Analysis
max time kernel: 89s
max time network: 90s
platform: windows10-2004_x64
resource: win10v2004-20250217-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250217-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19/02/2025, 03:32
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://github.com/Endermanch/MalwareDatabase/blob/master/ransomwares/7ev3n.zip
Resource
win10v2004-20250217-en
Behavioral task
behavioral2
Sample
https://github.com/Endermanch/MalwareDatabase/blob/master/ransomwares/7ev3n.zip
Resource
win10ltsc2021-20250217-en
Errors
General
Target: https://github.com/Endermanch/MalwareDatabase/blob/master/ransomwares/7ev3n.zip
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\system.exe" | reg.exe

UAC bypass (3 TTPs, 1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe

Executes dropped EXE (1 IoC)
pid | Process
4428 | system.exe

Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "C:\\Users\\Admin\\AppData\\Local\\system.exe" | reg.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 3 IoCs)
flow | ioc
55 | raw.githubusercontent.com
56 | raw.githubusercontent.com
57 | raw.githubusercontent.com
System Location Discovery: System Language Discovery (1 TTP, 20 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe (9 times)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe (7 times)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | shutdown.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | SCHTASKS.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | [email protected]
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | system.exe
Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe

Modifies data under HKEY_USERS (17 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "127" | LogonUI.exe
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | chrome.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | LogonUI.exe
Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133844095621998829" | chrome.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | LogonUI.exe

Modifies registry class (1 IoC)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000_Classes\Local Settings | chrome.exe
Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
4008 | SCHTASKS.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
832 | chrome.exe (2 times)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (2 IoCs)
pid | Process
832 | chrome.exe (2 times)

Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
Token: SeShutdownPrivilege | 832 | chrome.exe (32 times)
Token: SeCreatePagefilePrivilege | 832 | chrome.exe (32 times)
(the two rows alternate throughout the original listing)

Suspicious use of FindShellTrayWindow (40 IoCs)
pid | Process
832 | chrome.exe (40 times)

Suspicious use of SendNotifyMessage (24 IoCs)
pid | Process
832 | chrome.exe (24 times)

Suspicious use of SetWindowsHookEx (1 IoC)
pid | Process
2392 | LogonUI.exe

Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 832 wrote to memory of 4612 | 832 | chrome.exe | 83 (2 times)
PID 832 wrote to memory of 1812 | 832 | chrome.exe | 85 (30 times)
PID 832 wrote to memory of 2704 | 832 | chrome.exe | 86 (2 times)
PID 832 wrote to memory of 4560 | 832 | chrome.exe | 87 (30 times)
Processes
(indentation shows the parent/child depth of each process in the tree)

C:\Program Files\Google\Chrome\Application\chrome.exe (PID 832)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/Endermanch/MalwareDatabase/blob/master/ransomwares/7ev3n.zip
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4612)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff8bf84cc40,0x7ff8bf84cc4c,0x7ff8bf84cc58

    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1812)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1868,i,16184203887209299245,8001095079501833882,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=1860 /prefetch:2

    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2704)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1876,i,16184203887209299245,8001095079501833882,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2164 /prefetch:3

    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4560)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2264,i,16184203887209299245,8001095079501833882,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2476 /prefetch:8

    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1480)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3116,i,16184203887209299245,8001095079501833882,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3152 /prefetch:1

    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2132)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3124,i,16184203887209299245,8001095079501833882,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3188 /prefetch:1

    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 408)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4400,i,16184203887209299245,8001095079501833882,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4652 /prefetch:8

    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4424)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4484,i,16184203887209299245,8001095079501833882,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4856 /prefetch:8

    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 5088)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4520,i,16184203887209299245,8001095079501833882,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5308 /prefetch:8

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe (PID 3692)
  Command line: "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"

C:\Windows\system32\svchost.exe (PID 1572)
  Command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc

C:\Windows\System32\rundll32.exe (PID 1012)
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\Downloads\7ev3n\[email protected] (PID 1568)
  Command line: "C:\Users\Admin\Downloads\7ev3n\[email protected]"
  - System Location Discovery: System Language Discovery

    C:\Users\Admin\AppData\Local\system.exe (PID 4428)
      Command line: "C:\Users\Admin\AppData\Local\system.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery

        C:\Windows\SysWOW64\cmd.exe (PID 3588)
          Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\del.bat
          - System Location Discovery: System Language Discovery

        C:\Windows\SysWOW64\SCHTASKS.exe (PID 4008)
          Command line: C:\Windows\System32\SCHTASKS.exe /create /SC ONLOGON /TN uac /TR "C:\Users\Admin\AppData\Local\bcd.bat" /RL HIGHEST /f
          - System Location Discovery: System Language Discovery
          - Scheduled Task/Job: Scheduled Task

        C:\windows\SysWOW64\cmd.exe (PID 5072)
          Command line: C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
          - System Location Discovery: System Language Discovery

            C:\Windows\SysWOW64\reg.exe (PID 1008)
              Command line: REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
              - Modifies WinLogon for persistence
              - System Location Discovery: System Language Discovery

        C:\windows\SysWOW64\cmd.exe (PID 3376)
          Command line: C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "System" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
          - System Location Discovery: System Language Discovery

            C:\Windows\SysWOW64\reg.exe (PID 4580)
              Command line: REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "System" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
              - Adds Run key to start application
              - System Location Discovery: System Language Discovery

        C:\windows\SysWOW64\cmd.exe (PID 4732)
          Command line: C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d "00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000" /f /reg:64
          - System Location Discovery: System Language Discovery

            C:\Windows\SysWOW64\reg.exe (PID 2824)
              Command line: REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d "00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000" /f /reg:64
              - System Location Discovery: System Language Discovery

        C:\windows\SysWOW64\cmd.exe (PID 1512)
          Command line: C:\windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d 506 /f /reg:64
          - System Location Discovery: System Language Discovery

            C:\Windows\SysWOW64\reg.exe (PID 5004)
              Command line: REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d 506 /f /reg:64
              - System Location Discovery: System Language Discovery

        C:\windows\SysWOW64\cmd.exe (PID 1832)
          Command line: C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "rgd_bcd_condition" /t REG_SZ /d 1 /f /reg:64
          - System Location Discovery: System Language Discovery

            C:\Windows\SysWOW64\reg.exe (PID 3868)
              Command line: REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "rgd_bcd_condition" /t REG_SZ /d 1 /f /reg:64
              - System Location Discovery: System Language Discovery

        C:\windows\SysWOW64\cmd.exe (PID 3816)
          Command line: C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f /reg:64
          - System Location Discovery: System Language Discovery

            C:\Windows\SysWOW64\reg.exe (PID 4372)
              Command line: REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f /reg:64
              - UAC bypass
              - System Location Discovery: System Language Discovery

        C:\Windows\SysWOW64\cmd.exe (PID 3128)
          Command line: C:\Windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "crypted" /t REG_SZ /d 1 /f /reg:64
          - System Location Discovery: System Language Discovery

            C:\Windows\SysWOW64\reg.exe (PID 1648)
              Command line: REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "crypted" /t REG_SZ /d 1 /f /reg:64
              - System Location Discovery: System Language Discovery

        C:\Windows\SysWOW64\cmd.exe (PID 3764)
          Command line: C:\Windows\system32\cmd.exe /c shutdown -r -t 10 -f
          - System Location Discovery: System Language Discovery

            C:\Windows\SysWOW64\shutdown.exe (PID 1688)
              Command line: shutdown -r -t 10 -f
              - System Location Discovery: System Language Discovery

C:\Windows\system32\LogonUI.exe (PID 2392)
  Command line: "LogonUI.exe" /flags:0x4 /state0:0xa394a055 /state1:0x41c64e6d
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx

C:\Windows\System32\rundll32.exe (PID 4108)
  Command line: C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
Network
MITRE ATT&CK Enterprise v15
(counts in parentheses give the number of matched signatures per technique)

Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)

Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)

Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (1)
    Disable or Modify Tools (1)
  Modify Registry (3)
Downloads

Filesize: 1KB
MD5: 8df3466966406ba8b8f2473bf7e79cb2
SHA1: 7ff09c4206882683c96c8cf2c0f76a1a56f0093a
SHA256: d153ccd519f08db148cb5d8498fb26fe34e39f17ea44d08fb0797bf231f83910
SHA512: fe7cfd1a5cd1a409668085acc1f8df2839d35ea8bdb842cbaf5baaaec8a04901b5c109644676f5a81866142dbb625d59d2d4030bcbea4c94ce11866a92b44ef8

Filesize: 1KB
MD5: ab341eea0de28712579bc71b6c283ef2
SHA1: 6cae1e4497396a496366482f020a97c8608992bc
SHA256: abc5efd492763e2795278ba76be549d586d073ead44fce73588d50dc96bf15cb
SHA512: 733e6625fe685c3b595efe9fa0c0822a5ac66ce4040a5c040e43012d6046906a8c6b02ba89a24a862b31cbc07762fa3c3d3c14ce61475be6d3812d85f59c5a47

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\9271e8a4-6265-4b39-a67a-295decb159d3.tmp
Filesize: 2B
MD5: d751713988987e9331980363e24189ce
SHA1: 97d170e1550eee4afc0af065b78cda302a97674c
SHA256: 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512: b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Filesize: 2KB
MD5: c48519e7fa33ef5128b07e37f76f80b8
SHA1: d55440838392c4e3e811d49076a2b9fa0292cdf9
SHA256: f6a1cc9a24edfc6f1a148dad1f806f6feae22712d2d0d94bef8d3edb2bea5cd5
SHA512: e7fb0bbd96e668a94b7cf10228b90c41f08f46983905c2e1b0626826d0105e23dd676cfa27156cd585ff53c90b99706b48419f266850de09b13201eb50b4cd14

Filesize: 3KB
MD5: 2d25c16f1509ba32b4d05fb0aac99daf
SHA1: ae2036b18e82efe1f3970bfd0b020955886ff76c
SHA256: 8e9c7fb280cb4b077c642a454c569c964f5c0442761b369946fa76945389d7b2
SHA512: 8489209b3799b784f4f1c9b287b2017d8e7ea57e003995b3f8ae7315d927506462c3ef92a54b78e9dddd3ee3b418b237693edda8f54811290821bae2b56e74fd

Filesize: 1KB
MD5: de98027561de5a829fa689dd7fbdd2a1
SHA1: 0983cbffc1d68d9a4cc62b295b74195cc92c0752
SHA256: 067ee05204caf23cb5451d31e84c3c14555350a1b021216f3118c37be544f60e
SHA512: 40ccd5b05166e20de2135d676c8bf2c3e5ba3b9c4c111829e9d6a547f4450feafaee0c27d76b15dc6293add7cc1b441612f04084e88692292d4c61c9bf3c5d60

Filesize: 1KB
MD5: dae25e145b21da7c1535363e2ee028d9
SHA1: c5ddd123394c5c4a154b1bda048444970a237740
SHA256: a41445e693ecc4400d3844eac2705426cf85a59fa68cd437c213c0e6c4b1443b
SHA512: 9314311788e3da06de48f592fccc5ce0e8b12ee04713b47ef495f9154720a6d71892c281c118d2b58eab7538da95145455169d7645aff2c26e554470babede70

Filesize: 1KB
MD5: 4b50024bdd303a32c33a2c52545f245c
SHA1: e3008ac4a41f289e00a672e1aab54144724a5799
SHA256: 099e64c90d3bcbaf16ed795c9eaf3e738fe74d9e502614cdd87329baf359d6e5
SHA512: c3915afff129b618b8258a2011c31c29d4d3359714991aceba47d48d68a76fc78e2fdec977a2bae3c327f5213a56ef68d0b1d6ae3908b6decdc16a316c969d9d

Filesize: 1KB
MD5: d4a48b13197918e78a68b07ef123edda
SHA1: a17524c526174b03a1e88af8fa309b771dd868d9
SHA256: 1616b047b454f1e48088a2a715404872f8c948c26cc8d8db1d5dc6f82ccd0c03
SHA512: ceda1bee1a69f500be37afeb553ee69d3c6a999ccbb9bfda9659be865b901433a87a06a55438382861e993b6ab9b9b3ebe17e669f0ca1898828bd5ffa47a523e

Filesize: 9KB
MD5: 0836288f2327fb535ebfcae68e356cbf
SHA1: 57cee754fb7460a13e283f096ac78d359d6d555b
SHA256: 58a067ac37bb5e65ac74e9332c12aba7433495fd6da94d3e4ef72afddd70331c
SHA512: 896197080fc4b89899a29d02754d57f9ead88e3a6d6d14f79f4ba70aa4485cf5f22f7894a839dbbb81a9a52c2f2fd6e2d91b35a1824de5c45cbe51c9086adbd9

Filesize: 9KB
MD5: 486f80da0eb61ead80f2e2a1d9de855b
SHA1: eb86173a59e96a03ebc95bb0fd7b40541b56a4c5
SHA256: aa0e91f569b24712e0f508ce81a8dea02b3ec1883696542af6acac338edc88f0
SHA512: cd8a8f3561b7662f95110cc0c7155a768ee401c74ede87da94fc52d27ddbc379c5a3945c50a62ed40e305027063d6378cbd647a1709df8c8c30c461691fff147

Filesize: 9KB
MD5: 0b4915ad76e988345ec0e116d903fb70
SHA1: 34997a829bf912961167ce569d1ba830d66a2292
SHA256: 4279ed55bf8a5d791689857a4785eab6fc21cdad897920ff505157ef7b068b49
SHA512: 8ad7522f602cf1bc121aa152408ba0e68b6f4674f0748570611eeb1d33b2a3ec3d1bf3059f0749fcf7fa5722ed5815007207e519d76d2cc82db9ed2517b17aa0

Filesize: 9KB
MD5: 067601ffa8067911403cba58889d11a7
SHA1: 678f82c66fdb94075ea65f7a3e9d477dea89b6d0
SHA256: 11d3c92458ea9ce5782e4df24e94602f61b7cf83d24c7922a0f70c76ae98b48d
SHA512: 6153de328d2fc8c7dead2978c6bcd75c55011a4120582bd29afe0c9d485d71c20d2e3ff81f37c8841f9eaf3230e8b35ae73c8dd072c2d25978781b10eb5780d1

Filesize: 9KB
MD5: e0102d91a623e15906cd547dab7355f5
SHA1: 12edc8e1e5376d249f1bf10bf0a6d7712316fbda
SHA256: 1e45190cbd5af9ab127eb0ca6a8f0c532aaf90845fc709dc6c3acb131ddf2e87
SHA512: fcb9cd7b1a62b8c6a7aa83d2ef8545a5a347245e8f4b1e0be71867c8fbd0ea675e3e77741503a2f24deca49540214c8820869aae101168fe7b47ccde723f26d9

Filesize: 9KB
MD5: ddbff3521337081c42778300ad4afa7d
SHA1: 8df829dcd5c4c4f22cab073687b898c0cca99497
SHA256: fa20634eb21277699715a297ff39ebb34e3196259a24bc3423e1cc0ee4993857
SHA512: 165a9703c1e1eae189bd600c9033af9046527b4f73036a1ed05d9ec232527f4bb8e19b86a43f74b2fd77b18101d774c29412b318d41809463774890380beae97

Filesize: 123KB
MD5: 787ee441b46b0af458c3a7b71eeca6f3
SHA1: 4ab85208a0dc12cf6824ea952cd95d8d3504bca6
SHA256: 41557745e83e45fda19dc1d7c294d1d5d6f105e927b546efec67ed6106e379ea
SHA512: dd2608b5b3c14cc1cd252246c29a98a49c5a1e11439b7bc6ad791e171a6e3bf75629114806813dbcadfb8e1ac068019c575b69c2dcd61c1d8ef1a9f6a4b47e06

Filesize: 123KB
MD5: 32ad66000161a0a86ea51a094a278357
SHA1: c29f3e712234231821212cb7229ca602464cf01d
SHA256: 9e5b1be808b69115a7b09aa21305dcfa3b91d8ce86b9041b62187753658aeb45
SHA512: 449433e3a4c7b397782d2adcbea97977c797db7f3401a32c0eb488244967d6dcad3bcd578577365ac4ff329aa2545ea723c174f49e7b06881df9477a7b224e31

Filesize: 123KB
MD5: 067fc05883f8d4c43d6ae27522032254
SHA1: 8c51dade61053c4a31f462e8098a0b1a92f8ba89
SHA256: 2023561f5228b3f71a64a355fc4c7c753503f63f70d7a2b9d585ebcbaacdc25e
SHA512: 20743ec0aa04704751b7f472dc670be36bdc499f2c26596dafa2f6f10734db9e695d36069584a3ff1db3d6a065f3f0434c8c4f14b2054698b80f0bf45ff5ed44

Filesize: 73B
MD5: d3c830e076f1218799413e6a2440d0f9
SHA1: b66fa7a6aaca9263fb5f80364a52fdaffe725092
SHA256: a0dceeff45a8998138fe2d61be9e4ecea705b142a81a91999366e85f24edcb9f
SHA512: c7e3bd78d17db59bfe9547d396d2a7569c1ba17a1949cdbaecb09e0a032d616e19e76a1bfb07871f535b37fcfbecc6aa70d2e02c2ad1098a6905415e36fdebcc

Filesize: 315KB
MD5: 241d4d31aa75b39e5a3930f2a6adc8cc
SHA1: 3d2c48814cc3c9ee22b1103200d5ee91a3115129
SHA256: c2041dea944f2446c698e5f1ca552cef4f8397f0e292bd2777ea0bee25fd3aaa
SHA512: a622482d7c654fbd804f0a8e7fe0d239d84ab4973bf22e0171e2fe9db30db6d3e797b9dc5ce5b5a81d9563da0ce859d6187fcd660ca60dd1814c38c9520ca072

Filesize: 64KB
MD5: 0bab88d4102ed6a6a368488a0c6d111a
SHA1: 924e0f920694049d4731304dbaa874c91538200a
SHA256: 1a5d32dc3658791366cdcdc120bd4451851b7f94df318a235084fe55adef5524
SHA512: afa37f659cef1991415782ea7f123362159685d2b87a59c7548c945c4d68d37d345247ea88115e0f9f2917bb9a132315aa5ca2b3ad7effab103d7d1269c0adff

Filesize: 139KB
MD5: c6f3d62c4fb57212172d358231e027bc
SHA1: 11276d7a49093a51f04667975e718bb15bc1289b
SHA256: ea60123ec363610c8cfcd0ad5f0ab2832934af69a3c715020a09e6d907691d4c
SHA512: 0f58acac541e6dece45949f4bee300e5bbb15ff1e60defe6b854ff4fb57579b18718b313bce425999d3f24319cfb3034cd05ebff0ecbd4c55ce42c7f59169b44

Filesize: 113KB
MD5: 6ca327b67f1a2b2a4fbb7f342e15e7bf
SHA1: aab4a7d8199e8416ad8649fede35b846fc96f082
SHA256: 460a3e3a039c2d0bb2c76017b41403bf3e92727269f49b08778d33108278b58f
SHA512: b7a7574ca52885e531aca71ebe52f7832f8a2436cda047e7686936fe0337eae7c4ebcc57df27c26316871d4167ea4e6794beb933f7c13efb0addac0d400e4d9a