Overview
overview
10Static
static
3Ransomware.7ev3n.exe
windows7-x64
Ransomware.7ev3n.exe
windows10-2004-x64
Ransomware...it.exe
windows7-x64
10Ransomware...it.exe
windows10-2004-x64
10Ransomware...us.exe
windows7-x64
10Ransomware...us.exe
windows10-2004-x64
10Ransomware...er.exe
windows7-x64
10Ransomware...er.exe
windows10-2004-x64
10Analysis
-
max time kernel
34s -
max time network
37s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
09-03-2024 01:16
Static task
static1
Behavioral task
behavioral1
Sample
Ransomware.7ev3n.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
Ransomware.7ev3n.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral3
Sample
Ransomware.BadRabbit.exe
Resource
win7-20240221-en
Behavioral task
behavioral4
Sample
Ransomware.BadRabbit.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral5
Sample
Ransomware.CoronaVirus.exe
Resource
win7-20240221-en
Behavioral task
behavioral6
Sample
Ransomware.CoronaVirus.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral7
Sample
Ransomware.CryptoLocker.exe
Resource
win7-20240221-en
Behavioral task
behavioral8
Sample
Ransomware.CryptoLocker.exe
Resource
win10v2004-20240226-en
Errors
General
-
Target
Ransomware.7ev3n.exe
-
Size
315KB
-
MD5
9f8bc96c96d43ecb69f883388d228754
-
SHA1
61ed25a706afa2f6684bb4d64f69c5fb29d20953
-
SHA256
7d373ccb96d1dbb1856ef31afa87c2112a0c1795a796ab01cb154700288afec5
-
SHA512
550a891c1059f58aa983138caf65a7ea9c326cb1b94c15f3e7594128f6e9f1295b9c2dbc0925637dba7c94e938083fffc6a63dc7c2e5b1e247679931cce505c6
-
SSDEEP
6144:BswDdb2MemnBVlz0SoVbO4A6OA4Trl28TyT6llY1/I8cWJWlfTXv:BswRSslz0P1OdFXJlJ8buXv
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes:
reg.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\system.exe" reg.exe -
Processes:
reg.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe -
Deletes itself 1 IoCs
Processes:
cmd.exepid process 2688 cmd.exe -
Executes dropped EXE 1 IoCs
Processes:
system.exepid process 3028 system.exe -
Loads dropped DLL 2 IoCs
Processes:
Ransomware.7ev3n.exepid process 1708 Ransomware.7ev3n.exe 1708 Ransomware.7ev3n.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
reg.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "C:\\Users\\Admin\\AppData\\Local\\system.exe" reg.exe -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
shutdown.exedescription pid process Token: SeShutdownPrivilege 1424 shutdown.exe Token: SeRemoteShutdownPrivilege 1424 shutdown.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
Ransomware.7ev3n.exesystem.execmd.execmd.execmd.execmd.execmd.execmd.exedescription pid process target process PID 1708 wrote to memory of 3028 1708 Ransomware.7ev3n.exe system.exe PID 1708 wrote to memory of 3028 1708 Ransomware.7ev3n.exe system.exe PID 1708 wrote to memory of 3028 1708 Ransomware.7ev3n.exe system.exe PID 1708 wrote to memory of 3028 1708 Ransomware.7ev3n.exe system.exe PID 3028 wrote to memory of 2688 3028 system.exe cmd.exe PID 3028 wrote to memory of 2688 3028 system.exe cmd.exe PID 3028 wrote to memory of 2688 3028 system.exe cmd.exe PID 3028 wrote to memory of 2688 3028 system.exe cmd.exe PID 3028 wrote to memory of 2552 3028 system.exe SCHTASKS.exe PID 3028 wrote to memory of 2552 3028 system.exe SCHTASKS.exe PID 3028 wrote to memory of 2552 3028 system.exe SCHTASKS.exe PID 3028 wrote to memory of 2552 3028 system.exe SCHTASKS.exe PID 3028 wrote to memory of 2056 3028 system.exe cmd.exe PID 3028 wrote to memory of 2056 3028 system.exe cmd.exe PID 3028 wrote to memory of 2056 3028 system.exe cmd.exe PID 3028 wrote to memory of 2056 3028 system.exe cmd.exe PID 3028 wrote to memory of 2592 3028 system.exe cmd.exe PID 3028 wrote to memory of 2592 3028 system.exe cmd.exe PID 3028 wrote to memory of 2592 3028 system.exe cmd.exe PID 3028 wrote to memory of 2592 3028 system.exe cmd.exe PID 3028 wrote to memory of 2560 3028 system.exe cmd.exe PID 3028 wrote to memory of 2560 3028 system.exe cmd.exe PID 3028 wrote to memory of 2560 3028 system.exe cmd.exe PID 3028 wrote to memory of 2560 3028 system.exe cmd.exe PID 3028 wrote to memory of 2432 3028 system.exe cmd.exe PID 3028 wrote to memory of 2432 3028 system.exe cmd.exe PID 3028 wrote to memory of 2432 3028 system.exe cmd.exe PID 3028 wrote to memory of 2432 3028 system.exe cmd.exe PID 3028 wrote to memory of 2636 3028 system.exe cmd.exe PID 3028 wrote to memory of 2636 3028 system.exe cmd.exe PID 3028 wrote to memory of 2636 3028 system.exe cmd.exe PID 3028 wrote to memory of 2636 3028 system.exe cmd.exe PID 3028 wrote to memory of 2788 3028 system.exe cmd.exe PID 3028 wrote to memory of 2788 3028 system.exe cmd.exe PID 3028 wrote to memory of 2788 3028 system.exe cmd.exe PID 3028 wrote to memory of 2788 3028 system.exe cmd.exe PID 2056 wrote to memory of 2400 2056 cmd.exe reg.exe PID 2056 wrote to memory of 2400 2056 cmd.exe reg.exe PID 2056 wrote to memory of 2400 2056 cmd.exe reg.exe PID 2056 wrote to memory of 2400 2056 cmd.exe reg.exe PID 2560 wrote to memory of 2936 2560 cmd.exe reg.exe PID 2560 wrote to memory of 2936 2560 cmd.exe reg.exe PID 2560 wrote to memory of 2936 2560 cmd.exe reg.exe PID 2560 wrote to memory of 2936 2560 cmd.exe reg.exe PID 2592 wrote to memory of 2920 2592 cmd.exe reg.exe PID 2592 wrote to memory of 2920 2592 cmd.exe reg.exe PID 2592 wrote to memory of 2920 2592 cmd.exe reg.exe PID 2592 wrote to memory of 2920 2592 cmd.exe reg.exe PID 2636 wrote to memory of 2116 2636 cmd.exe reg.exe PID 2636 wrote to memory of 2116 2636 cmd.exe reg.exe PID 2636 wrote to memory of 2116 2636 cmd.exe reg.exe PID 2636 wrote to memory of 2116 2636 cmd.exe reg.exe PID 2432 wrote to memory of 2296 2432 cmd.exe reg.exe PID 2432 wrote to memory of 2296 2432 cmd.exe reg.exe PID 2432 wrote to memory of 2296 2432 cmd.exe reg.exe PID 2432 wrote to memory of 2296 2432 cmd.exe reg.exe PID 2788 wrote to memory of 2924 2788 cmd.exe reg.exe PID 2788 wrote to memory of 2924 2788 cmd.exe reg.exe PID 2788 wrote to memory of 2924 2788 cmd.exe reg.exe PID 2788 wrote to memory of 2924 2788 cmd.exe reg.exe PID 3028 wrote to memory of 1988 3028 system.exe cmd.exe PID 3028 wrote to memory of 1988 3028 system.exe cmd.exe PID 3028 wrote to memory of 1988 3028 system.exe cmd.exe PID 3028 wrote to memory of 1988 3028 system.exe cmd.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Ransomware.7ev3n.exe"C:\Users\Admin\AppData\Local\Temp\Ransomware.7ev3n.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\system.exe"C:\Users\Admin\AppData\Local\system.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\del.bat3⤵
- Deletes itself
-
C:\Windows\SysWOW64\SCHTASKS.exeC:\Windows\System32\SCHTASKS.exe /create /SC ONLOGON /TN uac /TR "C:\Users\Admin\AppData\Local\bcd.bat" /RL HIGHEST /f3⤵
- Creates scheduled task(s)
-
C:\windows\SysWOW64\cmd.exeC:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:643⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:644⤵
- Modifies WinLogon for persistence
-
C:\windows\SysWOW64\cmd.exeC:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "System" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:643⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "System" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:644⤵
- Adds Run key to start application
-
C:\windows\SysWOW64\cmd.exeC:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d "00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000" /f /reg:643⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d "00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000" /f /reg:644⤵
-
C:\windows\SysWOW64\cmd.exeC:\windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d 506 /f /reg:643⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d 506 /f /reg:644⤵
-
C:\windows\SysWOW64\cmd.exeC:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "rgd_bcd_condition" /t REG_SZ /d 1 /f /reg:643⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "rgd_bcd_condition" /t REG_SZ /d 1 /f /reg:644⤵
-
C:\windows\SysWOW64\cmd.exeC:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f /reg:643⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f /reg:644⤵
- UAC bypass
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "crypted" /t REG_SZ /d 1 /f /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "crypted" /t REG_SZ /d 1 /f /reg:644⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c shutdown -r -t 10 -f3⤵
-
C:\Windows\SysWOW64\shutdown.exeshutdown -r -t 10 -f4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x01⤵
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x11⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\del.batFilesize
76B
MD5bd6cd262cc5cccb49b23151fd6ac9d83
SHA1cbb450016597875cd6616e62ec8f9a1acd4abb9a
SHA2567f35dc86053a85c2ffe7ef385ace63105cdff5fd1960be4169a72b66dcb9c2cb
SHA5126bfbb77e4050c65a74c97aefebd80bab1b61e9cad3332aa5dbe42ea8bd2c171012a9426e98e1b85e3f9ab0f48ef6501d44ef1b9318def2c994f4f26433b3ad09
-
\Users\Admin\AppData\Local\system.exeFilesize
315KB
MD5f87545bf1df9f85aafcbb67afbf1eac9
SHA187b80dd6ec22d63ce7674f1db2e4681e5a647ead
SHA256c5132f0d34cb40b0bd8d28ecb0e8abcd492d87dffc5a64c4d75421ab1d0c7a4c
SHA5127f27df0a7de41bc0a9ee5c711785a377847e8179a20785033b52311b74f9e37d7af237ee8d6d7f659c3c3ed990f30db4687e500f6f66d837b6ef991fc94ab83e
-
memory/696-142-0x00000000026B0000-0x00000000026B1000-memory.dmpFilesize
4KB
-
memory/956-141-0x00000000029C0000-0x00000000029C1000-memory.dmpFilesize
4KB