File name:

Ransomware.7ev3n.zip

Full analysis: https://app.any.run/tasks/b33b47be-bfde-47ff-9c11-cc7ddf936ef3
Verdict: Malicious activity
Analysis date: June 20, 2024, 17:58:05
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=AES Encrypted
MD5:

71F4666373DB57958635DE89EDB58A65

SHA1:

71B4504062E2C0C08B03E39387633FB068705DA7

SHA256:

72810CDF913169DF2B42ABAF2D34840CA04B91D640B778CA2580F744BE1DAA1D

SSDEEP:

6144:4CXgeVc8YG8ekHKb4s1pNLAsqbzZFRWqe:4CXgeVc8DjkHDKpusqRFRWqe

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 3384)
      • Ransomware.7ev3n.exe (PID: 3252)
      • uac.exe (PID: 3176)
      • system.exe (PID: 2960)
      • uac.exe (PID: 3832)
    • Creates a writable file in the system directory

      • wusa.exe (PID: 3716)
      • wusa.exe (PID: 3816)
    • Uses Task Scheduler to autorun other applications

      • cmd.exe (PID: 1476)
    • Changes the login/logoff helper path in the registry

      • reg.exe (PID: 1144)
    • UAC/LUA settings modification

      • reg.exe (PID: 2196)
    • Changes the autorun value in the registry

      • reg.exe (PID: 2120)
  • SUSPICIOUS

    • The process creates files with name similar to system file names

      • Ransomware.7ev3n.exe (PID: 3252)
    • Reads security settings of Internet Explorer

      • WinRAR.exe (PID: 3384)
      • Ransomware.7ev3n.exe (PID: 3252)
      • uac.exe (PID: 3176)
      • system.exe (PID: 2504)
      • uac.exe (PID: 3832)
      • system.exe (PID: 2396)
    • Reads the Internet Settings

      • Ransomware.7ev3n.exe (PID: 3252)
      • cmd.exe (PID: 940)
      • uac.exe (PID: 3176)
      • system.exe (PID: 2504)
      • uac.exe (PID: 3832)
      • system.exe (PID: 2396)
      • cmd.exe (PID: 3516)
    • Executable content was dropped or overwritten

      • Ransomware.7ev3n.exe (PID: 3252)
      • system.exe (PID: 2960)
      • uac.exe (PID: 3176)
      • wusa.exe (PID: 3716)
      • uac.exe (PID: 3832)
      • wusa.exe (PID: 3816)
    • Starts itself from another location

      • Ransomware.7ev3n.exe (PID: 3252)
    • Executing commands from a ".bat" file

      • system.exe (PID: 2960)
      • system.exe (PID: 2504)
      • Ransomware.7ev3n.exe (PID: 2032)
      • system.exe (PID: 2396)
    • Starts CMD.EXE for commands execution

      • system.exe (PID: 2960)
      • uac.exe (PID: 3176)
      • system.exe (PID: 2504)
      • Ransomware.7ev3n.exe (PID: 2032)
      • uac.exe (PID: 3832)
      • system.exe (PID: 2396)
    • The executable file from the user directory is run by the CMD process

      • uac.exe (PID: 3176)
      • uac.exe (PID: 3832)
    • Process drops legitimate windows executable

      • uac.exe (PID: 3176)
      • wusa.exe (PID: 3716)
      • uac.exe (PID: 3832)
      • wusa.exe (PID: 3816)
    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 1172)
      • cmd.exe (PID: 2528)
      • cmd.exe (PID: 568)
      • cmd.exe (PID: 4060)
      • cmd.exe (PID: 2532)
      • cmd.exe (PID: 4016)
      • cmd.exe (PID: 1892)
      • cmd.exe (PID: 3564)
  • INFO

    • Creates files or folders in the user directory

      • Ransomware.7ev3n.exe (PID: 3252)
      • system.exe (PID: 2960)
      • system.exe (PID: 2504)
      • system.exe (PID: 2396)
    • Checks supported languages

      • Ransomware.7ev3n.exe (PID: 3252)
      • system.exe (PID: 2960)
      • uac.exe (PID: 3176)
      • system.exe (PID: 2504)
      • Ransomware.7ev3n.exe (PID: 2032)
      • uac.exe (PID: 3832)
      • system.exe (PID: 2396)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3384)
    • Reads the machine GUID from the registry

      • Ransomware.7ev3n.exe (PID: 3252)
      • system.exe (PID: 2960)
      • system.exe (PID: 2504)
      • Ransomware.7ev3n.exe (PID: 2032)
      • system.exe (PID: 2396)
    • Reads the computer name

      • Ransomware.7ev3n.exe (PID: 3252)
      • system.exe (PID: 2960)
      • uac.exe (PID: 3176)
      • system.exe (PID: 2504)
      • Ransomware.7ev3n.exe (PID: 2032)
      • uac.exe (PID: 3832)
      • system.exe (PID: 2396)
    • Checks proxy server information

      • Ransomware.7ev3n.exe (PID: 3252)
      • system.exe (PID: 2504)
      • system.exe (PID: 2396)
    • Create files in a temporary directory

      • uac.exe (PID: 3176)
      • uac.exe (PID: 3832)
    • Drops the executable file immediately after the start

      • wusa.exe (PID: 3716)
      • wusa.exe (PID: 3816)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0009
ZipCompression: Unknown (99)
ZipModifyDate: 2019:10:10 18:33:38
ZipCRC: 0xfaa96043
ZipCompressedSize: 146680
ZipUncompressedSize: 322560
ZipFileName: Ransomware.7ev3n.exe
No data.
All screenshots are available in the full report
Total processes
109
Monitored processes
44
Malicious processes
6
Suspicious processes
7

Behavior graph

start winrar.exe ransomware.7ev3n.exe system.exe cmd.exe no specs cmd.exe no specs uac.exe cmd.exe no specs wusa.exe no specs wusa.exe no specs wusa.exe winsat.exe no specs winsat.exe system.exe cmd.exe no specs cmd.exe schtasks.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs reg.exe reg.exe no specs reg.exe reg.exe no specs reg.exe no specs reg.exe no specs ransomware.7ev3n.exe no specs cmd.exe no specs cmd.exe no specs uac.exe cmd.exe no specs wusa.exe no specs wusa.exe no specs wusa.exe winsat.exe no specs winsat.exe system.exe cmd.exe no specs cmd.exe no specs reg.exe no specs cmd.exe no specs reg.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
PID: 568
CMD: C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "rgd_bcd_condition" /t REG_SZ /d 1 /f /reg:64
Path: C:\Windows\System32\cmd.exe
Parent process: system.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 656
CMD: C:\Windows\system32\cmd.exe /c C:\Users\admin\AppData\Local\del.bat
Path: C:\Windows\System32\cmd.exe
Parent process: system.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 932
CMD: "C:\Windows\system32\sysprep\winsat.exe"
Path: C:\Windows\System32\sysprep\winsat.exe
Parent process: uac.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows System Assessment Tool
Exit code:
3221226540
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\sysprep\winsat.exe
c:\windows\system32\ntdll.dll
PID: 940
CMD: "C:\Windows\System32\cmd.exe" /c wusa C:\Users\admin\AppData\Local\Temp\ellocnak.msu /extract:%windir%\system32\sysprep
Path: C:\Windows\System32\cmd.exe
Parent process: uac.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 1144
CMD: REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "C:\Users\admin\AppData\Local\system.exe" /f /reg:64
Path: C:\Windows\System32\reg.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 1172
CMD: C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f /reg:64
Path: C:\Windows\System32\cmd.exe
Parent process: system.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 1476
CMD: cmd.exe /c C:\Windows\System32\SCHTASKS.exe /create /SC ONLOGON /TN uac /TR "C:\Users\admin\AppData\Local\bcd.bat" /RL HIGHEST /f
Path: C:\Windows\System32\cmd.exe
Parent process: system.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 1488
CMD: "C:\Windows\system32\sysprep\winsat.exe"
Path: C:\Windows\System32\sysprep\winsat.exe
Parent process: uac.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows System Assessment Tool
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\sysprep\winsat.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
PID: 1892
CMD: C:\Windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "crypted" /t REG_SZ /d 1 /f
Path: C:\Windows\System32\cmd.exe
Parent process: system.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 2032
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXb3384.13074\Ransomware.7ev3n.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXb3384.13074\Ransomware.7ev3n.exe
Parent process: WinRAR.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
1
Modules
Images
c:\users\admin\appdata\local\temp\rar$exb3384.13074\ransomware.7ev3n.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
Total events
8 910
Read events
8 707
Write events
173
Delete events
30

Modification events

(PID) Process: (3384) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value:

(PID) Process: (3384) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value:

(PID) Process: (3384) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (3384) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 3
Value: C:\Users\admin\Desktop\phacker.zip

(PID) Process: (3384) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip

(PID) Process: (3384) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip

(PID) Process: (3384) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\AppData\Local\Temp\Ransomware.7ev3n.zip

