022728f678d8dcc6cba20147595ed4099e9c98be0582c0f67518d5664e3b8523

Resubmissions

03-03-2024 01:34

240303-by6ttsbe94 10

03-03-2024 01:31

240303-bxkj7sbe62 7

Analysis

max time kernel
49s
max time network
55s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
03-03-2024 01:34

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

Ransomware/7ev3n.exe
Size

315KB
MD5

9f8bc96c96d43ecb69f883388d228754
SHA1

61ed25a706afa2f6684bb4d64f69c5fb29d20953
SHA256

7d373ccb96d1dbb1856ef31afa87c2112a0c1795a796ab01cb154700288afec5
SHA512

550a891c1059f58aa983138caf65a7ea9c326cb1b94c15f3e7594128f6e9f1295b9c2dbc0925637dba7c94e938083fffc6a63dc7c2e5b1e247679931cce505c6
SSDEEP

6144:BswDdb2MemnBVlz0SoVbO4A6OA4Trl28TyT6llY1/I8cWJWlfTXv:BswRSslz0P1OdFXJlJ8buXv

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\system.exe"	reg.exe

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Deletes itself 1 IoCs

pid	Process
864	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2532	system.exe

Loads dropped DLL 2 IoCs

pid	Process
2992	7ev3n.exe
2992	7ev3n.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "C:\\Users\\Admin\\AppData\\Local\\system.exe"	reg.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2740	SCHTASKS.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1352	shutdown.exe
Token: SeRemoteShutdownPrivilege	1352	shutdown.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2992 wrote to memory of 2532	2992	7ev3n.exe	28
PID 2992 wrote to memory of 2532	2992	7ev3n.exe	28
PID 2992 wrote to memory of 2532	2992	7ev3n.exe	28
PID 2992 wrote to memory of 2532	2992	7ev3n.exe	28
PID 2532 wrote to memory of 864	2532	system.exe	29
PID 2532 wrote to memory of 864	2532	system.exe	29
PID 2532 wrote to memory of 864	2532	system.exe	29
PID 2532 wrote to memory of 864	2532	system.exe	29
PID 2532 wrote to memory of 2740	2532	system.exe	31
PID 2532 wrote to memory of 2740	2532	system.exe	31
PID 2532 wrote to memory of 2740	2532	system.exe	31
PID 2532 wrote to memory of 2740	2532	system.exe	31
PID 2532 wrote to memory of 2756	2532	system.exe	33
PID 2532 wrote to memory of 2756	2532	system.exe	33
PID 2532 wrote to memory of 2756	2532	system.exe	33
PID 2532 wrote to memory of 2756	2532	system.exe	33
PID 2532 wrote to memory of 2596	2532	system.exe	34
PID 2532 wrote to memory of 2596	2532	system.exe	34
PID 2532 wrote to memory of 2596	2532	system.exe	34
PID 2532 wrote to memory of 2596	2532	system.exe	34
PID 2532 wrote to memory of 2452	2532	system.exe	37
PID 2532 wrote to memory of 2452	2532	system.exe	37
PID 2532 wrote to memory of 2452	2532	system.exe	37
PID 2532 wrote to memory of 2452	2532	system.exe	37
PID 2532 wrote to memory of 2680	2532	system.exe	38
PID 2532 wrote to memory of 2680	2532	system.exe	38
PID 2532 wrote to memory of 2680	2532	system.exe	38
PID 2532 wrote to memory of 2680	2532	system.exe	38
PID 2532 wrote to memory of 2408	2532	system.exe	39
PID 2532 wrote to memory of 2408	2532	system.exe	39
PID 2532 wrote to memory of 2408	2532	system.exe	39
PID 2532 wrote to memory of 2408	2532	system.exe	39
PID 2532 wrote to memory of 2424	2532	system.exe	41
PID 2532 wrote to memory of 2424	2532	system.exe	41
PID 2532 wrote to memory of 2424	2532	system.exe	41
PID 2532 wrote to memory of 2424	2532	system.exe	41
PID 2756 wrote to memory of 2436	2756	cmd.exe	42
PID 2756 wrote to memory of 2436	2756	cmd.exe	42
PID 2756 wrote to memory of 2436	2756	cmd.exe	42
PID 2756 wrote to memory of 2436	2756	cmd.exe	42
PID 2452 wrote to memory of 1944	2452	cmd.exe	46
PID 2452 wrote to memory of 1944	2452	cmd.exe	46
PID 2452 wrote to memory of 1944	2452	cmd.exe	46
PID 2452 wrote to memory of 1944	2452	cmd.exe	46
PID 2680 wrote to memory of 524	2680	cmd.exe	47
PID 2680 wrote to memory of 524	2680	cmd.exe	47
PID 2680 wrote to memory of 524	2680	cmd.exe	47
PID 2680 wrote to memory of 524	2680	cmd.exe	47
PID 2596 wrote to memory of 676	2596	cmd.exe	48
PID 2596 wrote to memory of 676	2596	cmd.exe	48
PID 2596 wrote to memory of 676	2596	cmd.exe	48
PID 2596 wrote to memory of 676	2596	cmd.exe	48
PID 2408 wrote to memory of 472	2408	cmd.exe	49
PID 2408 wrote to memory of 472	2408	cmd.exe	49
PID 2408 wrote to memory of 472	2408	cmd.exe	49
PID 2408 wrote to memory of 472	2408	cmd.exe	49
PID 2424 wrote to memory of 760	2424	cmd.exe	50
PID 2424 wrote to memory of 760	2424	cmd.exe	50
PID 2424 wrote to memory of 760	2424	cmd.exe	50
PID 2424 wrote to memory of 760	2424	cmd.exe	50
PID 2532 wrote to memory of 2220	2532	system.exe	53
PID 2532 wrote to memory of 2220	2532	system.exe	53
PID 2532 wrote to memory of 2220	2532	system.exe	53
PID 2532 wrote to memory of 2220	2532	system.exe	53

