Analysis
-
max time kernel
143s
-
max time network
149s
-
platform
windows10-2004_x64
-
resource
win10v2004-20240226-en
-
resource tags
arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
-
submitted
28-04-2024 09:00
Static task
static1
Behavioral task
behavioral1
Sample
Seven.exe
Resource
win10v2004-20240419-en
General
-
Target
Seven.exe
-
Size
139KB
-
MD5
6503f847c3281ff85b304fc674b62580
-
SHA1
947536e0741c085f37557b7328b067ef97cb1a61
-
SHA256
afd7657f941024ef69ca34d1e61e640c5523b19b0fad4dcb1c9f1b01a6fa166f
-
SHA512
abc3b32a1cd7d0a60dd7354a9fcdff0bc37ec8a20bb2a8258353716d820f62d343c6ba9385ba893be0cca981bbb9ab4e189ccfeee6dd77cc0dc723e975532174
-
SSDEEP
3072:miS4omp03WQthI/9S3BZi08iRQ1G78IVn27bSfcJd8lto:miS4ompB9S3BZi0a1G78IVhcTct
Malware Config
Signatures
-
Modifies Windows Defender Real-time Protection settings
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | Seven.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | Seven.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | Seven.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | Seven.exe
-
UAC bypass
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLua = "1" | Seven.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "1" | Seven.exe
-
Blocks application from running via registry modification 1 IoCs
Adds application to list of disallowed applications.
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" | Seven.exe
-
Disables RegEdit via registry modification 1 IoCs
Processes:
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | Seven.exe
-
Disables Task Manager via registry modification
-
Disables cmd.exe use via registry modification 1 IoCs
Processes:
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | Seven.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | Seven.exe
-
Windows security modification
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | Seven.exe
-
Checks whether UAC is enabled
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLua | Seven.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLua = "1" | Seven.exe
-
Drops file in System32 directory 9 IoCs
Processes:
description | ioc | process
File created | C:\Windows\System32\Desktop | cmd.exe
File created | C:\Windows\System32\Desktop | cmd.exe
File opened for modification | C:\Windows\System32\Desktop | attrib.exe
File created | C:\Windows\System32\Desktop | cmd.exe
File opened for modification | C:\Windows\System32\Desktop | cmd.exe
File opened for modification | C:\Windows\System32\Desktop | cmd.exe
File opened for modification | C:\Windows\System32\Desktop | attrib.exe
File opened for modification | C:\Windows\System32\Desktop | attrib.exe
File opened for modification | C:\Windows\System32\Desktop | cmd.exe
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
pid | process
3588 | powershell.exe
3588 | powershell.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 3588 | powershell.exe
-
Suspicious use of WriteProcessMemory 22 IoCs
Processes:
description | pid | process | target process
PID 4752 wrote to memory of 3588 | 4752 | Seven.exe | powershell.exe
PID 4752 wrote to memory of 3588 | 4752 | Seven.exe | powershell.exe
PID 4752 wrote to memory of 3156 | 4752 | Seven.exe | cmd.exe
PID 4752 wrote to memory of 3156 | 4752 | Seven.exe | cmd.exe
PID 4752 wrote to memory of 3356 | 4752 | Seven.exe | cmd.exe
PID 4752 wrote to memory of 3356 | 4752 | Seven.exe | cmd.exe
PID 4752 wrote to memory of 60 | 4752 | Seven.exe | cmd.exe
PID 4752 wrote to memory of 60 | 4752 | Seven.exe | cmd.exe
PID 4752 wrote to memory of 3084 | 4752 | Seven.exe | cmd.exe
PID 4752 wrote to memory of 3084 | 4752 | Seven.exe | cmd.exe
PID 4752 wrote to memory of 3868 | 4752 | Seven.exe | cmd.exe
PID 4752 wrote to memory of 3868 | 4752 | Seven.exe | cmd.exe
PID 4752 wrote to memory of 4016 | 4752 | Seven.exe | cmd.exe
PID 4752 wrote to memory of 4016 | 4752 | Seven.exe | cmd.exe
PID 4752 wrote to memory of 2208 | 4752 | Seven.exe | cmd.exe
PID 4752 wrote to memory of 2208 | 4752 | Seven.exe | cmd.exe
PID 4016 wrote to memory of 832 | 4016 | cmd.exe | attrib.exe
PID 4016 wrote to memory of 832 | 4016 | cmd.exe | attrib.exe
PID 2208 wrote to memory of 3540 | 2208 | cmd.exe | attrib.exe
PID 2208 wrote to memory of 3540 | 2208 | cmd.exe | attrib.exe
PID 60 wrote to memory of 2620 | 60 | cmd.exe | attrib.exe
PID 60 wrote to memory of 2620 | 60 | cmd.exe | attrib.exe
-
System policy modification 1 TTPs 3 IoCs
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLua = "1" | Seven.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" | Seven.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "1" | Seven.exe
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Views/modifies file attributes 1 TTPs 3 IoCs
Processes:
pid | process
832 | attrib.exe
3540 | attrib.exe
2620 | attrib.exe
Processes
(process tree; indentation shows the parent/child relationship, each entry gives the image path, the command line and the signatures it triggered)

C:\Users\Admin\AppData\Local\Temp\Seven.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\Seven.exe"
  - Modifies Windows Defender Real-time Protection settings
  - UAC bypass
  - Blocks application from running via registry modification
  - Disables RegEdit via registry modification
  - Disables cmd.exe use via registry modification
  - Checks computer location settings
  - Windows security modification
  - Checks whether UAC is enabled
  - Suspicious use of WriteProcessMemory
  - System policy modification

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command line: "powershell" Get-MpPreference -verbose
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SYSTEM32\cmd.exe
    command line: "cmd.exe" /C copy C:\Users\Admin\Desktop C:\Users\Admin\Desktop

  C:\Windows\SYSTEM32\cmd.exe
    command line: "cmd.exe" /C copy C:\Users\Admin\Desktop C:\Windows\System32\Desktop
    - Drops file in System32 directory

  C:\Windows\SYSTEM32\cmd.exe
    command line: "cmd.exe" /C attrib +h C:\Windows\System32\Desktop
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\attrib.exe
      command line: attrib +h C:\Windows\System32\Desktop
      - Drops file in System32 directory
      - Views/modifies file attributes

  C:\Windows\SYSTEM32\cmd.exe
    command line: "cmd.exe" /C copy C:\Users\Admin\Desktop C:\Windows\System32\Desktop
    - Drops file in System32 directory

  C:\Windows\SYSTEM32\cmd.exe
    command line: "cmd.exe" /C copy C:\Users\Admin\Desktop C:\Windows\System32\Desktop
    - Drops file in System32 directory

  C:\Windows\SYSTEM32\cmd.exe
    command line: "cmd.exe" /C attrib +h C:\Windows\System32\Desktop
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\attrib.exe
      command line: attrib +h C:\Windows\System32\Desktop
      - Drops file in System32 directory
      - Views/modifies file attributes

  C:\Windows\SYSTEM32\cmd.exe
    command line: "cmd.exe" /C attrib +h C:\Windows\System32\Desktop
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\attrib.exe
      command line: attrib +h C:\Windows\System32\Desktop
      - Drops file in System32 directory
      - Views/modifies file attributes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4076 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:8
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Privilege Escalation
  Create or Modify System Process (1)
    Windows Service (1)
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
Downloads
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5g4bwskj.u14.ps1
Filesize 60B
MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Windows\System32\Desktop
Filesize 3KB
MD5 f8cc12da34efc6ea8f5dbd5f695f69e1
SHA1 d3f1d87f16e9bb55a8ec371efaaca53433b21618
SHA256 47f9342317a90a31fb597d3bf4199dda54191b465c480ff0cdcd47169214256e
SHA512 344cb3af24b34f6ed06f4f2805bbdfc0e411c638d49b5b7f44ea974d129d4c3ef65f7f24e393e5608ab5516bd6c7b571a8aafee7e17f4f9e1e060d5aaa670ec6
-
C:\Windows\System32\Desktop
Filesize 4KB
MD5 f1e15488b616c6f19c0345ef1d9b592a
SHA1 77b2968d7e1d005fa6abe83a77c2a85b57e5571d
SHA256 e48c3c029542dfb6c65b5cf1e7382ddea76a1aa338abd2dcd876bb30601152ed
SHA512 de357903df45f7a054c489a51a11adbd5cb1aacc5d125ab9fd1a5e6f720217404e4a729ca29a9b55e1e39b8c551bf2b4aae10136c16e60c2e1093b4909a40c37
-
C:\Windows\System32\Desktop
Filesize 6KB
MD5 7919c011c0751a11cdb6b0b8b374c444
SHA1 d0dd5ceeb428bf823c1b139321b4c0271f17f0de
SHA256 2a616f29483f8dddf930aa2859cbd0ca188113b1c57a82a435cb5b1a83580de3
SHA512 365e9afdbabe577ae1d6dbf5bcab5b04abadd5fb8f31afc361db501f2b7a823053890d27c658969a469402833428a347c3c01f66e6924180902a81aaaa7bc0b1
-
memory/3588-0-0x0000014F69B40000-0x0000014F69B62000-memory.dmp
Filesize 136KB
-
memory/3588-10-0x00007FFE6BC80000-0x00007FFE6C741000-memory.dmp
Filesize 10.8MB
-
memory/3588-13-0x0000014F69B00000-0x0000014F69B10000-memory.dmp
Filesize 64KB
-
memory/3588-12-0x0000014F69B00000-0x0000014F69B10000-memory.dmp
Filesize 64KB
-
memory/3588-11-0x0000014F69B00000-0x0000014F69B10000-memory.dmp
Filesize 64KB
-
memory/3588-16-0x00007FFE6BC80000-0x00007FFE6C741000-memory.dmp
Filesize 10.8MB