Analysis
-
max time kernel
72s -
max time network
76s -
platform
windows10-1703_x64 -
resource
win10-20220901-en -
resource tags
-
submitted
10/01/2023, 10:48
General
-
Target
StartSetup_20221.exe
-
Size
22.5MB
-
MD5
cce8badb6b84a3b83aa294d4767d46e5
-
SHA1
8bf9c628e061998a983504f42cee1a66efce6255
-
SHA256
5a944021aa7de27a1c25aa03ccda08d901cd41368e5d37af666f263919e1bff4
-
SHA512
c171c9e655747e3c3b9166920b7371fe4f0337d32e29874e6382c859b6ba646d641fdab2d04673b561c393e1597f2fa72fdfd0c78b31ed408837881a33ec3092
-
SSDEEP
393216:0fIUILIyI6gUI5I4x6dI6/OXxx+XpVEgpKH1fxmV3FJTpdbhTrSkwJDN9/U/TDfe:0Jx6dI6/OXxx+XpVEgpCKFFFjbhJSmfe
Score
10/10
Malware Config
Extracted
Path
C:\Users\Admin\AppData\Roaming\7zip\History.txt
Ransom Note
HISTORY of the 7-Zip
--------------------
21.07 2021-12-26
-------------------------
- 7-Zip now can extract VHDX disk images (Microsoft Hyper-V Virtual Hard Disk v2 format).
- New switches: -spm and -im!{file_path} to exclude directories from processing
for specified paths that don't contain path separator character at the end of path.
- In the "Add to Archive" window, now it is allowed to use -m prefix for "Parameters"
field as in command line: -mparam.
- The sorting order of files in archives was slightly changed to be more consistent
for cases where the name of some directory is the same as the prefix part of the name
of another directory or file.
- TAR archives created by 7-Zip now are more consistent with archives created by GNU TAR program.
21.06 2021-11-24
-------------------------
- The window "Add to Archive" now allows to set a limit on memory usage (RAM)
that will be used for compressing.
- New switch -mmemuse={N}g / -mmemuse=p{N} to set a limit on memory usage (RAM)
for compressing and decompressing.
- Bug in versions 21.00-21.05 was fixed:
7-Zip didn't set attributes of directories during archive extracting.
- Some bugs were fixed.
21.04 beta 2021-11-02
-------------------------
- 7-Zip now reduces the number of working CPU threads for compression,
if RAM size is not enough for compression with big LZMA2 dictionary.
- 7-Zip now can create and check "file.sha256" text files that contain the list
of file names and SHA-256 checksums in format compatible with sha256sum program.
7-Zip can work with such checksum files as with archives,
but these files don't contain real file data.
The context menu commands to create and test "sha256" files:
7-Zip / CRC SHA / SHA-256 -> file.sha256
7-Zip / CRC SHA / Test Archive : Checksum
The commands for command line version:
7z a -thash file.sha256 *.txt
7z t -thash file.sha256
7z t -thash -shd. file.sha256
New -shd{dir_path} switch to set the directory that is used to check files
referenced by "file.sha256" file for "Test" operation.
If -shd{dir_path} is not specified, 7-Zip uses the directory where "file.sha256" is stored.
- New -xtd switch to exclude directory metadata records from processing.
21.03 beta 2021-07-20
-------------------------
- The maximum dictionary size for LZMA/LZMA2 compressing was increased to 4 GB (3840 MiB).
- Minor speed optimizations in LZMA/LZMA2 compressing.
21.02 alpha 2021-05-06
-------------------------
- 7-Zip now writes additional field for filename in UTF-8 encoding to zip archives.
It allows to extract correct file name from zip archives on different systems.
- The command line version of 7-Zip for macOS was released.
- The speed for LZMA and LZMA2 decompression in arm64 versions for macOS and Linux
was increased by 20%-60%.
- Some changes and improvements in ZIP, TAR and NSIS code.
21.01 alpha 2021-03-09
-------------------------
- The command line version of 7-Zip for Linux was released.
- The improvements for speed of ARM64 version using hardware CPU instructions
for AES, CRC-32, SHA-1 and SHA-256.
- The bug in versions 18.02 - 21.00 was fixed:
7-Zip could not correctly extract some ZIP archives created with xz compression method.
- Some bugs were fixed.
21.00 alpha 2021-01-19
-------------------------
- Some internal changes in code.
- Some bugs were fixed.
- New localizations: Tajik, Uzbek (Cyrillic)
20.02 alpha 2020-08-08
-------------------------
- The default number of LZMA2 chunks per solid block in 7z archive was increased to 64.
It allows to increase the compression speed for big 7z archives, if there is a big number
of CPU cores and threads.
- The speed of PPMd compressing/decompressing was increased for 7z/ZIP/RAR archives.
- The new -ssp switch. If the switch -ssp is specified, 7-Zip doesn't allow the system
to modify "Last Access Time" property of source files for archiving and hashing operations.
- Some bugs were fixed.
- New localization: Swahili.
20.00 alpha 2020-02-06
-------------------------
- 7-Zip now supports new optional match finders for LZMA/LZMA2 compression: bt5 and hc5,
that can work faster than bt4 and hc4 match finders for the data with big redundancy.
- The compression ratio was improved for Fast and Fastest compression levels with the
following default settings:
- Fastest level (-mx1) : hc5 match finder with 256 KB dictionary.
- Fast level (-mx3) : hc5 match finder with 4 MB dictionary.
- Minor speed optimizations in multithreaded LZMA/LZMA2 compression for Normal/Maximum/Ultra
compression levels.
- bzip2 decoding code was updated to support bzip2 archives, created by lbzip2 program.
- Some bugs were fixed.
- New localization: Turkmen.
19.02 alpha 2019-09-05
-------------------------
- 7-Zip now can unpack files encoded with Base64 encoding (b64 filename extension).
- 7-Zip now can use new x86/x64 hardware instructions for SHA-1 and SHA-256, supported
by AMD Ryzen and latest Intel CPUs: Ice Lake and Goldmont.
It increases
- the speed of SHA-1/SHA-256 hash value calculation,
- the speed of encryption/decryption in zip AES,
- the speed of key derivation for encryption/decryption in 7z/zip/rar archives.
- The speed of zip AES encryption and 7z/zip/rar AES decryption was increased with
the following improvements:
- 7-Zip now can use new x86/x64 VAES (AVX Vector AES) instructions, supported by
Intel Ice Lake CPU.
- The existing code of x86/x64 AES-NI was improved also.
- There is 2% speed optimization in 7-Zip benchmark's decompression.
- Some bugs were fixed.
19.00 2019-02-21
-------------------------
- Encryption strength for 7z archives was increased:
the size of random initialization vector was increased from 64-bit to 128-bit,
and the pseudo-random number generator was improved.
- Some bugs were fixed.
18.06 2018-12-30
-------------------------
- The speed for LZMA/LZMA2 compressing was increased by 3-10%,
and there are minor changes in compression ratio.
- Some bugs were fixed.
- The bug in 7-Zip 18.02-18.05 was fixed: there was memory leak in xz decoder.
- 7-Zip 18.02-18.05 used only one CPU thread for bz2 archive creation.
18.05 2018-04-30
-------------------------
- The speed for LZMA/LZMA2 compressing was increased
by 8% for fastest/fast compression levels and
by 3% for normal/maximum compression levels.
- 7-Zip now shows Properties (Info) window and CRC/SHA results window
as "list view" window instead of "message box" window.
- Some improvements in zip, hfs and dmg code.
- Previous versions of 7-Zip could work incorrectly in "Large memory pages" mode in
Windows 10 because of some BUG with "Large Pages" in Windows 10.
Now 7-Zip doesn't use "Large Pages" on Windows 10 up to revision 1709 (16299).
- The vulnerability in RAR unpacking code was fixed (CVE-2018-10115).
- Some bugs were fixed.
18.03 beta 2018-03-04
-------------------------
- The speed for single-thread LZMA/LZMA2 decoding
was increased by 30% in x64 version and by 3% in x86 version.
- 7-Zip now can use multi-threading for 7z/LZMA2 decoding,
if there are multiple independent data chunks in LZMA2 stream.
- 7-Zip now can use multi-threading for xz decoding,
if there are multiple blocks in xz stream.
- New localization: Kabyle.
- Some bugs were fixed.
18.01 2018-01-28
-------------------------
- 7-Zip now can unpack DMG archives that use LZFSE compression method.
- 7-Zip now doesn't allow update operation for archives that have read-only attribute.
- The BUG was fixed:
extracting from tar with -si switch didn't set timestamps for directories.
- Some bugs were fixed.
18.00 beta 2018-01-10
-------------------------
- 7-Zip now can unpack OBJ/COFF files.
- new -sse switch to stop archive creating, if 7-Zip can't open some input file.
- Some bugs were fixed.
17.01 beta 2017-08-28
-------------------------
- Minor speed optimization for LZMA2 (xz and 7z) multi-threading compression.
7-Zip now uses additional memory buffers for multi-block LZMA2 compression.
CPU utilization was slightly improved.
- 7-zip now creates multi-block xz archives by default. Block size can be
specified with -ms[Size]{m|g} switch.