C:\Users\Admin\AppData\Local\Temp\Ransomware\7ev3n.exe
"C:\Users\Admin\AppData\Local\Temp\Ransomware\7ev3n.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2992
- C:\Users\Admin\AppData\Local\system.exe
  "C:\Users\Admin\AppData\Local\system.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2532
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\del.bat
    3⤵
    - Deletes itself
    PID:864
- - C:\Windows\SysWOW64\SCHTASKS.exe
    C:\Windows\System32\SCHTASKS.exe /create /SC ONLOGON /TN uac /TR "C:\Users\Admin\AppData\Local\bcd.bat" /RL HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:2740
- - C:\windows\SysWOW64\cmd.exe
    C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2756
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
      4⤵
      Modifies WinLogon for persistence
      PID:2436
- - C:\windows\SysWOW64\cmd.exe
    C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "System" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2596
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "System" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
      4⤵
      Adds Run key to start application
      PID:676
- - C:\windows\SysWOW64\cmd.exe
    C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d "00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000" /f /reg:64
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2452
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d "00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000" /f /reg:64
      4⤵
      PID:1944
- - C:\windows\SysWOW64\cmd.exe
    C:\windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d 506 /f /reg:64
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2680
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d 506 /f /reg:64
      4⤵
      PID:524
- - C:\windows\SysWOW64\cmd.exe
    C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "rgd_bcd_condition" /t REG_SZ /d 1 /f /reg:64
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2408
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "rgd_bcd_condition" /t REG_SZ /d 1 /f /reg:64
      4⤵
      PID:472
- - C:\windows\SysWOW64\cmd.exe
    C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f /reg:64
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2424
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f /reg:64
      4⤵
      UAC bypass
      PID:760
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "crypted" /t REG_SZ /d 1 /f /reg:64
    3⤵
    PID:2220
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "crypted" /t REG_SZ /d 1 /f /reg:64
      4⤵
      PID:1996
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c shutdown -r -t 10 -f
    3⤵
    PID:1924
  - - C:\Windows\SysWOW64\shutdown.exe
      shutdown -r -t 10 -f
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1352

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:2096

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:1720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\del.bat

Filesize
76B

MD5
2623d4a3f9735b4a8298ad5050eb73ef

SHA1
3dcd1491a378acd63f725bd427ecb9810dc3cea2

SHA256
01ddb9a534a1519c377c6951557207284a9a941870951797b2dfa5ed86a85709

SHA512
aff6ca24a072b2219dafaa751a011cf41b5e8f638438e79d4e1852ff33ce7dbfa87e9e36b867866b2b8bd5ae30f0267d0ce2827caea21ec73a690ae9b4e329e8

Download Submit
\Users\Admin\AppData\Local\system.exe

Filesize
315KB

MD5
e1f2ebae2414e54e5c077e5c8cd776f7

SHA1
13785be2a08581da91b81241a065d4bf24ccec58

SHA256
6d4b30131e32ce5e8f5a3251e6a28cfdaad04e0d90d844acc72b562a3579e928

SHA512
2c6593bdbcec1c9d54a68759ee8d8cfb7ab6c05c10f5e62be312b7934c2b0c8d96a3792657aa41647cace590106d520a12cf78941f3fe61714e7a96387668bec

Download Submit
memory/1720-142-0x00000000027A0000-0x00000000027A1000-memory.dmp

Filesize
4KB

Download
memory/2096-141-0x0000000002AC0000-0x0000000002AC1000-memory.dmp

Filesize
4KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads