c09966a6b365f7c93e2bbb5a6c462691f10661329646c91434efbd31b2db99de

Reason

Machine shutdown

General

Target

Ransomware.7ev3n.exe
Size

315KB
MD5

9f8bc96c96d43ecb69f883388d228754
SHA1

61ed25a706afa2f6684bb4d64f69c5fb29d20953
SHA256

7d373ccb96d1dbb1856ef31afa87c2112a0c1795a796ab01cb154700288afec5
SHA512

550a891c1059f58aa983138caf65a7ea9c326cb1b94c15f3e7594128f6e9f1295b9c2dbc0925637dba7c94e938083fffc6a63dc7c2e5b1e247679931cce505c6
SSDEEP

6144:BswDdb2MemnBVlz0SoVbO4A6OA4Trl28TyT6llY1/I8cWJWlfTXv:BswRSslz0P1OdFXJlJ8buXv

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\system.exe"	reg.exe

UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1548.002

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

reg.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2688 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

system.exe

pid process

3028 system.exe
Loads dropped DLL 2 IoCs

Processes:

Ransomware.7ev3n.exe

pid process

1708 Ransomware.7ev3n.exe
1708 Ransomware.7ev3n.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

pid	process
2688	cmd.exe

pid	process
3028	system.exe

pid	process
1708	Ransomware.7ev3n.exe
1708	Ransomware.7ev3n.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "C:\\Users\\Admin\\AppData\\Local\\system.exe"	reg.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

SCHTASKS.exe

pid process

2552 SCHTASKS.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

shutdown.exe

description pid process

Token: SeShutdownPrivilege 1424 shutdown.exe
Token: SeRemoteShutdownPrivilege 1424 shutdown.exe

pid	process
2552	SCHTASKS.exe

description	pid	process
Token: SeShutdownPrivilege	1424	shutdown.exe
Token: SeRemoteShutdownPrivilege	1424	shutdown.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Ransomware.7ev3n.exesystem.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1708 wrote to memory of 3028	1708	Ransomware.7ev3n.exe	system.exe
PID 1708 wrote to memory of 3028	1708	Ransomware.7ev3n.exe	system.exe
PID 1708 wrote to memory of 3028	1708	Ransomware.7ev3n.exe	system.exe
PID 1708 wrote to memory of 3028	1708	Ransomware.7ev3n.exe	system.exe
PID 3028 wrote to memory of 2688	3028	system.exe	cmd.exe
PID 3028 wrote to memory of 2688	3028	system.exe	cmd.exe
PID 3028 wrote to memory of 2688	3028	system.exe	cmd.exe
PID 3028 wrote to memory of 2688	3028	system.exe	cmd.exe
PID 3028 wrote to memory of 2552	3028	system.exe	SCHTASKS.exe
PID 3028 wrote to memory of 2552	3028	system.exe	SCHTASKS.exe
PID 3028 wrote to memory of 2552	3028	system.exe	SCHTASKS.exe
PID 3028 wrote to memory of 2552	3028	system.exe	SCHTASKS.exe
PID 3028 wrote to memory of 2056	3028	system.exe	cmd.exe
PID 3028 wrote to memory of 2056	3028	system.exe	cmd.exe
PID 3028 wrote to memory of 2056	3028	system.exe	cmd.exe
PID 3028 wrote to memory of 2056	3028	system.exe	cmd.exe
PID 3028 wrote to memory of 2592	3028	system.exe	cmd.exe
PID 3028 wrote to memory of 2592	3028	system.exe	cmd.exe
PID 3028 wrote to memory of 2592	3028	system.exe	cmd.exe
PID 3028 wrote to memory of 2592	3028	system.exe	cmd.exe
PID 3028 wrote to memory of 2560	3028	system.exe	cmd.exe
PID 3028 wrote to memory of 2560	3028	system.exe	cmd.exe
PID 3028 wrote to memory of 2560	3028	system.exe	cmd.exe
PID 3028 wrote to memory of 2560	3028	system.exe	cmd.exe
PID 3028 wrote to memory of 2432	3028	system.exe	cmd.exe
PID 3028 wrote to memory of 2432	3028	system.exe	cmd.exe
PID 3028 wrote to memory of 2432	3028	system.exe	cmd.exe
PID 3028 wrote to memory of 2432	3028	system.exe	cmd.exe
PID 3028 wrote to memory of 2636	3028	system.exe	cmd.exe
PID 3028 wrote to memory of 2636	3028	system.exe	cmd.exe
PID 3028 wrote to memory of 2636	3028	system.exe	cmd.exe
PID 3028 wrote to memory of 2636	3028	system.exe	cmd.exe
PID 3028 wrote to memory of 2788	3028	system.exe	cmd.exe
PID 3028 wrote to memory of 2788	3028	system.exe	cmd.exe
PID 3028 wrote to memory of 2788	3028	system.exe	cmd.exe
PID 3028 wrote to memory of 2788	3028	system.exe	cmd.exe
PID 2056 wrote to memory of 2400	2056	cmd.exe	reg.exe
PID 2056 wrote to memory of 2400	2056	cmd.exe	reg.exe
PID 2056 wrote to memory of 2400	2056	cmd.exe	reg.exe
PID 2056 wrote to memory of 2400	2056	cmd.exe	reg.exe
PID 2560 wrote to memory of 2936	2560	cmd.exe	reg.exe
PID 2560 wrote to memory of 2936	2560	cmd.exe	reg.exe
PID 2560 wrote to memory of 2936	2560	cmd.exe	reg.exe
PID 2560 wrote to memory of 2936	2560	cmd.exe	reg.exe
PID 2592 wrote to memory of 2920	2592	cmd.exe	reg.exe
PID 2592 wrote to memory of 2920	2592	cmd.exe	reg.exe
PID 2592 wrote to memory of 2920	2592	cmd.exe	reg.exe
PID 2592 wrote to memory of 2920	2592	cmd.exe	reg.exe
PID 2636 wrote to memory of 2116	2636	cmd.exe	reg.exe
PID 2636 wrote to memory of 2116	2636	cmd.exe	reg.exe
PID 2636 wrote to memory of 2116	2636	cmd.exe	reg.exe
PID 2636 wrote to memory of 2116	2636	cmd.exe	reg.exe
PID 2432 wrote to memory of 2296	2432	cmd.exe	reg.exe
PID 2432 wrote to memory of 2296	2432	cmd.exe	reg.exe
PID 2432 wrote to memory of 2296	2432	cmd.exe	reg.exe
PID 2432 wrote to memory of 2296	2432	cmd.exe	reg.exe
PID 2788 wrote to memory of 2924	2788	cmd.exe	reg.exe
PID 2788 wrote to memory of 2924	2788	cmd.exe	reg.exe
PID 2788 wrote to memory of 2924	2788	cmd.exe	reg.exe
PID 2788 wrote to memory of 2924	2788	cmd.exe	reg.exe
PID 3028 wrote to memory of 1988	3028	system.exe	cmd.exe
PID 3028 wrote to memory of 1988	3028	system.exe	cmd.exe
PID 3028 wrote to memory of 1988	3028	system.exe	cmd.exe
PID 3028 wrote to memory of 1988	3028	system.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\Ransomware.7ev3n.exe
"C:\Users\Admin\AppData\Local\Temp\Ransomware.7ev3n.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1708

