MITRE ATT&CK mapping

ID         Technique                               Sub-technique          Observation
T1566.001  Phishing                                Attachment             Malicious archive delivered via email
T1204.002  User Execution                          Malicious File         User executed the malicious archive
T1574.002  Hijack Execution Flow                   DLL Side-Loading       Malicious DLL dropped and leveraged for execution
T1547.001  Boot or Logon Autostart Execution       Registry Run Keys      Persistence established via registry modification
T1083      File and Directory Discovery            -                      File creation and placement in sensitive directories
The alert "SOC343 WinRAR Zero-Day Path Traversal Vulnerability (CVE-2025-8088)" triggered after WinRAR.exe executed on host Stewart and created a suspicious file, msedge.dll, in the user's Temp directory. Sysmon logs confirm both the file creation and a subsequent registry modification performed with reg.exe, indicating persistence for a malicious DLL that was dropped during archive extraction.
Aug 15 2025 08:31 AM
Host Stewart (172.16.17.183). Malicious file created at C:\Users\LetsDefend\AppData\Local\Temp\msedge.dll, with an associated registry modification under an HKU (HKEY_USERS) path for persistence.
The alert was triggered by exploitation of a WinRAR path traversal vulnerability, which allows an archive to write files to locations other than the directory the user chose for extraction. Investigation confirms the archive was delivered via phishing email and executed by the user, resulting in the creation of a malicious DLL and a persistence mechanism via registry modification and startup linkage. No outbound network connections were observed, but the local persistence confirms successful exploitation. The endpoint was cleaned of indicators of compromise and contained to prevent further impact.
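Detection logic for the Sysmon pattern described above (WinRAR.exe creating a DLL in the Temp directory, then reg.exe setting a Run key under HKU that points at it), as an added example that is not part of the original report. The event records are constructed in the style of Sysmon Event ID 11 (FileCreate) and Event ID 13 (RegistryEvent, value set); the SID placeholder, the benign invoice.pdf and OneDrive records, and the rundll32 command line in the Run value are assumptions, not values taken from the incident.

```python
"""Correlate Sysmon events for the pattern in this alert: an archiver writing an
executable into a Temp or Startup directory, followed by a Run-key write whose
value data references that file. SAMPLE_EVENTS are constructed records."""
import re
from dataclasses import dataclass

# Sysmon event IDs (real values) and the fields each record carries.
FILE_CREATE = 11     # Image, TargetFilename
REG_SET_VALUE = 13   # Image, TargetObject, Details

ARCHIVERS = {"winrar.exe"}   # extractors whose file drops we scrutinise
EXEC_EXTENSIONS = (".dll", ".exe", ".lnk", ".scr", ".bat", ".vbs", ".js")
# Locations an archive extraction should not be writing executables into.
SUSPICIOUS_DIRS = re.compile(
    r"\\appdata\\local\\temp\\"
    r"|\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\",
    re.IGNORECASE,
)
# HKU\<SID>\...\Run, HKCU\...\Run, HKLM\...\Run and the RunOnce variants.
RUN_KEY = re.compile(
    r"^(hku\\[^\\]+|hkcu|hklm)\\software\\microsoft\\windows\\currentversion\\run(once)?\\",
    re.IGNORECASE,
)
SEVERITY_ORDER = {"low": 1, "medium": 2, "high": 3}

SAMPLE_EVENTS = [  # constructed Sysmon-style records, not the incident's telemetry
    {"EventID": 11, "UtcTime": "2025-08-15 08:31:02",
     "Image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "TargetFilename": r"C:\Users\LetsDefend\Downloads\invoice.pdf"},      # benign
    {"EventID": 11, "UtcTime": "2025-08-15 08:31:03",
     "Image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "TargetFilename": r"C:\Users\LetsDefend\AppData\Local\Temp\msedge.dll"},
    {"EventID": 13, "UtcTime": "2025-08-15 08:31:09",
     "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKU\S-1-5-21-<sid>\Software\Microsoft\Windows\CurrentVersion\Run\msedge",
     "Details": r'rundll32.exe "C:\Users\LetsDefend\AppData\Local\Temp\msedge.dll",#1'},
    {"EventID": 13, "UtcTime": "2025-08-15 08:32:00",
     "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-<sid>\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"},  # benign
]


@dataclass
class Finding:
    severity: str
    rule: str
    technique: str   # ATT&CK ID as mapped in the report above
    utc_time: str
    detail: str


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return findings in event order: archiver drops first, then Run-key writes."""
    findings = []
    dropped = {}  # lowercased path of each suspicious archiver drop -> event

    # Stage 1: an archiver creating an executable where extraction should not land.
    for ev in events:
        if ev["EventID"] == FILE_CREATE and _basename(ev["Image"]) in ARCHIVERS:
            target = ev["TargetFilename"]
            if target.lower().endswith(EXEC_EXTENSIONS) and SUSPICIOUS_DIRS.search(target):
                dropped[target.lower()] = ev
                findings.append(Finding("medium", "archiver_drops_executable", "T1574.002",
                                        ev["UtcTime"], f"{ev['Image']} created {target}"))

    # Stage 2: a Run-key value whose data references one of those drops.
    for ev in events:
        if ev["EventID"] != REG_SET_VALUE or not RUN_KEY.match(ev["TargetObject"]):
            continue
        details = ev.get("Details", "")
        hit = next((p for p in dropped if p in details.lower()), None)
        if hit:
            findings.append(Finding("high", "run_key_points_to_archiver_drop", "T1547.001",
                                    ev["UtcTime"], f"{ev['Image']} set {ev['TargetObject']} -> {details}"))
        elif _basename(ev["Image"]) == "reg.exe":
            # reg.exe touching a Run key is worth a look even without a correlated drop.
            findings.append(Finding("low", "reg_exe_run_key_write", "T1547.001",
                                    ev["UtcTime"], f"{ev['Image']} set {ev['TargetObject']}"))
    return findings


def highest_severity(findings):
    """Overall severity for an alert built from these findings ("none" if empty)."""
    return max((f.severity for f in findings), key=SEVERITY_ORDER.get, default="none")


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f.severity:<6}] {f.utc_time} {f.technique} {f.rule}: {f.detail}")
```

The correlation is the point: a lone Event 11 from WinRAR.exe into Temp is only medium (users do extract odd things), and a lone reg.exe Run-key write is low, but a Run value whose data names the file the archiver just dropped is the high-severity signal this alert hinges on. The benign records show that a normal extraction to Downloads and a legitimate Run value set by explorer.exe produce no findings.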
Analysis Reports

Any.run: https://app.any.run/tasks/4cf8b0d6-6694-445e-90c7-3338bfea17cd/
Malware Bazaar: https://bazaar.abuse.ch/sample/e0cbe8f18315a2ee781de48565dc8a087a1564557c42c66067f65c267120c894
Threat.rip: https://www.threat.rip/file/e0cbe8f18315a2ee781de48565dc8a087a1564557c42c66067f65c267120c894
VirusTotal: https://www.virustotal.com/gui/file/e0cbe8f18315a2ee781de48565dc8a087a1564557c42c66067f65c267120c894