Overview

overview

10

Static

static

3

Seven.exe

windows10-2004-x64

1

Seven.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    66s
  • max time network
    53s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-04-2024 08:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Seven.exe

  • Size

    139KB

  • MD5

    6503f847c3281ff85b304fc674b62580

  • SHA1

    947536e0741c085f37557b7328b067ef97cb1a61

  • SHA256

    afd7657f941024ef69ca34d1e61e640c5523b19b0fad4dcb1c9f1b01a6fa166f

  • SHA512

    abc3b32a1cd7d0a60dd7354a9fcdff0bc37ec8a20bb2a8258353716d820f62d343c6ba9385ba893be0cca981bbb9ab4e189ccfeee6dd77cc0dc723e975532174

  • SSDEEP

    3072:miS4omp03WQthI/9S3BZi08iRQ1G78IVn27bSfcJd8lto:miS4ompB9S3BZi0a1G78IVhcTct

Score
10/10
evasiontrojan

Malware Config

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
    evasiontrojan
  • UAC bypass 3 TTPs 2 IoCs
    evasiontrojan
  • Blocks application from running via registry modification 1 IoCs

    Adds application to list of disallowed applications.

    evasion
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Disables Task Manager via registry modification
    evasion
  • Disables cmd.exe use via registry modification 1 IoCs
    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Drops file in System32 directory 9 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs
  • System policy modification 1 TTPs 3 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Views/modifies file attributes 1 TTPs 3 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\Seven.exe
    "C:\Users\Admin\AppData\Local\Temp\Seven.exe"
    1⤵
    • Modifies Windows Defender Real-time Protection settings
    • UAC bypass
    • Blocks application from running via registry modification
    • Disables RegEdit via registry modification
    • Disables cmd.exe use via registry modification
    • Checks computer location settings
    • Windows security modification
    • Checks whether UAC is enabled
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1496
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" Get-MpPreference -verbose
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1748
    • C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /C copy C:\Users\Admin\Desktop C:\Users\Admin\Desktop
      2⤵
        PID:2492
      • C:\Windows\SYSTEM32\cmd.exe
        "cmd.exe" /C copy C:\Users\Admin\Desktop C:\Windows\System32\Desktop
        2⤵
        • Drops file in System32 directory
        PID:2668
      • C:\Windows\SYSTEM32\cmd.exe
        "cmd.exe" /C attrib +h C:\Windows\System32\Desktop
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1900
        • C:\Windows\system32\attrib.exe
          attrib +h C:\Windows\System32\Desktop
          3⤵
          • Drops file in System32 directory
          • Views/modifies file attributes
          PID:4056
      • C:\Windows\SYSTEM32\cmd.exe
        "cmd.exe" /C copy C:\Users\Admin\Desktop C:\Windows\System32\Desktop
        2⤵
        • Drops file in System32 directory
        PID:5056
      • C:\Windows\SYSTEM32\cmd.exe
        "cmd.exe" /C copy C:\Users\Admin\Desktop C:\Windows\System32\Desktop
        2⤵
        • Drops file in System32 directory
        PID:4924
      • C:\Windows\SYSTEM32\cmd.exe
        "cmd.exe" /C attrib +h C:\Windows\System32\Desktop
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2976
        • C:\Windows\system32\attrib.exe
          attrib +h C:\Windows\System32\Desktop
          3⤵
          • Drops file in System32 directory
          • Views/modifies file attributes
          PID:5068
      • C:\Windows\SYSTEM32\cmd.exe
        "cmd.exe" /C attrib +h C:\Windows\System32\Desktop
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2784
        • C:\Windows\system32\attrib.exe
          attrib +h C:\Windows\System32\Desktop
          3⤵
          • Drops file in System32 directory
          • Views/modifies file attributes
          PID:2344

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1zqqub45.p2y.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Windows\System32\Desktop
      Filesize

      354B

      MD5

      c71d8db501d12627c4c20c062f3a54c8

      SHA1

      c51dc4249f7f336482b8fc1bb66d88a08e1145f6

      SHA256

      bef68b383ef167cf68c8b882235ee2a27a85f399308bf42e65e4cd5052fe517a

      SHA512

      aaa7584961a2d1353bc14c4fe8bf765b04dab8c6d49cecb24fb583339f672c96de280db37565af0d01a952f8662c9efe55651280b03d4ec6b35e9920af73a5ec

      Download Submit

    • C:\Windows\System32\Desktop
      Filesize

      4KB

      MD5

      80193f0130b4b3f688535acbdd535a74

      SHA1

      98a1e9b946979ea6fdf112bdb77f3f22d449fd66

      SHA256

      d456a9ca72176f99830ca9634560dc9e3850f40ef487d90f672e01c0094b3b62

      SHA512

      e9256f6d5425d47509a5b149ae03df90a3d1f78f84704543962bd9b04a04f0ccfae8296dba53fd98d8d308bbbbe9d34af66ed56e5b0d23df057d0ebdc1066d23

      Download Submit

    • memory/1748-0-0x0000028AD5320000-0x0000028AD5342000-memory.dmp

      Filesize

      136KB

      Download

    • memory/1748-10-0x00007FFF73B20000-0x00007FFF745E1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/1748-12-0x0000028AD4BB0000-0x0000028AD4BC0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1748-11-0x0000028AD4BB0000-0x0000028AD4BC0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1748-15-0x00007FFF73B20000-0x00007FFF745E1000-memory.dmp

      Filesize

      10.8MB

      Download