Analysis
- max time kernel: 27s
- max time network: 31s
- platform: windows7_x64
- resource: win7-20240215-en
- resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
- submitted: 24-02-2024 11:28
Static task
- static1

Behavioral tasks
- behavioral1: Ransomware.7ev3n.exe (resource win7-20240215-en)
- behavioral2: Ransomware.7ev3n.exe (resource win10v2004-20240221-en)
- behavioral3: Ransomware.BadRabbit.exe (resource win7-20240221-en)
- behavioral4: Ransomware.BadRabbit.exe (resource win10v2004-20240221-en)
- behavioral5: Ransomware.CoronaVirus.exe (resource win7-20240221-en)
- behavioral6: Ransomware.CoronaVirus.exe (resource win10v2004-20240221-en)
- behavioral7: Ransomware.CryptoLocker.exe (resource win7-20240221-en)
- behavioral8: Ransomware.CryptoLocker.exe (resource win10v2004-20240221-en)
- behavioral9: MalwareCollection-master/Ransomware/Ransomware.NoMoreRansom.zip (resource win7-20240220-en)
- behavioral10: MalwareCollection-master/Ransomware/Ransomware.NoMoreRansom.zip (resource win10v2004-20240221-en)
- behavioral11: MalwareCollection-master/Ransomware/Ransomware.WannaCrypt0r.v1.zip (resource win7-20240221-en)
- behavioral12: MalwareCollection-master/Ransomware/Ransomware.WannaCrypt0r.v1.zip (resource win10v2004-20240221-en)
- behavioral13: MalwareCollection-master/Trojan/Trojan.000.zip (resource win7-20240221-en)
- behavioral14: MalwareCollection-master/Trojan/Trojan.000.zip (resource win10v2004-20240221-en)
- behavioral15: MalwareCollection-master/Trojan/Trojan.MEMZ-4.0.zip (resource win7-20240221-en)
- behavioral16: MalwareCollection-master/Trojan/Trojan.MEMZ-4.0.zip (resource win10v2004-20240221-en)
- behavioral17: MalwareCollection-master/Worm/Email-Worm/Email-Worm.Mylife.A.zip (resource win7-20240221-en)
- behavioral18: MalwareCollection-master/Worm/Email-Worm/Email-Worm.Mylife.A.zip (resource win10v2004-20240221-en)
Errors
General
- Target: Ransomware.7ev3n.exe
- Size: 315KB
- MD5: 9f8bc96c96d43ecb69f883388d228754
- SHA1: 61ed25a706afa2f6684bb4d64f69c5fb29d20953
- SHA256: 7d373ccb96d1dbb1856ef31afa87c2112a0c1795a796ab01cb154700288afec5
- SHA512: 550a891c1059f58aa983138caf65a7ea9c326cb1b94c15f3e7594128f6e9f1295b9c2dbc0925637dba7c94e938083fffc6a63dc7c2e5b1e247679931cce505c6
- SSDEEP: 6144:BswDdb2MemnBVlz0SoVbO4A6OA4Trl28TyT6llY1/I8cWJWlfTXv:BswRSslz0P1OdFXJlJ8buXv
Malware Config
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\system.exe" (process: reg.exe)
- UAC bypass (1 IoCs)
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (process: reg.exe)
- Deletes itself (1 IoCs)
  PID 2828, process cmd.exe
- Executes dropped EXE (1 IoCs)
  PID 3024, process system.exe
- Loads dropped DLL (2 IoCs)
  PID 1972, process Ransomware.7ev3n.exe (2 entries)
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "C:\\Users\\Admin\\AppData\\Local\\system.exe" (process: reg.exe)
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID 2556, process SCHTASKS.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeShutdownPrivilege, PID 1076, process shutdown.exe
  Token: SeRemoteShutdownPrivilege, PID 1076, process shutdown.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  Each distinct row below appears 4 times in the report (16 rows x 4 = 64 IoCs).

  source PID  source process        target PID  procid_target
  1972        Ransomware.7ev3n.exe  3024        28
  3024        system.exe            2828        29
  3024        system.exe            2556        30
  3024        system.exe            2688        33
  3024        system.exe            2708        34
  3024        system.exe            2436        37
  3024        system.exe            2792        38
  3024        system.exe            2712        39
  3024        system.exe            2404        47
  2688        cmd.exe               2916        42
  2708        cmd.exe               2460        41
  2436        cmd.exe               1820        43
  2712        cmd.exe               2664        44
  2792        cmd.exe               2660        49
  2404        cmd.exe               2676        50
  3024        system.exe            596         53
Processes
- C:\Users\Admin\AppData\Local\Temp\Ransomware.7ev3n.exe (PID 1972)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Ransomware.7ev3n.exe"
  Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\system.exe (PID 3024)
    Command line: "C:\Users\Admin\AppData\Local\system.exe"
    Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 2828)
      Command line: cmd /c C:\Users\Admin\AppData\Local\del.bat
      Signatures: Deletes itself
    - C:\Windows\SysWOW64\SCHTASKS.exe (PID 2556)
      Command line: C:\Windows\System32\SCHTASKS.exe /create /SC ONLOGON /TN uac /TR "C:\Users\Admin\AppData\Local\bcd.bat" /RL HIGHEST /f
      Signatures: Creates scheduled task(s)
    - C:\windows\SysWOW64\cmd.exe (PID 2688)
      Command line: C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\reg.exe (PID 2916)
        Command line: REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
        Signatures: Modifies WinLogon for persistence
    - C:\windows\SysWOW64\cmd.exe (PID 2708)
      Command line: C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "System" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\reg.exe (PID 2460)
        Command line: REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "System" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
        Signatures: Adds Run key to start application
    - C:\windows\SysWOW64\cmd.exe (PID 2436)
      Command line: C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d "00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000" /f /reg:64
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\reg.exe (PID 1820)
        Command line: REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d "00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000" /f /reg:64
    - C:\windows\SysWOW64\cmd.exe (PID 2792)
      Command line: C:\windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d 506 /f /reg:64
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\reg.exe (PID 2660)
        Command line: REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d 506 /f /reg:64
    - C:\windows\SysWOW64\cmd.exe (PID 2712)
      Command line: C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "rgd_bcd_condition" /t REG_SZ /d 1 /f /reg:64
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\reg.exe (PID 2664)
        Command line: REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "rgd_bcd_condition" /t REG_SZ /d 1 /f /reg:64
    - C:\windows\SysWOW64\cmd.exe (PID 2404)
      Command line: C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f /reg:64
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\reg.exe (PID 2676)
        Command line: REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f /reg:64
        Signatures: UAC bypass
    - C:\Windows\SysWOW64\cmd.exe (PID 596)
      Command line: C:\Windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "crypted" /t REG_SZ /d 1 /f /reg:64
      - C:\Windows\SysWOW64\reg.exe (PID 488)
        Command line: REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "crypted" /t REG_SZ /d 1 /f /reg:64
    - C:\Windows\SysWOW64\cmd.exe (PID 1016)
      Command line: C:\Windows\system32\cmd.exe /c shutdown -r -t 10 -f
      - C:\Windows\SysWOW64\shutdown.exe (PID 1076)
        Command line: shutdown -r -t 10 -f
        Signatures: Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\LogonUI.exe (PID 2012)
  Command line: "LogonUI.exe" /flags:0x0
- C:\Windows\system32\LogonUI.exe (PID 1232)
  Command line: "LogonUI.exe" /flags:0x1
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Scheduled Task/Job (1)
Downloads
- Filesize: 76B
  MD5: bd6cd262cc5cccb49b23151fd6ac9d83
  SHA1: cbb450016597875cd6616e62ec8f9a1acd4abb9a
  SHA256: 7f35dc86053a85c2ffe7ef385ace63105cdff5fd1960be4169a72b66dcb9c2cb
  SHA512: 6bfbb77e4050c65a74c97aefebd80bab1b61e9cad3332aa5dbe42ea8bd2c171012a9426e98e1b85e3f9ab0f48ef6501d44ef1b9318def2c994f4f26433b3ad09
- Filesize: 315KB
  MD5: 960210c40a73291e4349cb16c26afc66
  SHA1: e90335ab561ca12801b22e15446c84f90ab53588
  SHA256: fef8a83f4105221a01de09749072671b2c6c944a5d52c15d0852cc9a4b6c4890
  SHA512: 44a42cc7a5baab876e3a7fce4d9d05839de666577306985d8d5920f38f0150ce335c351eaa4d8f834b43abfcb26eb3aa06fbb467dc56695eacd35ad11d8a259a