If UAC is running, when you attempt to extract the archive it will fail to place the malware in the C:\ProgramData folder due to lack of permissions. This will cause WinRAR to display an error stating “Access is denied” and “operation failed” as shown below.
On the other hand, if UAC is disabled or WinRAR is run with administrator privileges, it will install the malware to C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\CMSTray.exe.
Now that CMSTray.exe is extracted to the user’s Startup folder, on the next login the executable will be launched.
Once launched, it will copy CMSTray.exe to %Temp%\wbssrv.exe and execute the wbssrv.exe file.
Once launched, the malware will connect to http://126.96.36.199/ and download various files, including a Cobalt Strike Beacon DLL. Cobalt Strike Beacon is a penetration testing tool that is also used by criminals to gain remote access to a victim’s computer.
Downloading Cobalt Strike Beacon DLL
Once the DLL is loaded, the attackers will be able to access your computer remotely, execute commands, and spread to other computers on your network.
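The chain described above (an archiver writing an executable into the all-users Startup folder, that executable staging a copy into %Temp%, and the %Temp% copy reaching out to the network) is something a defender can correlate from endpoint file and network telemetry. The following is an added example, not code from the article or from any product it mentions; it runs a few simple rules over a constructed list of events. The event format, the %Temp% path for the sample user and the list of archiver process names are assumptions.

```python
"""Flag the Startup-folder persistence chain from a list of endpoint events.
The events below are constructed for illustration, not real telemetry."""
import ntpath

# All-users Startup folder named in the article; the %Temp% location for the
# sample user is an assumption.
STARTUP_DIR = r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
TEMP_DIR = r"C:\Users\victim\AppData\Local\Temp"
EXEC_EXTS = {".exe", ".dll", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js"}
# Process names treated as archive extractors (assumed list).
ARCHIVERS = {"winrar.exe", "unrar.exe", "7zfm.exe", "7z.exe"}


def _under(path, directory):
    """True if path lies inside directory, using Windows path semantics
    (case-insensitive, backslash separators) regardless of host OS."""
    p = ntpath.normcase(ntpath.normpath(path))
    d = ntpath.normcase(ntpath.normpath(directory))
    return p.startswith(d + "\\")


def _is_executable(path):
    return ntpath.splitext(path)[1].lower() in EXEC_EXTS


def analyze(events):
    """events: iterable of dicts with keys
         type  : 'file_create' or 'net_connect'
         image : full path of the process image that produced the event
         path  : file written (file_create) or destination URL (net_connect)
    Returns a list of (rule_name, detail) tuples in event order."""
    findings = []
    for ev in events:
        image = ev["image"]
        image_name = ntpath.basename(image).lower()
        if ev["type"] == "file_create":
            target = ev["path"]
            # Rule 1: an archive extractor drops an executable into Startup.
            if image_name in ARCHIVERS and _under(target, STARTUP_DIR) \
                    and _is_executable(target):
                findings.append(("archiver_startup_drop", target))
            # Rule 2: a process running from Startup stages an executable in %Temp%.
            elif _under(image, STARTUP_DIR) and _under(target, TEMP_DIR) \
                    and _is_executable(target):
                findings.append(("startup_exe_stages_to_temp", target))
        elif ev["type"] == "net_connect":
            # Rule 3: an executable living in %Temp% makes an outbound connection.
            if _under(image, TEMP_DIR) and _is_executable(image):
                findings.append(("temp_exe_outbound", ev["path"]))
    return findings


# Constructed sample: the article's chain interleaved with benign activity.
SAMPLE_EVENTS = [
    {"type": "file_create", "image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "path": r"C:\Users\victim\Downloads\report.pdf"},          # benign extract
    {"type": "file_create", "image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "path": STARTUP_DIR + r"\CMSTray.exe"},                     # rule 1
    {"type": "file_create", "image": r"C:\Windows\explorer.exe",
     "path": r"C:\Users\victim\Documents\notes.txt"},            # benign
    {"type": "file_create", "image": STARTUP_DIR + r"\CMSTray.exe",
     "path": TEMP_DIR + r"\wbssrv.exe"},                         # rule 2
    {"type": "net_connect", "image": TEMP_DIR + r"\wbssrv.exe",
     "path": "http://126.96.36.199/"},                           # rule 3
]

if __name__ == "__main__":
    for rule, detail in analyze(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

Each rule on its own is noisy in real environments (installers legitimately write to Startup, and plenty of software runs from %Temp%); the value is in seeing all three fire for one process lineage, so in practice the findings would be joined on process ancestry before alerting.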
Indicators of Compromise
IP(s) / Hostname(s)
Malware Hash (MD5/SHA1/SHA256)