Create Interactive Tour

Windows Analysis Report
7z.exe

Overview

General Information

Sample Name:	7z.exe
Analysis ID:	675499
MD5:	a51d90f2f9394f5ea0a3acae3bd2b219
SHA1:	20fea1314dbed552d5fedee096e2050369172ee1
SHA256:	ac9674feb8f2fad20c1e046de67f899419276ae79a60e8cc021a4bf472ae044f
Infos:

Detection

Score:	0
Range:	0 - 100
Whitelisted:	true
Confidence:	100%

Signatures

Uses 32bit PE files

Contains functionality to communicate with device drivers

Found large amount of non-executed APIs

Tries to load missing DLLs

Program does not show much activity (idle)

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Classification

Process Tree

System is w10x64native

7z.exe (PID: 420 cmdline: "C:\Users\user\Desktop\7z.exe" MD5: A51D90F2F9394F5EA0A3ACAE3BD2B219)

conhost.exe (PID: 428 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cleanup

Joe Sandbox Signatures

• Compliance
• Spreading
• System Summary
• Data Obfuscation
• Malware Analysis System Evasion
• Anti Debugging
• Language, Device and Operating System Detection

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: 7z.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: C:\Users\user\Desktop\7z.exe	Code function: 0_2_0040B5B4 FindFirstFileA,
Source: C:\Users\user\Desktop\7z.exe	Code function: 0_2_0040B658 FindFirstFileW,FindFirstFileW,FindFirstFileW,AreFileApisANSI,FindFirstFileA,
Source: C:\Users\user\Desktop\7z.exe	Code function: 0_2_0040BD93 FindFirstFileW,GetCurrentDirectoryW,

Source: 7z.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: C:\Users\user\Desktop\7z.exe

Code function: 0_2_0040C175: DeviceIoControl,DeviceIoControl,DeviceIoControl,DeviceIoControl,

Source: C:\Users\user\Desktop\7z.exe

Section loaded: edgegdi.dll

Source: C:\Users\user\Desktop\7z.exe	Code function: 0_2_0041D220
Source: C:\Users\user\Desktop\7z.exe	Code function: 0_2_0041D2FB
Source: C:\Users\user\Desktop\7z.exe	Code function: 0_2_004173C8
Source: C:\Users\user\Desktop\7z.exe	Code function: 0_2_00403AE2

Source: C:\Users\user\Desktop\7z.exe	Code function: String function: 00408005 appears 52 times
Source: C:\Users\user\Desktop\7z.exe	Code function: String function: 0041CD20 appears 284 times

Source: 7z.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\7z.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: 7z.exe

String found in binary or memory: Check charset encoding and -scs switch.Cannot find listfile*BLEDARVUANAXAIXIWOMPYTBDBA-HELPH?asut0-SCRCSSCSSWSLTSCCSCSSLPADSEMLAOSOSISFXPQRXYZW0123cannot find archivethere is no such archivestdout mode and email mode cannot be combinedCannot use absolute pathnames for this commanddata errorIncorrect mapping dataMapViewOfFile errorCan not open mappingIncorrect volume size

Source: classification engine

Classification label: clean4.winEXE@2/1@0/0

Source: unknown	Process created: C:\Users\user\Desktop\7z.exe "C:\Users\user\Desktop\7z.exe"
Source: C:\Users\user\Desktop\7z.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:428:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:428:304:WilStaging_02

Source: C:\Users\user\Desktop\7z.exe	Code function: 0_2_0041D090 push eax; ret
Source: C:\Users\user\Desktop\7z.exe	Code function: 0_2_0041CD20 push eax; ret

Source: C:\Users\user\Desktop\7z.exe

API coverage: 3.9 %

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\7z.exe

Code function: 0_2_0040CC5A GetSystemInfo,

Source: C:\Users\user\Desktop\7z.exe	Code function: 0_2_0040B5B4 FindFirstFileA,
Source: C:\Users\user\Desktop\7z.exe	Code function: 0_2_0040B658 FindFirstFileW,FindFirstFileW,FindFirstFileW,AreFileApisANSI,FindFirstFileA,
Source: C:\Users\user\Desktop\7z.exe	Code function: 0_2_0040BD93 FindFirstFileW,GetCurrentDirectoryW,

