022728f678d8dcc6cba20147595ed4099e9c98be0582c0f67518d5664e3b8523

Analysis

max time kernel
72s
max time network
106s
platform
windows10-2004_x64
resource
win10v2004-20240226-uk
resource tags

arch:x64arch:x86image:win10v2004-20240226-uklocale:uk-uaos:windows10-2004-x64systemwindows
submitted
03-03-2024 13:53

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

Ransomware/7ev3n.exe
Size

315KB
MD5

9f8bc96c96d43ecb69f883388d228754
SHA1

61ed25a706afa2f6684bb4d64f69c5fb29d20953
SHA256

7d373ccb96d1dbb1856ef31afa87c2112a0c1795a796ab01cb154700288afec5
SHA512

550a891c1059f58aa983138caf65a7ea9c326cb1b94c15f3e7594128f6e9f1295b9c2dbc0925637dba7c94e938083fffc6a63dc7c2e5b1e247679931cce505c6
SSDEEP

6144:BswDdb2MemnBVlz0SoVbO4A6OA4Trl28TyT6llY1/I8cWJWlfTXv:BswRSslz0P1OdFXJlJ8buXv

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\system.exe"	reg.exe

UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1548.002

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

reg.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe
Executes dropped EXE 1 IoCs

Processes:

system.exe

pid process

2996 system.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

pid	process
2996	system.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "C:\\Users\\Admin\\AppData\\Local\\system.exe"	reg.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

SCHTASKS.exe

pid process

2212 SCHTASKS.exe

pid	process
2212	SCHTASKS.exe

Modifies data under HKEY_USERS 15 IoCs

Processes:

LogonUI.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "124"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

shutdown.exe

description pid process

Token: SeShutdownPrivilege 1020 shutdown.exe
Token: SeRemoteShutdownPrivilege 1020 shutdown.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

LogonUI.exe

pid process

1636 LogonUI.exe

description	pid	process
Token: SeShutdownPrivilege	1020	shutdown.exe
Token: SeRemoteShutdownPrivilege	1020	shutdown.exe

pid	process
1636	LogonUI.exe

Suspicious use of WriteProcessMemory 57 IoCs

Processes:

7ev3n.exesystem.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 4192 wrote to memory of 2996	4192	7ev3n.exe	system.exe
PID 4192 wrote to memory of 2996	4192	7ev3n.exe	system.exe
PID 4192 wrote to memory of 2996	4192	7ev3n.exe	system.exe
PID 2996 wrote to memory of 4516	2996	system.exe	cmd.exe
PID 2996 wrote to memory of 4516	2996	system.exe	cmd.exe
PID 2996 wrote to memory of 4516	2996	system.exe	cmd.exe
PID 2996 wrote to memory of 2212	2996	system.exe	SCHTASKS.exe
PID 2996 wrote to memory of 2212	2996	system.exe	SCHTASKS.exe
PID 2996 wrote to memory of 2212	2996	system.exe	SCHTASKS.exe
PID 2996 wrote to memory of 3288	2996	system.exe	cmd.exe
PID 2996 wrote to memory of 3288	2996	system.exe	cmd.exe
PID 2996 wrote to memory of 3288	2996	system.exe	cmd.exe
PID 2996 wrote to memory of 3308	2996	system.exe	cmd.exe
PID 2996 wrote to memory of 3308	2996	system.exe	cmd.exe
PID 2996 wrote to memory of 3308	2996	system.exe	cmd.exe
PID 2996 wrote to memory of 1148	2996	system.exe	cmd.exe
PID 2996 wrote to memory of 1148	2996	system.exe	cmd.exe
PID 2996 wrote to memory of 1148	2996	system.exe	cmd.exe
PID 2996 wrote to memory of 1868	2996	system.exe	cmd.exe
PID 2996 wrote to memory of 1868	2996	system.exe	cmd.exe
PID 2996 wrote to memory of 1868	2996	system.exe	cmd.exe
PID 2996 wrote to memory of 796	2996	system.exe	cmd.exe
PID 2996 wrote to memory of 796	2996	system.exe	cmd.exe
PID 2996 wrote to memory of 796	2996	system.exe	cmd.exe
PID 2996 wrote to memory of 3668	2996	system.exe	cmd.exe
PID 2996 wrote to memory of 3668	2996	system.exe	cmd.exe
PID 2996 wrote to memory of 3668	2996	system.exe	cmd.exe
PID 3308 wrote to memory of 1412	3308	cmd.exe	reg.exe
PID 3308 wrote to memory of 1412	3308	cmd.exe	reg.exe
PID 3308 wrote to memory of 1412	3308	cmd.exe	reg.exe
PID 1868 wrote to memory of 2244	1868	cmd.exe	reg.exe
PID 1868 wrote to memory of 2244	1868	cmd.exe	reg.exe
PID 1868 wrote to memory of 2244	1868	cmd.exe	reg.exe
PID 796 wrote to memory of 2020	796	cmd.exe	reg.exe
PID 796 wrote to memory of 2020	796	cmd.exe	reg.exe
PID 796 wrote to memory of 2020	796	cmd.exe	reg.exe
PID 1148 wrote to memory of 1748	1148	cmd.exe	reg.exe
PID 1148 wrote to memory of 1748	1148	cmd.exe	reg.exe
PID 1148 wrote to memory of 1748	1148	cmd.exe	reg.exe
PID 3288 wrote to memory of 880	3288	cmd.exe	reg.exe
PID 3288 wrote to memory of 880	3288	cmd.exe	reg.exe
PID 3288 wrote to memory of 880	3288	cmd.exe	reg.exe
PID 3668 wrote to memory of 3376	3668	cmd.exe	reg.exe
PID 3668 wrote to memory of 3376	3668	cmd.exe	reg.exe
PID 3668 wrote to memory of 3376	3668	cmd.exe	reg.exe
PID 2996 wrote to memory of 1928	2996	system.exe	cmd.exe
PID 2996 wrote to memory of 1928	2996	system.exe	cmd.exe
PID 2996 wrote to memory of 1928	2996	system.exe	cmd.exe
PID 1928 wrote to memory of 1492	1928	cmd.exe	reg.exe
PID 1928 wrote to memory of 1492	1928	cmd.exe	reg.exe
PID 1928 wrote to memory of 1492	1928	cmd.exe	reg.exe
PID 2996 wrote to memory of 4188	2996	system.exe	cmd.exe
PID 2996 wrote to memory of 4188	2996	system.exe	cmd.exe
PID 2996 wrote to memory of 4188	2996	system.exe	cmd.exe
PID 4188 wrote to memory of 1020	4188	cmd.exe	shutdown.exe
PID 4188 wrote to memory of 1020	4188	cmd.exe	shutdown.exe
PID 4188 wrote to memory of 1020	4188	cmd.exe	shutdown.exe

