56876aad7e2cdb3f685ebe5fb66a08a8c5f418da061a823f91d96317d3e89fad

General

Target

7zFM.exe
Size

2.1MB
MD5

2fe0f2549f86229893dd19c6c1f308a9
SHA1

aed113015b019a3f362403a64218b4dffc905b84
SHA256

56876aad7e2cdb3f685ebe5fb66a08a8c5f418da061a823f91d96317d3e89fad
SHA512

8231f273a3703ca59b47954be08b9f0c4d3bd1cb8b17192b645d3957631a47e5d42edc23b9ca40d55a3d6c3f909c53da199571dec473bb8d0c182aad6690c793
SSDEEP

49152:q/cwmUWw4qu0YrZy0n9TpAmUguondIWpL1YQRhdVNbexGnbbWZ67ZSiw7nI6P:qkU3xY5FpAHguYLr7VNaeXR3

Score

8^/10

evasion persistence privilege_escalation

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
3540	netsh.exe
1460	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	7zFM.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7zFM.lnk	7zFM.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\7zFM = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\7zFM.exe\""	7zFM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\7zFM = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\7zFM.exe\""	7zFM.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
22	2.tcp.eu.ngrok.io

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
25	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3140	schtasks.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4740	7zFM.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4740 wrote to memory of 3540	4740	7zFM.exe	85
PID 4740 wrote to memory of 3540	4740	7zFM.exe	85
PID 4740 wrote to memory of 1460	4740	7zFM.exe	89
PID 4740 wrote to memory of 1460	4740	7zFM.exe	89
PID 4740 wrote to memory of 3140	4740	7zFM.exe	91
PID 4740 wrote to memory of 3140	4740	7zFM.exe	91

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\7zFM.exe
"C:\Users\Admin\AppData\Local\Temp\7zFM.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4740
- C:\Windows\SYSTEM32\netsh.exe
  netsh firewall add allowedprogram"C:\Users\Admin\AppData\Local\Temp\7zFM.exe" "7zFM" ENABLE
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  PID:3540
- C:\Windows\SYSTEM32\netsh.exe
  netsh firewall add allowedprogram"C:\Users\Admin\AppData\Local\Temp\7zFM.exe" "7zFM" ENABLE
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  PID:1460
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "7zFM" /tr "C:\Users\Admin\AppData\Local\Temp\7zFM.exe"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:3140

C:\Users\Admin\AppData\Local\Temp\7zFM.exe
C:\Users\Admin\AppData\Local\Temp\7zFM.exe
1⤵
PID:4828

C:\Users\Admin\AppData\Local\Temp\7zFM.exe
C:\Users\Admin\AppData\Local\Temp\7zFM.exe
1⤵
PID:5004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\7zFM.exe.log

Filesize
1KB

MD5
2d2a235f1b0f4b608c5910673735494b

SHA1
23a63f6529bfdf917886ab8347092238db0423a0

SHA256
c897436c82fda9abf08b29fe05c42f4e59900116bbaf8bfd5b85ef3c97ab7884

SHA512
10684245497f1a115142d49b85000075eb36f360b59a0501e2f352c9f1d767c447c6c44c53a3fb3699402a15a8017bdbd2edd72d8599fdd4772e9e7cb67f3086

Download Submit
memory/4740-0-0x00007FFF11ED3000-0x00007FFF11ED5000-memory.dmp

Filesize
8KB

Download
memory/4740-1-0x000001F8BA0C0000-0x000001F8BA2DA000-memory.dmp

Filesize
2.1MB

Download
memory/4740-2-0x00007FFF11ED0000-0x00007FFF12991000-memory.dmp

Filesize
10.8MB

Download
memory/4740-3-0x000001F8D5880000-0x000001F8D5A80000-memory.dmp

Filesize
2.0MB

Download
memory/4740-7-0x00007FFF11ED3000-0x00007FFF11ED5000-memory.dmp

Filesize
8KB

Download
memory/4740-8-0x00007FFF11ED0000-0x00007FFF12991000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads