0F270EA6EA91A0DDAD53B88C2B | SHA256:48E025E8D4D3320B273B3A2F029FB33A877EA94EE0A2A7943EE181209FC412A2 | |||
| 2044 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2044.15079\Ch341a V2.2.0.0\Doc\CH341\Adapters\MICROWIRE АДАПТЕР ДЛЯ CH341 (RU).pdf | ||
MD5:A01A5D8CC67CA23F4F89A2B909B87C2E | SHA256:2665F6DA155B4D18B24D6C3797907FECBA3F4E0754143048D45EC7D0D089CA07 | |||
| 2044 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2044.15079\Ch341a V2.2.0.0\Drivers\CH341A\CH341DLL.DLL | executable | |
MD5:D84B4C0F270EA6EA91A0DDAD53B88C2B | SHA256:48E025E8D4D3320B273B3A2F029FB33A877EA94EE0A2A7943EE181209FC412A2 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
4
DNS requests
0
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
1080 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |