816a19d971edfde4e6259c07da3736f542de64f024b8a849068e9099ab8d2a51

General

Target

Seven.exe
Size

139KB
MD5

6503f847c3281ff85b304fc674b62580
SHA1

947536e0741c085f37557b7328b067ef97cb1a61
SHA256

afd7657f941024ef69ca34d1e61e640c5523b19b0fad4dcb1c9f1b01a6fa166f
SHA512

abc3b32a1cd7d0a60dd7354a9fcdff0bc37ec8a20bb2a8258353716d820f62d343c6ba9385ba893be0cca981bbb9ab4e189ccfeee6dd77cc0dc723e975532174
SSDEEP

3072:miS4omp03WQthI/9S3BZi08iRQ1G78IVn27bSfcJd8lto:miS4ompB9S3BZi0a1G78IVhcTct

Score

10^/10

evasion ransomware trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Seven.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	Seven.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	Seven.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	Seven.exe

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLua = "1"	Seven.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "1"	Seven.exe

Blocks application from running via registry modification 1 IoCs

Adds application to list of disallowed applications.

evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	Seven.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Seven.exe

Disables Task Manager via registry modification
evasion

Disables cmd.exe use via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	Seven.exe

Executes dropped EXE 2 IoCs

pid	Process
1696	Winhost.exe
1664	Winhost.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	Seven.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLua	Seven.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLua = "1"	Seven.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
2	raw.githubusercontent.com
1	raw.githubusercontent.com

Drops file in System32 directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\Seven.dll	attrib.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5\	Winhost.exe
File created	C:\Windows\System32\Winhost.exe	cmd.exe
File opened for modification	C:\Windows\System32\Winhost.exe	attrib.exe
File created	C:\Windows\System32\Seven.dll	cmd.exe
File opened for modification	C:\Windows\System32\Seven.dll	cmd.exe
File opened for modification	C:\Windows\System32\Winhost.exe	cmd.exe
File created	C:\Windows\System32\Seven.runtimeconfig.json	cmd.exe
File opened for modification	C:\Windows\System32\Seven.runtimeconfig.json	cmd.exe
File opened for modification	C:\Windows\System32\Seven.runtimeconfig.json	attrib.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-734199974-1358367239-436541239-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmpuyqadf.tmp"	Seven.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\	Winhost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3008	powershell.exe
3008	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3008	powershell.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1368 wrote to memory of 3008	1368	Seven.exe	82
PID 1368 wrote to memory of 3008	1368	Seven.exe	82
PID 1368 wrote to memory of 2448	1368	Seven.exe	84
PID 1368 wrote to memory of 2448	1368	Seven.exe	84
PID 1368 wrote to memory of 4892	1368	Seven.exe	85
PID 1368 wrote to memory of 4892	1368	Seven.exe	85
PID 1368 wrote to memory of 1540	1368	Seven.exe	86
PID 1368 wrote to memory of 1540	1368	Seven.exe	86
PID 1540 wrote to memory of 4416	1540	cmd.exe	87
PID 1540 wrote to memory of 4416	1540	cmd.exe	87
PID 1368 wrote to memory of 1168	1368	Seven.exe	88
PID 1368 wrote to memory of 1168	1368	Seven.exe	88
PID 1368 wrote to memory of 4156	1368	Seven.exe	89
PID 1368 wrote to memory of 4156	1368	Seven.exe	89
PID 1368 wrote to memory of 4868	1368	Seven.exe	90
PID 1368 wrote to memory of 4868	1368	Seven.exe	90
PID 1368 wrote to memory of 648	1368	Seven.exe	91
PID 1368 wrote to memory of 648	1368	Seven.exe	91
PID 648 wrote to memory of 4872	648	cmd.exe	92
PID 648 wrote to memory of 4872	648	cmd.exe	92
PID 4868 wrote to memory of 4396	4868	cmd.exe	93
PID 4868 wrote to memory of 4396	4868	cmd.exe	93
PID 1368 wrote to memory of 1696	1368	Seven.exe	94
PID 1368 wrote to memory of 1696	1368	Seven.exe	94

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	Seven.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "1"	Seven.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLua = "1"	Seven.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4872	attrib.exe
4396	attrib.exe
4416	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Seven.exe
"C:\Users\Admin\AppData\Local\Temp\Seven.exe"
1⤵
- Modifies Windows Defender Real-time Protection settings
- UAC bypass
- Blocks application from running via registry modification
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Windows security modification
- Checks whether UAC is enabled
- Sets desktop wallpaper using registry
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1368
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Get-MpPreference -verbose
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3008
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C copy C:\Users\Admin\AppData\Local\Temp\Seven.exe C:\Users\Admin\AppData\Local\Temp\Winhost.exe
  2⤵
  PID:2448
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C copy C:\Users\Admin\AppData\Local\Temp\Seven.exe C:\Windows\System32\Winhost.exe
  2⤵
  - Drops file in System32 directory
  PID:4892
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C attrib +h C:\Windows\System32\Winhost.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1540
- - C:\Windows\system32\attrib.exe
    attrib +h C:\Windows\System32\Winhost.exe
    3⤵
    - Drops file in System32 directory
    - Views/modifies file attributes
    PID:4416
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C copy C:\Users\Admin\AppData\Local\Temp\Seven.dll C:\Windows\System32\Seven.dll
  2⤵
  - Drops file in System32 directory
  PID:1168
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C copy C:\Users\Admin\AppData\Local\Temp\Seven.runtimeconfig.json C:\Windows\System32\Seven.runtimeconfig.json
  2⤵
  - Drops file in System32 directory
  PID:4156
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C attrib +h C:\Windows\System32\Seven.dll
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4868
- - C:\Windows\system32\attrib.exe
    attrib +h C:\Windows\System32\Seven.dll
    3⤵
    - Drops file in System32 directory
    - Views/modifies file attributes
    PID:4396
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C attrib +h C:\Windows\System32\Seven.runtimeconfig.json
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:648
- - C:\Windows\system32\attrib.exe
    attrib +h C:\Windows\System32\Seven.runtimeconfig.json
    3⤵
    - Drops file in System32 directory
    - Views/modifies file attributes
    PID:4872
- C:\Users\Admin\AppData\Local\Temp\Winhost.exe
  "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  PID:1696

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2216

C:\Windows\System32\Winhost.exe
C:\Windows\System32\Winhost.exe
1⤵
- Executes dropped EXE
PID:1664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Hide Artifacts

1

T1564

Hidden Files and Directories

1

T1564.001

Impair Defenses

3

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tkezlcty.pjx.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\System32\Seven.dll

Filesize
1.0MB

MD5
caaef7e7c2cd74afce04661f036e5d70

SHA1
0038e849d8a6f2a3825c61f5c0acbfc4a4d76406

SHA256
b20fabc102563acf12595c14f51eb775fbe46dc170bdd916ef4a44c98d251819

SHA512
256d5d9193d26f375afc89793e1dbc0ab8ddc853640db3d5bbf04d51c24e40ca5cdb615b4f8c93bf1621e5e0db6788f4745a22ea242c22a182ece7ad6578e261

Download Submit
C:\Windows\System32\Seven.runtimeconfig.json

Filesize
458B

MD5
07b9a30265ca4e69c7016a1b6e3ffc27

SHA1
3a4af82a2695b1423aedd8b60a5c86793c011b02

SHA256
c71152bf25e40d647b2440c5b39be157a3d356106be9d5b678ab97bb87b4e782

SHA512
efd582f8edcdba5ef48d02eee5f73d83ff35071af99b49e08e0213928568d728d0856e3b903bfcccb9237f786846cf94da83139f99e9bee86287aff2071c3f1c

Download Submit
C:\Windows\System32\Winhost.exe

Filesize
139KB

MD5
6503f847c3281ff85b304fc674b62580

SHA1
947536e0741c085f37557b7328b067ef97cb1a61

SHA256
afd7657f941024ef69ca34d1e61e640c5523b19b0fad4dcb1c9f1b01a6fa166f

SHA512
abc3b32a1cd7d0a60dd7354a9fcdff0bc37ec8a20bb2a8258353716d820f62d343c6ba9385ba893be0cca981bbb9ab4e189ccfeee6dd77cc0dc723e975532174

Download Submit
memory/3008-9-0x0000014668630000-0x0000014668652000-memory.dmp

Filesize
136KB

Download
memory/3008-10-0x00007FFC6C250000-0x00007FFC6CD12000-memory.dmp

Filesize
10.8MB

Download
memory/3008-13-0x0000014650030000-0x0000014650040000-memory.dmp

Filesize
64KB

Download
memory/3008-12-0x0000014650030000-0x0000014650040000-memory.dmp

Filesize
64KB

Download
memory/3008-11-0x0000014650030000-0x0000014650040000-memory.dmp

Filesize
64KB

Download
memory/3008-16-0x00007FFC6C250000-0x00007FFC6CD12000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads