Overview
overview
10Static
static
3Ransomware.7ev3n.exe
windows10-2004-x64
Ransomware...it.exe
windows10-2004-x64
10MalwareCol...le.zip
windows10-2004-x64
1MalwareCol....0.zip
windows10-2004-x64
1MalwareCol...pe.zip
windows10-2004-x64
1MalwareCol...ot.zip
windows10-2004-x64
1MalwareCol...fe.zip
windows10-2004-x64
1Resubmissions
24-02-2024 15:44
240224-s6pzqafh53 1024-02-2024 14:06
240224-relmjsdh45 1024-02-2024 11:48
240224-nyvssabe4w 3Analysis
-
max time kernel
26s -
max time network
31s -
platform
windows10-2004_x64 -
resource
win10v2004-20240221-en -
resource tags
arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system -
submitted
24-02-2024 15:44
Static task
static1
Behavioral task
behavioral1
Sample
Ransomware.7ev3n.exe
Resource
win10v2004-20240221-en
Behavioral task
behavioral2
Sample
Ransomware.BadRabbit.exe
Resource
win10v2004-20240221-en
Behavioral task
behavioral3
Sample
MalwareCollection-master/Trojan/Trojan.DesktopPuzzle.zip
Resource
win10v2004-20240221-en
Behavioral task
behavioral4
Sample
MalwareCollection-master/Trojan/Trojan.MEMZ-4.0.zip
Resource
win10v2004-20240221-en
Behavioral task
behavioral5
Sample
MalwareCollection-master/Trojan/Trojan.NoEscape.zip
Resource
win10v2004-20240221-en
Behavioral task
behavioral6
Sample
MalwareCollection-master/Trojan/Trojan.YouAreAnIdiot.zip
Resource
win10v2004-20240221-en
Behavioral task
behavioral7
Sample
MalwareCollection-master/Worm/Email-Worm/Email-Worm.NakedWife.zip
Resource
win10v2004-20240221-en
Errors
General
-
Target
Ransomware.7ev3n.exe
-
Size
315KB
-
MD5
9f8bc96c96d43ecb69f883388d228754
-
SHA1
61ed25a706afa2f6684bb4d64f69c5fb29d20953
-
SHA256
7d373ccb96d1dbb1856ef31afa87c2112a0c1795a796ab01cb154700288afec5
-
SHA512
550a891c1059f58aa983138caf65a7ea9c326cb1b94c15f3e7594128f6e9f1295b9c2dbc0925637dba7c94e938083fffc6a63dc7c2e5b1e247679931cce505c6
-
SSDEEP
6144:BswDdb2MemnBVlz0SoVbO4A6OA4Trl28TyT6llY1/I8cWJWlfTXv:BswRSslz0P1OdFXJlJ8buXv
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes:
reg.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\system.exe" reg.exe -
Processes:
reg.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe -
Executes dropped EXE 1 IoCs
Processes:
system.exepid process 3836 system.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
reg.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "C:\\Users\\Admin\\AppData\\Local\\system.exe" reg.exe -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 15 IoCs
Processes:
LogonUI.exedescription ioc process Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "97" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent LogonUI.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" LogonUI.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
shutdown.exedescription pid process Token: SeShutdownPrivilege 5112 shutdown.exe Token: SeRemoteShutdownPrivilege 5112 shutdown.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
LogonUI.exepid process 4368 LogonUI.exe -
Suspicious use of WriteProcessMemory 57 IoCs
Processes:
Ransomware.7ev3n.exesystem.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exedescription pid process target process PID 3576 wrote to memory of 3836 3576 Ransomware.7ev3n.exe system.exe PID 3576 wrote to memory of 3836 3576 Ransomware.7ev3n.exe system.exe PID 3576 wrote to memory of 3836 3576 Ransomware.7ev3n.exe system.exe PID 3836 wrote to memory of 1972 3836 system.exe cmd.exe PID 3836 wrote to memory of 1972 3836 system.exe cmd.exe PID 3836 wrote to memory of 1972 3836 system.exe cmd.exe PID 3836 wrote to memory of 1548 3836 system.exe SCHTASKS.exe PID 3836 wrote to memory of 1548 3836 system.exe SCHTASKS.exe PID 3836 wrote to memory of 1548 3836 system.exe SCHTASKS.exe PID 3836 wrote to memory of 3244 3836 system.exe cmd.exe PID 3836 wrote to memory of 3244 3836 system.exe cmd.exe PID 3836 wrote to memory of 3244 3836 system.exe cmd.exe PID 3836 wrote to memory of 1564 3836 system.exe cmd.exe PID 3836 wrote to memory of 1564 3836 system.exe cmd.exe PID 3836 wrote to memory of 1564 3836 system.exe cmd.exe PID 3836 wrote to memory of 2448 3836 system.exe cmd.exe PID 3836 wrote to memory of 2448 3836 system.exe cmd.exe PID 3836 wrote to memory of 2448 3836 system.exe cmd.exe PID 3836 wrote to memory of 1916 3836 system.exe cmd.exe PID 3836 wrote to memory of 1916 3836 system.exe cmd.exe PID 3836 wrote to memory of 1916 3836 system.exe cmd.exe PID 3836 wrote to memory of 2668 3836 system.exe cmd.exe PID 3836 wrote to memory of 2668 3836 system.exe cmd.exe PID 3836 wrote to memory of 2668 3836 system.exe cmd.exe PID 3836 wrote to memory of 4472 3836 system.exe cmd.exe PID 3836 wrote to memory of 4472 3836 system.exe cmd.exe PID 3836 wrote to memory of 4472 3836 system.exe cmd.exe PID 3244 wrote to memory of 4276 3244 cmd.exe reg.exe PID 3244 wrote to memory of 4276 3244 cmd.exe reg.exe PID 3244 wrote to memory of 4276 3244 cmd.exe reg.exe PID 1564 wrote to memory of 3208 1564 cmd.exe reg.exe PID 1564 wrote to memory of 3208 1564 cmd.exe reg.exe PID 1564 wrote to memory of 3208 1564 cmd.exe reg.exe PID 1916 wrote to memory of 1040 1916 cmd.exe reg.exe PID 2668 wrote to memory of 4436 2668 cmd.exe reg.exe PID 2668 wrote to memory of 4436 2668 cmd.exe reg.exe PID 2668 wrote to memory of 4436 2668 cmd.exe reg.exe PID 1916 wrote to memory of 1040 1916 cmd.exe reg.exe PID 1916 wrote to memory of 1040 1916 cmd.exe reg.exe PID 4472 wrote to memory of 1796 4472 cmd.exe reg.exe PID 4472 wrote to memory of 1796 4472 cmd.exe reg.exe PID 4472 wrote to memory of 1796 4472 cmd.exe reg.exe PID 2448 wrote to memory of 5108 2448 cmd.exe reg.exe PID 2448 wrote to memory of 5108 2448 cmd.exe reg.exe PID 2448 wrote to memory of 5108 2448 cmd.exe reg.exe PID 3836 wrote to memory of 880 3836 system.exe cmd.exe PID 3836 wrote to memory of 880 3836 system.exe cmd.exe PID 3836 wrote to memory of 880 3836 system.exe cmd.exe PID 880 wrote to memory of 3384 880 cmd.exe reg.exe PID 880 wrote to memory of 3384 880 cmd.exe reg.exe PID 880 wrote to memory of 3384 880 cmd.exe reg.exe PID 3836 wrote to memory of 3624 3836 system.exe cmd.exe PID 3836 wrote to memory of 3624 3836 system.exe cmd.exe PID 3836 wrote to memory of 3624 3836 system.exe cmd.exe PID 3624 wrote to memory of 5112 3624 cmd.exe shutdown.exe PID 3624 wrote to memory of 5112 3624 cmd.exe shutdown.exe PID 3624 wrote to memory of 5112 3624 cmd.exe shutdown.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Ransomware.7ev3n.exe"C:\Users\Admin\AppData\Local\Temp\Ransomware.7ev3n.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\system.exe"C:\Users\Admin\AppData\Local\system.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\del.bat3⤵
-
C:\Windows\SysWOW64\SCHTASKS.exeC:\Windows\System32\SCHTASKS.exe /create /SC ONLOGON /TN uac /TR "C:\Users\Admin\AppData\Local\bcd.bat" /RL HIGHEST /f3⤵
- Creates scheduled task(s)
-
C:\windows\SysWOW64\cmd.exeC:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:643⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:644⤵
- Modifies WinLogon for persistence
-
C:\windows\SysWOW64\cmd.exeC:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f /reg:643⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f /reg:644⤵
- UAC bypass
-
C:\windows\SysWOW64\cmd.exeC:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "rgd_bcd_condition" /t REG_SZ /d 1 /f /reg:643⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "rgd_bcd_condition" /t REG_SZ /d 1 /f /reg:644⤵
-
C:\windows\SysWOW64\cmd.exeC:\windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d 506 /f /reg:643⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d 506 /f /reg:644⤵
-
C:\windows\SysWOW64\cmd.exeC:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d "00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000" /f /reg:643⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d "00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000" /f /reg:644⤵
-
C:\windows\SysWOW64\cmd.exeC:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "System" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:643⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "System" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:644⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "crypted" /t REG_SZ /d 1 /f /reg:643⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "crypted" /t REG_SZ /d 1 /f /reg:644⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c shutdown -r -t 10 -f3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\shutdown.exeshutdown -r -t 10 -f4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa394b855 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\del.batFilesize
76B
MD5bd6cd262cc5cccb49b23151fd6ac9d83
SHA1cbb450016597875cd6616e62ec8f9a1acd4abb9a
SHA2567f35dc86053a85c2ffe7ef385ace63105cdff5fd1960be4169a72b66dcb9c2cb
SHA5126bfbb77e4050c65a74c97aefebd80bab1b61e9cad3332aa5dbe42ea8bd2c171012a9426e98e1b85e3f9ab0f48ef6501d44ef1b9318def2c994f4f26433b3ad09
-
C:\Users\Admin\AppData\Local\system.exeFilesize
315KB
MD590d9f15072bcd2228bca64f29252852d
SHA1f144e48e228275172eb6c4c01958a9557f7cd2fa
SHA2567b1a257df5e92baa4742fc667ca79799ef8fffd5e52b9522b3bc1413e57242b4
SHA5123f5cd820e8dd456cebd99bfca9234b5c735a434069cc4df0a390a6c72c45306c85dc3f4c3d093f998f65cd5fbea2a6c1ea03659bb184a796206d50eb4e4e9b0a