Overview
overview
10Static
static
77ev3n.exe
windows7-x64
7ev3n.exe
windows10-2004-x64
Annabelle.exe
windows7-x64
Annabelle.exe
windows10-2004-x64
BadRabbit.exe
windows7-x64
BadRabbit.exe
windows10-2004-x64
Birele.exe
windows10-2004-x64
10Cerber 5.exe
windows7-x64
10Cerber 5.exe
windows10-2004-x64
10Darkside.exe
windows7-x64
10Darkside.exe
windows10-2004-x64
10DeriaLock.exe
windows7-x64
7DeriaLock.exe
windows10-2004-x64
7Analysis
-
max time kernel
27s -
max time network
28s -
platform
windows7_x64 -
resource
win7-20240215-en -
resource tags
arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system -
submitted
15-03-2024 21:34
Behavioral task
behavioral1
Sample
7ev3n.exe
Resource
win7-20240215-en
Behavioral task
behavioral2
Sample
7ev3n.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral3
Sample
Annabelle.exe
Resource
win7-20240221-en
Behavioral task
behavioral4
Sample
Annabelle.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral5
Sample
BadRabbit.exe
Resource
win7-20240221-en
Behavioral task
behavioral6
Sample
BadRabbit.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral7
Sample
Birele.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral8
Sample
Cerber 5.exe
Resource
win7-20240221-en
Behavioral task
behavioral9
Sample
Cerber 5.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral10
Sample
Darkside.exe
Resource
win7-20240221-en
Behavioral task
behavioral11
Sample
Darkside.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral12
Sample
DeriaLock.exe
Resource
win7-20240221-en
Behavioral task
behavioral13
Sample
DeriaLock.exe
Resource
win10v2004-20240226-en
Errors
General
-
Target
7ev3n.exe
-
Size
315KB
-
MD5
9f8bc96c96d43ecb69f883388d228754
-
SHA1
61ed25a706afa2f6684bb4d64f69c5fb29d20953
-
SHA256
7d373ccb96d1dbb1856ef31afa87c2112a0c1795a796ab01cb154700288afec5
-
SHA512
550a891c1059f58aa983138caf65a7ea9c326cb1b94c15f3e7594128f6e9f1295b9c2dbc0925637dba7c94e938083fffc6a63dc7c2e5b1e247679931cce505c6
-
SSDEEP
6144:BswDdb2MemnBVlz0SoVbO4A6OA4Trl28TyT6llY1/I8cWJWlfTXv:BswRSslz0P1OdFXJlJ8buXv
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\system.exe" reg.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe -
Deletes itself 1 IoCs
pid Process 2596 cmd.exe -
Executes dropped EXE 1 IoCs
pid Process 1964 system.exe -
Loads dropped DLL 2 IoCs
pid Process 2328 7ev3n.exe 2328 7ev3n.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "C:\\Users\\Admin\\AppData\\Local\\system.exe" reg.exe -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2712 SCHTASKS.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeShutdownPrivilege 680 shutdown.exe Token: SeRemoteShutdownPrivilege 680 shutdown.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2328 wrote to memory of 1964 2328 7ev3n.exe 28 PID 2328 wrote to memory of 1964 2328 7ev3n.exe 28 PID 2328 wrote to memory of 1964 2328 7ev3n.exe 28 PID 2328 wrote to memory of 1964 2328 7ev3n.exe 28 PID 1964 wrote to memory of 2596 1964 system.exe 29 PID 1964 wrote to memory of 2596 1964 system.exe 29 PID 1964 wrote to memory of 2596 1964 system.exe 29 PID 1964 wrote to memory of 2596 1964 system.exe 29 PID 1964 wrote to memory of 2712 1964 system.exe 31 PID 1964 wrote to memory of 2712 1964 system.exe 31 PID 1964 wrote to memory of 2712 1964 system.exe 31 PID 1964 wrote to memory of 2712 1964 system.exe 31 PID 1964 wrote to memory of 2928 1964 system.exe 33 PID 1964 wrote to memory of 2928 1964 system.exe 33 PID 1964 wrote to memory of 2928 1964 system.exe 33 PID 1964 wrote to memory of 2928 1964 system.exe 33 PID 1964 wrote to memory of 2592 1964 system.exe 34 PID 1964 wrote to memory of 2592 1964 system.exe 34 PID 1964 wrote to memory of 2592 1964 system.exe 34 PID 1964 wrote to memory of 2592 1964 system.exe 34 PID 1964 wrote to memory of 2156 1964 system.exe 36 PID 1964 wrote to memory of 2156 1964 system.exe 36 PID 1964 wrote to memory of 2156 1964 system.exe 36 PID 1964 wrote to memory of 2156 1964 system.exe 36 PID 1964 wrote to memory of 2752 1964 system.exe 38 PID 1964 wrote to memory of 2752 1964 system.exe 38 PID 1964 wrote to memory of 2752 1964 system.exe 38 PID 1964 wrote to memory of 2752 1964 system.exe 38 PID 1964 wrote to memory of 2708 1964 system.exe 40 PID 1964 wrote to memory of 2708 1964 system.exe 40 PID 1964 wrote to memory of 2708 1964 system.exe 40 PID 1964 wrote to memory of 2708 1964 system.exe 40 PID 1964 wrote to memory of 2632 1964 system.exe 41 PID 1964 wrote to memory of 2632 1964 system.exe 41 PID 1964 wrote to memory of 2632 1964 system.exe 41 PID 1964 wrote to memory of 2632 1964 system.exe 41 PID 2592 wrote to memory of 2528 2592 cmd.exe 45 PID 2592 wrote to memory of 2528 2592 cmd.exe 45 PID 2592 wrote to memory of 2528 2592 cmd.exe 45 PID 2592 wrote to memory of 2528 2592 cmd.exe 45 PID 2928 wrote to memory of 1316 2928 cmd.exe 46 PID 2928 wrote to memory of 1316 2928 cmd.exe 46 PID 2928 wrote to memory of 1316 2928 cmd.exe 46 PID 2928 wrote to memory of 1316 2928 cmd.exe 46 PID 2156 wrote to memory of 2072 2156 cmd.exe 47 PID 2156 wrote to memory of 2072 2156 cmd.exe 47 PID 2156 wrote to memory of 2072 2156 cmd.exe 47 PID 2156 wrote to memory of 2072 2156 cmd.exe 47 PID 2752 wrote to memory of 2516 2752 cmd.exe 48 PID 2752 wrote to memory of 2516 2752 cmd.exe 48 PID 2752 wrote to memory of 2516 2752 cmd.exe 48 PID 2752 wrote to memory of 2516 2752 cmd.exe 48 PID 2632 wrote to memory of 2272 2632 cmd.exe 49 PID 2632 wrote to memory of 2272 2632 cmd.exe 49 PID 2632 wrote to memory of 2272 2632 cmd.exe 49 PID 2632 wrote to memory of 2272 2632 cmd.exe 49 PID 2708 wrote to memory of 2060 2708 cmd.exe 50 PID 2708 wrote to memory of 2060 2708 cmd.exe 50 PID 2708 wrote to memory of 2060 2708 cmd.exe 50 PID 2708 wrote to memory of 2060 2708 cmd.exe 50 PID 1964 wrote to memory of 1260 1964 system.exe 53 PID 1964 wrote to memory of 1260 1964 system.exe 53 PID 1964 wrote to memory of 1260 1964 system.exe 53 PID 1964 wrote to memory of 1260 1964 system.exe 53
Processes
-
C:\Users\Admin\AppData\Local\Temp\7ev3n.exe"C:\Users\Admin\AppData\Local\Temp\7ev3n.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2328 -
C:\Users\Admin\AppData\Local\system.exe"C:\Users\Admin\AppData\Local\system.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1964 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\del.bat3⤵
- Deletes itself
PID:2596
-
-
C:\Windows\SysWOW64\SCHTASKS.exeC:\Windows\System32\SCHTASKS.exe /create /SC ONLOGON /TN uac /TR "C:\Users\Admin\AppData\Local\bcd.bat" /RL HIGHEST /f3⤵
- Creates scheduled task(s)
PID:2712
-
-
C:\windows\SysWOW64\cmd.exeC:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:643⤵
- Suspicious use of WriteProcessMemory
PID:2928 -
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:644⤵
- Modifies WinLogon for persistence
PID:1316
-
-
-
C:\windows\SysWOW64\cmd.exeC:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "System" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:643⤵
- Suspicious use of WriteProcessMemory
PID:2592 -
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "System" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:644⤵
- Adds Run key to start application
PID:2528
-
-
-
C:\windows\SysWOW64\cmd.exeC:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d "00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000" /f /reg:643⤵
- Suspicious use of WriteProcessMemory
PID:2156 -
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d "00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000" /f /reg:644⤵PID:2072
-
-
-
C:\windows\SysWOW64\cmd.exeC:\windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d 506 /f /reg:643⤵
- Suspicious use of WriteProcessMemory
PID:2752 -
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d 506 /f /reg:644⤵PID:2516
-
-
-
C:\windows\SysWOW64\cmd.exeC:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "rgd_bcd_condition" /t REG_SZ /d 1 /f /reg:643⤵
- Suspicious use of WriteProcessMemory
PID:2708 -
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "rgd_bcd_condition" /t REG_SZ /d 1 /f /reg:644⤵PID:2060
-
-
-
C:\windows\SysWOW64\cmd.exeC:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f /reg:643⤵
- Suspicious use of WriteProcessMemory
PID:2632 -
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f /reg:644⤵
- UAC bypass
PID:2272
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "crypted" /t REG_SZ /d 1 /f /reg:643⤵PID:1260
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "crypted" /t REG_SZ /d 1 /f /reg:644⤵PID:2200
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c shutdown -r -t 10 -f3⤵PID:1820
-
C:\Windows\SysWOW64\shutdown.exeshutdown -r -t 10 -f4⤵
- Suspicious use of AdjustPrivilegeToken
PID:680
-
-
-
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x01⤵PID:1860
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x11⤵PID:2112
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
65B
MD5f727ee128a7eeb23b9c3242b049e61ef
SHA1a260ee1e7c05377830130163737c7609598d61ee
SHA25698bfdb556f8e8a2564cadfd0c62fff7b81b3a70a4f7e03a86f704fabd5d3c884
SHA512c59a537dbd2349d0f29b6596d35c387fbb76a2cde16fddee04c3d861221c2a7a9ef1af67577a63a80523ec4fc079cc64090e3e86544730bf9cdac2ca122a9c0e
-
Filesize
315KB
MD5960210c40a73291e4349cb16c26afc66
SHA1e90335ab561ca12801b22e15446c84f90ab53588
SHA256fef8a83f4105221a01de09749072671b2c6c944a5d52c15d0852cc9a4b6c4890
SHA51244a42cc7a5baab876e3a7fce4d9d05839de666577306985d8d5920f38f0150ce335c351eaa4d8f834b43abfcb26eb3aa06fbb467dc56695eacd35ad11d8a259a