(PID) Process: (3384) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (3384) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (3384) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120
Executable files
14
Suspicious files
51
Text files
4
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID: 3176
Process: uac.exe
Filename: C:\Users\admin\AppData\Local\Temp\winsat.exe
Type: executable
MD5: 886B0EAA3B0FE76B3204E687C8DA6F66
SHA256: B007057E6728C7E954CAEB45EAE0ADCD1C027DCB160746CCD2E78F91D18CCF80

PID: 3252
Process: Ransomware.7ev3n.exe
Filename: C:\Users\admin\AppData\Local\system.exe
Type: executable
MD5: 9F8BC96C96D43ECB69F883388D228754
SHA256: 7D373CCB96D1DBB1856EF31AFA87C2112A0C1795A796AB01CB154700288AFEC5

PID: 2960
Process: system.exe
Filename: C:\Users\admin\AppData\Local\uac.exe
Type: executable
MD5: 7A681D8650D2C28D18AC630C34B2014E
SHA256: DC9A23D245F51AF512782F637CD97C29FFB0809D9245DBC1C0DFA34AE2024C21

PID: 3384
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXb3384.10962\Ransomware.7ev3n.exe
Type: executable
MD5: 9F8BC96C96D43ECB69F883388D228754
SHA256: 7D373CCB96D1DBB1856EF31AFA87C2112A0C1795A796AB01CB154700288AFEC5

PID: 3176
Process: uac.exe
Filename: C:\Users\admin\AppData\Local\Temp\powrprof.dll
Type: executable
MD5: F035352F9FDA534E2BF8417EFDED77DC
SHA256: 150E78743248CAF78E1972A293B7AA18CF219F146CEF7B5771A76B51A9829D3A

PID: 3176
Process: uac.exe
Filename: C:\Users\admin\AppData\Local\Temp\emc4A21.tmp
Type: binary
MD5: 62D51DC5BCFF56B781D9D733D1A1D752
SHA256: E57585015D03E40B0465CCC07853064E82AC4C73777B5B7CD73EB0AA5E05296E

PID: 3176
Process: uac.exe
Filename: C:\Users\admin\AppData\Local\Temp\emc4A20.tmp
Type: binary
MD5: 4FC49E1A0F83A21BDC5E34B62EEB0D62
SHA256: DAFC9806A73EC7652F24F11477A71681AA82A20C56CB752943A39E360CD794A6

PID: 3176
Process: uac.exe
Filename: C:\Users\admin\AppData\Local\Temp\ellocnak.msu
Type: compressed
MD5: DC9E7BE88EF2C0338F6F3AA4EC81C49D
SHA256: 94EFD9E48DF496FF69695D5EAF72E23941D6C36024D3710A8DC5244FA835D545

PID: 3252
Process: Ransomware.7ev3n.exe
Filename: C:\Users\admin\AppData\Local\del.bat
Type: text
MD5: BBE332D102BB5662707DCEDF93972F62
SHA256: E1780F766890ED014EC38EA4EB89AB15132807EE66111F6CE1C0F947794D145F

PID: 3716
Process: wusa.exe
Filename: C:\Windows\System32\sysprep\powrprof.dll
Type: executable
MD5: F035352F9FDA534E2BF8417EFDED77DC
SHA256: 150E78743248CAF78E1972A293B7AA18CF219F146CEF7B5771A76B51A9829D3A
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
14
DNS requests
4
Threats
0

HTTP requests

No HTTP requests

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
4
System
192.168.100.255:138
whitelisted
1372
svchost.exe
51.104.136.2:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1060
svchost.exe
224.0.0.252:5355
unknown
1372
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
3252
Ransomware.7ev3n.exe
104.16.236.243:443
blockchain.info
CLOUDFLARENET
unknown
2504
system.exe
49.13.77.253:80
jaster.in
Hetzner Online GmbH
DE
unknown
2396
system.exe
104.16.236.243:443
blockchain.info
CLOUDFLARENET
unknown
2396
system.exe
49.13.77.253:80
jaster.in
Hetzner Online GmbH
DE
unknown

DNS requests

Domain
IP
Reputation
dns.msftncsi.com
  • 131.107.255.255
shared
settings-win.data.microsoft.com
  • 40.127.240.158
whitelisted
blockchain.info
  • 104.16.236.243
  • 104.16.237.243
shared
jaster.in
  • 49.13.77.253
unknown

Threats

No threats detected
Process
Message
uac.exe
[UCM] Dll dropped successfully
winsat.exe
Fubuki at your service.
winsat.exe
Akagi letter found
winsat.exe
C:\Users\admin\AppData\Local\system.exe
uac.exe
[UCM] Dll dropped successfully
winsat.exe
Fubuki at your service.
winsat.exe
Akagi letter found
winsat.exe
C:\Users\admin\AppData\Local\system.exe