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\7z.exe

Code function: 0_2_0041C9D0 cpuid

Source: C:\Users\user\Desktop\7z.exe

Code function: 0_2_0040CD86 GetSystemTime,SystemTimeToFileTime,

Source: C:\Users\user\Desktop\7z.exe

Code function: 0_2_00406518 GetVersionExA,

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 Process Injection	1 Process Injection	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 File and Directory Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	14 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	2 Obfuscated Files or Information	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Link
7z.exe	0%	Virustotal	Browse
7z.exe	3%	Metadefender	Browse
7z.exe	0%	ReversingLabs

Source	Detection	Scanner	Label	Link
dual-a-0001.dc-msedge.net	0%	Virustotal		Browse

Name	IP	Active	Malicious	Antivirus Detection	Reputation
dual-a-0001.dc-msedge.net	13.107.22.200	true	false	0%, Virustotal, Browse	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox Version:	35.0.0 Citrine
Analysis ID:	675499
Start date and time: 29/07/202211:55:58	2022-07-29 11:55:58 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 3m 53s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	7z.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, IE 11, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
Number of analysed new started processes analysed:	4
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	CLEAN
Classification:	clean4.winEXE@2/1@0/0
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 100% (good quality ratio 84.3%) Quality average: 78.3% Quality standard deviation: 36.4%
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe Adjust boot time Enable AMSI Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 40.117.96.136, 51.124.57.242, 13.107.5.88
Excluded domains from analysis (whitelisted): www.bing.com, evoke-windowsservices-tas-msedge-net.e-0009.e-msedge.net, slscr.update.microsoft.com, e-0009.e-msedge.net, www-www.bing.com.trafficmanager.net, wd-prod-cp.trafficmanager.net, fe3cr.delivery.mp.microsoft.com, wdcpalt.microsoft.com, apimgmttmr17ij3jt5dneg64srod9jevcuajxaoube4brtu9cq.trafficmanager.net, evoke-windowsservices-tas.msedge.net, apimgmthszbjimgeglorvthkncixvpso9vnynvh3ehmsdll33a.cloudapp.net, nexusrules.officeapps.live.com, manage.devcenter.microsoft.com, wd-prod-cp-eu-west-3-fe.westeurope.cloudapp.azure.com
Not all processes where analyzed, report is missing behavior information

Process:	C:\Users\user\Desktop\7z.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1383
Entropy (8bit):	5.050436468248732
Encrypted:	false
SSDEEP:	24:poXCNMJvKd5iwgyQMUgC8YOc+U5A77eJfTV5GaFSsr1ELfiGQpD:kLVKd5jgyF9C8YOcECJfxzgsJ9GQpD
MD5:	8B3851F968A3B970A1FCCA2DEFE39C68
SHA1:	2768D34EAF234A2F929C8F53F252B6E264D23A7D
SHA-256:	71F589482703E5A0DC9B013354638D8545A12F1C1D55BFE30BFC0C5642606CB3
SHA-512:	AD1466CE7BD697C05697CBDED070E864936A60847584DB969B07E649A7E0B871CD590F6E0F57A85BED1659FB1525386D6E882294CC05694A695A7AE3BE43470C
Malicious:	false
Reputation:	low
Preview:	..7-Zip 9.20 Copyright (c) 1999-2010 Igor Pavlov 2010-11-18....Usage: 7z <command> [<switches>...] <archive_name> [<file_names>...].. [<@listfiles...>]....<Commands>.. a: Add files to archive.. b: Benchmark.. d: Delete files from archive.. e: Extract files from archive (without using directory names).. l: List contents of archive.. t: Test integrity of archive.. u: Update files to archive.. x: eXtract files with full paths..<Switches>.. -ai[r[-\|0]]{@listfile\|!wildcard}: Include archives.. -ax[r[-\|0]]{@listfile\|!wildcard}: eXclude archives.. -bd: Disable percentage indicator.. -i[r[-\|0]]{@listfile\|!wildcard}: Include filenames.. -m{Parameters}: set compression Method.. -o{Directory}: set Output directory.. -p{Password}: set Password.. -r[-\|0]: Recurse subdirectories.. -scs{UTF-8 \| WIN \| DOS}: set charset for list files.. -sfx[{name}]: Create SFX archive.. -si[{name}]: read data from stdin.. -slt: show technical information for l (List) command.. -so: write d

Static File Info

General

File type:	PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit):	6.286113879761566
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	7z.exe
File size:	163840
MD5:	a51d90f2f9394f5ea0a3acae3bd2b219
SHA1:	20fea1314dbed552d5fedee096e2050369172ee1
SHA256:	ac9674feb8f2fad20c1e046de67f899419276ae79a60e8cc021a4bf472ae044f
SHA512:	c11f981136db7d9bde01046b1953fd924ff29447d41257da09dd762451e27390cea9b69e43206a8fff825ebcd4ddec5a6247bb502aefbd6e8285622caa985bf6
SSDEEP:	3072:6nkCMZlG+fHlDum7uVouWEHR92dZH5TTY8A7GyH367uPlDKw:6kCMndv8WiYZH5A8sGw367Y+
TLSH:	E6F36C3139F4C577D2230530CEE86BF5E0F6DA650E2248A733C94B2D6A79995C329E2D
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........................................................................5.............................a.....T.......Rich...........

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General

Entrypoint:	0x41d0cc
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x4CE54F63 [Thu Nov 18 16:08:03 2010 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	709c92fb1b0d51e4048409976b042040

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push FFFFFFFFh
push 00420E18h
push 0041D0C6h
mov eax, dword ptr fs:[00000000h]
push eax
mov dword ptr fs:[00000000h], esp
sub esp, 20h
push ebx
push esi
push edi
mov dword ptr [ebp-18h], esp
and dword ptr [ebp-04h], 00000000h
push 00000001h
call dword ptr [00420168h]
pop ecx
or dword ptr [0042B6A4h], FFFFFFFFh
or dword ptr [0042B6A8h], FFFFFFFFh
call dword ptr [0042016Ch]
mov ecx, dword ptr [00429694h]
mov dword ptr [eax], ecx
call dword ptr [00420170h]
mov ecx, dword ptr [00429690h]
mov dword ptr [eax], ecx
mov eax, dword ptr [00420174h]
mov eax, dword ptr [eax]
mov dword ptr [0042B6A0h], eax
call 00007F91ECEE6E0Ah
cmp dword ptr [00429420h], 00000000h
jne 00007F91ECEE6D3Eh
push 0041D20Ch
call dword ptr [00420178h]
pop ecx
call 00007F91ECEE6DDBh
push 00427034h
push 00427030h
call 00007F91ECEE6DC6h
mov eax, dword ptr [0042968Ch]
mov dword ptr [ebp-28h], eax
lea eax, dword ptr [ebp-28h]
push eax
push dword ptr [00429688h]
lea eax, dword ptr [ebp-20h]
push eax
lea eax, dword ptr [ebp-2Ch]
push eax
lea eax, dword ptr [ebp-1Ch]
push eax
call dword ptr [00420180h]
push 0042702Ch
push 00427000h
call 00007F91ECEE6D93h

Rich Headers

Programming Language:

[C++] VS98 (6.0) SP6 build 8804
[ C ] VS98 (6.0) SP6 build 8804
[ASM] VS2008 SP1 build 30729
[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x25588	0x78	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x2c000	0x310	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x20000	0x230	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x1ef0a	0x1f000	False	0.5815508442540323	data	6.527562764155281	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x20000	0x60cc	0x6200	False	0.29233099489795916	data	4.037284112815215	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x27000	0x46ac	0x2600	False	0.39535361842105265	data	4.360042331515286	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x2c000	0x310	0x400	False	0.3701171875	data	2.622586249566649	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x2c060	0x2ac	data	English	United States

Imports

DLL	Import
OLEAUT32.dll	SysAllocString, VariantClear, VariantCopy, SysStringByteLen, SysFreeString
USER32.dll	CharUpperW, CharPrevA, CharUpperA, CharNextA
ADVAPI32.dll	RegQueryValueExA, RegCloseKey, RegOpenKeyExA
MSVCRT.dll	_controlfp, __set_app_type, __p__fmode, __p__commode, _adjust_fdiv, __setusermatherr, _initterm, __getmainargs, __p___initenv, exit, _XcptFilter, _exit, ?terminate@@YAXXZ, _onexit, __dllonexit, ??1type_info@@UAE@XZ, _except_handler3, _beginthreadex, memset, wcsncmp, wcslen, memcpy, fputc, fflush, fgetc, fclose, _iob, free, malloc, memmove, memcmp, fprintf, strlen, fputs, _purecall, __CxxFrameHandler, _CxxThrowException, _isatty, _fileno
KERNEL32.dll	VirtualAlloc, GetTickCount, VirtualFree, WaitForSingleObject, SetEvent, InitializeCriticalSection, MapViewOfFile, GetProcessTimes, UnmapViewOfFile, OpenEventA, GetSystemTime, SystemTimeToFileTime, FileTimeToDosDateTime, GetModuleHandleA, GlobalMemoryStatus, GetSystemInfo, FileTimeToSystemTime, CompareFileTime, GetProcAddress, GetCurrentProcess, SetEndOfFile, WriteFile, ReadFile, DeviceIoControl, SetFilePointer, GetFileSize, CreateFileA, FindNextFileW, FindNextFileA, FindFirstFileW, FindFirstFileA, FindClose, GetTempFileNameW, GetTempFileNameA, GetTempPathW, GetTempPathA, SearchPathW, SearchPathA, GetCurrentDirectoryW, SetCurrentDirectoryW, SetConsoleCtrlHandler, FileTimeToLocalFileTime, GetCommandLineW, SetFileApisToOEM, GetVersionExA, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, GetConsoleMode, SetConsoleMode, GetStdHandle, MultiByteToWideChar, WideCharToMultiByte, GetLastError, FreeLibrary, LoadLibraryExA, LoadLibraryA, AreFileApisANSI, SetCurrentDirectoryA, GetModuleFileNameA, LocalFree, FormatMessageA, FormatMessageW, GetWindowsDirectoryA, GetWindowsDirectoryW, CloseHandle, SetFileTime, CreateFileW, SetLastError, SetFileAttributesA, RemoveDirectoryA, MoveFileA, SetFileAttributesW, RemoveDirectoryW, MoveFileW, CreateDirectoryA, CreateDirectoryW, DeleteFileA, DeleteFileW, lstrlenA, GetFullPathNameA, GetFullPathNameW, GetCurrentDirectoryA, OpenFileMappingA

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

• 7z.exe
• conhost.exe

Click to jump to process

Target ID:	0
Start time:	11:58:00
Start date:	29/07/2022
Path:	C:\Users\user\Desktop\7z.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\7z.exe"
Imagebase:	0x400000
File size:	163840 bytes
MD5 hash:	A51D90F2F9394F5EA0A3ACAE3BD2B219
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

Target ID:	1
Start time:	11:58:01
Start date:	29/07/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7522f0000
File size:	875008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

File Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Disassembly

⊘No disassembly

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 7z.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Compliance

Spreading

System Summary

Data Obfuscation

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

\Device\ConDrv

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Statistics

Behavior

System Behavior

Analysis Process: 7z.exePID: 420, Parent PID: 6500

General

File Activities

File Created

File Written

Analysis Process: conhost.exePID: 428, Parent PID: 420

General

File Activities

File Read

Disassembly

Windows Analysis Report
7z.exe