Overview
overview
10Static
static
7Ransomware...er.exe
windows10-2004-x64
8Ransomware/7ev3n.exe
windows10-2004-x64
Ransomware...le.exe
windows10-2004-x64
Ransomware...it.exe
windows10-2004-x64
10Ransomware/Birele.exe
windows10-2004-x64
10Ransomware...r5.exe
windows10-2004-x64
8Ransomware...us.exe
windows10-2004-x64
10Ransomware...er.exe
windows10-2004-x64
10Ransomware...ll.exe
windows10-2004-x64
7Ransomware...ck.exe
windows10-2004-x64
7Ransomware/Dharma.exe
windows10-2004-x64
9Ransomware/Fantom.exe
windows10-2004-x64
10Ransomware...ab.exe
windows10-2004-x64
7Ransomware...ye.exe
windows10-2004-x64
10Ransomware...Eye.js
windows10-2004-x64
10Ransomware...pt.exe
windows10-2004-x64
10Ransomware...en.exe
windows10-2004-x64
8Ransomware...AZ.dll
windows10-2004-x64
3Ransomware...om.exe
windows10-2004-x64
10Ransomware...ya.exe
windows10-2004-x64
10Ransomware...ap.exe
windows10-2004-x64
1Ransomware....A.exe
windows10-2004-x64
6Ransomware...om.exe
windows10-2004-x64
10Ransomware...nt.exe
windows10-2004-x64
Ransomware...ot.exe
windows10-2004-x64
Ransomware/RedEye.exe
windows10-2004-x64
Ransomware...re.exe
windows10-2004-x64
7Ransomware/Rokku.exe
windows10-2004-x64
10Ransomware/Satana.exe
windows10-2004-x64
5Ransomware/Seftad.exe
windows10-2004-x64
6Ransomware...re.exe
windows10-2004-x64
10Ransomware/UIWIX.dll
windows10-2004-x64
1Analysis
-
max time kernel
72s -
max time network
106s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-uk -
resource tags
arch:x64arch:x86image:win10v2004-20240226-uklocale:uk-uaos:windows10-2004-x64systemwindows -
submitted
03-03-2024 13:53
Behavioral task
behavioral1
Sample
Ransomware/$uckyLocker.exe
Resource
win10v2004-20240226-uk
Behavioral task
behavioral2
Sample
Ransomware/7ev3n.exe
Resource
win10v2004-20240226-uk
Behavioral task
behavioral3
Sample
Ransomware/Annabelle.exe
Resource
win10v2004-20240226-uk
Behavioral task
behavioral4
Sample
Ransomware/BadRabbit.exe
Resource
win10v2004-20240226-uk
Behavioral task
behavioral5
Sample
Ransomware/Birele.exe
Resource
win10v2004-20240226-uk
Behavioral task
behavioral6
Sample
Ransomware/Cerber5.exe
Resource
win10v2004-20240226-uk
Behavioral task
behavioral7
Sample
Ransomware/CoronaVirus.exe
Resource
win10v2004-20240226-uk
Behavioral task
behavioral8
Sample
Ransomware/CryptoLocker.exe
Resource
win10v2004-20240226-uk
Behavioral task
behavioral9
Sample
Ransomware/CryptoWall.exe
Resource
win10v2004-20240226-uk
Behavioral task
behavioral10
Sample
Ransomware/DeriaLock.exe
Resource
win10v2004-20240226-uk
Behavioral task
behavioral11
Sample
Ransomware/Dharma.exe
Resource
win10v2004-20240226-uk
Behavioral task
behavioral12
Sample
Ransomware/Fantom.exe
Resource
win10v2004-20240226-uk
Behavioral task
behavioral13
Sample
Ransomware/GandCrab.exe
Resource
win10v2004-20240226-uk
Behavioral task
behavioral14
Sample
Ransomware/GoldenEye/GoldenEye.exe
Resource
win10v2004-20240226-uk
Behavioral task
behavioral15
Sample
Ransomware/GoldenEye/GoldenEye.js
Resource
win10v2004-20240226-uk
Behavioral task
behavioral16
Sample
Ransomware/InfinityCrypt.exe
Resource
win10v2004-20240226-uk
Behavioral task
behavioral17
Sample
Ransomware/Krotten.exe
Resource
win10v2004-20240226-uk
Behavioral task
behavioral18
Sample
Ransomware/Locky.AZ.dll
Resource
win10v2004-20240226-uk
Behavioral task
behavioral19
Sample
Ransomware/NoMoreRansom.exe
Resource
win10v2004-20240226-uk
Behavioral task
behavioral20
Sample
Ransomware/NotPetya.exe
Resource
win10v2004-20240226-uk
Behavioral task
behavioral21
Sample
Ransomware/PetrWrap.exe
Resource
win10v2004-20240226-uk
Behavioral task
behavioral22
Sample
Ransomware/Petya.A.exe
Resource
win10v2004-20240226-uk
Behavioral task
behavioral23
Sample
Ransomware/PolyRansom.exe
Resource
win10v2004-20240226-uk
Behavioral task
behavioral24
Sample
Ransomware/PowerPoint.exe
Resource
win10v2004-20240226-uk
Behavioral task
behavioral25
Sample
Ransomware/RedBoot.exe
Resource
win10v2004-20240226-uk
Behavioral task
behavioral26
Sample
Ransomware/RedEye.exe
Resource
win10v2004-20240226-uk
Behavioral task
behavioral27
Sample
Ransomware/Rensenware.exe
Resource
win10v2004-20240226-uk
Behavioral task
behavioral28
Sample
Ransomware/Rokku.exe
Resource
win10v2004-20240226-uk
Behavioral task
behavioral29
Sample
Ransomware/Satana.exe
Resource
win10v2004-20240226-uk
Behavioral task
behavioral30
Sample
Ransomware/Seftad.exe
Resource
win10v2004-20240226-uk
Behavioral task
behavioral31
Sample
Ransomware/SporaRansomware.exe
Resource
win10v2004-20240226-uk
Behavioral task
behavioral32
Sample
Ransomware/UIWIX.dll
Resource
win10v2004-20240226-uk
Errors
General
-
Target
Ransomware/7ev3n.exe
-
Size
315KB
-
MD5
9f8bc96c96d43ecb69f883388d228754
-
SHA1
61ed25a706afa2f6684bb4d64f69c5fb29d20953
-
SHA256
7d373ccb96d1dbb1856ef31afa87c2112a0c1795a796ab01cb154700288afec5
-
SHA512
550a891c1059f58aa983138caf65a7ea9c326cb1b94c15f3e7594128f6e9f1295b9c2dbc0925637dba7c94e938083fffc6a63dc7c2e5b1e247679931cce505c6
-
SSDEEP
6144:BswDdb2MemnBVlz0SoVbO4A6OA4Trl28TyT6llY1/I8cWJWlfTXv:BswRSslz0P1OdFXJlJ8buXv
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes:
reg.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\system.exe" reg.exe -
Processes:
reg.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe -
Executes dropped EXE 1 IoCs
Processes:
system.exepid process 2996 system.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
reg.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "C:\\Users\\Admin\\AppData\\Local\\system.exe" reg.exe -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 15 IoCs
Processes:
LogonUI.exedescription ioc process Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "124" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" LogonUI.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History LogonUI.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
shutdown.exedescription pid process Token: SeShutdownPrivilege 1020 shutdown.exe Token: SeRemoteShutdownPrivilege 1020 shutdown.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
LogonUI.exepid process 1636 LogonUI.exe -
Suspicious use of WriteProcessMemory 57 IoCs
Processes:
7ev3n.exesystem.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exedescription pid process target process PID 4192 wrote to memory of 2996 4192 7ev3n.exe system.exe PID 4192 wrote to memory of 2996 4192 7ev3n.exe system.exe PID 4192 wrote to memory of 2996 4192 7ev3n.exe system.exe PID 2996 wrote to memory of 4516 2996 system.exe cmd.exe PID 2996 wrote to memory of 4516 2996 system.exe cmd.exe PID 2996 wrote to memory of 4516 2996 system.exe cmd.exe PID 2996 wrote to memory of 2212 2996 system.exe SCHTASKS.exe PID 2996 wrote to memory of 2212 2996 system.exe SCHTASKS.exe PID 2996 wrote to memory of 2212 2996 system.exe SCHTASKS.exe PID 2996 wrote to memory of 3288 2996 system.exe cmd.exe PID 2996 wrote to memory of 3288 2996 system.exe cmd.exe PID 2996 wrote to memory of 3288 2996 system.exe cmd.exe PID 2996 wrote to memory of 3308 2996 system.exe cmd.exe PID 2996 wrote to memory of 3308 2996 system.exe cmd.exe PID 2996 wrote to memory of 3308 2996 system.exe cmd.exe PID 2996 wrote to memory of 1148 2996 system.exe cmd.exe PID 2996 wrote to memory of 1148 2996 system.exe cmd.exe PID 2996 wrote to memory of 1148 2996 system.exe cmd.exe PID 2996 wrote to memory of 1868 2996 system.exe cmd.exe PID 2996 wrote to memory of 1868 2996 system.exe cmd.exe PID 2996 wrote to memory of 1868 2996 system.exe cmd.exe PID 2996 wrote to memory of 796 2996 system.exe cmd.exe PID 2996 wrote to memory of 796 2996 system.exe cmd.exe PID 2996 wrote to memory of 796 2996 system.exe cmd.exe PID 2996 wrote to memory of 3668 2996 system.exe cmd.exe PID 2996 wrote to memory of 3668 2996 system.exe cmd.exe PID 2996 wrote to memory of 3668 2996 system.exe cmd.exe PID 3308 wrote to memory of 1412 3308 cmd.exe reg.exe PID 3308 wrote to memory of 1412 3308 cmd.exe reg.exe PID 3308 wrote to memory of 1412 3308 cmd.exe reg.exe PID 1868 wrote to memory of 2244 1868 cmd.exe reg.exe PID 1868 wrote to memory of 2244 1868 cmd.exe reg.exe PID 1868 wrote to memory of 2244 1868 cmd.exe reg.exe PID 796 wrote to memory of 2020 796 cmd.exe reg.exe PID 796 wrote to memory of 2020 796 cmd.exe reg.exe PID 796 wrote to memory of 2020 796 cmd.exe reg.exe PID 1148 wrote to memory of 1748 1148 cmd.exe reg.exe PID 1148 wrote to memory of 1748 1148 cmd.exe reg.exe PID 1148 wrote to memory of 1748 1148 cmd.exe reg.exe PID 3288 wrote to memory of 880 3288 cmd.exe reg.exe PID 3288 wrote to memory of 880 3288 cmd.exe reg.exe PID 3288 wrote to memory of 880 3288 cmd.exe reg.exe PID 3668 wrote to memory of 3376 3668 cmd.exe reg.exe PID 3668 wrote to memory of 3376 3668 cmd.exe reg.exe PID 3668 wrote to memory of 3376 3668 cmd.exe reg.exe PID 2996 wrote to memory of 1928 2996 system.exe cmd.exe PID 2996 wrote to memory of 1928 2996 system.exe cmd.exe PID 2996 wrote to memory of 1928 2996 system.exe cmd.exe PID 1928 wrote to memory of 1492 1928 cmd.exe reg.exe PID 1928 wrote to memory of 1492 1928 cmd.exe reg.exe PID 1928 wrote to memory of 1492 1928 cmd.exe reg.exe PID 2996 wrote to memory of 4188 2996 system.exe cmd.exe PID 2996 wrote to memory of 4188 2996 system.exe cmd.exe PID 2996 wrote to memory of 4188 2996 system.exe cmd.exe PID 4188 wrote to memory of 1020 4188 cmd.exe shutdown.exe PID 4188 wrote to memory of 1020 4188 cmd.exe shutdown.exe PID 4188 wrote to memory of 1020 4188 cmd.exe shutdown.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Ransomware\7ev3n.exe"C:\Users\Admin\AppData\Local\Temp\Ransomware\7ev3n.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\system.exe"C:\Users\Admin\AppData\Local\system.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\del.bat3⤵
-
C:\Windows\SysWOW64\SCHTASKS.exeC:\Windows\System32\SCHTASKS.exe /create /SC ONLOGON /TN uac /TR "C:\Users\Admin\AppData\Local\bcd.bat" /RL HIGHEST /f3⤵
- Creates scheduled task(s)
-
C:\windows\SysWOW64\cmd.exeC:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:643⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:644⤵
- Modifies WinLogon for persistence
-
C:\windows\SysWOW64\cmd.exeC:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "System" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:643⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "System" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:644⤵
- Adds Run key to start application
-
C:\windows\SysWOW64\cmd.exeC:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d "00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000" /f /reg:643⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d "00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000" /f /reg:644⤵
-
C:\windows\SysWOW64\cmd.exeC:\windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d 506 /f /reg:643⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d 506 /f /reg:644⤵
-
C:\windows\SysWOW64\cmd.exeC:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "rgd_bcd_condition" /t REG_SZ /d 1 /f /reg:643⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "rgd_bcd_condition" /t REG_SZ /d 1 /f /reg:644⤵
-
C:\windows\SysWOW64\cmd.exeC:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f /reg:643⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f /reg:644⤵
- UAC bypass
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "crypted" /t REG_SZ /d 1 /f /reg:643⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "crypted" /t REG_SZ /d 1 /f /reg:644⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c shutdown -r -t 10 -f3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\shutdown.exeshutdown -r -t 10 -f4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa3940855 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\del.batFilesize
76B
MD52623d4a3f9735b4a8298ad5050eb73ef
SHA13dcd1491a378acd63f725bd427ecb9810dc3cea2
SHA25601ddb9a534a1519c377c6951557207284a9a941870951797b2dfa5ed86a85709
SHA512aff6ca24a072b2219dafaa751a011cf41b5e8f638438e79d4e1852ff33ce7dbfa87e9e36b867866b2b8bd5ae30f0267d0ce2827caea21ec73a690ae9b4e329e8
-
C:\Users\Admin\AppData\Local\system.exeFilesize
315KB
MD568c8e18a1887eedc3da23719a34f6329
SHA1682a53bb3b8006219f0cfde25f7866db755c0a19
SHA256b3d38fd9bc60f5610c262392e8dcce0ad05b6a7ebc4e4b7232578ed80ff0270d
SHA5122733065fe4e2ee1749bfb78d5541cdb5204f291ceec4711da856e4e8f2d80eed51169c5434afbcc493434862787267f878de619847f03113c078a24d8f177c07