- xz decoder now can unpack random block from multi-block xz archives.
7-Zip File Manager now can open nested multi-block xz archives
(for example, image.iso.xz) without full unpacking of xz archive.
- 7-Zip now can create zip archives from stdin to stdout.
- 7-Zip command line: @listfile now doesn't work after -- switch.
Use -i@listfile before -- switch instead.
- The BUGs were fixed:
7-Zip could add unrequired alternate file streams to WIM archives,
for commands that contain filename wildcards and -sns switch.
7-Zip 17.00 beta crashed for commands that write anti-item to 7z archive.
7-Zip 17.00 beta ignored "Use large memory pages" option.
17.00 beta 2017-04-29
-------------------------
- ZIP unpacking code was improved.
- 7-Zip now reserves file space before writing to file (for extraction from archive).
It can reduce file fragmentation.
- Some bugs were fixed. 7-Zip could crash in some cases.
- Internal changes in code.
16.04 2016-10-04
-------------------------
- The bug was fixed: 7-Zip 16.03 exe installer under Vista didn't create
links in Start / Programs menu.
- Some bugs were fixed in RAR code.
16.03 2016-09-28
-------------------------
- Installer and SFX modules now use some protection against DLL preloading attack.
- Some bugs were fixed in 7z, NSIS, SquashFS, RAR5 and another code.
16.02 2016-05-21
-------------------------
- 7-Zip now can extract multivolume ZIP archives (z01, z02, ... , zip).
- Some bugs were fixed.
15.14 2015-12-31
-------------------------
- 7-Zip File Manager:
- The code for "Open file from archive" operation was improved.
- The code for "Tools/Options" window was improved.
- The BUG was fixed: there was incorrect mouse cursor capture for
drag-and-drop operations from open archive to Explorer window.
- Some bugs were fixed.
- New localization: Yoruba.
15.12 2015-11-19
-------------------------
- The release version.
15.11 beta 2015-11-14
-------------------------
- Some bugs were fixed.
15.10 beta 2015-11-01
-------------------------
- The BUG in 9.21 - 15.09 was fixed:
7-Zip could ignore some parameters, specified for archive creation operation
for gzip and bzip2 formats in "Add to Archive" window and in command line
version (-m switch).
- Some bugs were fixed.
15.09 beta 2015-10-16
-------------------------
- 7-Zip now can extract ext2 and multivolume VMDK images.
- Some bugs were fixed.
15.08 beta 2015-10-01
-------------------------
- 7-Zip now can extract ext3 and ext4 (Linux file system) images.
- Some bugs were fixed.
15.07 beta 2015-09-17
-------------------------
- 7-Zip now can extract GPT images and single file QCOW2, VMDK, VDI images.
- 7-Zip now can extract solid WIM archives with LZMS compression.
- Some bugs were fixed.
15.06 beta 2015-08-09
-------------------------
- 7-Zip now can extract RAR5 archives.
- 7-Zip now doesn't sort files by type while adding to solid 7z archive.
- new -mqs switch to sort files by type while adding to solid 7z archive.
- The BUG in 7-Zip File Manager was fixed:
The "Move" operation to open 7z archive didn't delete empty files.
- The BUG in 15.05 was fixed:
console version added some text to the end of stdout stream, is -so switch was used.
- The BUG in 9.30 - 15.05 was fixed:
7-Zip could not open multivolume sfx RAR archive.
- Some bugs were fixed.
15.05 beta 2015-06-14
-------------------------
- 7-Zip now uses new installer.
- 7-Zip now can create 7z, xz and zip archives with 1536 MB dictionary for LZMA/LZMA2.
- 7-Zip File Manager now can operate with alternate file streams at NTFS
volumes via "File / Alternate Streams" menu command.
- 7-Zip now can extract .zipx (WinZip) archives that use xz compression.
- new optional "section size" parameter for BCJ2 filter for compression ratio improving.
Example: -mf=BCJ2:d9M, if largest executable section in files is smaller than 9 MB.
- Speed optimizations for BCJ2 filter and SHA-1 and SHA-256 calculation.
- Console version now uses stderr stream for error messages.
- Console version now shows names of processed files only in progress line by default.
- new -bb[0-3] switch to set output log level. -bb1 shows names of processed files in log.
- new -bs[o|e|p][0|1|2] switch to set stream for output messages;
o: output, e: error, p: progress line; 0: disable, 1: stdout, 2: stderr.
- new -bt switch to show execution time statistics.
- new -myx[0-9] switch to set level of file analysis.
- new -mmtf- switch to set single thread mode for filters.
