12ef1c8127ec3465520e4cfd23605b708d81a5a2cf37ba124f018e5c094de0d9

General

Target

7z2405-x64.exe
Size

1.5MB
MD5

c73433dd532d445d099385865f62148b
SHA1

4723c45f297cc8075eac69d2ef94e7e131d3a734
SHA256

12ef1c8127ec3465520e4cfd23605b708d81a5a2cf37ba124f018e5c094de0d9
SHA512

1211c8b67652664d6f66e248856b95ca557d4fdb4ea90d30df68208055d4c94fea0d158e7e6a965eae5915312dee33f62db882bb173faec5332a17bd2fb59447
SSDEEP

49152:ZEVAbJqaITViU3qLkr7toP9KT+uv6WC+5uxe1o58:ZEVcqeUaki9oBqt+

Score

7^/10

discovery persistence privilege_escalation

Malware Config

Signatures

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015
Executes dropped EXE 3 IoCs

Processes:

7zFM.exe7zG.exe7z.exe

pid process

2020 7zFM.exe
4404 7zG.exe
2176 7z.exe
Loads dropped DLL 1 IoCs

Processes:

pid process

3432
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
2020	7zFM.exe
4404	7zG.exe
2176	7z.exe

pid	process
3432

Drops file in Program Files directory 64 IoCs

Processes:

7z2405-x64.exe

description	ioc	process
File opened for modification	C:\Program Files\7-Zip\Lang\ca.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\7-zip32.dll	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uk.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\zh-cn.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.dll	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\is.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ro.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\readme.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\en.ttt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eu.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ko.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mk.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\descript.ion	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ms.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\7z.dll	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ug.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sk.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spl.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\da.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sl.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ky.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\id.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uz.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ne.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.chm	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hr.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hu.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hy.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng2.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\vi.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ru.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sa.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\si.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spc.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\va.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tg.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bn.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\co.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cs.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ga.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pt-br.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\af.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lv.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nl.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ps.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\et.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pl.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\de.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fr.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nb.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gu.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ka.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\zh-tw.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\7zCon.sfx	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kk.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ar.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hi.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\io.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\it.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mn.txt	7z2405-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sq.txt	7z2405-x64.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

7z2405-x64.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7z2405-x64.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7z2405-x64.exe

Modifies registry class 20 IoCs

Processes:

7z2405-x64.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment"	7z2405-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2405-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2405-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip	7z2405-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32	7z2405-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip32.dll"	7z2405-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\ = "7-Zip Shell Extension"	7z2405-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip	7z2405-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip	7z2405-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\7-Zip	7z2405-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2405-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}	7z2405-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\ = "7-Zip Shell Extension"	7z2405-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}	7z2405-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip.dll"	7z2405-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment"	7z2405-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2405-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32	7z2405-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip	7z2405-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2405-x64.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

7zFM.exe

description pid process

Token: SeRestorePrivilege 2020 7zFM.exe
Token: 35 2020 7zFM.exe

description	pid	process
Token: SeRestorePrivilege	2020	7zFM.exe
Token: 35	2020	7zFM.exe

C:\Users\Admin\AppData\Local\Temp\7z2405-x64.exe
"C:\Users\Admin\AppData\Local\Temp\7z2405-x64.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:552

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2148

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2020

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe"
1⤵
- Executes dropped EXE
PID:4404

C:\Program Files\7-Zip\7z.exe
"C:\Program Files\7-Zip\7z.exe"
1⤵
- Executes dropped EXE
PID:2176

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Event Triggered Execution

1

T1546

Component Object Model Hijacking

1

T1546.015

Privilege Escalation

Event Triggered Execution

1

T1546

Component Object Model Hijacking

1

T1546.015

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7-zip.dll
Filesize
99KB

MD5
3428b9967f63c00213d6dbdb27973996

SHA1
1cf56abc2e0b71f5a927ea230c8cca073d20fc97

SHA256
56008756553ea5876fb8aad98f6f5dbca1ba14c5e53f4fa9ec318e355e146a7e

SHA512
b876b39d030818ce7879eb9bb5ff4375712cf145b7457a815880bf010215bd9dcde539e7d0877c56558e0d23a310bc75bfb9d315f9966cbda4ae02a7821980cc

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
548KB

MD5
e1e36ca1443a94afda63fff08db41d9e

SHA1
e003b8b4ad6b024c808f422b8e09257811c55ec5

SHA256
fcdf41ab5a749e82575d36365bf11e8ce9b52d05c9058cd3589c8c2c8c4f59f5

SHA512
99df04b41492108af134ab67964584e07549a1ed32329815e1f9814e5cbaf6c3ee72b3d9fd17b30347d8e22009b489f7329ed48e25422cdaf1a3775515435b6a

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
960KB

MD5
b161d842906239bf2f32ad158bea57f1

SHA1
4a125d6cbeae9658e862c637aba8f8b9f3bf5cf7

SHA256
3345c48505e0906f1352499ba7cbd439ac0c509a33f04c7d678e2c960c8b9f03

SHA512
0d14c75c8e80af8246ddf122052190f5ffb1f81ffd5b752990747b7efcb566b49842219d9b26df9dbe267c9a3876d7b60158c9f08d295d0926b60dbbebc1fa3c

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
691KB

MD5
ebff295ea5bb139eb04c699e1a52c286

SHA1
4d71053397304ab545f246ed6676d5927691b833

SHA256
835d114678b311e938ee235519be252b38f14f2c5117d3ee3b905f09f0615f94

SHA512
4320277436d737efb3ea04515a52ec86102a02f840b2f16d8f27673244124e149f01eee15870448710ec015c103a83f8bbf491f9928dbc1bc1b55236da8473b9

Download Submit

Analysis

Sharing