1b3633e0fd0f901b02fde168de254856a37db602c25d3646bfb42db8ecbf6d8c

Analysis

max time kernel
26s
max time network
17s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
11/10/2024, 19:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7max2401.exe
Size

151KB
MD5

3bc337b701c2c04f08a5ade9e3ef101c
SHA1

6c21089c118ed85d0fa727721ceb137e90c3ab3d
SHA256

1b3633e0fd0f901b02fde168de254856a37db602c25d3646bfb42db8ecbf6d8c
SHA512

f2453a7a1bee84ceb1ec7d22e7536ad3100cb22315dd39a5c661b8f4ead9263a4aaa9096e084149a068021082e84e8f2cb7bc7ba981e4764c61241c7a07fa07d
SSDEEP

3072:l+AQEcui7mktgTlkZN4gCrOfAXQxIUxCZUM2OULELIWZ:lZQEsiJqZ2gCqTINOnLRWZ

Score

7^/10

discovery persistence privilege_escalation

Malware Config

Signatures

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Loads dropped DLL 1 IoCs

pid	Process
1164	7max2401.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 26 IoCs

description	ioc	Process
File created	C:\Program Files\7-max\7max.chm	7max2401.exe
File created	C:\Program Files\7-max\History.txt	7max2401.exe
File opened for modification	C:\Program Files\7-max\readme.txt	7max2401.exe
File opened for modification	C:\Program Files\7-max\7max32.dll	7max2401.exe
File opened for modification	C:\Program Files\7-max\7maxc.exe	7max2401.exe
File created	C:\Program Files\7-max\7maxc.exe	7max2401.exe
File opened for modification	C:\Program Files\7-max\7maxs.dll	7max2401.exe
File opened for modification	C:\Program Files\7-max\7max.chm	7max2401.exe
File opened for modification	C:\Program Files\7-max\License.txt	7max2401.exe
File created	C:\Program Files\7-max\readme.txt	7max2401.exe
File opened for modification	C:\Program Files\7-max\7max.exe	7max2401.exe
File created	C:\Program Files\7-max\7max32.exe	7max2401.exe
File opened for modification	C:\Program Files\7-max\7maxc32.exe	7max2401.exe
File created	C:\Program Files\7-max\7maxs.dll	7max2401.exe
File opened for modification	C:\Program Files\7-max\7maxs32.dll	7max2401.exe
File opened for modification	C:\Program Files\7-max\History.txt	7max2401.exe
File created	C:\Program Files\7-max\7max32.dll	7max2401.exe
File opened for modification	C:\Program Files\7-max\7max32.exe	7max2401.exe
File created	C:\Program Files\7-max\7maxc32.exe	7max2401.exe
File opened for modification	C:\Program Files\7-max\Uninstall.exe	7max2401.exe
File created	C:\Program Files\7-max\Uninstall.exe	7max2401.exe
File created	C:\Program Files\7-max\7max.exe	7max2401.exe
File opened for modification	C:\Program Files\7-max\7max.dll	7max2401.exe
File created	C:\Program Files\7-max\7max.dll	7max2401.exe
File created	C:\Program Files\7-max\7maxs32.dll	7max2401.exe
File created	C:\Program Files\7-max\License.txt	7max2401.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7max2401.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language	csrss.exe

Enumerates system info in registry 2 TTPs 32 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2	csrss.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	csrss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Configuration Data	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Component Information	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1	csrss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Identifier	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Component Information	csrss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Identifier	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Component Information	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral	csrss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Identifier	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Configuration Data	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Identifier	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Identifier	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Configuration Data	csrss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Configuration Data	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Component Information	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Component Information	csrss.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\1\KeyboardController	csrss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Configuration Data	csrss.exe

Modifies data under HKEY_USERS 9 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\ColorName = "NormalColor"	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\SizeName = "NormalSize"	winlogon.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MuiCached\MachinePreferredUILanguages = 65006e002d00550053000000	winlogon.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\ThemeActive = "1"	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\LastUserLangID = "1033"	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\LastLoadedDPI = "96"	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\DllName = "%SystemRoot%\\resources\\themes\\Aero\\Aero.msstyles"	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\LoadedBefore = "1"	winlogon.exe

Modifies registry class 12 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{23170F69-40C2-278A-1000-000100020000}	7max2401.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{23170F69-40C2-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-max\\7maxs32.dll"	7max2401.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C2-278A-1000-000100020000}	7max2401.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C2-278A-1000-000100020000}\ = "7-max Shell Extension"	7max2401.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C2-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-max\\7maxs.dll"	7max2401.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{23170F69-40C2-278A-1000-000100020000}\ = "7-max Shell Extension"	7max2401.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{23170F69-40C2-278A-1000-000100020000}\InprocServer32	7max2401.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{23170F69-40C2-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment"	7max2401.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C2-278A-1000-000100020000}\InprocServer32	7max2401.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C2-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment"	7max2401.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-max	7max2401.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-max\ = "{23170F69-40C2-278A-1000-000100020000}"	7max2401.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1164	7max2401.exe
Token: SeShutdownPrivilege	2248	LogonUI.exe
Token: SeShutdownPrivilege	2248	LogonUI.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 1968 wrote to memory of 2248	1968	csrss.exe	33
PID 1968 wrote to memory of 2248	1968	csrss.exe	33
PID 440 wrote to memory of 2248	440	winlogon.exe	33
PID 440 wrote to memory of 2248	440	winlogon.exe	33
PID 440 wrote to memory of 2248	440	winlogon.exe	33
PID 1968 wrote to memory of 2248	1968	csrss.exe	33
PID 1968 wrote to memory of 2248	1968	csrss.exe	33
PID 1968 wrote to memory of 2248	1968	csrss.exe	33
PID 1968 wrote to memory of 2248	1968	csrss.exe	33
PID 1968 wrote to memory of 2248	1968	csrss.exe	33
PID 1968 wrote to memory of 2248	1968	csrss.exe	33
PID 1968 wrote to memory of 2248	1968	csrss.exe	33
PID 1968 wrote to memory of 2248	1968	csrss.exe	33

C:\Users\Admin\AppData\Local\Temp\7max2401.exe
"C:\Users\Admin\AppData\Local\Temp\7max2401.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1164

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:2724

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:1968

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:440
- C:\Windows\system32\LogonUI.exe
  "LogonUI.exe" /flags:0x0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Program Files\7-max\7max.exe

Filesize
57KB

MD5
12488970b6c92a18557a92b4ad0a85e0

SHA1
418d92ec03a8fa1f11aa207fe0c8a05aa5cfe0ea

SHA256
e62697aa50664602e6ce5f9a27cea496a5fdf39e1bf7bd62a8a005e9b2759a5f

SHA512
a3bbfe8ee14e9b7b3e7fe9d7d1b21454d9b6ab924f85eff3170a13768477f2c130278ede9a374ab6101ae127f1ee349ebcc3e2e163a4cda50e99d85bb7463bf5

Download Submit
memory/2248-31-0x0000000002B30000-0x0000000002B31000-memory.dmp

Filesize
4KB

Download
memory/2248-32-0x0000000002B30000-0x0000000002B31000-memory.dmp

Filesize
4KB

Download
memory/2724-30-0x0000000002E10000-0x0000000002E11000-memory.dmp

Filesize
4KB

Download