Analysis
-
max time kernel
120s -
max time network
51s -
platform
windows10-2004_x64 -
resource
win10v2004-20240419-en -
resource tags
arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system -
submitted
28-04-2024 07:51
Static task
static1
Behavioral task
behavioral1
Sample
Seven.exe
Resource
win10v2004-20240419-en
General
-
Target
Seven.exe
-
Size
139KB
-
MD5
6503f847c3281ff85b304fc674b62580
-
SHA1
947536e0741c085f37557b7328b067ef97cb1a61
-
SHA256
afd7657f941024ef69ca34d1e61e640c5523b19b0fad4dcb1c9f1b01a6fa166f
-
SHA512
abc3b32a1cd7d0a60dd7354a9fcdff0bc37ec8a20bb2a8258353716d820f62d343c6ba9385ba893be0cca981bbb9ab4e189ccfeee6dd77cc0dc723e975532174
-
SSDEEP
3072:miS4omp03WQthI/9S3BZi08iRQ1G78IVn27bSfcJd8lto:miS4ompB9S3BZi0a1G78IVhcTct
Malware Config
Signatures
-
Processes:
Seven.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Seven.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" Seven.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" Seven.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" Seven.exe -
Processes:
Seven.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLua = "1" Seven.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "1" Seven.exe -
Blocks application from running via registry modification 1 IoCs
Adds application to list of disallowed applications.
Processes:
Seven.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" Seven.exe -
Disables RegEdit via registry modification 1 IoCs
Processes:
Seven.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Seven.exe -
Disables Task Manager via registry modification
-
Disables cmd.exe use via registry modification 1 IoCs
Processes:
Seven.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" Seven.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
Seven.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation Seven.exe -
Executes dropped EXE 3 IoCs
Processes:
SevenCopy.exeSevenCopy.exeSevenCopy.exepid process 4804 SevenCopy.exe 4148 SevenCopy.exe 2296 SevenCopy.exe -
Processes:
Seven.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" Seven.exe -
Processes:
Seven.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLua Seven.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLua = "1" Seven.exe -
Drops file in System32 directory 9 IoCs
Processes:
cmd.execmd.exeattrib.exeattrib.execmd.exeattrib.exedescription ioc process File created C:\Windows\System32\Seven.dll cmd.exe File opened for modification C:\Windows\System32\SevenCopy.exe cmd.exe File opened for modification C:\Windows\System32\Seven.runtimeconfig.json attrib.exe File opened for modification C:\Windows\System32\Seven.dll attrib.exe File created C:\Windows\System32\Seven.runtimeconfig.json cmd.exe File opened for modification C:\Windows\System32\Seven.runtimeconfig.json cmd.exe File opened for modification C:\Windows\System32\Seven.dll cmd.exe File created C:\Windows\System32\SevenCopy.exe cmd.exe File opened for modification C:\Windows\System32\SevenCopy.exe attrib.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
powershell.exepid process 4248 powershell.exe 4248 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
powershell.exedescription pid process Token: SeDebugPrivilege 4248 powershell.exe -
Suspicious use of WriteProcessMemory 24 IoCs
Processes:
Seven.execmd.execmd.execmd.exedescription pid process target process PID 1004 wrote to memory of 4248 1004 Seven.exe powershell.exe PID 1004 wrote to memory of 4248 1004 Seven.exe powershell.exe PID 1004 wrote to memory of 2576 1004 Seven.exe cmd.exe PID 1004 wrote to memory of 2576 1004 Seven.exe cmd.exe PID 1004 wrote to memory of 1044 1004 Seven.exe cmd.exe PID 1004 wrote to memory of 1044 1004 Seven.exe cmd.exe PID 1004 wrote to memory of 4584 1004 Seven.exe cmd.exe PID 1004 wrote to memory of 4584 1004 Seven.exe cmd.exe PID 1004 wrote to memory of 4600 1004 Seven.exe cmd.exe PID 1004 wrote to memory of 4600 1004 Seven.exe cmd.exe PID 1004 wrote to memory of 4384 1004 Seven.exe cmd.exe PID 1004 wrote to memory of 4384 1004 Seven.exe cmd.exe PID 1004 wrote to memory of 2328 1004 Seven.exe cmd.exe PID 1004 wrote to memory of 2328 1004 Seven.exe cmd.exe PID 1004 wrote to memory of 2004 1004 Seven.exe cmd.exe PID 1004 wrote to memory of 2004 1004 Seven.exe cmd.exe PID 2004 wrote to memory of 4032 2004 cmd.exe attrib.exe PID 2004 wrote to memory of 4032 2004 cmd.exe attrib.exe PID 4584 wrote to memory of 4156 4584 cmd.exe attrib.exe PID 4584 wrote to memory of 4156 4584 cmd.exe attrib.exe PID 2328 wrote to memory of 3740 2328 cmd.exe attrib.exe PID 2328 wrote to memory of 3740 2328 cmd.exe attrib.exe PID 1004 wrote to memory of 4804 1004 Seven.exe SevenCopy.exe PID 1004 wrote to memory of 4804 1004 Seven.exe SevenCopy.exe -
System policy modification 1 TTPs 3 IoCs
Processes:
Seven.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLua = "1" Seven.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" Seven.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "1" Seven.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Views/modifies file attributes 1 TTPs 3 IoCs
Processes:
attrib.exeattrib.exeattrib.exepid process 4032 attrib.exe 4156 attrib.exe 3740 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Seven.exe"C:\Users\Admin\AppData\Local\Temp\Seven.exe"1⤵
- Modifies Windows Defender Real-time Protection settings
- UAC bypass
- Blocks application from running via registry modification
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Checks computer location settings
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1004 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4248 -
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C copy C:\Users\Admin\AppData\Local\Temp\Seven.exe C:\Users\Admin\AppData\Local\Temp\SevenCopy.exe2⤵PID:2576
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C copy C:\Users\Admin\AppData\Local\Temp\Seven.exe C:\Windows\System32\SevenCopy.exe2⤵
- Drops file in System32 directory
PID:1044 -
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C attrib +h C:\Windows\System32\SevenCopy.exe2⤵
- Suspicious use of WriteProcessMemory
PID:4584 -
C:\Windows\system32\attrib.exeattrib +h C:\Windows\System32\SevenCopy.exe3⤵
- Drops file in System32 directory
- Views/modifies file attributes
PID:4156 -
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C copy C:\Users\Admin\AppData\Local\Temp\Seven.dll C:\Windows\System32\Seven.dll2⤵
- Drops file in System32 directory
PID:4600 -
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C copy C:\Users\Admin\AppData\Local\Temp\Seven.runtimeconfig.json C:\Windows\System32\Seven.runtimeconfig.json2⤵
- Drops file in System32 directory
PID:4384 -
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C attrib +h C:\Windows\System32\Seven.dll2⤵
- Suspicious use of WriteProcessMemory
PID:2328 -
C:\Windows\system32\attrib.exeattrib +h C:\Windows\System32\Seven.dll3⤵
- Drops file in System32 directory
- Views/modifies file attributes
PID:3740 -
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C attrib +h C:\Windows\System32\Seven.runtimeconfig.json2⤵
- Suspicious use of WriteProcessMemory
PID:2004 -
C:\Windows\system32\attrib.exeattrib +h C:\Windows\System32\Seven.runtimeconfig.json3⤵
- Drops file in System32 directory
- Views/modifies file attributes
PID:4032 -
C:\Users\Admin\AppData\Local\Temp\SevenCopy.exe"C:\Users\Admin\AppData\Local\Temp\SevenCopy.exe"2⤵
- Executes dropped EXE
PID:4804
-
C:\Windows\System32\SevenCopy.exeC:\Windows\System32\SevenCopy.exe1⤵
- Executes dropped EXE
PID:4148
-
C:\Windows\System32\SevenCopy.exeC:\Windows\System32\SevenCopy.exe1⤵
- Executes dropped EXE
PID:2296
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wlhd31ln.5ze.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Windows\System32\Seven.dllFilesize
1.0MB
MD5c2748d8495062431daf246e7cf490f7f
SHA1c28716d29cba15baea893b5747f9023dd13b3b31
SHA2564a7092478050ad8385fd7e086ed7906eebc92e568178a663949317cd72c520d0
SHA5122a73492c0632f091504d56bc330e6bddd6ef4fdffbdfc1c185ac71fd49d7fe20f7c61f9cf70fc410dce16259152595b9e1aa81a6d38d8ef592a818f30e2fd33d
-
C:\Windows\System32\Seven.runtimeconfig.jsonFilesize
340B
MD5253333997e82f7d44ea8072dfae6db39
SHA103b9744e89327431a619505a7c72fd497783d884
SHA25628329cf08f6505e73806b17558b187c02f0c1c516fe47ebfb7a013d082aaa306
SHA51256d99039e0fb6305588e9f87361e7e0d5051507bf321ba36619c4d29741f35c27c62f025a52523c9e1c7287aabf1533444330a8cdf840fa5af0fa2241fcb4fc2
-
C:\Windows\System32\SevenCopy.exeFilesize
139KB
MD56503f847c3281ff85b304fc674b62580
SHA1947536e0741c085f37557b7328b067ef97cb1a61
SHA256afd7657f941024ef69ca34d1e61e640c5523b19b0fad4dcb1c9f1b01a6fa166f
SHA512abc3b32a1cd7d0a60dd7354a9fcdff0bc37ec8a20bb2a8258353716d820f62d343c6ba9385ba893be0cca981bbb9ab4e189ccfeee6dd77cc0dc723e975532174
-
memory/4248-0-0x0000015BF02C0000-0x0000015BF02E2000-memory.dmpFilesize
136KB
-
memory/4248-12-0x0000015BF02F0000-0x0000015BF0300000-memory.dmpFilesize
64KB
-
memory/4248-11-0x0000015BF02F0000-0x0000015BF0300000-memory.dmpFilesize
64KB
-
memory/4248-10-0x00007FFC80640000-0x00007FFC81101000-memory.dmpFilesize
10.8MB
-
memory/4248-13-0x0000015BF02F0000-0x0000015BF0300000-memory.dmpFilesize
64KB
-
memory/4248-16-0x00007FFC80640000-0x00007FFC81101000-memory.dmpFilesize
10.8MB