Windows Analysis Report
7zG.exe

Overview

General Information

Sample name: 7zG.exe
Analysis ID: 1431359
MD5: 50f289df0c19484e970849aac4e6f977
SHA1: 3dc77c8830836ab844975eb002149b66da2e10be
SHA256: b9b179b305c5268ad428b6ae59de10b4fe99cf0199bbc89b7017181905e97305

Detection

Score: 5
Range: 0 - 100
Whitelisted: false
Confidence: 60%

Signatures

Contains functionality to read data from the clipboard
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Detected potential crypto function
Found large amount of non-executed APIs
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)

Classification

Source: 7zG.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\7zG.exe Code function: 0_2_008F8A94 FindFirstFileW,FindFirstFileW,free, 0_2_008F8A94
Source: C:\Users\user\Desktop\7zG.exe Code function: 0_2_008F9B98 free,free,GetLogicalDriveStringsW,GetLogicalDriveStringsW,free,free,free, 0_2_008F9B98
Source: C:\Users\user\Desktop\7zG.exe Code function: 0_2_008F6FEC OpenClipboard,EmptyClipboard,GlobalLock,memmove,GlobalUnlock,SetClipboardData, 0_2_008F6FEC
Source: C:\Users\user\Desktop\7zG.exe Code function: 0_2_008F6FEC OpenClipboard,EmptyClipboard,GlobalLock,memmove,GlobalUnlock,SetClipboardData, 0_2_008F6FEC
Source: C:\Users\user\Desktop\7zG.exe Code function: 0_2_008FA454 DeviceIoControl,DeviceIoControl,DeviceIoControl,DeviceIoControl, 0_2_008FA454
Source: C:\Users\user\Desktop\7zG.exe Code function: 0_2_00913098 0_2_00913098
Source: C:\Users\user\Desktop\7zG.exe Code function: 0_2_0092719C 0_2_0092719C
Source: C:\Users\user\Desktop\7zG.exe Code function: 0_2_008F8108 0_2_008F8108
Source: C:\Users\user\Desktop\7zG.exe Code function: 0_2_00916450 0_2_00916450
Source: C:\Users\user\Desktop\7zG.exe Code function: 0_2_00960460 0_2_00960460
Source: C:\Users\user\Desktop\7zG.exe Code function: 0_2_008F8564 0_2_008F8564
Source: C:\Users\user\Desktop\7zG.exe Code function: 0_2_009106DC 0_2_009106DC
Source: C:\Users\user\Desktop\7zG.exe Code function: 0_2_00923704 0_2_00923704
Source: C:\Users\user\Desktop\7zG.exe Code function: 0_2_0091C8B0 0_2_0091C8B0
Source: C:\Users\user\Desktop\7zG.exe Code function: 0_2_0092593C 0_2_0092593C
Source: C:\Users\user\Desktop\7zG.exe Code function: 0_2_008FC974 0_2_008FC974
Source: C:\Users\user\Desktop\7zG.exe Code function: 0_2_0090FA80 0_2_0090FA80
Source: C:\Users\user\Desktop\7zG.exe Code function: 0_2_0091FB10 0_2_0091FB10
Source: C:\Users\user\Desktop\7zG.exe Code function: 0_2_00914D10 0_2_00914D10
Source: C:\Users\user\Desktop\7zG.exe Code function: 0_2_0090FD4C 0_2_0090FD4C
Source: C:\Users\user\Desktop\7zG.exe Code function: 0_2_0091EE24 0_2_0091EE24
Source: C:\Users\user\Desktop\7zG.exe Code function: 0_2_00904FDC 0_2_00904FDC
Source: C:\Users\user\Desktop\7zG.exe Code function: 0_2_00906F48 0_2_00906F48
Source: 7zG.exe Binary or memory string: OriginalFilename vs 7zG.exe
Source: classification engine Classification label: clean5.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\7zG.exe Code function: 0_2_008FC47C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle, 0_2_008FC47C
Source: C:\Users\user\Desktop\7zG.exe Code function: 0_2_00908650 GetCurrentProcess,CloseHandle,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle,GetLastError,CloseHandle, 0_2_00908650
Source: C:\Users\user\Desktop\7zG.exe Code function: 0_2_008FC360 GetModuleHandleW,GetProcAddress,GetDiskFreeSpaceW, 0_2_008FC360
Source: C:\Users\user\Desktop\7zG.exe Code function: 0_2_00949968 _CxxThrowException,_CxxThrowException,CoCreateInstance, 0_2_00949968
Source: 7zG.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\7zG.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 7zG.exe String found in binary or memory: -help
Source: 7zG.exe String found in binary or memory: Check charset encoding and -scs switch.bsobbbtbdba-helph?asut012sea0-SeLockMemoryPrivilegeSeCreateSymbolicLinkPrivilegeSeRestorePrivilege
Source: 7zG.exe String found in binary or memory: fm/plugins/7-zip/add.htm
Source: 7zG.exe String found in binary or memory: a : 7-Zip limit : RAMThe operation can require big amount of RAM (memory):The operation was blocked by 7-Zipfm/plugins/7-zip/add.htm
Source: 7zG.exe String found in binary or memory: fm/plugins/7-zip/add.htm#options
Source: 7zG.exe String found in binary or memory: c LinuxDOSUnixfm/plugins/7-zip/add.htm#options
Source: C:\Users\user\Desktop\7zG.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\7zG.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\7zG.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\7zG.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\7zG.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\7zG.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\7zG.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\7zG.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\7zG.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\7zG.exe Section loaded: wintypes.dll
Source: 7zG.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\7zG.exe Code function: 0_2_0095D44C #17,LoadLibraryW,GetProcAddress,memset,FreeLibrary,OleInitializeWOW, 0_2_0095D44C
Source: C:\Users\user\Desktop\7zG.exe Code function: 0_2_00921242 push rcx; ret 0_2_00921243
Source: C:\Users\user\Desktop\7zG.exe API coverage: 1.0 %
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\7zG.exe Code function: 0_2_008F8A94 FindFirstFileW,FindFirstFileW,free, 0_2_008F8A94
Source: C:\Users\user\Desktop\7zG.exe Code function: 0_2_008F9B98 free,free,GetLogicalDriveStringsW,GetLogicalDriveStringsW,free,free,free, 0_2_008F9B98
Source: C:\Users\user\Desktop\7zG.exe Code function: 0_2_008FDA4C GetSystemInfo, 0_2_008FDA4C
Source: C:\Users\user\Desktop\7zG.exe Code function: 0_2_0095D44C #17,LoadLibraryW,GetProcAddress,memset,FreeLibrary,OleInitializeWOW, 0_2_0095D44C
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\7zG.exe Code function: 0_2_00962810 cpuid 0_2_00962810
Source: C:\Users\user\Desktop\7zG.exe Code function: 0_2_009619C0 GetVersion,GetModuleHandleW,GetProcAddress, 0_2_009619C0
No contacted IP infos