Overview

overview

7

Static

static

3

7z2201-x64.exe

windows7-x64

Analysis

  • max time kernel
    133s
  • max time network
    136s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    10-06-2023 14:38

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    7z2201-x64.exe

  • Size

    1.5MB

  • MD5

    a6a0f7c173094f8dafef996157751ecf

  • SHA1

    c0dcae7c4c80be25661d22400466b4ea074fc580

  • SHA256

    b055fee85472921575071464a97a79540e489c1c3a14b9bdfbdbab60e17f36e4

  • SHA512

    965d43f06d104bf6707513c459f18aaf8b049f4a043643d720b184ed9f1bb6c929309c51c3991d5aaff7b9d87031a7248ee3274896521abe955d0e49f901ac94

  • SSDEEP

    24576:mGIyixBMj+/A2d+UKnvT+LwZWj7iDDVVYrz0rbzGTw3DoA/sk6smE:mGbj+/BpKnvyIxVV/XDoAfmE

Score
7/10
bootkitdiscoverypersistence

Malware Config

Signatures

  • Loads dropped DLL 3 IoCs
  • Registers COM server for autorun 1 TTPs 3 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 29 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7z2201-x64.exe
    "C:\Users\Admin\AppData\Local\Temp\7z2201-x64.exe"
    1⤵
    • Loads dropped DLL
    • Registers COM server for autorun
    • Drops file in Program Files directory
    • Modifies registry class
    PID:1556
  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:1148
  • C:\Windows\system32\CompMgmtLauncher.exe
    "C:\Windows\system32\CompMgmtLauncher.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1756
    • C:\Windows\system32\mmc.exe
      "C:\Windows\system32\mmc.exe" "C:\Windows\system32\compmgmt.msc" /s
      2⤵
      • Writes to the Master Boot Record (MBR)
      • Drops file in System32 directory
      • NTFS ADS
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:1592
  • C:\Windows\System32\vdsldr.exe
    C:\Windows\System32\vdsldr.exe -Embedding
    1⤵
      PID:612
    • C:\Windows\System32\vds.exe
      C:\Windows\System32\vds.exe
      1⤵
        PID:1260
      • C:\Windows\system32\LogonUI.exe
        "LogonUI.exe" /flags:0x0
        1⤵
          PID:1916
        • C:\Windows\system32\AUDIODG.EXE
          C:\Windows\system32\AUDIODG.EXE 0x2e8
          1⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1944
        • C:\Windows\system32\LogonUI.exe
          "LogonUI.exe" /flags:0x1
          1⤵
            PID:560

          Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files\7-Zip\7-zip.dll
            Filesize

            92KB

            MD5

            c3af132ea025d289ab4841fc00bb74af

            SHA1

            0a9973d5234cc55b8b97bbb82c722b910c71cbaf

            SHA256

            56b1148a7f96f730d7085f90cadda4980d31cad527d776545c5223466f9ffb52

            SHA512

            707097953d876fa8f25bfefb19bfb3af402b8a6a5d5c35a2d84282818df4466feba63b6401b9b9f11468a2189dcc7f504c51e4590a5e32e635eb4f5710fd80b2

            Download Submit

          • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
            Filesize

            20KB

            MD5

            ffe947cbeba465ddc747e35557c56844

            SHA1

            6c294b58ac9eefbdc1b69bc5d836a22a03234fd3

            SHA256

            fbb7bdfd31629864bc62e1696795f0c1c497ebd6c5f37e49d91b9edf33904024

            SHA512

            25dfc35f834ae8ebc4e664d9ee83b6725c8c74ae020fb69a003d8460efa7fcfaed1c1d6fbd8d2f0e941727663704762dd943f24275b65eb60b1be74ab25a9136

            Download Submit

          • \Program Files\7-Zip\7-zip.dll
            Filesize

            92KB

            MD5

            c3af132ea025d289ab4841fc00bb74af

            SHA1

            0a9973d5234cc55b8b97bbb82c722b910c71cbaf

            SHA256

            56b1148a7f96f730d7085f90cadda4980d31cad527d776545c5223466f9ffb52

            SHA512

            707097953d876fa8f25bfefb19bfb3af402b8a6a5d5c35a2d84282818df4466feba63b6401b9b9f11468a2189dcc7f504c51e4590a5e32e635eb4f5710fd80b2

