hxxps://github[.]com/Da2dalus/The-MALWARE-Repo/tree/master/Ransomware

Analysis

max time kernel
45s
max time network
46s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 03:56

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://github.com/Da2dalus/The-MALWARE-Repo/tree/master/Ransomware

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\system.exe"	reg.exe

UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1548.002

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

reg.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

7ev3n.exesystem.exe

pid process

1768 7ev3n.exe
316 system.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

pid	process
1768	7ev3n.exe
316	system.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "C:\\Users\\Admin\\AppData\\Local\\system.exe"	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

57 raw.githubusercontent.com
58 raw.githubusercontent.com
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

SCHTASKS.exe

pid process

4688 SCHTASKS.exe

flow	ioc
57	raw.githubusercontent.com
58	raw.githubusercontent.com

pid	process
4688	SCHTASKS.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 17 IoCs

Processes:

LogonUI.exechrome.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "156"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133587501988874555"	chrome.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

chrome.exe

pid process

1340 chrome.exe
1340 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

chrome.exe

pid process

1340 chrome.exe
1340 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	1340	chrome.exe
Token: SeCreatePagefilePrivilege	1340	chrome.exe
Token: SeShutdownPrivilege	1340	chrome.exe
Token: SeCreatePagefilePrivilege	1340	chrome.exe
Token: SeShutdownPrivilege	1340	chrome.exe
Token: SeCreatePagefilePrivilege	1340	chrome.exe
Token: SeShutdownPrivilege	1340	chrome.exe
Token: SeCreatePagefilePrivilege	1340	chrome.exe
Token: SeShutdownPrivilege	1340	chrome.exe
Token: SeCreatePagefilePrivilege	1340	chrome.exe
Token: SeShutdownPrivilege	1340	chrome.exe
Token: SeCreatePagefilePrivilege	1340	chrome.exe
Token: SeShutdownPrivilege	1340	chrome.exe
Token: SeCreatePagefilePrivilege	1340	chrome.exe
Token: SeShutdownPrivilege	1340	chrome.exe
Token: SeCreatePagefilePrivilege	1340	chrome.exe
Token: SeShutdownPrivilege	1340	chrome.exe
Token: SeCreatePagefilePrivilege	1340	chrome.exe
Token: SeShutdownPrivilege	1340	chrome.exe
Token: SeCreatePagefilePrivilege	1340	chrome.exe
Token: SeShutdownPrivilege	1340	chrome.exe
Token: SeCreatePagefilePrivilege	1340	chrome.exe
Token: SeShutdownPrivilege	1340	chrome.exe
Token: SeCreatePagefilePrivilege	1340	chrome.exe
Token: SeShutdownPrivilege	1340	chrome.exe
Token: SeCreatePagefilePrivilege	1340	chrome.exe
Token: SeShutdownPrivilege	1340	chrome.exe
Token: SeCreatePagefilePrivilege	1340	chrome.exe
Token: SeShutdownPrivilege	1340	chrome.exe
Token: SeCreatePagefilePrivilege	1340	chrome.exe
Token: SeShutdownPrivilege	1340	chrome.exe
Token: SeCreatePagefilePrivilege	1340	chrome.exe
Token: SeShutdownPrivilege	1340	chrome.exe
Token: SeCreatePagefilePrivilege	1340	chrome.exe
Token: SeShutdownPrivilege	1340	chrome.exe
Token: SeCreatePagefilePrivilege	1340	chrome.exe
Token: SeShutdownPrivilege	1340	chrome.exe
Token: SeCreatePagefilePrivilege	1340	chrome.exe
Token: SeShutdownPrivilege	1340	chrome.exe
Token: SeCreatePagefilePrivilege	1340	chrome.exe
Token: SeShutdownPrivilege	1340	chrome.exe
Token: SeCreatePagefilePrivilege	1340	chrome.exe
Token: SeShutdownPrivilege	1340	chrome.exe
Token: SeCreatePagefilePrivilege	1340	chrome.exe
Token: SeShutdownPrivilege	1340	chrome.exe
Token: SeCreatePagefilePrivilege	1340	chrome.exe
Token: SeShutdownPrivilege	1340	chrome.exe
Token: SeCreatePagefilePrivilege	1340	chrome.exe
Token: SeShutdownPrivilege	1340	chrome.exe
Token: SeCreatePagefilePrivilege	1340	chrome.exe
Token: SeShutdownPrivilege	1340	chrome.exe
Token: SeCreatePagefilePrivilege	1340	chrome.exe
Token: SeShutdownPrivilege	1340	chrome.exe
Token: SeCreatePagefilePrivilege	1340	chrome.exe
Token: SeShutdownPrivilege	1340	chrome.exe
Token: SeCreatePagefilePrivilege	1340	chrome.exe
Token: SeShutdownPrivilege	1340	chrome.exe
Token: SeCreatePagefilePrivilege	1340	chrome.exe
Token: SeShutdownPrivilege	1340	chrome.exe
Token: SeCreatePagefilePrivilege	1340	chrome.exe
Token: SeShutdownPrivilege	1340	chrome.exe
Token: SeCreatePagefilePrivilege	1340	chrome.exe
Token: SeShutdownPrivilege	1340	chrome.exe
Token: SeCreatePagefilePrivilege	1340	chrome.exe

Suspicious use of FindShellTrayWindow 50 IoCs

Processes:

chrome.exe

pid	process
1340	chrome.exe
1340	chrome.exe
1340	chrome.exe
1340	chrome.exe
1340	chrome.exe
1340	chrome.exe
1340	chrome.exe
1340	chrome.exe
1340	chrome.exe
1340	chrome.exe
1340	chrome.exe
1340	chrome.exe
1340	chrome.exe
1340	chrome.exe
1340	chrome.exe
1340	chrome.exe
1340	chrome.exe
1340	chrome.exe
1340	chrome.exe
1340	chrome.exe
1340	chrome.exe
1340	chrome.exe
1340	chrome.exe
1340	chrome.exe
1340	chrome.exe
1340	chrome.exe
1340	chrome.exe
1340	chrome.exe
1340	chrome.exe
1340	chrome.exe
1340	chrome.exe
1340	chrome.exe
1340	chrome.exe
1340	chrome.exe
1340	chrome.exe
1340	chrome.exe
1340	chrome.exe
1340	chrome.exe
1340	chrome.exe
1340	chrome.exe
1340	chrome.exe
1340	chrome.exe
1340	chrome.exe
1340	chrome.exe
1340	chrome.exe
1340	chrome.exe
1340	chrome.exe
1340	chrome.exe
1340	chrome.exe
1340	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
1340	chrome.exe
1340	chrome.exe
1340	chrome.exe
1340	chrome.exe
1340	chrome.exe
1340	chrome.exe
1340	chrome.exe
1340	chrome.exe
1340	chrome.exe
1340	chrome.exe
1340	chrome.exe
1340	chrome.exe
1340	chrome.exe
1340	chrome.exe
1340	chrome.exe
1340	chrome.exe
1340	chrome.exe
1340	chrome.exe
1340	chrome.exe
1340	chrome.exe
1340	chrome.exe
1340	chrome.exe
1340	chrome.exe
1340	chrome.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

chrome.exeLogonUI.exe

pid process

1340 chrome.exe
1464 LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 1340 wrote to memory of 4156	1340	chrome.exe	chrome.exe
PID 1340 wrote to memory of 4156	1340	chrome.exe	chrome.exe
PID 1340 wrote to memory of 3764	1340	chrome.exe	chrome.exe
PID 1340 wrote to memory of 3764	1340	chrome.exe	chrome.exe
PID 1340 wrote to memory of 3764	1340	chrome.exe	chrome.exe
PID 1340 wrote to memory of 3764	1340	chrome.exe	chrome.exe
PID 1340 wrote to memory of 3764	1340	chrome.exe	chrome.exe
PID 1340 wrote to memory of 3764	1340	chrome.exe	chrome.exe
PID 1340 wrote to memory of 3764	1340	chrome.exe	chrome.exe
PID 1340 wrote to memory of 3764	1340	chrome.exe	chrome.exe
PID 1340 wrote to memory of 3764	1340	chrome.exe	chrome.exe
PID 1340 wrote to memory of 3764	1340	chrome.exe	chrome.exe
PID 1340 wrote to memory of 3764	1340	chrome.exe	chrome.exe
PID 1340 wrote to memory of 3764	1340	chrome.exe	chrome.exe
PID 1340 wrote to memory of 3764	1340	chrome.exe	chrome.exe
PID 1340 wrote to memory of 3764	1340	chrome.exe	chrome.exe
PID 1340 wrote to memory of 3764	1340	chrome.exe	chrome.exe
PID 1340 wrote to memory of 3764	1340	chrome.exe	chrome.exe
PID 1340 wrote to memory of 3764	1340	chrome.exe	chrome.exe
PID 1340 wrote to memory of 3764	1340	chrome.exe	chrome.exe
PID 1340 wrote to memory of 3764	1340	chrome.exe	chrome.exe
PID 1340 wrote to memory of 3764	1340	chrome.exe	chrome.exe
PID 1340 wrote to memory of 3764	1340	chrome.exe	chrome.exe
PID 1340 wrote to memory of 3764	1340	chrome.exe	chrome.exe
PID 1340 wrote to memory of 3764	1340	chrome.exe	chrome.exe
PID 1340 wrote to memory of 3764	1340	chrome.exe	chrome.exe
PID 1340 wrote to memory of 3764	1340	chrome.exe	chrome.exe
PID 1340 wrote to memory of 3764	1340	chrome.exe	chrome.exe
PID 1340 wrote to memory of 3764	1340	chrome.exe	chrome.exe
PID 1340 wrote to memory of 3764	1340	chrome.exe	chrome.exe
PID 1340 wrote to memory of 3764	1340	chrome.exe	chrome.exe
PID 1340 wrote to memory of 3764	1340	chrome.exe	chrome.exe
PID 1340 wrote to memory of 3764	1340	chrome.exe	chrome.exe
PID 1340 wrote to memory of 4740	1340	chrome.exe	chrome.exe
PID 1340 wrote to memory of 4740	1340	chrome.exe	chrome.exe
PID 1340 wrote to memory of 2228	1340	chrome.exe	chrome.exe
PID 1340 wrote to memory of 2228	1340	chrome.exe	chrome.exe
PID 1340 wrote to memory of 2228	1340	chrome.exe	chrome.exe
PID 1340 wrote to memory of 2228	1340	chrome.exe	chrome.exe
PID 1340 wrote to memory of 2228	1340	chrome.exe	chrome.exe
PID 1340 wrote to memory of 2228	1340	chrome.exe	chrome.exe
PID 1340 wrote to memory of 2228	1340	chrome.exe	chrome.exe
PID 1340 wrote to memory of 2228	1340	chrome.exe	chrome.exe
PID 1340 wrote to memory of 2228	1340	chrome.exe	chrome.exe
PID 1340 wrote to memory of 2228	1340	chrome.exe	chrome.exe
PID 1340 wrote to memory of 2228	1340	chrome.exe	chrome.exe
PID 1340 wrote to memory of 2228	1340	chrome.exe	chrome.exe
PID 1340 wrote to memory of 2228	1340	chrome.exe	chrome.exe
PID 1340 wrote to memory of 2228	1340	chrome.exe	chrome.exe
PID 1340 wrote to memory of 2228	1340	chrome.exe	chrome.exe
PID 1340 wrote to memory of 2228	1340	chrome.exe	chrome.exe
PID 1340 wrote to memory of 2228	1340	chrome.exe	chrome.exe
PID 1340 wrote to memory of 2228	1340	chrome.exe	chrome.exe
PID 1340 wrote to memory of 2228	1340	chrome.exe	chrome.exe
PID 1340 wrote to memory of 2228	1340	chrome.exe	chrome.exe
PID 1340 wrote to memory of 2228	1340	chrome.exe	chrome.exe
PID 1340 wrote to memory of 2228	1340	chrome.exe	chrome.exe
PID 1340 wrote to memory of 2228	1340	chrome.exe	chrome.exe
PID 1340 wrote to memory of 2228	1340	chrome.exe	chrome.exe
PID 1340 wrote to memory of 2228	1340	chrome.exe	chrome.exe
PID 1340 wrote to memory of 2228	1340	chrome.exe	chrome.exe
PID 1340 wrote to memory of 2228	1340	chrome.exe	chrome.exe
PID 1340 wrote to memory of 2228	1340	chrome.exe	chrome.exe
PID 1340 wrote to memory of 2228	1340	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/Da2dalus/The-MALWARE-Repo/tree/master/Ransomware
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1340

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd8cfeab58,0x7ffd8cfeab68,0x7ffd8cfeab78
2⤵
PID:4156

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1612 --field-trial-handle=1916,i,2275014898920964511,7091804529003051342,131072 /prefetch:2
2⤵
PID:3764

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1856 --field-trial-handle=1916,i,2275014898920964511,7091804529003051342,131072 /prefetch:8
2⤵
PID:4740

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2240 --field-trial-handle=1916,i,2275014898920964511,7091804529003051342,131072 /prefetch:8
2⤵
PID:2228

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2924 --field-trial-handle=1916,i,2275014898920964511,7091804529003051342,131072 /prefetch:1
2⤵
PID:1280

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2932 --field-trial-handle=1916,i,2275014898920964511,7091804529003051342,131072 /prefetch:1
2⤵
PID:792

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4448 --field-trial-handle=1916,i,2275014898920964511,7091804529003051342,131072 /prefetch:8
2⤵
PID:3148

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4580 --field-trial-handle=1916,i,2275014898920964511,7091804529003051342,131072 /prefetch:8
2⤵
PID:1776

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4768 --field-trial-handle=1916,i,2275014898920964511,7091804529003051342,131072 /prefetch:8
2⤵
PID:4444

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4988 --field-trial-handle=1916,i,2275014898920964511,7091804529003051342,131072 /prefetch:8
2⤵
PID:4664

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5252 --field-trial-handle=1916,i,2275014898920964511,7091804529003051342,131072 /prefetch:8
2⤵
PID:396

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4632 --field-trial-handle=1916,i,2275014898920964511,7091804529003051342,131072 /prefetch:8
2⤵
PID:3388

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4928 --field-trial-handle=1916,i,2275014898920964511,7091804529003051342,131072 /prefetch:8
2⤵
PID:780

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5384 --field-trial-handle=1916,i,2275014898920964511,7091804529003051342,131072 /prefetch:8
2⤵
PID:1204

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4584 --field-trial-handle=1916,i,2275014898920964511,7091804529003051342,131072 /prefetch:8
2⤵
PID:4004

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4460 --field-trial-handle=1916,i,2275014898920964511,7091804529003051342,131072 /prefetch:8
2⤵
PID:4084

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5088 --field-trial-handle=1916,i,2275014898920964511,7091804529003051342,131072 /prefetch:8
2⤵
PID:3636

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5132 --field-trial-handle=1916,i,2275014898920964511,7091804529003051342,131072 /prefetch:8
2⤵
PID:4984

C:\Users\Admin\Downloads\7ev3n.exe
"C:\Users\Admin\Downloads\7ev3n.exe"
2⤵
- Executes dropped EXE
PID:1768

C:\Users\Admin\AppData\Local\system.exe
"C:\Users\Admin\AppData\Local\system.exe"
3⤵
- Executes dropped EXE
PID:316

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\del.bat
4⤵
PID:3728

C:\Windows\SysWOW64\SCHTASKS.exe
C:\Windows\System32\SCHTASKS.exe /create /SC ONLOGON /TN uac /TR "C:\Users\Admin\AppData\Local\bcd.bat" /RL HIGHEST /f
4⤵
- Creates scheduled task(s)
PID:4688

C:\windows\SysWOW64\cmd.exe
C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
4⤵
PID:4936

C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
5⤵
- Modifies WinLogon for persistence
PID:3176

C:\windows\SysWOW64\cmd.exe
C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "System" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
4⤵
PID:916

C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "System" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
5⤵
- Adds Run key to start application
PID:4620

C:\windows\SysWOW64\cmd.exe
C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d "00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000" /f /reg:64
4⤵
PID:60

C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d "00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000" /f /reg:64
5⤵
PID:3492

C:\windows\SysWOW64\cmd.exe
C:\windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d 506 /f /reg:64
4⤵
PID:4128

C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d 506 /f /reg:64
5⤵
PID:3896

C:\windows\SysWOW64\cmd.exe
C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "rgd_bcd_condition" /t REG_SZ /d 1 /f /reg:64
4⤵
PID:2468

C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "rgd_bcd_condition" /t REG_SZ /d 1 /f /reg:64
5⤵
PID:2324

C:\windows\SysWOW64\cmd.exe
C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f /reg:64
4⤵
PID:2936

C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f /reg:64
5⤵
- UAC bypass
PID:2316

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "crypted" /t REG_SZ /d 1 /f /reg:64
4⤵
PID:3288

C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "crypted" /t REG_SZ /d 1 /f /reg:64
5⤵
PID:1124

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c shutdown -r -t 10 -f
4⤵
PID:852

C:\Windows\SysWOW64\shutdown.exe
shutdown -r -t 10 -f
5⤵
PID:3148

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5500 --field-trial-handle=1916,i,2275014898920964511,7091804529003051342,131072 /prefetch:8
2⤵
PID:2832

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3244 --field-trial-handle=1916,i,2275014898920964511,7091804529003051342,131072 /prefetch:8
2⤵
PID:1524

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1532 --field-trial-handle=1916,i,2275014898920964511,7091804529003051342,131072 /prefetch:8
2⤵
PID:3652

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5712 --field-trial-handle=1916,i,2275014898920964511,7091804529003051342,131072 /prefetch:8
2⤵
PID:4832

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5664 --field-trial-handle=1916,i,2275014898920964511,7091804529003051342,131072 /prefetch:8
2⤵
PID:528

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5672 --field-trial-handle=1916,i,2275014898920964511,7091804529003051342,131072 /prefetch:8
2⤵
PID:224

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:4832

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3903855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:1464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
2KB

MD5
5f8842e1507858949c46252352d60622

SHA1
72eddf39a3f1935857972bfae249f10859db1a8c

SHA256
c6366b65b91236d5cfb91b8dd4e27bef1943e35f51869f47f7d2b2a61a390d5c

SHA512
90553773b2fb4fdb35635bdc29e366224e0648c604aa58d9105cd3844ed1e9747b354f44e342561f52d9386316948a5b6b0ddb78c58cb707529fd041bd5159a7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
537d1366577a9dd25e6af06e8bbe4d17

SHA1
4f0bd4f2bee68966446c40ceedc06265f9f980ee

SHA256
6c8f19c3bc007d13f0049fd733e45cb30e1612eae278d898f858160ac780a9cf

SHA512
6db22950f89befe16480cc1fba46a0ff067a69a4a485c608d480014f04ce45630961c5ebdd6d5a5613019a6f4d75ff9e9244e5d9f4059bc947b49a623b26e7ad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
621142ba4724f266382d4f846aaa206d

SHA1
984dc8e13e43ad6a35839034f3a6eeac6b2e353f

SHA256
e30093f8f87b1f9ce35f03b4b9c2eadc398b4213a4aea833d9474594d4459669

SHA512
3840a60a31093b9045fb1610caa223838e144bb7957392f31b273b485ac28a334b4082a5eb9c0e0b7714e3e5663dec897bf515ffaa5b1571d5d6e0c382202f0a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
50fac8f14d0cba4e7640ca1675a0916e

SHA1
ed22eff475e31252619618b1bb442db06d947ded

SHA256
218ed20cfe7041b28bdcffb4da485be2b508b783db5866215d174e9f70966629

SHA512
c4b8884fba378dd20e326b93d94269c986e02c908b8389b8ad6abd9fb72f12dafdd559a9e3a28399d4b28793e823e2ae1e573fc588e60a9a559f568ae5c5e886

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
fa1d55362803757428e1727b596d70d3

SHA1
9d33ffd98662bcd2a090e76f8ad7c9682ab5ed63

SHA256
41ae1de2465adbdc269d5b24b1421bd29dfd668f34a75c2708d0a45e480b794b

SHA512
7e11d93bd337bb4e8f87010869b1529d921c8207b2a9c5192dfc546870544ad341edb9167d8628493fe07ea52a1ce048d9a22e895fda07100b4f2273f47a94e9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
6ee7a07fe93a778e501810c06030c7c0

SHA1
c0cdd283eb7de473a6768a54b1e089aa9f56748c

SHA256
fb2b38ffc082fd70fbecb61a1316bcba6afdd10770db7e18dc37eafa9c2c3bf2

SHA512
4f07a72481845ae36987770e9ddff73bb7e338ddef119f76616f704896d8cac9b2444b5b45067432d7efc19d7df972263baec257bbd8f678234297f94c680b25

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
dde9ef29b32c31c4c803f15c2d7e2b2f

SHA1
f06eee071bb29b6ecd7f877e1578098669f66075

SHA256
83161e4a809122923cc98ceae13a39ddac62b8a19040ef1c8b3b310d40c3ff48

SHA512
31baf20781dcd73a765cc43bf44b442c7b70885b6b5264c93d9d9eef888b9e4f41060a376e90fe6cde88ce5a02f112b87c5612f373ca8778b1db0da3284b4e3f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
130KB

MD5
6780140b3359143ea118086432f15409

SHA1
0f8bb84fcd3c57982c3c69ac5df96388262e6f74

SHA256
4aa8a712bec62091fc117aa064a099f3ce0ea827d849bb765b2195c731fc1b3c

SHA512
f23cf8e1c8a9ae948bdf376c7d766acfe3d2d860351c83dd62ced470dbd8df97f5ca53be484bd135360b94f1515e5ae5b2b4d8788fbc763a41bd7fef743f63ec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
130KB

MD5
62c4a52366255353864959c7ee95325d

SHA1
affe4ccef5c57c3c69e0879634997937b601ade7

SHA256
e1f86cffef17da1c4ec79341539b53b1d9c1dc554fecb1646a131e262acbdba9

SHA512
c1140594dfaf6c085f094e835f538d6ed8e3edc0500b4d898dc5c6c73a8a91792c2d1a02b00ce1be8640b11304f38ae7011ea7312bdcbc1dcbb0842c0ff16381

Download Submit
C:\Users\Admin\AppData\Local\del.bat
Filesize
56B

MD5
f62904abb27a3574e2e6121349ab4955

SHA1
35b3504f1d6bc88638a0721cf3d898eb0f95092a

SHA256
d31225722321313554e736bcd9debc4cb4c5ed6dce3921fa7839162fede832b6

SHA512
e8d1cf4c6a745790b2eaf4b3618703337313e3f561ba88982bc1a139aa4b5b29fd5f78f925e5bd12669eed74ca78510f6d6b1ce091bc55299057d2b2e867fb4e

Download Submit
C:\Users\Admin\AppData\Local\system.exe
Filesize
315KB

MD5
b70d065d54bdac358dfde612f714c586

SHA1
5b2f884e95a339cd767a983c5051e80f4da49870

SHA256
221cac0548cd672a70b9e553b4c11596ed7e689bc2c9e82d1a2ba735854d74a6

SHA512
cf3a23dae30d256fe00ded31c6df002196b0bcc7d37f5a9a8507d1087b924f8dcbf4685da3480bc5490633c5cd0ea1cb239c8c31556315cdd01b5692407e9e4c

Download Submit
C:\Users\Admin\Downloads\7ev3n.exe
Filesize
315KB

MD5
9f8bc96c96d43ecb69f883388d228754

SHA1
61ed25a706afa2f6684bb4d64f69c5fb29d20953

SHA256
7d373ccb96d1dbb1856ef31afa87c2112a0c1795a796ab01cb154700288afec5

SHA512
550a891c1059f58aa983138caf65a7ea9c326cb1b94c15f3e7594128f6e9f1295b9c2dbc0925637dba7c94e938083fffc6a63dc7c2e5b1e247679931cce505c6

Download Submit
C:\Users\Admin\Downloads\UIWIX.exe
Filesize
211KB

MD5
a933a1a402775cfa94b6bee0963f4b46

SHA1
18aa7b02f933c753989ba3d16698a5ee3a4d9420

SHA256
146581f0b3fbe00026ee3ebe68797b0e57f39d1d8aecc99fdc3290e9cfadc4fc

SHA512
d83da3c97ffd78c42f49b7bfb50525e7c964004b4b7d9cba839c0d8bf3a5fe0424be3b3782e33c57debc6b13b5420a3fa096643c8b7376b3accfb1bc4e7d7368

Download Submit
C:\Users\Admin\Downloads\WannaCry.exe
Filesize
224KB

MD5
5c7fb0927db37372da25f270708103a2

SHA1
120ed9279d85cbfa56e5b7779ffa7162074f7a29

SHA256
be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844

SHA512
a15f97fad744ccf5f620e5aabb81f48507327b898a9aa4287051464019e0f89224c484e9691812e166471af9beaddcfc3deb2ba878658761f4800663beef7206

Download Submit
\??\pipe\crashpad_1340_HFLRKTOZZNCAVYOD
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads