17a507cce4066c4be7db53d64d9a9e11dfecfd4f2411393690506e591b5895cd

Analysis

max time kernel
93s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
02-03-2024 16:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7z2401-x64.exe
Size

1.5MB
MD5

de644b4e1086f1315c422f359133543b
SHA1

54be86d121879b0e5d86604297c57a926d665fa8
SHA256

17a507cce4066c4be7db53d64d9a9e11dfecfd4f2411393690506e591b5895cd
SHA512

714d41254352d91834a4b648d613e9b4452b93b097b5781ec5bf3ec7c310a489d3a1c409b2f0a6946822b96f6943b579910d26a5f4324b320d485e856dbdcb1a
SSDEEP

49152:8yEuRNRgYQYk6tC0tkaNuiXatTQY7quUncuTVyvn65:8yEoL7tCzlqLcuBz5

Score

7^/10

discovery persistence

Malware Config

Signatures

Registers COM server for autorun 1 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment"	7z2401-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32	7z2401-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip.dll"	7z2401-x64.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\Lang\ast.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spc.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\7-zip32.dll	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sa.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\vi.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ar.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bn.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\el.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\en.ttt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fy.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mr.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\es.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kaa.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ext.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\id.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\da.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ga.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\License.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\va.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\7z.sfx	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\de.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fi.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lv.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tr.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\zh-tw.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ca.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hi.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\th.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ru.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ta.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hr.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ko.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\si.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\History.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\readme.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mk.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sw.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ba.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fa.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gu.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hy.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku-ckb.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ky.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mn.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sl.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sv.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\yo.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\et.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\he.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pl.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pt.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ja.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ms.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ro.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\descript.ion	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\io.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\co.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sq.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\zh-cn.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.dll	7z2401-x64.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 20 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip	7z2401-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32	7z2401-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\ = "7-Zip Shell Extension"	7z2401-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32	7z2401-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip	7z2401-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment"	7z2401-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip	7z2401-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2401-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment"	7z2401-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\7-Zip	7z2401-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2401-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip	7z2401-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\ = "7-Zip Shell Extension"	7z2401-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip32.dll"	7z2401-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}	7z2401-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip.dll"	7z2401-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2401-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2401-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}	7z2401-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2401-x64.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3508	msedge.exe
3508	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3364 wrote to memory of 3024	3364	msedge.exe	108
PID 3364 wrote to memory of 3024	3364	msedge.exe	108
PID 3364 wrote to memory of 2644	3364	msedge.exe	109
PID 3364 wrote to memory of 2644	3364	msedge.exe	109
PID 3364 wrote to memory of 2644	3364	msedge.exe	109
PID 3364 wrote to memory of 2644	3364	msedge.exe	109
PID 3364 wrote to memory of 2644	3364	msedge.exe	109
PID 3364 wrote to memory of 2644	3364	msedge.exe	109
PID 3364 wrote to memory of 2644	3364	msedge.exe	109
PID 3364 wrote to memory of 2644	3364	msedge.exe	109
PID 3364 wrote to memory of 2644	3364	msedge.exe	109
PID 3364 wrote to memory of 2644	3364	msedge.exe	109
PID 3364 wrote to memory of 2644	3364	msedge.exe	109
PID 3364 wrote to memory of 2644	3364	msedge.exe	109
PID 3364 wrote to memory of 2644	3364	msedge.exe	109
PID 3364 wrote to memory of 2644	3364	msedge.exe	109
PID 3364 wrote to memory of 2644	3364	msedge.exe	109
PID 3364 wrote to memory of 2644	3364	msedge.exe	109
PID 3364 wrote to memory of 2644	3364	msedge.exe	109
PID 3364 wrote to memory of 2644	3364	msedge.exe	109
PID 3364 wrote to memory of 2644	3364	msedge.exe	109
PID 3364 wrote to memory of 2644	3364	msedge.exe	109
PID 3364 wrote to memory of 2644	3364	msedge.exe	109
PID 3364 wrote to memory of 2644	3364	msedge.exe	109
PID 3364 wrote to memory of 2644	3364	msedge.exe	109
PID 3364 wrote to memory of 2644	3364	msedge.exe	109
PID 3364 wrote to memory of 2644	3364	msedge.exe	109
PID 3364 wrote to memory of 2644	3364	msedge.exe	109
PID 3364 wrote to memory of 2644	3364	msedge.exe	109
PID 3364 wrote to memory of 2644	3364	msedge.exe	109
PID 3364 wrote to memory of 2644	3364	msedge.exe	109
PID 3364 wrote to memory of 2644	3364	msedge.exe	109
PID 3364 wrote to memory of 2644	3364	msedge.exe	109
PID 3364 wrote to memory of 2644	3364	msedge.exe	109
PID 3364 wrote to memory of 2644	3364	msedge.exe	109
PID 3364 wrote to memory of 2644	3364	msedge.exe	109
PID 3364 wrote to memory of 2644	3364	msedge.exe	109
PID 3364 wrote to memory of 2644	3364	msedge.exe	109
PID 3364 wrote to memory of 2644	3364	msedge.exe	109
PID 3364 wrote to memory of 2644	3364	msedge.exe	109
PID 3364 wrote to memory of 2644	3364	msedge.exe	109
PID 3364 wrote to memory of 2644	3364	msedge.exe	109
PID 3364 wrote to memory of 3508	3364	msedge.exe	110
PID 3364 wrote to memory of 3508	3364	msedge.exe	110
PID 3364 wrote to memory of 3288	3364	msedge.exe	111
PID 3364 wrote to memory of 3288	3364	msedge.exe	111
PID 3364 wrote to memory of 3288	3364	msedge.exe	111
PID 3364 wrote to memory of 3288	3364	msedge.exe	111
PID 3364 wrote to memory of 3288	3364	msedge.exe	111
PID 3364 wrote to memory of 3288	3364	msedge.exe	111
PID 3364 wrote to memory of 3288	3364	msedge.exe	111
PID 3364 wrote to memory of 3288	3364	msedge.exe	111
PID 3364 wrote to memory of 3288	3364	msedge.exe	111
PID 3364 wrote to memory of 3288	3364	msedge.exe	111
PID 3364 wrote to memory of 3288	3364	msedge.exe	111
PID 3364 wrote to memory of 3288	3364	msedge.exe	111
PID 3364 wrote to memory of 3288	3364	msedge.exe	111
PID 3364 wrote to memory of 3288	3364	msedge.exe	111
PID 3364 wrote to memory of 3288	3364	msedge.exe	111
PID 3364 wrote to memory of 3288	3364	msedge.exe	111
PID 3364 wrote to memory of 3288	3364	msedge.exe	111
PID 3364 wrote to memory of 3288	3364	msedge.exe	111
PID 3364 wrote to memory of 3288	3364	msedge.exe	111
PID 3364 wrote to memory of 3288	3364	msedge.exe	111

C:\Users\Admin\AppData\Local\Temp\7z2401-x64.exe
"C:\Users\Admin\AppData\Local\Temp\7z2401-x64.exe"
1⤵
- Registers COM server for autorun
- Drops file in Program Files directory
- Modifies registry class
PID:1584

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault34d03744hfc8bh4fd6h9a20he8802736cc46
1⤵
- Suspicious use of WriteProcessMemory
PID:3364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffeb82e46f8,0x7ffeb82e4708,0x7ffeb82e4718
  2⤵
  PID:3024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1884,3132785977491754923,11962305268295043959,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2016 /prefetch:2
  2⤵
  PID:2644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1884,3132785977491754923,11962305268295043959,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2364 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1884,3132785977491754923,11962305268295043959,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2708 /prefetch:8
  2⤵
  PID:3288

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4624

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
279e783b0129b64a8529800a88fbf1ee

SHA1
204c62ec8cef8467e5729cad52adae293178744f

SHA256
3619c3b82a8cbdce37bfd88b66d4fdfcd728a1112b05eb26998bea527d187932

SHA512
32730d9124dd28c196bd4abcfd6a283a04553f3f6b050c057264bc883783d30d6602781137762e66e1f90847724d0e994bddf6e729de11a809f263f139023d3b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ba2ab409b882836e9644fd633f74eeb7

SHA1
184b6a78fa5fc0b61ba5f70856111ad44d6c9656

SHA256
7b6b89b4a1511781b94f438cd8db78a2d63ed8eff05a908e52b03edb41028295

SHA512
2e6093513925a4f63737cb5d759880de5f7374da1981acdf9f77cf52f7e0122f0fe9752f81d73e39d10bb860e73bc4e2f0653bb91544c1a044064fb5287b8230

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
9KB

MD5
010e0e5cf391cbdd86fb9fc9bfc4983b

SHA1
550d7d72b49824f1e48db1e1c3fe252c487b3a8d

SHA256
740ea6378edf60eb7daeeddf9aa44ab6d8f14bacc5ade14104085db7fc0fb424

SHA512
7d8fa6cb8e469d63d1c4eb7a2987269a78f334b1b32630810fe9dc3dc25de7712527203a4106608b8282b0cbe9a162d13cf88ce5f0b14c7f5fc088e34ed68f16

Download Submit