Overview

overview

10

Static

static

3

Seven.exe

windows10-2004-x64

1

Seven.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    364s
  • max time network
    275s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27/04/2024, 06:33

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    Seven.exe

  • Size

    144KB

  • MD5

    45d3f2bbb5b36bd3f1b7e5b751b8ff7f

  • SHA1

    1506520299378908e2e9b31e771ec77b9de125c5

  • SHA256

    04f732bb1c4dae8f8033e2acdd026f6ca291cce30d89829eef17bef6f9315693

  • SHA512

    2d55c5f0da5d70321c5e2834335e3c2e1d76cb3a44fde74f724bcd7c467660c727ed36f022fa004b7c4360983b72bfed01d9e15fdb1b61c71ab489ef2fa7e708

  • SSDEEP

    3072:6iS4omp03WQthI/9S3BZi08iRQ1G78IVn27bSfcJd8lt+:6iS4ompB9S3BZi0a1G78IVhcTct

Score
10/10
evasiontrojan

Malware Config

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
    evasiontrojan
  • Checks computer location settings 2 TTPs 7 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 7 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Drops desktop.ini file(s) 7 IoCs
  • Drops file in System32 directory 18 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\Seven.exe
    "C:\Users\Admin\AppData\Local\Temp\Seven.exe"
    1⤵
    • Modifies Windows Defender Real-time Protection settings
    • Windows security modification
    • Suspicious use of WriteProcessMemory
    PID:404
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" Get-MpPreference -verbose
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1656
    • C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /C copy C:\Users\Admin\AppData\Local\Temp\Seven.exe C:\Users\Admin\AppData\Local\Temp\SevenCopy.exe
      2⤵
        PID:1928
      • C:\Windows\SYSTEM32\cmd.exe
        "cmd.exe" /C copy C:\Users\Admin\AppData\Local\Temp\Seven.exe C:\Windows\System32\SevenCopy.exe
        2⤵
        • Drops file in System32 directory
        PID:4676
      • C:\Windows\SYSTEM32\cmd.exe
        "cmd.exe" /C copy C:\Users\Admin\AppData\Local\Temp\Seven.dll C:\Windows\System32\Seven.dll
        2⤵
        • Drops file in System32 directory
        PID:2852
      • C:\Windows\SYSTEM32\cmd.exe
        "cmd.exe" /C copy C:\Users\Admin\AppData\Local\Temp\Seven.runtimeconfig.json C:\Windows\System32\Seven.runtimeconfig.json
        2⤵
        • Drops file in System32 directory
        PID:1288
      • C:\Users\Admin\AppData\Local\Temp\SevenCopy.exe
        "C:\Users\Admin\AppData\Local\Temp\SevenCopy.exe"
        2⤵
        • Checks computer location settings
        • Deletes itself
        • Executes dropped EXE
        • Drops desktop.ini file(s)
        PID:1272
    • C:\Windows\System32\SevenCopy.exe
      C:\Windows\System32\SevenCopy.exe
      1⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Drops file in System32 directory
      PID:1356
    • C:\Windows\System32\SevenCopy.exe
      C:\Windows\System32\SevenCopy.exe
      1⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Drops file in System32 directory
      PID:4332
    • C:\Windows\System32\SevenCopy.exe
      C:\Windows\System32\SevenCopy.exe
      1⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Drops file in System32 directory
      PID:1692
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:1140
      • C:\Windows\System32\SevenCopy.exe
        C:\Windows\System32\SevenCopy.exe
        1⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Drops file in System32 directory
        PID:1920
      • C:\Windows\System32\SevenCopy.exe
        C:\Windows\System32\SevenCopy.exe
        1⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Drops file in System32 directory
        PID:1468
      • C:\Windows\System32\SevenCopy.exe
        C:\Windows\System32\SevenCopy.exe
        1⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Drops file in System32 directory
        PID:1924

      Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\SevenCopy.exe
              Filesize

              144KB

              MD5

              45d3f2bbb5b36bd3f1b7e5b751b8ff7f

              SHA1

              1506520299378908e2e9b31e771ec77b9de125c5

              SHA256

              04f732bb1c4dae8f8033e2acdd026f6ca291cce30d89829eef17bef6f9315693

              SHA512

              2d55c5f0da5d70321c5e2834335e3c2e1d76cb3a44fde74f724bcd7c467660c727ed36f022fa004b7c4360983b72bfed01d9e15fdb1b61c71ab489ef2fa7e708

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kj4ytx1w.xwu.ps1
              Filesize

              60B

              MD5

              d17fe0a3f47be24a6453e9ef58c94641

              SHA1

              6ab83620379fc69f80c0242105ddffd7d98d5d9d

              SHA256

              96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

              SHA512

              5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

              Download Submit

            • C:\Windows\System32\Seven.dll
              Filesize

              1.0MB

              MD5

              d832a61f074dea6e3363481b1acb8d34

              SHA1

              5bc6f44ff2b8dae2651ed84dd79f37004005ace1

              SHA256

              9afb53e55c30374f958ed690963062f39537ff9838f220dde36c72340111d90d

              SHA512

              472cb69bd0f08d32dd7055794ad2d6f3804cca662bb7b4036e3dfad37168bce8b49ca66fd9bbf539e592e6ea1d885586849aa1ba89de195be1661534a39ac5a2

              Download Submit

            • C:\Windows\System32\Seven.runtimeconfig.json
              Filesize

              340B

              MD5

              253333997e82f7d44ea8072dfae6db39

              SHA1

              03b9744e89327431a619505a7c72fd497783d884

              SHA256

              28329cf08f6505e73806b17558b187c02f0c1c516fe47ebfb7a013d082aaa306

              SHA512

              56d99039e0fb6305588e9f87361e7e0d5051507bf321ba36619c4d29741f35c27c62f025a52523c9e1c7287aabf1533444330a8cdf840fa5af0fa2241fcb4fc2

              Download Submit

            • memory/1656-0-0x0000020748810000-0x0000020748832000-memory.dmp

              Filesize

              136KB

              Download

            • memory/1656-12-0x0000020748850000-0x0000020748860000-memory.dmp

              Filesize

              64KB

              Download

            • memory/1656-11-0x0000020748850000-0x0000020748860000-memory.dmp

              Filesize

              64KB

              Download

            • memory/1656-10-0x00007FFBF3100000-0x00007FFBF3BC1000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/1656-14-0x00007FFBF3100000-0x00007FFBF3BC1000-memory.dmp

              Filesize

              10.8MB

              Download