Analysis Overview
SHA256
3d00468448abc115a138a0d7c0e39db72bf3c46ed086926e7b9f1854835676b6
Threat Level: Known bad
The file 7-zip.zip was found to be: Known bad.
Malicious Activity Summary
NetSupport
Event Triggered Execution: Component Object Model Hijacking
Checks installed software on the system
Drops file in Program Files directory
System Location Discovery: System Language Discovery
Unsigned PE
Enumerates physical storage devices
Program crash
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Modifies registry class
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-07 20:19
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-07 20:19
Reported
2024-10-07 20:22
Platform
win10-20240404-en
Max time kernel
133s
Max time network
135s
Command Line
Signatures
NetSupport
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7-zip\7-zip.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7-zip\7-zip.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7-zip\7-zip.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\7-zip\7-zip.exe
"C:\Users\Admin\AppData\Local\Temp\7-zip\7-zip.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | geo.netsupportsoftware.com | udp |
| DE | 212.224.107.150:443 | | tcp |
| US | 172.67.68.212:80 | geo.netsupportsoftware.com | tcp |
| US | 172.67.68.212:80 | geo.netsupportsoftware.com | tcp |
| US | 8.8.8.8:53 | 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa | udp |
| US | 8.8.8.8:53 | 212.68.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 150.107.224.212.in-addr.arpa | udp |
| US | 172.67.68.212:80 | geo.netsupportsoftware.com | tcp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 169.253.116.51.in-addr.arpa | udp |
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-10-07 20:19
Reported
2024-10-07 20:22
Platform
win10-20240404-en
Max time kernel
135s
Max time network
137s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4144 wrote to memory of 4644 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4144 wrote to memory of 4644 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4144 wrote to memory of 4644 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\7-zip\HTCTL32.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\7-zip\HTCTL32.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4644 -s 660
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 25.66.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.193.132.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-10-07 20:19
Reported
2024-10-07 20:22
Platform
win10-20240404-en
Max time kernel
133s
Max time network
135s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 3764 wrote to memory of 4748 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3764 wrote to memory of 4748 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3764 wrote to memory of 4748 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\7-zip\PCICL32.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\7-zip\PCICL32.dll,#1
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.193.132.51.in-addr.arpa | udp |
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-10-07 20:19
Reported
2024-10-07 20:22
Platform
win10-20240404-en
Max time kernel
133s
Max time network
137s
Command Line
Signatures
Processes
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\7-zip\client32.ini
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 138.91.171.81:80 | | tcp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 169.253.116.51.in-addr.arpa | udp |
Files
Analysis: behavioral14
Detonation Overview
Submitted
2024-10-07 20:19
Reported
2024-10-07 20:22
Platform
win10-20240404-en
Max time kernel
133s
Max time network
134s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 5080 wrote to memory of 1016 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 5080 wrote to memory of 1016 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 5080 wrote to memory of 1016 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\7-zip\pcicapi.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\7-zip\pcicapi.dll,#1
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 168.117.168.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-10-07 20:19
Reported
2024-10-07 20:22
Platform
win10-20240404-en
Max time kernel
133s
Max time network
136s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\7-zip\NSM.lic
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 169.253.116.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
Files
Analysis: behavioral12
Detonation Overview
Submitted
2024-10-07 20:19
Reported
2024-10-07 20:22
Platform
win10-20240404-en
Max time kernel
135s
Max time network
136s
Command Line
Signatures
Processes
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\7-zip\nskbfltr.inf
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.193.132.51.in-addr.arpa | udp |
Files
Analysis: behavioral13
Detonation Overview
Submitted
2024-10-07 20:19
Reported
2024-10-07 20:22
Platform
win10-20240404-en
Max time kernel
133s
Max time network
136s
Command Line
Signatures
Processes
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\7-zip\nsm_vpro.ini
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.193.132.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
Files
Analysis: behavioral15
Detonation Overview
Submitted
2024-10-07 20:19
Reported
2024-10-07 20:22
Platform
win10-20240404-en
Max time kernel
133s
Max time network
135s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7-zip\remcmdstub.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\7-zip\remcmdstub.exe
"C:\Users\Admin\AppData\Local\Temp\7-zip\remcmdstub.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | f.f.f.f.5.e.a.8.b.6.d.3.0.8.0.1.f.f.f.f.5.e.a.8.8.0.8.0.8.0.8.0.ip6.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.193.132.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-10-07 20:19
Reported
2024-10-07 20:22
Platform
win10-20240404-en
Max time kernel
133s
Max time network
136s
Command Line
Signatures
Event Triggered Execution: Component Object Model Hijacking
Checks installed software on the system
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Program Files\7-Zip\Lang\bg.txt | C:\Users\Admin\AppData\Local\Temp\7-zip\7z2408-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\io.txt | C:\Users\Admin\AppData\Local\Temp\7-zip\7z2408-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\mng2.txt | C:\Users\Admin\AppData\Local\Temp\7-zip\7z2408-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\tt.txt | C:\Users\Admin\AppData\Local\Temp\7-zip\7z2408-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\pl.txt | C:\Users\Admin\AppData\Local\Temp\7-zip\7z2408-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\sw.txt | C:\Users\Admin\AppData\Local\Temp\7-zip\7z2408-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\tk.txt | C:\Users\Admin\AppData\Local\Temp\7-zip\7z2408-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\tr.txt | C:\Users\Admin\AppData\Local\Temp\7-zip\7z2408-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\ga.txt | C:\Users\Admin\AppData\Local\Temp\7-zip\7z2408-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\hy.txt | C:\Users\Admin\AppData\Local\Temp\7-zip\7z2408-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\nn.txt | C:\Users\Admin\AppData\Local\Temp\7-zip\7z2408-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\hr.txt | C:\Users\Admin\AppData\Local\Temp\7-zip\7z2408-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\be.txt | C:\Users\Admin\AppData\Local\Temp\7-zip\7z2408-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\tg.txt | C:\Users\Admin\AppData\Local\Temp\7-zip\7z2408-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\bn.txt | C:\Users\Admin\AppData\Local\Temp\7-zip\7z2408-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\sk.txt | C:\Users\Admin\AppData\Local\Temp\7-zip\7z2408-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\zh-tw.txt | C:\Users\Admin\AppData\Local\Temp\7-zip\7z2408-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\History.txt | C:\Users\Admin\AppData\Local\Temp\7-zip\7z2408-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\br.txt | C:\Users\Admin\AppData\Local\Temp\7-zip\7z2408-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\ext.txt | C:\Users\Admin\AppData\Local\Temp\7-zip\7z2408-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\ja.txt | C:\Users\Admin\AppData\Local\Temp\7-zip\7z2408-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\gu.txt | C:\Users\Admin\AppData\Local\Temp\7-zip\7z2408-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\ms.txt | C:\Users\Admin\AppData\Local\Temp\7-zip\7z2408-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\License.txt | C:\Users\Admin\AppData\Local\Temp\7-zip\7z2408-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\et.txt | C:\Users\Admin\AppData\Local\Temp\7-zip\7z2408-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\mng.txt | C:\Users\Admin\AppData\Local\Temp\7-zip\7z2408-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\zh-cn.txt | C:\Users\Admin\AppData\Local\Temp\7-zip\7z2408-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\7-zip32.dll | C:\Users\Admin\AppData\Local\Temp\7-zip\7z2408-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\ar.txt | C:\Users\Admin\AppData\Local\Temp\7-zip\7z2408-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\el.txt | C:\Users\Admin\AppData\Local\Temp\7-zip\7z2408-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\lij.txt | C:\Users\Admin\AppData\Local\Temp\7-zip\7z2408-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\readme.txt | C:\Users\Admin\AppData\Local\Temp\7-zip\7z2408-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\uz.txt | C:\Users\Admin\AppData\Local\Temp\7-zip\7z2408-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\7zFM.exe | C:\Users\Admin\AppData\Local\Temp\7-zip\7z2408-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\an.txt | C:\Users\Admin\AppData\Local\Temp\7-zip\7z2408-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\kaa.txt | C:\Users\Admin\AppData\Local\Temp\7-zip\7z2408-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\sq.txt | C:\Users\Admin\AppData\Local\Temp\7-zip\7z2408-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\th.txt | C:\Users\Admin\AppData\Local\Temp\7-zip\7z2408-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\fur.txt | C:\Users\Admin\AppData\Local\Temp\7-zip\7z2408-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\he.txt | C:\Users\Admin\AppData\Local\Temp\7-zip\7z2408-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\kab.txt | C:\Users\Admin\AppData\Local\Temp\7-zip\7z2408-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\ne.txt | C:\Users\Admin\AppData\Local\Temp\7-zip\7z2408-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\si.txt | C:\Users\Admin\AppData\Local\Temp\7-zip\7z2408-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\fr.txt | C:\Users\Admin\AppData\Local\Temp\7-zip\7z2408-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\ky.txt | C:\Users\Admin\AppData\Local\Temp\7-zip\7z2408-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\nl.txt | C:\Users\Admin\AppData\Local\Temp\7-zip\7z2408-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\pt-br.txt | C:\Users\Admin\AppData\Local\Temp\7-zip\7z2408-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\de.txt | C:\Users\Admin\AppData\Local\Temp\7-zip\7z2408-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\hu.txt | C:\Users\Admin\AppData\Local\Temp\7-zip\7z2408-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\ka.txt | C:\Users\Admin\AppData\Local\Temp\7-zip\7z2408-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\7z.dll | C:\Users\Admin\AppData\Local\Temp\7-zip\7z2408-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\ro.txt | C:\Users\Admin\AppData\Local\Temp\7-zip\7z2408-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\7-zip.dll | C:\Users\Admin\AppData\Local\Temp\7-zip\7z2408-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\en.ttt | C:\Users\Admin\AppData\Local\Temp\7-zip\7z2408-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\kk.txt | C:\Users\Admin\AppData\Local\Temp\7-zip\7z2408-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\ast.txt | C:\Users\Admin\AppData\Local\Temp\7-zip\7z2408-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\az.txt | C:\Users\Admin\AppData\Local\Temp\7-zip\7z2408-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\sv.txt | C:\Users\Admin\AppData\Local\Temp\7-zip\7z2408-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\yo.txt | C:\Users\Admin\AppData\Local\Temp\7-zip\7z2408-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\ps.txt | C:\Users\Admin\AppData\Local\Temp\7-zip\7z2408-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\sl.txt | C:\Users\Admin\AppData\Local\Temp\7-zip\7z2408-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\7zG.exe | C:\Users\Admin\AppData\Local\Temp\7-zip\7z2408-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\fa.txt | C:\Users\Admin\AppData\Local\Temp\7-zip\7z2408-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\pt.txt | C:\Users\Admin\AppData\Local\Temp\7-zip\7z2408-x64.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7-zip\7z2408-x64.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\7-zip\7z2408-x64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\7-zip\7z2408-x64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip.dll" | C:\Users\Admin\AppData\Local\Temp\7-zip\7z2408-x64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}" | C:\Users\Admin\AppData\Local\Temp\7-zip\7z2408-x64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\ = "7-Zip Shell Extension" | C:\Users\Admin\AppData\Local\Temp\7-zip\7z2408-x64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000} | C:\Users\Admin\AppData\Local\Temp\7-zip\7z2408-x64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip | C:\Users\Admin\AppData\Local\Temp\7-zip\7z2408-x64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}" | C:\Users\Admin\AppData\Local\Temp\7-zip\7z2408-x64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip | C:\Users\Admin\AppData\Local\Temp\7-zip\7z2408-x64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}" | C:\Users\Admin\AppData\Local\Temp\7-zip\7z2408-x64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}" | C:\Users\Admin\AppData\Local\Temp\7-zip\7z2408-x64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip32.dll" | C:\Users\Admin\AppData\Local\Temp\7-zip\7z2408-x64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\7-zip\7z2408-x64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip | C:\Users\Admin\AppData\Local\Temp\7-zip\7z2408-x64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\7-Zip | C:\Users\Admin\AppData\Local\Temp\7-zip\7z2408-x64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip | C:\Users\Admin\AppData\Local\Temp\7-zip\7z2408-x64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000} | C:\Users\Admin\AppData\Local\Temp\7-zip\7z2408-x64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\7-zip\7z2408-x64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\ = "7-Zip Shell Extension" | C:\Users\Admin\AppData\Local\Temp\7-zip\7z2408-x64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}" | C:\Users\Admin\AppData\Local\Temp\7-zip\7z2408-x64.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\7-zip\7z2408-x64.exe
"C:\Users\Admin\AppData\Local\Temp\7-zip\7z2408-x64.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.193.132.51.in-addr.arpa | udp |
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-10-07 20:19
Reported
2024-10-07 20:22
Platform
win10-20240404-en
Max time kernel
133s
Max time network
135s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4520 wrote to memory of 68 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4520 wrote to memory of 68 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4520 wrote to memory of 68 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\7-zip\PCICHEK.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\7-zip\PCICHEK.dll,#1
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 168.117.168.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-10-07 20:19
Reported
2024-10-07 20:22
Platform
win10-20240404-en
Max time kernel
134s
Max time network
135s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4896 wrote to memory of 4416 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4896 wrote to memory of 4416 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4896 wrote to memory of 4416 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\7-zip\AudioCapture.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\7-zip\AudioCapture.dll,#1
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 6.173.189.20.in-addr.arpa | udp |
Files
Analysis: behavioral9
Detonation Overview
Submitted
2024-10-07 20:19
Reported
2024-10-07 20:22
Platform
win10-20240404-en
Max time kernel
133s
Max time network
137s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 600 wrote to memory of 1448 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 600 wrote to memory of 1448 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 600 wrote to memory of 1448 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\7-zip\TCCTL32.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\7-zip\TCCTL32.dll,#1
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 90.16.208.104.in-addr.arpa | udp |
Files
Analysis: behavioral11
Detonation Overview
Submitted
2024-10-07 20:19
Reported
2024-10-07 20:22
Platform
win10-20240404-en
Max time kernel
134s
Max time network
135s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2820 wrote to memory of 4320 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2820 wrote to memory of 4320 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2820 wrote to memory of 4320 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\7-zip\msvcr100.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\7-zip\msvcr100.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4320 -s 616
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 157.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 90.16.208.104.in-addr.arpa | udp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-07 20:19
Reported
2024-10-07 20:22
Platform
win10-20240404-en
Max time kernel
135s
Max time network
136s
Command Line
Signatures
Processes
C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\7-zip.zip
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 168.117.168.52.in-addr.arpa | udp |