C:\Users\Admin\AppData\Local\Temp\Ransomware\7ev3n.exe
"C:\Users\Admin\AppData\Local\Temp\Ransomware\7ev3n.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4192

C:\Users\Admin\AppData\Local\system.exe
"C:\Users\Admin\AppData\Local\system.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2996

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\del.bat
3⤵
PID:4516

C:\Windows\SysWOW64\SCHTASKS.exe
C:\Windows\System32\SCHTASKS.exe /create /SC ONLOGON /TN uac /TR "C:\Users\Admin\AppData\Local\bcd.bat" /RL HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:2212

C:\windows\SysWOW64\cmd.exe
C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
3⤵
- Suspicious use of WriteProcessMemory
PID:3288

C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
4⤵
- Modifies WinLogon for persistence
PID:880

C:\windows\SysWOW64\cmd.exe
C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "System" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
3⤵
- Suspicious use of WriteProcessMemory
PID:3308

C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "System" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
4⤵
- Adds Run key to start application
PID:1412

C:\windows\SysWOW64\cmd.exe
C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d "00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000" /f /reg:64
3⤵
- Suspicious use of WriteProcessMemory
PID:1148

C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d "00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000" /f /reg:64
4⤵
PID:1748

C:\windows\SysWOW64\cmd.exe
C:\windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d 506 /f /reg:64
3⤵
- Suspicious use of WriteProcessMemory
PID:1868

C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d 506 /f /reg:64
4⤵
PID:2244

C:\windows\SysWOW64\cmd.exe
C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "rgd_bcd_condition" /t REG_SZ /d 1 /f /reg:64
3⤵
- Suspicious use of WriteProcessMemory
PID:796

C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "rgd_bcd_condition" /t REG_SZ /d 1 /f /reg:64
4⤵
PID:2020

C:\windows\SysWOW64\cmd.exe
C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f /reg:64
3⤵
- Suspicious use of WriteProcessMemory
PID:3668

C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f /reg:64
4⤵
- UAC bypass
PID:3376

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "crypted" /t REG_SZ /d 1 /f /reg:64
3⤵
- Suspicious use of WriteProcessMemory
PID:1928

C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "crypted" /t REG_SZ /d 1 /f /reg:64
4⤵
PID:1492

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c shutdown -r -t 10 -f
3⤵
- Suspicious use of WriteProcessMemory
PID:4188

C:\Windows\SysWOW64\shutdown.exe
shutdown -r -t 10 -f
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1020

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3940855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:1636

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\del.bat
Filesize
76B

MD5
2623d4a3f9735b4a8298ad5050eb73ef

SHA1
3dcd1491a378acd63f725bd427ecb9810dc3cea2

SHA256
01ddb9a534a1519c377c6951557207284a9a941870951797b2dfa5ed86a85709

SHA512
aff6ca24a072b2219dafaa751a011cf41b5e8f638438e79d4e1852ff33ce7dbfa87e9e36b867866b2b8bd5ae30f0267d0ce2827caea21ec73a690ae9b4e329e8

Download Submit
C:\Users\Admin\AppData\Local\system.exe
Filesize
315KB

MD5
68c8e18a1887eedc3da23719a34f6329

SHA1
682a53bb3b8006219f0cfde25f7866db755c0a19

SHA256
b3d38fd9bc60f5610c262392e8dcce0ad05b6a7ebc4e4b7232578ed80ff0270d

SHA512
2733065fe4e2ee1749bfb78d5541cdb5204f291ceec4711da856e4e8f2d80eed51169c5434afbcc493434862787267f878de619847f03113c078a24d8f177c07

Download Submit

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads