Overview

overview

6

Static

static

3

LethalComp...config

windows10-2004-x64

3

Seven.deps.json

windows10-2004-x64

3

Seven.exe

windows10-2004-x64

1

Seven.exe

windows10-2004-x64

6

Seven.runt...g.json

windows10-2004-x64

3

Analysis

  • max time kernel
    179s
  • max time network
    302s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22/04/2024, 20:41

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    Seven.exe

  • Size

    139KB

  • MD5

    350273e0d2e8a9ba5e37b791016112a0

  • SHA1

    5bfb616dd46f67d1dcbbff55ca5917ffc1ec8b71

  • SHA256

    27297bf8139bea755e9297e7e1489d827d1ee09a8e1d94a3ef96a2edb2de61ba

  • SHA512

    b1e768524b4e840bd5f4163205122dd1725583245d8bfd5cbd89eb21a5fb9d33aff1b7b0ca42132b7dae469e025068ae663b3b02ad59927a558dc340141ec91b

  • SSDEEP

    3072:miS4omp03WQthI/9S3BZi08iRQ1G78IVn27bSfcJd8ltw:miS4ompB9S3BZi0a1G78IVhcTct

Score
6/10

Malware Config

Signatures

  • Drops desktop.ini file(s) 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Seven.exe
    "C:\Users\Admin\AppData\Local\Temp\Seven.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Suspicious use of WriteProcessMemory
    PID:3092
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -ExecutionPolicy Bypass -Command "Copy-Item -Path '' -Destination '$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup'"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:408
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\EncryptedLog.txt
    1⤵
    • Opens file in notepad (likely ransom note)
    PID:2284

Network

        MITRE ATT&CK Matrix

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_p5thsss2.cx4.ps1
          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

          Download Submit

        • C:\Users\Admin\Desktop\EncryptedLog.txt
          Filesize

          53B

          MD5

          2b1f0e9586943a4fe013cb8d981b2583

          SHA1

          ff95671af9e0e8c3ba096d2a059cc7214d690eb7

          SHA256

          605b748b8977d4b89026996f8182fb999a321a796c93f0f52000a677a5163a4b

          SHA512

          346f4c70fd2a77e36a437fa20a47642ddfc36fe4d25cba01b86d048c81aced546dff3387f0a696e10eaba23ace65bba7b632ed2c5e4860bc9b7cb5657b63ce80

          Download Submit

        • memory/408-47-0x000001ECDDD50000-0x000001ECDDD72000-memory.dmp

          Filesize

          136KB

          Download

        • memory/408-48-0x00007FF8B5C60000-0x00007FF8B6721000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/408-50-0x000001ECDDDB0000-0x000001ECDDDC0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/408-49-0x000001ECDDDB0000-0x000001ECDDDC0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/408-53-0x00007FF8B5C60000-0x00007FF8B6721000-memory.dmp

          Filesize

          10.8MB

          Download