Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Resubmissions
07/05/2024, 16:42
240507-t7tjzaeh9s 1007/05/2024, 16:12
240507-tnt2dseb4v 1007/05/2024, 16:09
240507-tlvj5sea61 1Analysis
-
max time kernel
40s -
max time network
41s -
platform
windows10-2004_x64 -
resource
win10v2004-20240419-en -
resource tags
-
submitted
07/05/2024, 16:42
Errors
General
-
Target
https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Ransomware/7ev3n.exe
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
-
UAC bypass 3 TTPs 1 IoCs
-
Executes dropped EXE 2 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies data under HKEY_USERS 17 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 34 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Ransomware/7ev3n.exe1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffde36bcc40,0x7ffde36bcc4c,0x7ffde36bcc582⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1896,i,17818258221053402653,15362407342097811870,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=1892 /prefetch:22⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2032,i,17818258221053402653,15362407342097811870,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2364 /prefetch:32⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2084,i,17818258221053402653,15362407342097811870,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2524 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3108,i,17818258221053402653,15362407342097811870,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3156 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3128,i,17818258221053402653,15362407342097811870,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3256 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4644,i,17818258221053402653,15362407342097811870,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4684 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=4980,i,17818258221053402653,15362407342097811870,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=5004 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5028,i,17818258221053402653,15362407342097811870,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=5172 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5440,i,17818258221053402653,15362407342097811870,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=5368 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5052,i,17818258221053402653,15362407342097811870,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=5020 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\Downloads\7ev3n.exe"C:\Users\Admin\Downloads\7ev3n.exe"1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\system.exe"C:\Users\Admin\AppData\Local\system.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\del.bat3⤵
-
-
C:\Windows\SysWOW64\SCHTASKS.exeC:\Windows\System32\SCHTASKS.exe /create /SC ONLOGON /TN uac /TR "C:\Users\Admin\AppData\Local\bcd.bat" /RL HIGHEST /f3⤵
- Creates scheduled task(s)
-
-
C:\windows\SysWOW64\cmd.exeC:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:644⤵
- Modifies WinLogon for persistence
-
-
-
C:\windows\SysWOW64\cmd.exeC:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "System" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "System" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:644⤵
- Adds Run key to start application
-
-
-
C:\windows\SysWOW64\cmd.exeC:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d "00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000" /f /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d "00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000" /f /reg:644⤵
-
-
-
C:\windows\SysWOW64\cmd.exeC:\windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d 506 /f /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d 506 /f /reg:644⤵
-
-
-
C:\windows\SysWOW64\cmd.exeC:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "rgd_bcd_condition" /t REG_SZ /d 1 /f /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "rgd_bcd_condition" /t REG_SZ /d 1 /f /reg:644⤵
-
-
-
C:\windows\SysWOW64\cmd.exeC:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f /reg:644⤵
- UAC bypass
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "crypted" /t REG_SZ /d 1 /f /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "crypted" /t REG_SZ /d 1 /f /reg:644⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c shutdown -r -t 10 -f3⤵
-
C:\Windows\SysWOW64\shutdown.exeshutdown -r -t 10 -f4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa3966855 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
649B
MD57e74d4795d6a8fdff26ebc9f0fcfdfc5
SHA18deef30970e130487f07222a7d6401fde1537a12
SHA25683f6e1f24675f1126b33810f280e04ec2fd7a4023afedd3f7639880e27e97f06
SHA512911bc63a1b87114e5203420075f02db6e9e780e8dba59fe17257c6d93961337ec7e030cb10b527aa7dfaa3e4dd1971a15a5a3fe39d16f0fe7ac04e5d39cce3cb
-
Filesize
1KB
MD54bd1d2eebe4a95dc571285b947e420c4
SHA1308329c9db5537407a470bfc388cfa1b022b43a3
SHA256d52632e60b3fd437d73025f6b512035b7d84be74958b7aaaf3cbbfd5e81e3b91
SHA512874045e595eb70ec44860700ec6185eda96d831e6dead77f76e9f8339c9540554005fadbe73f4061dec0fe8439e7b04b6476b0f7e83e97dceec25599484ca4bf
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
1KB
MD5f73f3c83ee519b0aabc42b7f37bec32f
SHA1c8c0343683b6844bb628f6f5335706aa769fbbb5
SHA256a0d10a2b6ef1f112d28a5f93f1c0913744905ad84eba2df0819db6281e2f0fb6
SHA51277371f868cdbaec00614e933f65c120cbdbd6ce54834aad5ca04dd4c385270b71dbca1abafba8fe51a15dd90a1ece49341a9459c0bf403310197cf6e1da7929b
-
Filesize
9KB
MD589f00803596bf57f1bd788b9cb17f97f
SHA1439eeaa837afe6bc3a94b8b243f88498f6a14161
SHA256e60fdce748de099142f7471a6e2d80aa54b1f47c72daf9a8803075b7e59cd6a1
SHA5122f8ad305d1c18f017b6d681450b39592a0b0e2e339fc64eb175dd89d2592255b82afc4d93b7fb75dc017461f0d79852989d160613cdec21d7964ce39769f24d2
-
Filesize
9KB
MD52af066f17602d6afc32187543a8446d5
SHA16e2c9048548ea5deb314d519eb168956e67a3529
SHA2560db8e5c5ccd84a2ec3cdb554da444cd326ce7bf4b7c32d0508604377835d0b5d
SHA51298327bf002444d5705fa46a2461a4cb6766c45824e2a950febd1301e5c1ee39fcc1a5035f0f5f22285369f5845d95982a7b619f4a0f956a5275f0f8b595a141a
-
Filesize
10KB
MD5e3595123fcc7e807de58ab46c4062818
SHA1c1edf14f9d4f8a197e6b2a7a93dc314a2b386784
SHA2563bd85e148dc478f9dd792826bd62329b958be9792b719990f1f063abd95227c0
SHA5127dbdbc6c9628513e235e3e1ad2e289978c8f5f79399a90e9245afffb54a2aa317717e6989587614a31e4193dcb8ad66e7244bd980d896e327958929311a1352f
-
Filesize
77KB
MD5ca07bb610f3fa6815b561841c7b171ae
SHA1022a2814c0af71951e09fc1483609d15ebf0a6a4
SHA256a0507e2affaad9216f831175dbb1ee5dd3417981de7ecdd5d042a3313c1ee0b4
SHA51207fd2136ec31eb16def540d79498b6c380381e9ce3fee0a4f66a8579664a4b012282ed3520383a0943a93007c67b8165d70611d23c37c23f72e22123a58d2b93
-
Filesize
77KB
MD5b285953df4764e7df7e7bad7ca2cc931
SHA1466413c8d7a0b28bdb92271dd3d29d1de396e511
SHA256f82781e20ac0016a64db4608a641d8d55fd4e7e98ee44cd443e9871079154937
SHA512b15023e6229f13e42b79c667009d4b70197d892a05b0505a6eb46e91b07421632375a886de21a92c9d1c742fad492c6893f74674bcd955021e110bbeb0abaa9f
-
Filesize
56B
MD5f62904abb27a3574e2e6121349ab4955
SHA135b3504f1d6bc88638a0721cf3d898eb0f95092a
SHA256d31225722321313554e736bcd9debc4cb4c5ed6dce3921fa7839162fede832b6
SHA512e8d1cf4c6a745790b2eaf4b3618703337313e3f561ba88982bc1a139aa4b5b29fd5f78f925e5bd12669eed74ca78510f6d6b1ce091bc55299057d2b2e867fb4e
-
Filesize
315KB
MD51ca3659a54277f023deb1866b8fdb383
SHA1898e643b793bfc6d830e6789cc9600d7ce7ebe1c
SHA256ad75779a0a60ea62d593e3e71f3ff0f54c003b3e5feb12181041864942b613b6
SHA5129387ad15c0425a7dea63b6a4e8246e2d3429e3e9f3dabb494339f8deff3c7e59952a9617c0aa31a59462e11578fedb491881c3fb12a3990969ed4e988ce1f066
-
Filesize
315KB
MD59f8bc96c96d43ecb69f883388d228754
SHA161ed25a706afa2f6684bb4d64f69c5fb29d20953
SHA2567d373ccb96d1dbb1856ef31afa87c2112a0c1795a796ab01cb154700288afec5
SHA512550a891c1059f58aa983138caf65a7ea9c326cb1b94c15f3e7594128f6e9f1295b9c2dbc0925637dba7c94e938083fffc6a63dc7c2e5b1e247679931cce505c6