022728f678d8dcc6cba20147595ed4099e9c98be0582c0f67518d5664e3b8523

Resubmissions

03-03-2024 01:34

240303-by6ttsbe94 10

03-03-2024 01:31

240303-bxkj7sbe62 7

Analysis

max time kernel
49s
max time network
55s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
03-03-2024 01:34

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

Ransomware/7ev3n.exe
Size

315KB
MD5

9f8bc96c96d43ecb69f883388d228754
SHA1

61ed25a706afa2f6684bb4d64f69c5fb29d20953
SHA256

7d373ccb96d1dbb1856ef31afa87c2112a0c1795a796ab01cb154700288afec5
SHA512

550a891c1059f58aa983138caf65a7ea9c326cb1b94c15f3e7594128f6e9f1295b9c2dbc0925637dba7c94e938083fffc6a63dc7c2e5b1e247679931cce505c6
SSDEEP

6144:BswDdb2MemnBVlz0SoVbO4A6OA4Trl28TyT6llY1/I8cWJWlfTXv:BswRSslz0P1OdFXJlJ8buXv

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\system.exe"	reg.exe

UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1548.002

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

reg.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

864 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

system.exe

pid process

2532 system.exe
Loads dropped DLL 2 IoCs

Processes:

7ev3n.exe

pid process

2992 7ev3n.exe
2992 7ev3n.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

pid	process
864	cmd.exe

pid	process
2532	system.exe

pid	process
2992	7ev3n.exe
2992	7ev3n.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "C:\\Users\\Admin\\AppData\\Local\\system.exe"	reg.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

SCHTASKS.exe

pid process

2740 SCHTASKS.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

shutdown.exe

description pid process

Token: SeShutdownPrivilege 1352 shutdown.exe
Token: SeRemoteShutdownPrivilege 1352 shutdown.exe

pid	process
2740	SCHTASKS.exe

description	pid	process
Token: SeShutdownPrivilege	1352	shutdown.exe
Token: SeRemoteShutdownPrivilege	1352	shutdown.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

7ev3n.exesystem.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2992 wrote to memory of 2532	2992	7ev3n.exe	system.exe
PID 2992 wrote to memory of 2532	2992	7ev3n.exe	system.exe
PID 2992 wrote to memory of 2532	2992	7ev3n.exe	system.exe
PID 2992 wrote to memory of 2532	2992	7ev3n.exe	system.exe
PID 2532 wrote to memory of 864	2532	system.exe	cmd.exe
PID 2532 wrote to memory of 864	2532	system.exe	cmd.exe
PID 2532 wrote to memory of 864	2532	system.exe	cmd.exe
PID 2532 wrote to memory of 864	2532	system.exe	cmd.exe
PID 2532 wrote to memory of 2740	2532	system.exe	SCHTASKS.exe
PID 2532 wrote to memory of 2740	2532	system.exe	SCHTASKS.exe
PID 2532 wrote to memory of 2740	2532	system.exe	SCHTASKS.exe
PID 2532 wrote to memory of 2740	2532	system.exe	SCHTASKS.exe
PID 2532 wrote to memory of 2756	2532	system.exe	cmd.exe
PID 2532 wrote to memory of 2756	2532	system.exe	cmd.exe
PID 2532 wrote to memory of 2756	2532	system.exe	cmd.exe
PID 2532 wrote to memory of 2756	2532	system.exe	cmd.exe
PID 2532 wrote to memory of 2596	2532	system.exe	cmd.exe
PID 2532 wrote to memory of 2596	2532	system.exe	cmd.exe
PID 2532 wrote to memory of 2596	2532	system.exe	cmd.exe
PID 2532 wrote to memory of 2596	2532	system.exe	cmd.exe
PID 2532 wrote to memory of 2452	2532	system.exe	cmd.exe
PID 2532 wrote to memory of 2452	2532	system.exe	cmd.exe
PID 2532 wrote to memory of 2452	2532	system.exe	cmd.exe
PID 2532 wrote to memory of 2452	2532	system.exe	cmd.exe
PID 2532 wrote to memory of 2680	2532	system.exe	cmd.exe
PID 2532 wrote to memory of 2680	2532	system.exe	cmd.exe
PID 2532 wrote to memory of 2680	2532	system.exe	cmd.exe
PID 2532 wrote to memory of 2680	2532	system.exe	cmd.exe
PID 2532 wrote to memory of 2408	2532	system.exe	cmd.exe
PID 2532 wrote to memory of 2408	2532	system.exe	cmd.exe
PID 2532 wrote to memory of 2408	2532	system.exe	cmd.exe
PID 2532 wrote to memory of 2408	2532	system.exe	cmd.exe
PID 2532 wrote to memory of 2424	2532	system.exe	cmd.exe
PID 2532 wrote to memory of 2424	2532	system.exe	cmd.exe
PID 2532 wrote to memory of 2424	2532	system.exe	cmd.exe
PID 2532 wrote to memory of 2424	2532	system.exe	cmd.exe
PID 2756 wrote to memory of 2436	2756	cmd.exe	reg.exe
PID 2756 wrote to memory of 2436	2756	cmd.exe	reg.exe
PID 2756 wrote to memory of 2436	2756	cmd.exe	reg.exe
PID 2756 wrote to memory of 2436	2756	cmd.exe	reg.exe
PID 2452 wrote to memory of 1944	2452	cmd.exe	reg.exe
PID 2452 wrote to memory of 1944	2452	cmd.exe	reg.exe
PID 2452 wrote to memory of 1944	2452	cmd.exe	reg.exe
PID 2452 wrote to memory of 1944	2452	cmd.exe	reg.exe
PID 2680 wrote to memory of 524	2680	cmd.exe	reg.exe
PID 2680 wrote to memory of 524	2680	cmd.exe	reg.exe
PID 2680 wrote to memory of 524	2680	cmd.exe	reg.exe
PID 2680 wrote to memory of 524	2680	cmd.exe	reg.exe
PID 2596 wrote to memory of 676	2596	cmd.exe	reg.exe
PID 2596 wrote to memory of 676	2596	cmd.exe	reg.exe
PID 2596 wrote to memory of 676	2596	cmd.exe	reg.exe
PID 2596 wrote to memory of 676	2596	cmd.exe	reg.exe
PID 2408 wrote to memory of 472	2408	cmd.exe	reg.exe
PID 2408 wrote to memory of 472	2408	cmd.exe	reg.exe
PID 2408 wrote to memory of 472	2408	cmd.exe	reg.exe
PID 2408 wrote to memory of 472	2408	cmd.exe	reg.exe
PID 2424 wrote to memory of 760	2424	cmd.exe	reg.exe
PID 2424 wrote to memory of 760	2424	cmd.exe	reg.exe
PID 2424 wrote to memory of 760	2424	cmd.exe	reg.exe
PID 2424 wrote to memory of 760	2424	cmd.exe	reg.exe
PID 2532 wrote to memory of 2220	2532	system.exe	cmd.exe
PID 2532 wrote to memory of 2220	2532	system.exe	cmd.exe
PID 2532 wrote to memory of 2220	2532	system.exe	cmd.exe
PID 2532 wrote to memory of 2220	2532	system.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\Ransomware\7ev3n.exe
"C:\Users\Admin\AppData\Local\Temp\Ransomware\7ev3n.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2992

C:\Users\Admin\AppData\Local\system.exe
"C:\Users\Admin\AppData\Local\system.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2532

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\del.bat
3⤵
- Deletes itself
PID:864

C:\Windows\SysWOW64\SCHTASKS.exe
C:\Windows\System32\SCHTASKS.exe /create /SC ONLOGON /TN uac /TR "C:\Users\Admin\AppData\Local\bcd.bat" /RL HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:2740

C:\windows\SysWOW64\cmd.exe
C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
3⤵
- Suspicious use of WriteProcessMemory
PID:2756

C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
4⤵
- Modifies WinLogon for persistence
PID:2436

C:\windows\SysWOW64\cmd.exe
C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "System" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
3⤵
- Suspicious use of WriteProcessMemory
PID:2596

C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "System" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
4⤵
- Adds Run key to start application
PID:676

C:\windows\SysWOW64\cmd.exe
C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d "00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000" /f /reg:64
3⤵
- Suspicious use of WriteProcessMemory
PID:2452

C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d "00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000" /f /reg:64
4⤵
PID:1944

C:\windows\SysWOW64\cmd.exe
C:\windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d 506 /f /reg:64
3⤵
- Suspicious use of WriteProcessMemory
PID:2680

C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d 506 /f /reg:64
4⤵
PID:524

C:\windows\SysWOW64\cmd.exe
C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "rgd_bcd_condition" /t REG_SZ /d 1 /f /reg:64
3⤵
- Suspicious use of WriteProcessMemory
PID:2408

C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "rgd_bcd_condition" /t REG_SZ /d 1 /f /reg:64
4⤵
PID:472

C:\windows\SysWOW64\cmd.exe
C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f /reg:64
3⤵
- Suspicious use of WriteProcessMemory
PID:2424

C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f /reg:64
4⤵
- UAC bypass
PID:760

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "crypted" /t REG_SZ /d 1 /f /reg:64
3⤵
PID:2220

C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "crypted" /t REG_SZ /d 1 /f /reg:64
4⤵
PID:1996

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c shutdown -r -t 10 -f
3⤵
PID:1924

C:\Windows\SysWOW64\shutdown.exe
shutdown -r -t 10 -f
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1352

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:2096

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:1720

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\del.bat
Filesize
76B

MD5
2623d4a3f9735b4a8298ad5050eb73ef

SHA1
3dcd1491a378acd63f725bd427ecb9810dc3cea2

SHA256
01ddb9a534a1519c377c6951557207284a9a941870951797b2dfa5ed86a85709

SHA512
aff6ca24a072b2219dafaa751a011cf41b5e8f638438e79d4e1852ff33ce7dbfa87e9e36b867866b2b8bd5ae30f0267d0ce2827caea21ec73a690ae9b4e329e8

Download Submit
\Users\Admin\AppData\Local\system.exe
Filesize
315KB

MD5
e1f2ebae2414e54e5c077e5c8cd776f7

SHA1
13785be2a08581da91b81241a065d4bf24ccec58

SHA256
6d4b30131e32ce5e8f5a3251e6a28cfdaad04e0d90d844acc72b562a3579e928

SHA512
2c6593bdbcec1c9d54a68759ee8d8cfb7ab6c05c10f5e62be312b7934c2b0c8d96a3792657aa41647cace590106d520a12cf78941f3fe61714e7a96387668bec

Download Submit
memory/1720-142-0x00000000027A0000-0x00000000027A1000-memory.dmp

Filesize
4KB

Download
memory/2096-141-0x0000000002AC0000-0x0000000002AC1000-memory.dmp

Filesize
4KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads