hxxps://github[.]com/Endermanch/MalwareDatabase/blob/master/ransomwares/7ev3n[.]zip

Resubmissions

19/02/2025, 03:42

250219-d9pqsswnbp 8

19/02/2025, 03:32

250219-d3vy8swmbn 10

Analysis

max time kernel
89s
max time network
90s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
19/02/2025, 03:32

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://github.com/Endermanch/MalwareDatabase/blob/master/ransomwares/7ev3n.zip

Score

10^/10

defense_evasion discovery persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\system.exe"	reg.exe

UAC bypass 3 TTPs 1 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Executes dropped EXE 1 IoCs

pid	Process
4428	system.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "C:\\Users\\Admin\\AppData\\Local\\system.exe"	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
55	raw.githubusercontent.com
56	raw.githubusercontent.com
57	raw.githubusercontent.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 20 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	shutdown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SCHTASKS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 17 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "127"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133844095621998829"	chrome.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000_Classes\Local Settings	chrome.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4008	SCHTASKS.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
832	chrome.exe
832	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
832	chrome.exe
832	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	832	chrome.exe
Token: SeCreatePagefilePrivilege	832	chrome.exe
Token: SeShutdownPrivilege	832	chrome.exe
Token: SeCreatePagefilePrivilege	832	chrome.exe
Token: SeShutdownPrivilege	832	chrome.exe
Token: SeCreatePagefilePrivilege	832	chrome.exe
Token: SeShutdownPrivilege	832	chrome.exe
Token: SeCreatePagefilePrivilege	832	chrome.exe
Token: SeShutdownPrivilege	832	chrome.exe
Token: SeCreatePagefilePrivilege	832	chrome.exe
Token: SeShutdownPrivilege	832	chrome.exe
Token: SeCreatePagefilePrivilege	832	chrome.exe
Token: SeShutdownPrivilege	832	chrome.exe
Token: SeCreatePagefilePrivilege	832	chrome.exe
Token: SeShutdownPrivilege	832	chrome.exe
Token: SeCreatePagefilePrivilege	832	chrome.exe
Token: SeShutdownPrivilege	832	chrome.exe
Token: SeCreatePagefilePrivilege	832	chrome.exe
Token: SeShutdownPrivilege	832	chrome.exe
Token: SeCreatePagefilePrivilege	832	chrome.exe
Token: SeShutdownPrivilege	832	chrome.exe
Token: SeCreatePagefilePrivilege	832	chrome.exe
Token: SeShutdownPrivilege	832	chrome.exe
Token: SeCreatePagefilePrivilege	832	chrome.exe
Token: SeShutdownPrivilege	832	chrome.exe
Token: SeCreatePagefilePrivilege	832	chrome.exe
Token: SeShutdownPrivilege	832	chrome.exe
Token: SeCreatePagefilePrivilege	832	chrome.exe
Token: SeShutdownPrivilege	832	chrome.exe
Token: SeCreatePagefilePrivilege	832	chrome.exe
Token: SeShutdownPrivilege	832	chrome.exe
Token: SeCreatePagefilePrivilege	832	chrome.exe
Token: SeShutdownPrivilege	832	chrome.exe
Token: SeCreatePagefilePrivilege	832	chrome.exe
Token: SeShutdownPrivilege	832	chrome.exe
Token: SeCreatePagefilePrivilege	832	chrome.exe
Token: SeShutdownPrivilege	832	chrome.exe
Token: SeCreatePagefilePrivilege	832	chrome.exe
Token: SeShutdownPrivilege	832	chrome.exe
Token: SeCreatePagefilePrivilege	832	chrome.exe
Token: SeShutdownPrivilege	832	chrome.exe
Token: SeCreatePagefilePrivilege	832	chrome.exe
Token: SeShutdownPrivilege	832	chrome.exe
Token: SeCreatePagefilePrivilege	832	chrome.exe
Token: SeShutdownPrivilege	832	chrome.exe
Token: SeCreatePagefilePrivilege	832	chrome.exe
Token: SeShutdownPrivilege	832	chrome.exe
Token: SeCreatePagefilePrivilege	832	chrome.exe
Token: SeShutdownPrivilege	832	chrome.exe
Token: SeCreatePagefilePrivilege	832	chrome.exe
Token: SeShutdownPrivilege	832	chrome.exe
Token: SeCreatePagefilePrivilege	832	chrome.exe
Token: SeShutdownPrivilege	832	chrome.exe
Token: SeCreatePagefilePrivilege	832	chrome.exe
Token: SeShutdownPrivilege	832	chrome.exe
Token: SeCreatePagefilePrivilege	832	chrome.exe
Token: SeShutdownPrivilege	832	chrome.exe
Token: SeCreatePagefilePrivilege	832	chrome.exe
Token: SeShutdownPrivilege	832	chrome.exe
Token: SeCreatePagefilePrivilege	832	chrome.exe
Token: SeShutdownPrivilege	832	chrome.exe
Token: SeCreatePagefilePrivilege	832	chrome.exe
Token: SeShutdownPrivilege	832	chrome.exe
Token: SeCreatePagefilePrivilege	832	chrome.exe

Suspicious use of FindShellTrayWindow 40 IoCs

pid	Process
832	chrome.exe
832	chrome.exe
832	chrome.exe
832	chrome.exe
832	chrome.exe
832	chrome.exe
832	chrome.exe
832	chrome.exe
832	chrome.exe
832	chrome.exe
832	chrome.exe
832	chrome.exe
832	chrome.exe
832	chrome.exe
832	chrome.exe
832	chrome.exe
832	chrome.exe
832	chrome.exe
832	chrome.exe
832	chrome.exe
832	chrome.exe
832	chrome.exe
832	chrome.exe
832	chrome.exe
832	chrome.exe
832	chrome.exe
832	chrome.exe
832	chrome.exe
832	chrome.exe
832	chrome.exe
832	chrome.exe
832	chrome.exe
832	chrome.exe
832	chrome.exe
832	chrome.exe
832	chrome.exe
832	chrome.exe
832	chrome.exe
832	chrome.exe
832	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
832	chrome.exe
832	chrome.exe
832	chrome.exe
832	chrome.exe
832	chrome.exe
832	chrome.exe
832	chrome.exe
832	chrome.exe
832	chrome.exe
832	chrome.exe
832	chrome.exe
832	chrome.exe
832	chrome.exe
832	chrome.exe
832	chrome.exe
832	chrome.exe
832	chrome.exe
832	chrome.exe
832	chrome.exe
832	chrome.exe
832	chrome.exe
832	chrome.exe
832	chrome.exe
832	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2392	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 832 wrote to memory of 4612	832	chrome.exe	83
PID 832 wrote to memory of 4612	832	chrome.exe	83
PID 832 wrote to memory of 1812	832	chrome.exe	85
PID 832 wrote to memory of 1812	832	chrome.exe	85
PID 832 wrote to memory of 1812	832	chrome.exe	85
PID 832 wrote to memory of 1812	832	chrome.exe	85
PID 832 wrote to memory of 1812	832	chrome.exe	85
PID 832 wrote to memory of 1812	832	chrome.exe	85
PID 832 wrote to memory of 1812	832	chrome.exe	85
PID 832 wrote to memory of 1812	832	chrome.exe	85
PID 832 wrote to memory of 1812	832	chrome.exe	85
PID 832 wrote to memory of 1812	832	chrome.exe	85
PID 832 wrote to memory of 1812	832	chrome.exe	85
PID 832 wrote to memory of 1812	832	chrome.exe	85
PID 832 wrote to memory of 1812	832	chrome.exe	85
PID 832 wrote to memory of 1812	832	chrome.exe	85
PID 832 wrote to memory of 1812	832	chrome.exe	85
PID 832 wrote to memory of 1812	832	chrome.exe	85
PID 832 wrote to memory of 1812	832	chrome.exe	85
PID 832 wrote to memory of 1812	832	chrome.exe	85
PID 832 wrote to memory of 1812	832	chrome.exe	85
PID 832 wrote to memory of 1812	832	chrome.exe	85
PID 832 wrote to memory of 1812	832	chrome.exe	85
PID 832 wrote to memory of 1812	832	chrome.exe	85
PID 832 wrote to memory of 1812	832	chrome.exe	85
PID 832 wrote to memory of 1812	832	chrome.exe	85
PID 832 wrote to memory of 1812	832	chrome.exe	85
PID 832 wrote to memory of 1812	832	chrome.exe	85
PID 832 wrote to memory of 1812	832	chrome.exe	85
PID 832 wrote to memory of 1812	832	chrome.exe	85
PID 832 wrote to memory of 1812	832	chrome.exe	85
PID 832 wrote to memory of 1812	832	chrome.exe	85
PID 832 wrote to memory of 2704	832	chrome.exe	86
PID 832 wrote to memory of 2704	832	chrome.exe	86
PID 832 wrote to memory of 4560	832	chrome.exe	87
PID 832 wrote to memory of 4560	832	chrome.exe	87
PID 832 wrote to memory of 4560	832	chrome.exe	87
PID 832 wrote to memory of 4560	832	chrome.exe	87
PID 832 wrote to memory of 4560	832	chrome.exe	87
PID 832 wrote to memory of 4560	832	chrome.exe	87
PID 832 wrote to memory of 4560	832	chrome.exe	87
PID 832 wrote to memory of 4560	832	chrome.exe	87
PID 832 wrote to memory of 4560	832	chrome.exe	87
PID 832 wrote to memory of 4560	832	chrome.exe	87
PID 832 wrote to memory of 4560	832	chrome.exe	87
PID 832 wrote to memory of 4560	832	chrome.exe	87
PID 832 wrote to memory of 4560	832	chrome.exe	87
PID 832 wrote to memory of 4560	832	chrome.exe	87
PID 832 wrote to memory of 4560	832	chrome.exe	87
PID 832 wrote to memory of 4560	832	chrome.exe	87
PID 832 wrote to memory of 4560	832	chrome.exe	87
PID 832 wrote to memory of 4560	832	chrome.exe	87
PID 832 wrote to memory of 4560	832	chrome.exe	87
PID 832 wrote to memory of 4560	832	chrome.exe	87
PID 832 wrote to memory of 4560	832	chrome.exe	87
PID 832 wrote to memory of 4560	832	chrome.exe	87
PID 832 wrote to memory of 4560	832	chrome.exe	87
PID 832 wrote to memory of 4560	832	chrome.exe	87
PID 832 wrote to memory of 4560	832	chrome.exe	87
PID 832 wrote to memory of 4560	832	chrome.exe	87
PID 832 wrote to memory of 4560	832	chrome.exe	87
PID 832 wrote to memory of 4560	832	chrome.exe	87
PID 832 wrote to memory of 4560	832	chrome.exe	87
PID 832 wrote to memory of 4560	832	chrome.exe	87

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/Endermanch/MalwareDatabase/blob/master/ransomwares/7ev3n.zip
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff8bf84cc40,0x7ff8bf84cc4c,0x7ff8bf84cc58
  2⤵
  PID:4612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1868,i,16184203887209299245,8001095079501833882,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=1860 /prefetch:2
  2⤵
  PID:1812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1876,i,16184203887209299245,8001095079501833882,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2164 /prefetch:3
  2⤵
  PID:2704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2264,i,16184203887209299245,8001095079501833882,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2476 /prefetch:8
  2⤵
  PID:4560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3116,i,16184203887209299245,8001095079501833882,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3152 /prefetch:1
  2⤵
  PID:1480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3124,i,16184203887209299245,8001095079501833882,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3188 /prefetch:1
  2⤵
  PID:2132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4400,i,16184203887209299245,8001095079501833882,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4652 /prefetch:8
  2⤵
  PID:408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4484,i,16184203887209299245,8001095079501833882,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4856 /prefetch:8
  2⤵
  PID:4424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4520,i,16184203887209299245,8001095079501833882,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5308 /prefetch:8
  2⤵
  PID:5088

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3692

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1572

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1012

C:\Users\Admin\Downloads\7ev3n\[email protected]
"C:\Users\Admin\Downloads\7ev3n\[email protected]"
1⤵
- System Location Discovery: System Language Discovery
PID:1568
- C:\Users\Admin\AppData\Local\system.exe
  "C:\Users\Admin\AppData\Local\system.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4428
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\del.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3588
- - C:\Windows\SysWOW64\SCHTASKS.exe
    C:\Windows\System32\SCHTASKS.exe /create /SC ONLOGON /TN uac /TR "C:\Users\Admin\AppData\Local\bcd.bat" /RL HIGHEST /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:4008
- - C:\windows\SysWOW64\cmd.exe
    C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5072
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
      4⤵
      Modifies WinLogon for persistence
      System Location Discovery: System Language Discovery
      PID:1008
- - C:\windows\SysWOW64\cmd.exe
    C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "System" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3376
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "System" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:4580
- - C:\windows\SysWOW64\cmd.exe
    C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d "00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000" /f /reg:64
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4732
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d "00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000" /f /reg:64
      4⤵
      System Location Discovery: System Language Discovery
      PID:2824
- - C:\windows\SysWOW64\cmd.exe
    C:\windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d 506 /f /reg:64
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1512
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d 506 /f /reg:64
      4⤵
      System Location Discovery: System Language Discovery
      PID:5004
- - C:\windows\SysWOW64\cmd.exe
    C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "rgd_bcd_condition" /t REG_SZ /d 1 /f /reg:64
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1832
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "rgd_bcd_condition" /t REG_SZ /d 1 /f /reg:64
      4⤵
      System Location Discovery: System Language Discovery
      PID:3868
- - C:\windows\SysWOW64\cmd.exe
    C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f /reg:64
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3816
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f /reg:64
      4⤵
      UAC bypass
      System Location Discovery: System Language Discovery
      PID:4372
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "crypted" /t REG_SZ /d 1 /f /reg:64
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3128
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "crypted" /t REG_SZ /d 1 /f /reg:64
      4⤵
      System Location Discovery: System Language Discovery
      PID:1648
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c shutdown -r -t 10 -f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3764
  - - C:\Windows\SysWOW64\shutdown.exe
      shutdown -r -t 10 -f
      4⤵
      System Location Discovery: System Language Discovery
      PID:1688

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa394a055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2392

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
1⤵
PID:4108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
8df3466966406ba8b8f2473bf7e79cb2

SHA1
7ff09c4206882683c96c8cf2c0f76a1a56f0093a

SHA256
d153ccd519f08db148cb5d8498fb26fe34e39f17ea44d08fb0797bf231f83910

SHA512
fe7cfd1a5cd1a409668085acc1f8df2839d35ea8bdb842cbaf5baaaec8a04901b5c109644676f5a81866142dbb625d59d2d4030bcbea4c94ce11866a92b44ef8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
ab341eea0de28712579bc71b6c283ef2

SHA1
6cae1e4497396a496366482f020a97c8608992bc

SHA256
abc5efd492763e2795278ba76be549d586d073ead44fce73588d50dc96bf15cb

SHA512
733e6625fe685c3b595efe9fa0c0822a5ac66ce4040a5c040e43012d6046906a8c6b02ba89a24a862b31cbc07762fa3c3d3c14ce61475be6d3812d85f59c5a47

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\9271e8a4-6265-4b39-a67a-295decb159d3.tmp

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
c48519e7fa33ef5128b07e37f76f80b8

SHA1
d55440838392c4e3e811d49076a2b9fa0292cdf9

SHA256
f6a1cc9a24edfc6f1a148dad1f806f6feae22712d2d0d94bef8d3edb2bea5cd5

SHA512
e7fb0bbd96e668a94b7cf10228b90c41f08f46983905c2e1b0626826d0105e23dd676cfa27156cd585ff53c90b99706b48419f266850de09b13201eb50b4cd14

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
2d25c16f1509ba32b4d05fb0aac99daf

SHA1
ae2036b18e82efe1f3970bfd0b020955886ff76c

SHA256
8e9c7fb280cb4b077c642a454c569c964f5c0442761b369946fa76945389d7b2

SHA512
8489209b3799b784f4f1c9b287b2017d8e7ea57e003995b3f8ae7315d927506462c3ef92a54b78e9dddd3ee3b418b237693edda8f54811290821bae2b56e74fd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
de98027561de5a829fa689dd7fbdd2a1

SHA1
0983cbffc1d68d9a4cc62b295b74195cc92c0752

SHA256
067ee05204caf23cb5451d31e84c3c14555350a1b021216f3118c37be544f60e

SHA512
40ccd5b05166e20de2135d676c8bf2c3e5ba3b9c4c111829e9d6a547f4450feafaee0c27d76b15dc6293add7cc1b441612f04084e88692292d4c61c9bf3c5d60

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
dae25e145b21da7c1535363e2ee028d9

SHA1
c5ddd123394c5c4a154b1bda048444970a237740

SHA256
a41445e693ecc4400d3844eac2705426cf85a59fa68cd437c213c0e6c4b1443b

SHA512
9314311788e3da06de48f592fccc5ce0e8b12ee04713b47ef495f9154720a6d71892c281c118d2b58eab7538da95145455169d7645aff2c26e554470babede70

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
4b50024bdd303a32c33a2c52545f245c

SHA1
e3008ac4a41f289e00a672e1aab54144724a5799

SHA256
099e64c90d3bcbaf16ed795c9eaf3e738fe74d9e502614cdd87329baf359d6e5

SHA512
c3915afff129b618b8258a2011c31c29d4d3359714991aceba47d48d68a76fc78e2fdec977a2bae3c327f5213a56ef68d0b1d6ae3908b6decdc16a316c969d9d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
d4a48b13197918e78a68b07ef123edda

SHA1
a17524c526174b03a1e88af8fa309b771dd868d9

SHA256
1616b047b454f1e48088a2a715404872f8c948c26cc8d8db1d5dc6f82ccd0c03

SHA512
ceda1bee1a69f500be37afeb553ee69d3c6a999ccbb9bfda9659be865b901433a87a06a55438382861e993b6ab9b9b3ebe17e669f0ca1898828bd5ffa47a523e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
0836288f2327fb535ebfcae68e356cbf

SHA1
57cee754fb7460a13e283f096ac78d359d6d555b

SHA256
58a067ac37bb5e65ac74e9332c12aba7433495fd6da94d3e4ef72afddd70331c

SHA512
896197080fc4b89899a29d02754d57f9ead88e3a6d6d14f79f4ba70aa4485cf5f22f7894a839dbbb81a9a52c2f2fd6e2d91b35a1824de5c45cbe51c9086adbd9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
486f80da0eb61ead80f2e2a1d9de855b

SHA1
eb86173a59e96a03ebc95bb0fd7b40541b56a4c5

SHA256
aa0e91f569b24712e0f508ce81a8dea02b3ec1883696542af6acac338edc88f0

SHA512
cd8a8f3561b7662f95110cc0c7155a768ee401c74ede87da94fc52d27ddbc379c5a3945c50a62ed40e305027063d6378cbd647a1709df8c8c30c461691fff147

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
0b4915ad76e988345ec0e116d903fb70

SHA1
34997a829bf912961167ce569d1ba830d66a2292

SHA256
4279ed55bf8a5d791689857a4785eab6fc21cdad897920ff505157ef7b068b49

SHA512
8ad7522f602cf1bc121aa152408ba0e68b6f4674f0748570611eeb1d33b2a3ec3d1bf3059f0749fcf7fa5722ed5815007207e519d76d2cc82db9ed2517b17aa0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
067601ffa8067911403cba58889d11a7

SHA1
678f82c66fdb94075ea65f7a3e9d477dea89b6d0

SHA256
11d3c92458ea9ce5782e4df24e94602f61b7cf83d24c7922a0f70c76ae98b48d

SHA512
6153de328d2fc8c7dead2978c6bcd75c55011a4120582bd29afe0c9d485d71c20d2e3ff81f37c8841f9eaf3230e8b35ae73c8dd072c2d25978781b10eb5780d1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e0102d91a623e15906cd547dab7355f5

SHA1
12edc8e1e5376d249f1bf10bf0a6d7712316fbda

SHA256
1e45190cbd5af9ab127eb0ca6a8f0c532aaf90845fc709dc6c3acb131ddf2e87

SHA512
fcb9cd7b1a62b8c6a7aa83d2ef8545a5a347245e8f4b1e0be71867c8fbd0ea675e3e77741503a2f24deca49540214c8820869aae101168fe7b47ccde723f26d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ddbff3521337081c42778300ad4afa7d

SHA1
8df829dcd5c4c4f22cab073687b898c0cca99497

SHA256
fa20634eb21277699715a297ff39ebb34e3196259a24bc3423e1cc0ee4993857

SHA512
165a9703c1e1eae189bd600c9033af9046527b4f73036a1ed05d9ec232527f4bb8e19b86a43f74b2fd77b18101d774c29412b318d41809463774890380beae97

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
123KB

MD5
787ee441b46b0af458c3a7b71eeca6f3

SHA1
4ab85208a0dc12cf6824ea952cd95d8d3504bca6

SHA256
41557745e83e45fda19dc1d7c294d1d5d6f105e927b546efec67ed6106e379ea

SHA512
dd2608b5b3c14cc1cd252246c29a98a49c5a1e11439b7bc6ad791e171a6e3bf75629114806813dbcadfb8e1ac068019c575b69c2dcd61c1d8ef1a9f6a4b47e06

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
123KB

MD5
32ad66000161a0a86ea51a094a278357

SHA1
c29f3e712234231821212cb7229ca602464cf01d

SHA256
9e5b1be808b69115a7b09aa21305dcfa3b91d8ce86b9041b62187753658aeb45

SHA512
449433e3a4c7b397782d2adcbea97977c797db7f3401a32c0eb488244967d6dcad3bcd578577365ac4ff329aa2545ea723c174f49e7b06881df9477a7b224e31

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
123KB

MD5
067fc05883f8d4c43d6ae27522032254

SHA1
8c51dade61053c4a31f462e8098a0b1a92f8ba89

SHA256
2023561f5228b3f71a64a355fc4c7c753503f63f70d7a2b9d585ebcbaacdc25e

SHA512
20743ec0aa04704751b7f472dc670be36bdc499f2c26596dafa2f6f10734db9e695d36069584a3ff1db3d6a065f3f0434c8c4f14b2054698b80f0bf45ff5ed44

Download Submit
C:\Users\Admin\AppData\Local\del.bat

Filesize
73B

MD5
d3c830e076f1218799413e6a2440d0f9

SHA1
b66fa7a6aaca9263fb5f80364a52fdaffe725092

SHA256
a0dceeff45a8998138fe2d61be9e4ecea705b142a81a91999366e85f24edcb9f

SHA512
c7e3bd78d17db59bfe9547d396d2a7569c1ba17a1949cdbaecb09e0a032d616e19e76a1bfb07871f535b37fcfbecc6aa70d2e02c2ad1098a6905415e36fdebcc

Download Submit
C:\Users\Admin\AppData\Local\system.exe

Filesize
315KB

MD5
241d4d31aa75b39e5a3930f2a6adc8cc

SHA1
3d2c48814cc3c9ee22b1103200d5ee91a3115129

SHA256
c2041dea944f2446c698e5f1ca552cef4f8397f0e292bd2777ea0bee25fd3aaa

SHA512
a622482d7c654fbd804f0a8e7fe0d239d84ab4973bf22e0171e2fe9db30db6d3e797b9dc5ce5b5a81d9563da0ce859d6187fcd660ca60dd1814c38c9520ca072

Download Submit
C:\Users\Admin\Downloads\7ev3n.zip

Filesize
64KB

MD5
0bab88d4102ed6a6a368488a0c6d111a

SHA1
924e0f920694049d4731304dbaa874c91538200a

SHA256
1a5d32dc3658791366cdcdc120bd4451851b7f94df318a235084fe55adef5524

SHA512
afa37f659cef1991415782ea7f123362159685d2b87a59c7548c945c4d68d37d345247ea88115e0f9f2917bb9a132315aa5ca2b3ad7effab103d7d1269c0adff

Download Submit
C:\Users\Admin\Downloads\7ev3n.zip.crdownload

Filesize
139KB

MD5
c6f3d62c4fb57212172d358231e027bc

SHA1
11276d7a49093a51f04667975e718bb15bc1289b

SHA256
ea60123ec363610c8cfcd0ad5f0ab2832934af69a3c715020a09e6d907691d4c

SHA512
0f58acac541e6dece45949f4bee300e5bbb15ff1e60defe6b854ff4fb57579b18718b313bce425999d3f24319cfb3034cd05ebff0ecbd4c55ce42c7f59169b44

Download Submit
C:\Users\Admin\Downloads\Birele.zip.crdownload

Filesize
113KB

MD5
6ca327b67f1a2b2a4fbb7f342e15e7bf

SHA1
aab4a7d8199e8416ad8649fede35b846fc96f082

SHA256
460a3e3a039c2d0bb2c76017b41403bf3e92727269f49b08778d33108278b58f

SHA512
b7a7574ca52885e531aca71ebe52f7832f8a2436cda047e7686936fe0337eae7c4ebcc57df27c26316871d4167ea4e6794beb933f7c13efb0addac0d400e4d9a

Download Submit

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads