78066bf07df6db74e6733f7c1250e325c32f1e57a58a91fce60fde748d8321c2

General

Target

Seven.exe
Size

139KB
MD5

6503f847c3281ff85b304fc674b62580
SHA1

947536e0741c085f37557b7328b067ef97cb1a61
SHA256

afd7657f941024ef69ca34d1e61e640c5523b19b0fad4dcb1c9f1b01a6fa166f
SHA512

abc3b32a1cd7d0a60dd7354a9fcdff0bc37ec8a20bb2a8258353716d820f62d343c6ba9385ba893be0cca981bbb9ab4e189ccfeee6dd77cc0dc723e975532174
SSDEEP

3072:miS4omp03WQthI/9S3BZi08iRQ1G78IVn27bSfcJd8lto:miS4ompB9S3BZi0a1G78IVhcTct

Score

10^/10

evasion trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

Seven.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Seven.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	Seven.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	Seven.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	Seven.exe

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

Seven.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLua = "1"	Seven.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "1"	Seven.exe

Blocks application from running via registry modification 1 IoCs
Adds application to list of disallowed applications.
evasion

Processes:

Seven.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" Seven.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	Seven.exe

Disables RegEdit via registry modification 1 IoCs

evasion

Processes:

Seven.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Seven.exe

Disables Task Manager via registry modification
evasion

Disables cmd.exe use via registry modification 1 IoCs

evasion

Processes:

Seven.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	Seven.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

Seven.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation Seven.exe
Executes dropped EXE 3 IoCs

Processes:

SevenCopy.exeSevenCopy.exeSevenCopy.exe

pid process

4804 SevenCopy.exe
4148 SevenCopy.exe
2296 SevenCopy.exe
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

Seven.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" Seven.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	Seven.exe

pid	process
4804	SevenCopy.exe
4148	SevenCopy.exe
2296	SevenCopy.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	Seven.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

Seven.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLua	Seven.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLua = "1"	Seven.exe

Drops file in System32 directory 9 IoCs

Processes:

cmd.execmd.exeattrib.exeattrib.execmd.exeattrib.exe

description	ioc	process
File created	C:\Windows\System32\Seven.dll	cmd.exe
File opened for modification	C:\Windows\System32\SevenCopy.exe	cmd.exe
File opened for modification	C:\Windows\System32\Seven.runtimeconfig.json	attrib.exe
File opened for modification	C:\Windows\System32\Seven.dll	attrib.exe
File created	C:\Windows\System32\Seven.runtimeconfig.json	cmd.exe
File opened for modification	C:\Windows\System32\Seven.runtimeconfig.json	cmd.exe
File opened for modification	C:\Windows\System32\Seven.dll	cmd.exe
File created	C:\Windows\System32\SevenCopy.exe	cmd.exe
File opened for modification	C:\Windows\System32\SevenCopy.exe	attrib.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

4248 powershell.exe
4248 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 4248 powershell.exe

pid	process
4248	powershell.exe
4248	powershell.exe

description	pid	process
Token: SeDebugPrivilege	4248	powershell.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

Seven.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1004 wrote to memory of 4248	1004	Seven.exe	powershell.exe
PID 1004 wrote to memory of 4248	1004	Seven.exe	powershell.exe
PID 1004 wrote to memory of 2576	1004	Seven.exe	cmd.exe
PID 1004 wrote to memory of 2576	1004	Seven.exe	cmd.exe
PID 1004 wrote to memory of 1044	1004	Seven.exe	cmd.exe
PID 1004 wrote to memory of 1044	1004	Seven.exe	cmd.exe
PID 1004 wrote to memory of 4584	1004	Seven.exe	cmd.exe
PID 1004 wrote to memory of 4584	1004	Seven.exe	cmd.exe
PID 1004 wrote to memory of 4600	1004	Seven.exe	cmd.exe
PID 1004 wrote to memory of 4600	1004	Seven.exe	cmd.exe
PID 1004 wrote to memory of 4384	1004	Seven.exe	cmd.exe
PID 1004 wrote to memory of 4384	1004	Seven.exe	cmd.exe
PID 1004 wrote to memory of 2328	1004	Seven.exe	cmd.exe
PID 1004 wrote to memory of 2328	1004	Seven.exe	cmd.exe
PID 1004 wrote to memory of 2004	1004	Seven.exe	cmd.exe
PID 1004 wrote to memory of 2004	1004	Seven.exe	cmd.exe
PID 2004 wrote to memory of 4032	2004	cmd.exe	attrib.exe
PID 2004 wrote to memory of 4032	2004	cmd.exe	attrib.exe
PID 4584 wrote to memory of 4156	4584	cmd.exe	attrib.exe
PID 4584 wrote to memory of 4156	4584	cmd.exe	attrib.exe
PID 2328 wrote to memory of 3740	2328	cmd.exe	attrib.exe
PID 2328 wrote to memory of 3740	2328	cmd.exe	attrib.exe
PID 1004 wrote to memory of 4804	1004	Seven.exe	SevenCopy.exe
PID 1004 wrote to memory of 4804	1004	Seven.exe	SevenCopy.exe

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

Processes:

Seven.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLua = "1"	Seven.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	Seven.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "1"	Seven.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Views/modifies file attributes 1 TTPs 3 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exeattrib.exe

pid process

4032 attrib.exe
4156 attrib.exe
3740 attrib.exe

pid	process
4032	attrib.exe
4156	attrib.exe
3740	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Seven.exe
"C:\Users\Admin\AppData\Local\Temp\Seven.exe"
1⤵
- Modifies Windows Defender Real-time Protection settings
- UAC bypass
- Blocks application from running via registry modification
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Checks computer location settings
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1004

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4248

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C copy C:\Users\Admin\AppData\Local\Temp\Seven.exe C:\Users\Admin\AppData\Local\Temp\SevenCopy.exe
2⤵
PID:2576

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C copy C:\Users\Admin\AppData\Local\Temp\Seven.exe C:\Windows\System32\SevenCopy.exe
2⤵
- Drops file in System32 directory
PID:1044

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C attrib +h C:\Windows\System32\SevenCopy.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:4584

C:\Windows\system32\attrib.exe
attrib +h C:\Windows\System32\SevenCopy.exe
3⤵
- Drops file in System32 directory
- Views/modifies file attributes
PID:4156

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C copy C:\Users\Admin\AppData\Local\Temp\Seven.dll C:\Windows\System32\Seven.dll
2⤵
- Drops file in System32 directory
PID:4600

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C copy C:\Users\Admin\AppData\Local\Temp\Seven.runtimeconfig.json C:\Windows\System32\Seven.runtimeconfig.json
2⤵
- Drops file in System32 directory
PID:4384

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C attrib +h C:\Windows\System32\Seven.dll
2⤵
- Suspicious use of WriteProcessMemory
PID:2328

C:\Windows\system32\attrib.exe
attrib +h C:\Windows\System32\Seven.dll
3⤵
- Drops file in System32 directory
- Views/modifies file attributes
PID:3740

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C attrib +h C:\Windows\System32\Seven.runtimeconfig.json
2⤵
- Suspicious use of WriteProcessMemory
PID:2004

C:\Windows\system32\attrib.exe
attrib +h C:\Windows\System32\Seven.runtimeconfig.json
3⤵
- Drops file in System32 directory
- Views/modifies file attributes
PID:4032

C:\Users\Admin\AppData\Local\Temp\SevenCopy.exe
"C:\Users\Admin\AppData\Local\Temp\SevenCopy.exe"
2⤵
- Executes dropped EXE
PID:4804

C:\Windows\System32\SevenCopy.exe
C:\Windows\System32\SevenCopy.exe
1⤵
- Executes dropped EXE
PID:4148

C:\Windows\System32\SevenCopy.exe
C:\Windows\System32\SevenCopy.exe
1⤵
- Executes dropped EXE
PID:2296

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Defense Evasion

Modify Registry

4

T1112

Impair Defenses

3

T1562

Disable or Modify Tools

3

T1562.001

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Hide Artifacts

1

T1564

Hidden Files and Directories

1

T1564.001

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wlhd31ln.5ze.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\System32\Seven.dll
Filesize
1.0MB

MD5
c2748d8495062431daf246e7cf490f7f

SHA1
c28716d29cba15baea893b5747f9023dd13b3b31

SHA256
4a7092478050ad8385fd7e086ed7906eebc92e568178a663949317cd72c520d0

SHA512
2a73492c0632f091504d56bc330e6bddd6ef4fdffbdfc1c185ac71fd49d7fe20f7c61f9cf70fc410dce16259152595b9e1aa81a6d38d8ef592a818f30e2fd33d

Download Submit
C:\Windows\System32\Seven.runtimeconfig.json
Filesize
340B

MD5
253333997e82f7d44ea8072dfae6db39

SHA1
03b9744e89327431a619505a7c72fd497783d884

SHA256
28329cf08f6505e73806b17558b187c02f0c1c516fe47ebfb7a013d082aaa306

SHA512
56d99039e0fb6305588e9f87361e7e0d5051507bf321ba36619c4d29741f35c27c62f025a52523c9e1c7287aabf1533444330a8cdf840fa5af0fa2241fcb4fc2

Download Submit
C:\Windows\System32\SevenCopy.exe
Filesize
139KB

MD5
6503f847c3281ff85b304fc674b62580

SHA1
947536e0741c085f37557b7328b067ef97cb1a61

SHA256
afd7657f941024ef69ca34d1e61e640c5523b19b0fad4dcb1c9f1b01a6fa166f

SHA512
abc3b32a1cd7d0a60dd7354a9fcdff0bc37ec8a20bb2a8258353716d820f62d343c6ba9385ba893be0cca981bbb9ab4e189ccfeee6dd77cc0dc723e975532174

Download Submit
memory/4248-0-0x0000015BF02C0000-0x0000015BF02E2000-memory.dmp

Filesize
136KB

Download
memory/4248-12-0x0000015BF02F0000-0x0000015BF0300000-memory.dmp

Filesize
64KB

Download
memory/4248-11-0x0000015BF02F0000-0x0000015BF0300000-memory.dmp

Filesize
64KB

Download
memory/4248-10-0x00007FFC80640000-0x00007FFC81101000-memory.dmp

Filesize
10.8MB

Download
memory/4248-13-0x0000015BF02F0000-0x0000015BF0300000-memory.dmp

Filesize
64KB

Download
memory/4248-16-0x00007FFC80640000-0x00007FFC81101000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads