17a507cce4066c4be7db53d64d9a9e11dfecfd4f2411393690506e591b5895cd

Analysis

max time kernel
120s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
30-10-2024 23:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7z2401-x64.exe
Size

1.5MB
MD5

de644b4e1086f1315c422f359133543b
SHA1

54be86d121879b0e5d86604297c57a926d665fa8
SHA256

17a507cce4066c4be7db53d64d9a9e11dfecfd4f2411393690506e591b5895cd
SHA512

714d41254352d91834a4b648d613e9b4452b93b097b5781ec5bf3ec7c310a489d3a1c409b2f0a6946822b96f6943b579910d26a5f4324b320d485e856dbdcb1a
SSDEEP

49152:8yEuRNRgYQYk6tC0tkaNuiXatTQY7quUncuTVyvn65:8yEoL7tCzlqLcuBz5

Score

7^/10

discovery persistence privilege_escalation spyware stealer

Malware Config

Signatures

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 1 IoCs

pid	Process
4372	7zFM.exe

Loads dropped DLL 1 IoCs

pid	Process
3540	Process not Found

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\Lang\es.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ro.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.chm	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tg.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tk.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\co.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fa.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pl.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tt.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cs.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ms.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kab.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uz-cyrl.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ext.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lt.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ru.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sa.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ug.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\zh-tw.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eo.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hu.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kaa.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mr.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ps.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\af.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gl.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sq.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spl.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\History.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\he.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ar.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\7-zip32.dll	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.dll	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\el.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\is.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng2.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\License.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bg.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pt-br.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\readme.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\az.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\vi.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\io.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sw.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\va.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ne.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\en.ttt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mn.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sl.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\br.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\th.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ga.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gu.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\da.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\et.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ky.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nl.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\7zCon.sfx	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\descript.ion	7z2401-x64.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7z2401-x64.exe

Modifies registry class 20 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2401-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip	7z2401-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32	7z2401-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip	7z2401-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip	7z2401-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2401-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\7-Zip	7z2401-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2401-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2401-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}	7z2401-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip.dll"	7z2401-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment"	7z2401-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\ = "7-Zip Shell Extension"	7z2401-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment"	7z2401-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}	7z2401-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\ = "7-Zip Shell Extension"	7z2401-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip	7z2401-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2401-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip32.dll"	7z2401-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32	7z2401-x64.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4372	7zFM.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeRestorePrivilege	4372	7zFM.exe
Token: 35	4372	7zFM.exe

C:\Users\Admin\AppData\Local\Temp\7z2401-x64.exe
"C:\Users\Admin\AppData\Local\Temp\7z2401-x64.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4084

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:4372

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5060

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
PID:2932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7-zip.dll

Filesize
99KB

MD5
0bb139023eb3e17dedf9780a66e99a1a

SHA1
da841883ee156ffb2c1718e6aa20d30d4d578691

SHA256
0cdacb5eb70ca2b16ab333ee870983750103865fedb167c9d6068019b8197a4f

SHA512
ff9c15ac88bb233d9dd1dfb66a0dd9df5d87e7ae0ca282a6223fcd2ee69896056f330d9af6a4a7f913f9ed97b5bf77e8adfaa43270a7e39eaa91d039cb8f445d

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
929KB

MD5
6156ebaea891ddbfcb1187f628ec7577

SHA1
778fd5d5dec21f95c5aa554567e06da8295b9a47

SHA256
4853947e14bf30ab40702c34f80fb113c45619a73f89a938f2284c786e35c9fe

SHA512
ed166095ceb46ff77e1081263aea03cb97b5d244a7e4060b6b37c847fd496a7e577f297846414ff130e01484f44f9da2566e2572c6cd69e9b419c311799a511a

Download Submit