- The BUG was fixed:
7-Zip didn't restore NTFS permissions for folders during extracting from WIM archives.
- The BUG was fixed:
The command line version: if the command "rn" (Rename) was called with more
than one pair of paths, 7-Zip used only first rename pair.
- The BUG was fixed:
7-Zip crashed for ZIP/LZMA/AES/AES-NI.
- The BUG in 15.01-15.02 was fixed:
7-Zip created incorrect ZIP archives, if ZipCrypto encryption was used.
7-Zip 9.20 can extract such incorrect ZIP archives.
- Some bugs were fixed.
9.38 beta 2015-01-03
-------------------------
- Some bugs were fixed.
9.36 beta 2014-12-26
-------------------------
- The BUG in command line version was fixed:
7-Zip created temporary archive in current folder during update archive
operation, if -w{Path} switch was not specified.
The fixed 7-Zip creates temporary archive in folder that contains updated archive.
- The BUG in 9.33-9.35 was fixed:
7-Zip silently ignored file reading errors during 7z or gz archive creation,
and the created archive contained only part of file that was read before error.
The fixed 7-Zip stops archive creation and it reports about error.
- Some bugs were fixed.
9.35 beta 2014-12-07
-------------------------
- The BUG was fixed:
7-Zip crashed during ZIP archive creation, if the number of CPU threads was more than 64.
- The BUG in 9.31-9.34 was fixed:
7-Zip could not correctly extract ISO archives that are larger than 4 GiB.
- The BUG in 9.33-9.34 was fixed:
The option "Compress shared files" and -ssw switch didn't work.
- The BUG in 9.26-9.34 was fixed:
7-Zip File Manager could crash for some archives open in "Flat View" mode.
- Some bugs were fixed.
9.34 alpha 2014-06-22
-------------------------
- The BUG in 9.33 was fixed:
Command line version of 7-Zip could work incorrectly, if there is relative
path in exclude filename optiton (-x) and absolute path as include filename.
- The BUG in 9.26-9.33 was fixed:
7-Zip could not open some unusual 7z archives that were created by another
software (not by 7-Zip).
- The BUG in 9.31-9.33 was fixed:
7-Zip could crash with switch -tcab.
9.33 alpha 2014-06-15
-------------------------
- 7-Zip now can show icons for 7-Zip items in Explorer's context menu.
- "Add to archive" dialog box:
- new options in "Path Mode"
- new option "Delete files after compression"
- new "NTFS" options for WIM and TAR formats:
- Store symbolic links
- Store hard links
- Store alternate data streams
- Store file security
- "Extract" dialog box:
- new optional field to set output folder name
- new option "Eliminate duplication of root folder"
- new option "Absolute pathnames" in "Path Mode".
- new option "Restore file security" (that works for WIM archives only)
- 7-Zip File Manager:
- new "File / Link" dialog box in to create symbolic links and hard links.
- Command line version:
- new -spd switch to Disable wildcard matching for file names
- new -spe switch to Eliminate duplic
Signatures
-
Registers COM server for autorun 1 TTPs 6 IoCs
-
Loads dropped DLL 1 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 7 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies registry class 26 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\StartSetup_20221.exe"C:\Users\Admin\AppData\Local\Temp\StartSetup_20221.exe"1⤵
- Registers COM server for autorun
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5116.0.921691023\1212248104" -parentBuildID 20200403170909 -prefsHandle 1540 -prefMapHandle 1168 -prefsLen 1 -prefMapSize 219987 -appdir "C:\Program Files\Mozilla Firefox\browser" - 5116 "\\.\pipe\gecko-crash-server-pipe.5116" 1616 gpu3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5116.3.1112808532\1767303067" -childID 1 -isForBrowser -prefsHandle 2232 -prefMapHandle 2228 -prefsLen 156 -prefMapSize 219987 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 5116 "\\.\pipe\gecko-crash-server-pipe.5116" 2244 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5116.13.685495226\557089066" -childID 2 -isForBrowser -prefsHandle 3448 -prefMapHandle 3444 -prefsLen 6938 -prefMapSize 219987 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 5116 "\\.\pipe\gecko-crash-server-pipe.5116" 3456 tab3⤵
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
91KB
MD58b8670df5ccd10d7f43a71c9827ad659
SHA1e8cd304f4c796ea9d415c34070c347929d7df5a7
SHA25673b61b8a6e58fbfa99d7659e4bd3e4fcabeb98f12039c93eea54e09687d98498
SHA51222f6f9fb9132e3fd933f8a30423913cc0e9b095c46067537a7e869675210e4f26d13520874c9ac381df09e363794efa6397ddaeb2503120febab7f95f57ea3e2
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB