Analysis
-
max time kernel
66s -
max time network
72s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
17-03-2024 01:08
Behavioral task
behavioral1
Sample
7ev3n.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
7ev3n.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral3
Sample
Annabelle.exe
Resource
win7-20240221-en
Behavioral task
behavioral4
Sample
Annabelle.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral5
Sample
BadRabbit.exe
Resource
win7-20240221-en
Behavioral task
behavioral6
Sample
BadRabbit.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral7
Sample
Birele.exe
Resource
win10v2004-20240226-en
Errors
General
-
Target
7ev3n.exe
-
Size
315KB
-
MD5
9f8bc96c96d43ecb69f883388d228754
-
SHA1
61ed25a706afa2f6684bb4d64f69c5fb29d20953
-
SHA256
7d373ccb96d1dbb1856ef31afa87c2112a0c1795a796ab01cb154700288afec5
-
SHA512
550a891c1059f58aa983138caf65a7ea9c326cb1b94c15f3e7594128f6e9f1295b9c2dbc0925637dba7c94e938083fffc6a63dc7c2e5b1e247679931cce505c6
-
SSDEEP
6144:BswDdb2MemnBVlz0SoVbO4A6OA4Trl28TyT6llY1/I8cWJWlfTXv:BswRSslz0P1OdFXJlJ8buXv
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\system.exe" reg.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe -
Executes dropped EXE 1 IoCs
pid Process 4412 system.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "C:\\Users\\Admin\\AppData\\Local\\system.exe" reg.exe -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 3880 SCHTASKS.exe -
Modifies data under HKEY_USERS 15 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "221" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM LogonUI.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" LogonUI.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeShutdownPrivilege 4436 shutdown.exe Token: SeRemoteShutdownPrivilege 4436 shutdown.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 1136 LogonUI.exe -
Suspicious use of WriteProcessMemory 54 IoCs
description pid Process procid_target PID 1964 wrote to memory of 4412 1964 7ev3n.exe 100 PID 1964 wrote to memory of 4412 1964 7ev3n.exe 100 PID 1964 wrote to memory of 4412 1964 7ev3n.exe 100 PID 4412 wrote to memory of 3948 4412 system.exe 101 PID 4412 wrote to memory of 3948 4412 system.exe 101 PID 4412 wrote to memory of 3948 4412 system.exe 101 PID 4412 wrote to memory of 3880 4412 system.exe 102 PID 4412 wrote to memory of 3880 4412 system.exe 102 PID 4412 wrote to memory of 3880 4412 system.exe 102 PID 4412 wrote to memory of 4132 4412 system.exe 105 PID 4412 wrote to memory of 4132 4412 system.exe 105 PID 4412 wrote to memory of 4132 4412 system.exe 105 PID 4412 wrote to memory of 3776 4412 system.exe 106 PID 4412 wrote to memory of 3776 4412 system.exe 106 PID 4412 wrote to memory of 3776 4412 system.exe 106 PID 4412 wrote to memory of 5020 4412 system.exe 107 PID 4412 wrote to memory of 5020 4412 system.exe 107 PID 4412 wrote to memory of 5020 4412 system.exe 107 PID 4412 wrote to memory of 4292 4412 system.exe 108 PID 4412 wrote to memory of 4292 4412 system.exe 108 PID 4412 wrote to memory of 4292 4412 system.exe 108 PID 4412 wrote to memory of 368 4412 system.exe 109 PID 4412 wrote to memory of 368 4412 system.exe 109 PID 4412 wrote to memory of 368 4412 system.exe 109 PID 4412 wrote to memory of 4328 4412 system.exe 110 PID 4412 wrote to memory of 4328 4412 system.exe 110 PID 4412 wrote to memory of 4328 4412 system.exe 110 PID 4132 wrote to memory of 2480 4132 cmd.exe 117 PID 4132 wrote to memory of 2480 4132 cmd.exe 117 PID 4132 wrote to memory of 2480 4132 cmd.exe 117 PID 4292 wrote to memory of 2980 4292 cmd.exe 118 PID 4292 wrote to memory of 2980 4292 cmd.exe 118 PID 4292 wrote to memory of 2980 4292 cmd.exe 118 PID 3776 wrote to memory of 452 3776 cmd.exe 120 PID 3776 wrote to memory of 452 3776 cmd.exe 120 PID 3776 wrote to memory of 452 3776 cmd.exe 120 PID 368 wrote to memory of 3124 368 cmd.exe 121 PID 368 wrote to memory of 3124 368 cmd.exe 121 PID 368 wrote to memory of 3124 368 cmd.exe 121 PID 4328 wrote to memory of 4996 4328 cmd.exe 122 PID 4328 wrote to memory of 4996 4328 cmd.exe 122 PID 4328 wrote to memory of 4996 4328 cmd.exe 122 PID 4412 wrote to memory of 1728 4412 system.exe 127 PID 4412 wrote to memory of 1728 4412 system.exe 127 PID 4412 wrote to memory of 1728 4412 system.exe 127 PID 1728 wrote to memory of 2928 1728 cmd.exe 129 PID 1728 wrote to memory of 2928 1728 cmd.exe 129 PID 1728 wrote to memory of 2928 1728 cmd.exe 129 PID 4412 wrote to memory of 212 4412 system.exe 131 PID 4412 wrote to memory of 212 4412 system.exe 131 PID 4412 wrote to memory of 212 4412 system.exe 131 PID 212 wrote to memory of 4436 212 cmd.exe 133 PID 212 wrote to memory of 4436 212 cmd.exe 133 PID 212 wrote to memory of 4436 212 cmd.exe 133
Processes
-
C:\Users\Admin\AppData\Local\Temp\7ev3n.exe"C:\Users\Admin\AppData\Local\Temp\7ev3n.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1964 -
C:\Users\Admin\AppData\Local\system.exe"C:\Users\Admin\AppData\Local\system.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4412 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\del.bat3⤵PID:3948
-
-
C:\Windows\SysWOW64\SCHTASKS.exeC:\Windows\System32\SCHTASKS.exe /create /SC ONLOGON /TN uac /TR "C:\Users\Admin\AppData\Local\bcd.bat" /RL HIGHEST /f3⤵
- Creates scheduled task(s)
PID:3880
-
-
C:\windows\SysWOW64\cmd.exeC:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:643⤵
- Suspicious use of WriteProcessMemory
PID:4132 -
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:644⤵
- Modifies WinLogon for persistence
PID:2480
-
-
-
C:\windows\SysWOW64\cmd.exeC:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "System" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:643⤵
- Suspicious use of WriteProcessMemory
PID:3776 -
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "System" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:644⤵
- Adds Run key to start application
PID:452
-
-
-
C:\windows\SysWOW64\cmd.exeC:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d "00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000" /f /reg:643⤵PID:5020
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d "00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000" /f /reg:644⤵PID:1504
-
-
-
C:\windows\SysWOW64\cmd.exeC:\windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d 506 /f /reg:643⤵
- Suspicious use of WriteProcessMemory
PID:4292 -
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d 506 /f /reg:644⤵PID:2980
-
-
-
C:\windows\SysWOW64\cmd.exeC:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "rgd_bcd_condition" /t REG_SZ /d 1 /f /reg:643⤵
- Suspicious use of WriteProcessMemory
PID:368 -
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "rgd_bcd_condition" /t REG_SZ /d 1 /f /reg:644⤵PID:3124
-
-
-
C:\windows\SysWOW64\cmd.exeC:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f /reg:643⤵
- Suspicious use of WriteProcessMemory
PID:4328 -
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f /reg:644⤵
- UAC bypass
PID:4996
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "crypted" /t REG_SZ /d 1 /f /reg:643⤵
- Suspicious use of WriteProcessMemory
PID:1728 -
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "crypted" /t REG_SZ /d 1 /f /reg:644⤵PID:2928
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c shutdown -r -t 10 -f3⤵
- Suspicious use of WriteProcessMemory
PID:212 -
C:\Windows\SysWOW64\shutdown.exeshutdown -r -t 10 -f4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4436
-
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3180 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:81⤵PID:3228
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa39b6855 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:1136
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
65B
MD5f727ee128a7eeb23b9c3242b049e61ef
SHA1a260ee1e7c05377830130163737c7609598d61ee
SHA25698bfdb556f8e8a2564cadfd0c62fff7b81b3a70a4f7e03a86f704fabd5d3c884
SHA512c59a537dbd2349d0f29b6596d35c387fbb76a2cde16fddee04c3d861221c2a7a9ef1af67577a63a80523ec4fc079cc64090e3e86544730bf9cdac2ca122a9c0e
-
Filesize
315KB
MD57ee101b66aa78da4faf50fa802db2494
SHA1839d7d818802db949ec3e6dd1b79d7f6066e6c61
SHA256ea8d762f5a481d6c62f9cf31da7b1d9a97bdc70911f76db395abc2aa008c8167
SHA512f623e399dc07dc03818206663550b313a72d06ba7059b7a64b06add7661851d1c17edda9e36c8314b6a499530a296ac044efa07d38834edab0d5c2f7a1820963