17a507cce4066c4be7db53d64d9a9e11dfecfd4f2411393690506e591b5895cd

Analysis

max time kernel
107s
max time network
117s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
26-02-2024 16:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7z2401-x64.exe
Size

1.5MB
MD5

de644b4e1086f1315c422f359133543b
SHA1

54be86d121879b0e5d86604297c57a926d665fa8
SHA256

17a507cce4066c4be7db53d64d9a9e11dfecfd4f2411393690506e591b5895cd
SHA512

714d41254352d91834a4b648d613e9b4452b93b097b5781ec5bf3ec7c310a489d3a1c409b2f0a6946822b96f6943b579910d26a5f4324b320d485e856dbdcb1a
SSDEEP

49152:8yEuRNRgYQYk6tC0tkaNuiXatTQY7quUncuTVyvn65:8yEoL7tCzlqLcuBz5

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4028	7zFM.exe
1888	7zFM.exe

Loads dropped DLL 3 IoCs

pid	Process
3280	Process not Found
4028	7zFM.exe
1888	7zFM.exe

Registers COM server for autorun 1 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32	7z2401-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip.dll"	7z2401-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment"	7z2401-x64.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\Lang\tk.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uz-cyrl.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\vi.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\id.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mk.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ne.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\be.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fy.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku-ckb.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\History.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\is.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hr.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ru.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ast.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ga.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ka.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sv.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pl.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\zh-cn.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ext.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fur.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spl.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\7z.dll	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\License.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.dll	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\7-zip32.dll	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ps.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\zh-tw.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eo.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ja.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.chm	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\el.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hi.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lt.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\it.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ms.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ca.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hy.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\yo.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\de.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nn.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sk.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\va.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\co.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lij.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eu.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ta.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nl.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pa-in.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fr.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nb.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\he.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uz.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gu.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\si.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sl.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ba.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fi.txt	7z2401-x64.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 21 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment"	7z2401-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}	7z2401-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\ = "7-Zip Shell Extension"	7z2401-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip	7z2401-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip	7z2401-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\ = "7-Zip Shell Extension"	7z2401-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32	7z2401-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip32.dll"	7z2401-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2401-x64.exe
Key created	\REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip	7z2401-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip	7z2401-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2401-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32	7z2401-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip.dll"	7z2401-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment"	7z2401-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2401-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\7-Zip	7z2401-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2401-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}	7z2401-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2401-x64.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
408	OpenWith.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	4028	7zFM.exe
Token: 35	4028	7zFM.exe
Token: SeRestorePrivilege	1888	7zFM.exe
Token: 35	1888	7zFM.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4028	7zFM.exe
1888	7zFM.exe

Suspicious use of SetWindowsHookEx 31 IoCs

pid	Process
408	OpenWith.exe
408	OpenWith.exe
408	OpenWith.exe
408	OpenWith.exe
408	OpenWith.exe
408	OpenWith.exe
408	OpenWith.exe
408	OpenWith.exe
408	OpenWith.exe
408	OpenWith.exe
408	OpenWith.exe
408	OpenWith.exe
408	OpenWith.exe
408	OpenWith.exe
408	OpenWith.exe
408	OpenWith.exe
408	OpenWith.exe
408	OpenWith.exe
408	OpenWith.exe
408	OpenWith.exe
408	OpenWith.exe
408	OpenWith.exe
408	OpenWith.exe
408	OpenWith.exe
408	OpenWith.exe
408	OpenWith.exe
408	OpenWith.exe
408	OpenWith.exe
408	OpenWith.exe
408	OpenWith.exe
408	OpenWith.exe

C:\Users\Admin\AppData\Local\Temp\7z2401-x64.exe
"C:\Users\Admin\AppData\Local\Temp\7z2401-x64.exe"
1⤵
- Registers COM server for autorun
- Drops file in Program Files directory
- Modifies registry class
PID:4044

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Desktop\ConvertFromOpen.rar"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4028

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Desktop\ConvertFromOpen.rar"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1888

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1256

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7-zip.dll

Filesize
99KB

MD5
0bb139023eb3e17dedf9780a66e99a1a

SHA1
da841883ee156ffb2c1718e6aa20d30d4d578691

SHA256
0cdacb5eb70ca2b16ab333ee870983750103865fedb167c9d6068019b8197a4f

SHA512
ff9c15ac88bb233d9dd1dfb66a0dd9df5d87e7ae0ca282a6223fcd2ee69896056f330d9af6a4a7f913f9ed97b5bf77e8adfaa43270a7e39eaa91d039cb8f445d

Download Submit
C:\Program Files\7-Zip\7z.dll

Filesize
1.8MB

MD5
325164288f23ccfff4891b050bf4a43e

SHA1
c6a2ded962d39a62da3878408fe0e3354938f81d

SHA256
1af1b530f6295207f719697184d4ab5587e2f11586da4564ce352a743e7b8ccb

SHA512
ce7765a689b15c85ee95394422a9a93d36ca803b89246edfdfcf86969b1227b52e99e7e029e5e52741f3bb41c0b8b7463e92e9f4ef7439a40e1cb70c79cade3c

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
929KB

MD5
6156ebaea891ddbfcb1187f628ec7577

SHA1
778fd5d5dec21f95c5aa554567e06da8295b9a47

SHA256
4853947e14bf30ab40702c34f80fb113c45619a73f89a938f2284c786e35c9fe

SHA512
ed166095ceb46ff77e1081263aea03cb97b5d244a7e4060b6b37c847fd496a7e577f297846414ff130e01484f44f9da2566e2572c6cd69e9b419c311799a511a

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads