
Windows Analysis Report
7z.exe

Overview

General Information

Sample Name:7z.exe
Analysis ID:675499
MD5:a51d90f2f9394f5ea0a3acae3bd2b219
SHA1:20fea1314dbed552d5fedee096e2050369172ee1
SHA256:ac9674feb8f2fad20c1e046de67f899419276ae79a60e8cc021a4bf472ae044f
Infos:

Detection

Score:0
Range:0 - 100
Whitelisted:true
Confidence:100%

Signatures

Uses 32bit PE files
Contains functionality to communicate with device drivers
Found large amount of non-executed APIs
Tries to load missing DLLs
Program does not show much activity (idle)
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions

Classification

  • System is w10x64native
  • 7z.exe (PID: 420 cmdline: "C:\Users\user\Desktop\7z.exe" MD5: A51D90F2F9394F5EA0A3ACAE3BD2B219)
    • conhost.exe (PID: 428 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched

There are no malicious signatures. All signature results:

Source: 7z.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\7z.exe | Code function: 0_2_0040B5B4 FindFirstFileA,
Source: C:\Users\user\Desktop\7z.exe | Code function: 0_2_0040B658 FindFirstFileW,FindFirstFileW,FindFirstFileW,AreFileApisANSI,FindFirstFileA,
Source: C:\Users\user\Desktop\7z.exe | Code function: 0_2_0040BD93 FindFirstFileW,GetCurrentDirectoryW,
Source: C:\Users\user\Desktop\7z.exe | Code function: 0_2_0040C175: DeviceIoControl,DeviceIoControl,DeviceIoControl,DeviceIoControl,
Source: C:\Users\user\Desktop\7z.exe | Section loaded: edgegdi.dll
Source: C:\Users\user\Desktop\7z.exe | Code function: 0_2_0041D220
Source: C:\Users\user\Desktop\7z.exe | Code function: 0_2_0041D2FB
Source: C:\Users\user\Desktop\7z.exe | Code function: 0_2_004173C8
Source: C:\Users\user\Desktop\7z.exe | Code function: 0_2_00403AE2
Source: C:\Users\user\Desktop\7z.exe | Code function: String function: 00408005 appears 52 times
Source: C:\Users\user\Desktop\7z.exe | Code function: String function: 0041CD20 appears 284 times
Source: 7z.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\7z.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 7z.exe | String found in binary or memory: Check charset encoding and -scs switch.Cannot find listfile*BLEDARVUANAXAIXIWOMPYTBDBA-HELPH?asut0-SCRCSSCSSWSLTSCCSCSSLPADSEMLAOSOSISFXPQRXYZW0123cannot find archivethere is no such archivestdout mode and email mode cannot be combinedCannot use absolute pathnames for this commanddata errorIncorrect mapping dataMapViewOfFile errorCan not open mappingIncorrect volume size
Source: classification engine | Classification label: clean4.winEXE@2/1@0/0
Source: unknown | Process created: C:\Users\user\Desktop\7z.exe "C:\Users\user\Desktop\7z.exe"
Source: C:\Users\user\Desktop\7z.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:428:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:428:304:WilStaging_02
Source: C:\Users\user\Desktop\7z.exe | Code function: 0_2_0041D090 push eax; ret
Source: C:\Users\user\Desktop\7z.exe | Code function: 0_2_0041CD20 push eax; ret
Source: C:\Users\user\Desktop\7z.exe | API coverage: 3.9 %
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\7z.exe | Code function: 0_2_0040CC5A GetSystemInfo,
Source: C:\Users\user\Desktop\7z.exe | Code function: 0_2_0041C9D0 cpuid
Source: C:\Users\user\Desktop\7z.exe | Code function: 0_2_0040CD86 GetSystemTime,SystemTimeToFileTime,
Source: C:\Users\user\Desktop\7z.exe | Code function: 0_2_00406518 GetVersionExA,
ATT&CK matrix by tactic (number in parentheses = count of matched signatures; techniques without a count had no match):
  • Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts
  • Execution: Command and Scripting Interpreter (2), Scheduled Task/Job, At (Linux), At (Windows)
  • Persistence: DLL Side-Loading (1), Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac)
  • Privilege Escalation: Process Injection (1), DLL Side-Loading (1), Logon Script (Windows), Logon Script (Mac)
  • Defense Evasion: Process Injection (1), Deobfuscate/Decode Files or Information (1), DLL Side-Loading (1), Obfuscated Files or Information (2)
  • Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS
  • Discovery: System Time Discovery (1), File and Directory Discovery (1), System Information Discovery (14), System Network Configuration Discovery
  • Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model
  • Collection: Archive Collected Data (1), Data from Removable Media, Data from Network Shared Drive, Input Capture
  • Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer
  • Command and Control: Encrypted Channel (1), Junk Data, Steganography, Protocol Impersonation
  • Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap
  • Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups, Carrier Billing Fraud
  • Impact: Modify System Partition, Device Lockout, Delete Device Data
Behavior Graph (ID: 675499, Sample: 7z.exe, Startdate: 29/07/2022, Architecture: WINDOWS, Score: 0): 7z.exe started, which in turn started conhost.exe.

Antivirus scan of 7z.exe (Scanner: Detection):
  • Virustotal: 0%
  • Metadefender: 3%
  • ReversingLabs: 0%
No Antivirus matches
Antivirus scan of contacted domains (Scanner: Detection):
  • dual-a-0001.dc-msedge.net (Virustotal): 0%
Contacted domains (Name / IP / Active / Malicious / Antivirus Detection / Reputation):
  • dual-a-0001.dc-msedge.net / 13.107.22.200 / true / false / none / unknown
No contacted IP infos
Joe Sandbox Version:35.0.0 Citrine
Analysis ID:675499
Start date and time:2022-07-29 11:55:58 +02:00
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 3m 53s
Hypervisor based Inspection enabled:false
Report type:light
Sample file name:7z.exe
Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, IE 11, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301)
Number of new started processes analysed:4
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Detection:CLEAN
Classification:clean4.winEXE@2/1@0/0
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 100% (good quality ratio 84.3%)
  • Quality average: 78.3%
  • Quality standard deviation: 36.4%
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Adjust boot time
  • Enable AMSI
  • Stop behavior analysis, all processes terminated
  • Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe
  • Excluded IPs from analysis (whitelisted): 40.117.96.136, 51.124.57.242, 13.107.5.88
  • Excluded domains from analysis (whitelisted): www.bing.com, evoke-windowsservices-tas-msedge-net.e-0009.e-msedge.net, slscr.update.microsoft.com, e-0009.e-msedge.net, www-www.bing.com.trafficmanager.net, wd-prod-cp.trafficmanager.net, fe3cr.delivery.mp.microsoft.com, wdcpalt.microsoft.com, apimgmttmr17ij3jt5dneg64srod9jevcuajxaoube4brtu9cq.trafficmanager.net, evoke-windowsservices-tas.msedge.net, apimgmthszbjimgeglorvthkncixvpso9vnynvh3ehmsdll33a.cloudapp.net, nexusrules.officeapps.live.com, manage.devcenter.microsoft.com, wd-prod-cp-eu-west-3-fe.westeurope.cloudapp.azure.com
  • Not all processes were analyzed, report is missing behavior information
No simulations
No context
Process:C:\Users\user\Desktop\7z.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1383
Entropy (8bit):5.050436468248732
Encrypted:false
SSDEEP:24:poXCNMJvKd5iwgyQMUgC8YOc+U5A77eJfTV5GaFSsr1ELfiGQpD:kLVKd5jgyF9C8YOcECJfxzgsJ9GQpD
MD5:8B3851F968A3B970A1FCCA2DEFE39C68
SHA1:2768D34EAF234A2F929C8F53F252B6E264D23A7D
SHA-256:71F589482703E5A0DC9B013354638D8545A12F1C1D55BFE30BFC0C5642606CB3
SHA-512:AD1466CE7BD697C05697CBDED070E864936A60847584DB969B07E649A7E0B871CD590F6E0F57A85BED1659FB1525386D6E882294CC05694A695A7AE3BE43470C
Malicious:false
Reputation:low
Preview:..7-Zip 9.20 Copyright (c) 1999-2010 Igor Pavlov 2010-11-18....Usage: 7z <command> [<switches>...] <archive_name> [<file_names>...].. [<@listfiles...>]....<Commands>.. a: Add files to archive.. b: Benchmark.. d: Delete files from archive.. e: Extract files from archive (without using directory names).. l: List contents of archive.. t: Test integrity of archive.. u: Update files to archive.. x: eXtract files with full paths..<Switches>.. -ai[r[-|0]]{@listfile|!wildcard}: Include archives.. -ax[r[-|0]]{@listfile|!wildcard}: eXclude archives.. -bd: Disable percentage indicator.. -i[r[-|0]]{@listfile|!wildcard}: Include filenames.. -m{Parameters}: set compression Method.. -o{Directory}: set Output directory.. -p{Password}: set Password.. -r[-|0]: Recurse subdirectories.. -scs{UTF-8 | WIN | DOS}: set charset for list files.. -sfx[{name}]: Create SFX archive.. -si[{name}]: read data from stdin.. -slt: show technical information for l (List) command.. -so: write d
File type:PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit):6.286113879761566
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.96%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:7z.exe
File size:163840
MD5:a51d90f2f9394f5ea0a3acae3bd2b219
SHA1:20fea1314dbed552d5fedee096e2050369172ee1
SHA256:ac9674feb8f2fad20c1e046de67f899419276ae79a60e8cc021a4bf472ae044f
SHA512:c11f981136db7d9bde01046b1953fd924ff29447d41257da09dd762451e27390cea9b69e43206a8fff825ebcd4ddec5a6247bb502aefbd6e8285622caa985bf6
SSDEEP:3072:6nkCMZlG+fHlDum7uVouWEHR92dZH5TTY8A7GyH367uPlDKw:6kCMndv8WiYZH5A8sGw367Y+
TLSH:E6F36C3139F4C577D2230530CEE86BF5E0F6DA650E2248A733C94B2D6A79995C329E2D
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........................................................................5.............................a.....T.......Rich...........
Icon Hash:00828e8e8686b000
Entrypoint:0x41d0cc
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x400000
Subsystem:windows cui
Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:0x4CE54F63 [Thu Nov 18 16:08:03 2010 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:4
OS Version Minor:0
File Version Major:4
File Version Minor:0
Subsystem Version Major:4
Subsystem Version Minor:0
Import Hash:709c92fb1b0d51e4048409976b042040
Entrypoint preview (instructions):
push ebp
mov ebp, esp
push FFFFFFFFh
push 00420E18h
push 0041D0C6h
mov eax, dword ptr fs:[00000000h]
push eax
mov dword ptr fs:[00000000h], esp
sub esp, 20h
push ebx
push esi
push edi
mov dword ptr [ebp-18h], esp
and dword ptr [ebp-04h], 00000000h
push 00000001h
call dword ptr [00420168h]
pop ecx
or dword ptr [0042B6A4h], FFFFFFFFh
or dword ptr [0042B6A8h], FFFFFFFFh
call dword ptr [0042016Ch]
mov ecx, dword ptr [00429694h]
mov dword ptr [eax], ecx
call dword ptr [00420170h]
mov ecx, dword ptr [00429690h]
mov dword ptr [eax], ecx
mov eax, dword ptr [00420174h]
mov eax, dword ptr [eax]
mov dword ptr [0042B6A0h], eax
call 00007F91ECEE6E0Ah
cmp dword ptr [00429420h], 00000000h
jne 00007F91ECEE6D3Eh
push 0041D20Ch
call dword ptr [00420178h]
pop ecx
call 00007F91ECEE6DDBh
push 00427034h
push 00427030h
call 00007F91ECEE6DC6h
mov eax, dword ptr [0042968Ch]
mov dword ptr [ebp-28h], eax
lea eax, dword ptr [ebp-28h]
push eax
push dword ptr [00429688h]
lea eax, dword ptr [ebp-20h]
push eax
lea eax, dword ptr [ebp-2Ch]
push eax
lea eax, dword ptr [ebp-1Ch]
push eax
call dword ptr [00420180h]
push 0042702Ch
push 00427000h
call 00007F91ECEE6D93h
Programming Language:
  • [C++] VS98 (6.0) SP6 build 8804
  • [ C ] VS98 (6.0) SP6 build 8804
  • [ASM] VS2008 SP1 build 30729
  • [EXP] VC++ 6.0 SP5 build 8804
Data directories (Name / Virtual Address / Virtual Size / Is in Section):
  • IMAGE_DIRECTORY_ENTRY_EXPORT / 0x0 / 0x0 / -
  • IMAGE_DIRECTORY_ENTRY_IMPORT / 0x25588 / 0x78 / .rdata
  • IMAGE_DIRECTORY_ENTRY_RESOURCE / 0x2c000 / 0x310 / .rsrc
  • IMAGE_DIRECTORY_ENTRY_EXCEPTION / 0x0 / 0x0 / -
  • IMAGE_DIRECTORY_ENTRY_SECURITY / 0x0 / 0x0 / -
  • IMAGE_DIRECTORY_ENTRY_BASERELOC / 0x0 / 0x0 / -
  • IMAGE_DIRECTORY_ENTRY_DEBUG / 0x0 / 0x0 / -
  • IMAGE_DIRECTORY_ENTRY_COPYRIGHT / 0x0 / 0x0 / -
  • IMAGE_DIRECTORY_ENTRY_GLOBALPTR / 0x0 / 0x0 / -
  • IMAGE_DIRECTORY_ENTRY_TLS / 0x0 / 0x0 / -
  • IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG / 0x0 / 0x0 / -
  • IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT / 0x0 / 0x0 / -
  • IMAGE_DIRECTORY_ENTRY_IAT / 0x20000 / 0x230 / .rdata
  • IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT / 0x0 / 0x0 / -
  • IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR / 0x0 / 0x0 / -
  • IMAGE_DIRECTORY_ENTRY_RESERVED / 0x0 / 0x0 / -
Sections (Name / Virtual Address / Virtual Size / Raw Size / Xored PE / ZLIB Complexity / File Type / Entropy / Characteristics):
  • .text / 0x1000 / 0x1ef0a / 0x1f000 / False / 0.5815508442540323 / data / 6.527562764155281 / IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
  • .rdata / 0x20000 / 0x60cc / 0x6200 / False / 0.29233099489795916 / data / 4.037284112815215 / IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
  • .data / 0x27000 / 0x46ac / 0x2600 / False / 0.39535361842105265 / data / 4.360042331515286 / IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
  • .rsrc / 0x2c000 / 0x310 / 0x400 / False / 0.3701171875 / data / 2.622586249566649 / IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Resources (Name / RVA / Size / Type / Language / Country):
  • RT_VERSION / 0x2c060 / 0x2ac / data / English / United States
Imports by DLL:
  • OLEAUT32.dll: SysAllocString, VariantClear, VariantCopy, SysStringByteLen, SysFreeString
  • USER32.dll: CharUpperW, CharPrevA, CharUpperA, CharNextA
  • ADVAPI32.dll: RegQueryValueExA, RegCloseKey, RegOpenKeyExA
  • MSVCRT.dll: _controlfp, __set_app_type, __p__fmode, __p__commode, _adjust_fdiv, __setusermatherr, _initterm, __getmainargs, __p___initenv, exit, _XcptFilter, _exit, ?terminate@@YAXXZ, _onexit, __dllonexit, ??1type_info@@UAE@XZ, _except_handler3, _beginthreadex, memset, wcsncmp, wcslen, memcpy, fputc, fflush, fgetc, fclose, _iob, free, malloc, memmove, memcmp, fprintf, strlen, fputs, _purecall, __CxxFrameHandler, _CxxThrowException, _isatty, _fileno
  • KERNEL32.dll: VirtualAlloc, GetTickCount, VirtualFree, WaitForSingleObject, SetEvent, InitializeCriticalSection, MapViewOfFile, GetProcessTimes, UnmapViewOfFile, OpenEventA, GetSystemTime, SystemTimeToFileTime, FileTimeToDosDateTime, GetModuleHandleA, GlobalMemoryStatus, GetSystemInfo, FileTimeToSystemTime, CompareFileTime, GetProcAddress, GetCurrentProcess, SetEndOfFile, WriteFile, ReadFile, DeviceIoControl, SetFilePointer, GetFileSize, CreateFileA, FindNextFileW, FindNextFileA, FindFirstFileW, FindFirstFileA, FindClose, GetTempFileNameW, GetTempFileNameA, GetTempPathW, GetTempPathA, SearchPathW, SearchPathA, GetCurrentDirectoryW, SetCurrentDirectoryW, SetConsoleCtrlHandler, FileTimeToLocalFileTime, GetCommandLineW, SetFileApisToOEM, GetVersionExA, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, GetConsoleMode, SetConsoleMode, GetStdHandle, MultiByteToWideChar, WideCharToMultiByte, GetLastError, FreeLibrary, LoadLibraryExA, LoadLibraryA, AreFileApisANSI, SetCurrentDirectoryA, GetModuleFileNameA, LocalFree, FormatMessageA, FormatMessageW, GetWindowsDirectoryA, GetWindowsDirectoryW, CloseHandle, SetFileTime, CreateFileW, SetLastError, SetFileAttributesA, RemoveDirectoryA, MoveFileA, SetFileAttributesW, RemoveDirectoryW, MoveFileW, CreateDirectoryA, CreateDirectoryW, DeleteFileA, DeleteFileW, lstrlenA, GetFullPathNameA, GetFullPathNameW, GetCurrentDirectoryA, OpenFileMappingA
Language of compilation system:English
Country where language is spoken:United States
No network behavior found

Target ID:0
Start time:11:58:00
Start date:29/07/2022
Path:C:\Users\user\Desktop\7z.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\Desktop\7z.exe"
Imagebase:0x400000
File size:163840 bytes
MD5 hash:A51D90F2F9394F5EA0A3ACAE3BD2B219
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low

Target ID:1
Start time:11:58:01
Start date:29/07/2022
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7522f0000
File size:875008 bytes
MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

No disassembly