            Download Submit

          • \Program Files\7-Zip\7-zip.dll
            Filesize

            92KB

            MD5

            c3af132ea025d289ab4841fc00bb74af

            SHA1

            0a9973d5234cc55b8b97bbb82c722b910c71cbaf

            SHA256

            56b1148a7f96f730d7085f90cadda4980d31cad527d776545c5223466f9ffb52

            SHA512

            707097953d876fa8f25bfefb19bfb3af402b8a6a5d5c35a2d84282818df4466feba63b6401b9b9f11468a2189dcc7f504c51e4590a5e32e635eb4f5710fd80b2

            Download Submit

          • \Program Files\7-Zip\7zFM.exe
            Filesize

            935KB

            MD5

            d36deceeb4c9645aab2ded86608d090b

            SHA1

            912f4658c4b046fbadd084912f9126cb1ae3737b

            SHA256

            018d74ff917692124dee0a8a7e6302aecd219d79b049ad95f2f4eedea41b4a45

            SHA512

            9752a9e57dd2e6cd454ba6c2d041d884369734c2b62c53d3ec4854731c398cd6e25ac75f7a55cda9d4b4c2efb074cb2e6efcbf3080cd8cc7d9bc8c9a25f62ff2

            Download Submit

          • memory/560-316-0x0000000002820000-0x0000000002821000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1148-274-0x000000005FFF0000-0x0000000060000000-memory.dmp

            Filesize

            64KB

            Download

          • memory/1148-293-0x000000005FFF0000-0x0000000060000000-memory.dmp

            Filesize

            64KB

            Download

          • memory/1592-302-0x00000000032A0000-0x0000000003320000-memory.dmp

            Filesize

            512KB

            Download

          • memory/1592-307-0x00000000027F0000-0x00000000027F1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1592-300-0x000000001D2B0000-0x000000001D5F6000-memory.dmp

            Filesize

            3.3MB

            Download

          • memory/1592-301-0x00000000032A0000-0x0000000003320000-memory.dmp

            Filesize

            512KB

            Download

          • memory/1592-299-0x00000000032A0000-0x0000000003320000-memory.dmp

            Filesize

            512KB

            Download

          • memory/1592-303-0x00000000032A0000-0x0000000003320000-memory.dmp

            Filesize

            512KB

            Download

          • memory/1592-304-0x00000000032A0000-0x0000000003320000-memory.dmp

            Filesize

            512KB

            Download

          • memory/1592-305-0x00000000032A0000-0x0000000003320000-memory.dmp

            Filesize

            512KB

            Download

          • memory/1592-306-0x00000000032A0000-0x0000000003320000-memory.dmp

            Filesize

            512KB

            Download

          • memory/1592-298-0x0000000003080000-0x000000000309E000-memory.dmp

            Filesize

            120KB

            Download

          • memory/1592-308-0x00000000032A0000-0x0000000003320000-memory.dmp

            Filesize

            512KB

            Download

          • memory/1592-309-0x00000000032A0000-0x0000000003320000-memory.dmp

            Filesize

            512KB

            Download

          • memory/1592-310-0x00000000032A0000-0x0000000003320000-memory.dmp

            Filesize

            512KB

            Download

          • memory/1592-311-0x00000000032A0000-0x0000000003320000-memory.dmp

            Filesize

            512KB

            Download

          • memory/1592-312-0x00000000032A0000-0x0000000003320000-memory.dmp

            Filesize

            512KB

            Download

          • memory/1592-313-0x00000000032A0000-0x0000000003320000-memory.dmp

            Filesize

            512KB

            Download

          • memory/1592-314-0x000007FFFFF00000-0x000007FFFFF10000-memory.dmp

            Filesize

            64KB

            Download

          • memory/1592-297-0x00000000027F0000-0x00000000027F1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1916-315-0x00000000027C0000-0x00000000027C1000-memory.dmp

            Filesize

            4KB

            Download