SOC104 - Malware Detected (WinRAR False Positive Investigation)
by
Summary
This investigation was triggered by a SOC104 - Malware Detected alert involving the executable winrar600.exe.
Initial analysis suggested a potential malware detection; however, further investigation revealed that the file was downloaded from the official WinRAR website and exhibited no malicious behavior.
Threat intelligence (VirusTotal) showed only 1/70 detections, and dynamic analysis using AnyRun sandbox confirmed that the file behaved as a legitimate installer.
The alert was ultimately classified as a False Positive.
Alert Overview
- Event ID: 84
- Rule: SOC104 - Malware Detected
- Severity: Medium
- Source Host: SusieHost
- Source IP: 172.16.17.5
- File Name: winrar600.exe
- File Hash (MD5): c74862e16bcc2b0e02cadb7ab14e3cd6
- File Size: 2.95 MB
- Action: Allowed
Endpoint Information
- Hostname: SusieHost
- Operating System: Windows 10 (64-bit)
- User Activity: Browser-based download
Initial Findings
- No suspicious process activity
- No abnormal CLI usage
- No malicious browser artifacts
- Agent status reported as down
Despite the limited telemetry caused by the agent being down, the investigation continued using sandbox and network analysis.
Network Analysis

| Attribute | Value |
|---|---|
| Process | chrome.exe |
| Parent Process | explorer.exe |
| Request Method | GET |
| URL | https://www.win-rar.com/postdownload.html |
| Action | Allowed |
Analysis
- File downloaded via browser (user-initiated action)
- URL belongs to official WinRAR website
- No suspicious parameters or obfuscation
Threat Intelligence - IP Analysis

| Field | Value |
|---|---|
| IP Address | 51.195.68.163 |
| ISP | OVH SAS |
| Country | Germany |
| Hostname | win-rar.com |
Intelligence Insight
- Legitimate hosting provider
- Matches official WinRAR infrastructure
- No malicious reputation detected
Threat Intelligence - File Analysis
VirusTotal (File Hash)

| Result | Value |
|---|---|
| Detection Ratio | 1 / 70 |
| Verdict | Likely Clean |
Interpretation
- Only 1 vendor flagged the file
- Very low detection ratio, consistent with a false positive
- No known malware family associated
Dynamic Analysis (AnyRun Sandbox)

Observations
- No malicious behavior detected
- No persistence mechanisms
- No registry modifications
- No suspicious network communication
Process Activity

| Process Name | Description |
|---|---|
| winrar600.exe | Main executable |
| explorer.exe | Windows shell |
| chrome.exe | Browser |
| slui.exe | Windows licensing component |
All observed processes are legitimate.
Behavioral Indicators

| Indicator | Status |
|---|---|
| Malicious File Download | Not Detected |
| Suspicious Network Traffic | Not Detected |
| Known Malicious Hash | Not Detected |
| Sandbox Malicious Behavior | Not Detected |
| Endpoint Visibility | Limited |
Investigation Steps
- Reviewed alert metadata and file details
- Checked endpoint telemetry (process, CLI, browser)
- Identified download source from raw logs
- Verified URL legitimacy (win-rar.com)
- Performed VirusTotal hash analysis
- Observed low detection ratio (1/70)
- Executed file in AnyRun sandbox
- Confirmed absence of malicious behavior
- Correlated all findings
- Determined alert classification
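The triage decision that the steps above reach by hand can be written down so it is applied the same way on every alert of this type. The script below is an added example, not code from the original report and not LetsDefend, VirusTotal or AnyRun tooling: the alert values it embeds (file name, MD5, download URL, the 1/70 detection ratio, the clean sandbox run and the agent-down status) are copied from this write-up as constructed input, while the trusted-domain allowlist, the detection-ratio thresholds and all function and class names are assumptions chosen for illustration.

```python
"""Triage helper for a SOC104-style 'Malware Detected' alert.

Added example, not code from the original report. The domain allowlist,
the thresholds and the function names are assumptions for illustration;
the alert values are the ones documented in the write-up.
"""
import hashlib
import re
from dataclasses import dataclass
from urllib.parse import urlparse

MD5_RE = re.compile(r"^[0-9a-f]{32}$")

# Assumption: download domains the SOC has vetted as legitimate vendor sites.
TRUSTED_DOWNLOAD_DOMAINS = {"win-rar.com"}

# Assumption: detection-ratio thresholds used for triage.
LIKELY_CLEAN_MAX_RATIO = 0.05       # <= 5% of engines flag it: consistent with a false positive
LIKELY_MALICIOUS_MIN_RATIO = 0.20   # >= 20% of engines flag it: treat as a true positive


@dataclass
class Alert:
    file_name: str
    md5: str
    download_url: str
    agent_up: bool


@dataclass
class Enrichment:
    vt_positives: int
    vt_total: int
    sandbox_flags: tuple  # e.g. ("persistence",); empty when the sandbox run was clean


def md5_of_bytes(data: bytes) -> str:
    """Hash of the retrieved sample, to compare with the hash in the alert
    before looking it up in threat intelligence."""
    return hashlib.md5(data).hexdigest()


def is_trusted_domain(url: str) -> bool:
    """True only if the URL host is a trusted domain or one of its subdomains.
    Matching is done on label boundaries, so 'win-rar.com.example' or
    'notwin-rar.com' are not accepted."""
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOWNLOAD_DOMAINS)


def classify(alert: Alert, enrich: Enrichment) -> tuple:
    """Return (verdict, notes). Evidence of malicious behaviour wins over a
    trusted source; a trusted source plus a near-zero detection ratio and a
    clean sandbox run is a false positive; anything else goes to an analyst."""
    if not MD5_RE.match(alert.md5.lower()):
        raise ValueError(f"malformed MD5 in alert: {alert.md5!r}")
    notes = []
    if enrich.vt_total == 0:
        ratio = None
        notes.append("file hash unknown to threat intelligence")
    else:
        ratio = enrich.vt_positives / enrich.vt_total
        notes.append(f"VirusTotal {enrich.vt_positives}/{enrich.vt_total}")
    trusted = is_trusted_domain(alert.download_url)
    notes.append("download source trusted" if trusted else "download source not in allowlist")

    if enrich.sandbox_flags or (ratio is not None and ratio >= LIKELY_MALICIOUS_MIN_RATIO):
        verdict = "True Positive"
    elif trusted and ratio is not None and ratio <= LIKELY_CLEAN_MAX_RATIO:
        verdict = "False Positive"
    else:
        verdict = "Needs Analyst Review"

    if not alert.agent_up:
        # A clean verdict only covers what was visible; with the agent down,
        # host telemetry is missing, so flag follow-up instead of silently closing.
        notes.append("endpoint agent down: re-check host when telemetry returns")
    return verdict, notes


# Constructed input copied from the report's alert and enrichment results.
WINRAR_ALERT = Alert(
    file_name="winrar600.exe",
    md5="c74862e16bcc2b0e02cadb7ab14e3cd6",
    download_url="https://www.win-rar.com/postdownload.html",
    agent_up=False,
)
WINRAR_ENRICHMENT = Enrichment(vt_positives=1, vt_total=70, sandbox_flags=())

if __name__ == "__main__":
    verdict, notes = classify(WINRAR_ALERT, WINRAR_ENRICHMENT)
    print(verdict)
    for note in notes:
        print(" -", note)
```

Two design points matter here. Sandbox findings and a high detection ratio override a trusted download domain, because a compromised vendor site would pass the allowlist check, and the allowlist match is done on label boundaries so that look-alike hosts are rejected. The agent-down condition never changes the verdict, but it always adds a follow-up note, which mirrors the monitoring recommendation in this report.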
Incident Response Actions
- Alert analyzed and investigated
- File verified as legitimate
- No containment required
- No remediation required
- Monitoring recommended due to agent downtime
Final Verdict

| Category | Result |
|---|---|
| Malware Presence | Not Detected |
| Threat Type | Legitimate Software |
| Initial Vector | User Download |
| Host Compromise | Not Observed |
| Alert Classification | False Positive |
| Incident Severity | Low |
Conclusion
This alert represents a false positive detection involving a legitimate WinRAR installer.
Although initially flagged as malware, deeper analysis showed:
- Legitimate download source
- Clean sandbox behavior
- Extremely low VirusTotal detection
No evidence of compromise or malicious activity was found.
The only concern observed was endpoint agent downtime, which should be addressed to ensure full visibility in future incidents.