C:\Users\Admin\AppData\Local\system.exe
"C:\Users\Admin\AppData\Local\system.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3028

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\del.bat
3⤵
- Deletes itself
PID:2688

C:\Windows\SysWOW64\SCHTASKS.exe
C:\Windows\System32\SCHTASKS.exe /create /SC ONLOGON /TN uac /TR "C:\Users\Admin\AppData\Local\bcd.bat" /RL HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:2552

C:\windows\SysWOW64\cmd.exe
C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
3⤵
- Suspicious use of WriteProcessMemory
PID:2056

C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
4⤵
- Modifies WinLogon for persistence
PID:2400

C:\windows\SysWOW64\cmd.exe
C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "System" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
3⤵
- Suspicious use of WriteProcessMemory
PID:2592

C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "System" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
4⤵
- Adds Run key to start application
PID:2920

C:\windows\SysWOW64\cmd.exe
C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d "00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000" /f /reg:64
3⤵
- Suspicious use of WriteProcessMemory
PID:2560

C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d "00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000" /f /reg:64
4⤵
PID:2936

C:\windows\SysWOW64\cmd.exe
C:\windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d 506 /f /reg:64
3⤵
- Suspicious use of WriteProcessMemory
PID:2432

C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d 506 /f /reg:64
4⤵
PID:2296

C:\windows\SysWOW64\cmd.exe
C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "rgd_bcd_condition" /t REG_SZ /d 1 /f /reg:64
3⤵
- Suspicious use of WriteProcessMemory
PID:2636

C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "rgd_bcd_condition" /t REG_SZ /d 1 /f /reg:64
4⤵
PID:2116

C:\windows\SysWOW64\cmd.exe
C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f /reg:64
3⤵
- Suspicious use of WriteProcessMemory
PID:2788

C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f /reg:64
4⤵
- UAC bypass
PID:2924

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "crypted" /t REG_SZ /d 1 /f /reg:64
3⤵
PID:1988

C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "crypted" /t REG_SZ /d 1 /f /reg:64
4⤵
PID:1152

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c shutdown -r -t 10 -f
3⤵
PID:1084

C:\Windows\SysWOW64\shutdown.exe
shutdown -r -t 10 -f
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1424

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:956

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:696

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

Scheduled Task/Job

Defense Evasion

Modify Registry

3

T1112

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Impair Defenses

1

T1562

Disable or Modify Tools

1

T1562.001

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\del.bat
Filesize
76B

MD5
bd6cd262cc5cccb49b23151fd6ac9d83

SHA1
cbb450016597875cd6616e62ec8f9a1acd4abb9a

SHA256
7f35dc86053a85c2ffe7ef385ace63105cdff5fd1960be4169a72b66dcb9c2cb

SHA512
6bfbb77e4050c65a74c97aefebd80bab1b61e9cad3332aa5dbe42ea8bd2c171012a9426e98e1b85e3f9ab0f48ef6501d44ef1b9318def2c994f4f26433b3ad09

Download Submit
\Users\Admin\AppData\Local\system.exe
Filesize
315KB

MD5
f87545bf1df9f85aafcbb67afbf1eac9

SHA1
87b80dd6ec22d63ce7674f1db2e4681e5a647ead

SHA256
c5132f0d34cb40b0bd8d28ecb0e8abcd492d87dffc5a64c4d75421ab1d0c7a4c

SHA512
7f27df0a7de41bc0a9ee5c711785a377847e8179a20785033b52311b74f9e37d7af237ee8d6d7f659c3c3ed990f30db4687e500f6f66d837b6ef991fc94ab83e

Download Submit
memory/696-142-0x00000000026B0000-0x00000000026B1000-memory.dmp

Filesize
4KB

Download
memory/956-141-0x00000000029C0000-0x00000000029C1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads