ad12cec3a3957ff73a689e0d65a05b6328c80fd76336a1b1a6285335f8dab1ba

Analysis

max time kernel
66s
max time network
68s
platform
windows11-21h2_x64
resource
win11-20240709-en
resource tags

arch:x64arch:x86image:win11-20240709-enlocale:en-usos:windows11-21h2-x64system
submitted
13/07/2024, 10:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7z2407-x64.exe
Size

1.5MB
MD5

f1320bd826092e99fcec85cc96a29791
SHA1

c0fa3b83cf9f9ec5e584fbca4a0afa9a9faa13ed
SHA256

ad12cec3a3957ff73a689e0d65a05b6328c80fd76336a1b1a6285335f8dab1ba
SHA512

c6ba7770de0302dd90b04393a47dd7d80a0de26fab0bc11e147bf356e3e54ec69ba78e3df05f4f8718ba08ccaefbd6ea0409857973af3b6b57d271762685823a
SSDEEP

24576:GE413GbD17f+xGvqTQQc3iFwInAKPfzMc2NAjBWm5HrUq3IbWpeFy:GEVp1/SFwg1bMdN6Wm5HQq3YWUg

Score

7^/10

discovery persistence privilege_escalation

Malware Config

Signatures

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Loads dropped DLL 1 IoCs

pid	Process
3292	Process not Found

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\Lang\be.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\vi.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\da.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ga.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gu.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ro.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tt.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nb.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ne.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\br.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ru.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\License.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ba.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\id.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kaa.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ps.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\si.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uz.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pt.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spl.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ta.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uk.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\7z.dll	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\es.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\et.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lij.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pt-br.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\he.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mk.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fi.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lt.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ms.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\zh-tw.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fa.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hr.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku-ckb.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pl.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\af.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\az.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gl.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spc.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\co.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hi.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tk.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fr.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ka.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sl.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\yo.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ky.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sk.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uz-cyrl.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\7-zip32.dll	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\io.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kab.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lv.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.chm	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\th.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\7zCon.sfx	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bn.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sa.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tr.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	7z2407-x64.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 20 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2407-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\7-Zip	7z2407-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}	7z2407-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\ = "7-Zip Shell Extension"	7z2407-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment"	7z2407-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}	7z2407-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment"	7z2407-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32	7z2407-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip.dll"	7z2407-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip	7z2407-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2407-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip32.dll"	7z2407-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\ = "7-Zip Shell Extension"	7z2407-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip	7z2407-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip	7z2407-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip	7z2407-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32	7z2407-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2407-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2407-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2407-x64.exe

C:\Users\Admin\AppData\Local\Temp\7z2407-x64.exe
"C:\Users\Admin\AppData\Local\Temp\7z2407-x64.exe"
1⤵
- Drops file in Program Files directory
- Modifies registry class
PID:5088

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7-zip.dll

Filesize
99KB

MD5
8af282b10fd825dc83d827c1d8d23b53

SHA1
17c08d9ad0fb1537c7e6cb125ec0acbc72f2b355

SHA256
1c0012c9785c3283556ac33a70f77a1bc6914d79218a5c4903b1c174aaa558ca

SHA512
cb6811df9597796302d33c5c138b576651a1e1f660717dd79602db669692c18844b87c68f2126d5f56ff584eee3c8710206265465583de9ec9da42a6ed2477f8

Download Submit