File name: Ransomware.7ev3n.zip

Full analysis: https://app.any.run/tasks/fccd500e-f821-44fe-81c0-31766ae86f7c
Verdict: Malicious activity
Analysis date: June 28, 2024, 12:53:45
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=AES Encrypted
MD5: 71F4666373DB57958635DE89EDB58A65
SHA1: 71B4504062E2C0C08B03E39387633FB068705DA7
SHA256: 72810CDF913169DF2B42ABAF2D34840CA04B91D640B778CA2580F744BE1DAA1D
SSDEEP: 6144:4CXgeVc8YG8ekHKb4s1pNLAsqbzZFRWqe:4CXgeVc8DjkHDKpusqRFRWqe

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 3400)
      • Ransomware.7ev3n.exe (PID: 680)
      • system.exe (PID: 2440)
      • uac.exe (PID: 2408)
    • Creates a writable file in the system directory

      • wusa.exe (PID: 3084)
    • Uses Task Scheduler to autorun other applications

      • cmd.exe (PID: 2768)
    • Changes the autorun value in the registry

      • reg.exe (PID: 184)
    • Changes the login/logoff helper path in the registry

      • reg.exe (PID: 2876)
    • UAC/LUA settings modification

      • reg.exe (PID: 1420)
  • SUSPICIOUS

    • Reads the Internet Settings

      • Ransomware.7ev3n.exe (PID: 680)
      • uac.exe (PID: 2408)
      • cmd.exe (PID: 2980)
      • system.exe (PID: 1680)
    • The process creates files with name similar to system file names

      • Ransomware.7ev3n.exe (PID: 680)
    • Executable content was dropped or overwritten

      • Ransomware.7ev3n.exe (PID: 680)
      • system.exe (PID: 2440)
      • uac.exe (PID: 2408)
      • wusa.exe (PID: 3084)
    • Reads security settings of Internet Explorer

      • Ransomware.7ev3n.exe (PID: 680)
      • uac.exe (PID: 2408)
      • system.exe (PID: 1680)
    • Starts itself from another location

      • Ransomware.7ev3n.exe (PID: 680)
    • Executing commands from a ".bat" file

      • system.exe (PID: 2440)
      • system.exe (PID: 1680)
    • Starts CMD.EXE for commands execution

      • system.exe (PID: 2440)
      • uac.exe (PID: 2408)
      • system.exe (PID: 1680)
    • The executable file from the user directory is run by the CMD process

      • uac.exe (PID: 2408)
    • Process drops legitimate windows executable

      • uac.exe (PID: 2408)
      • wusa.exe (PID: 3084)
    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 1800)
      • cmd.exe (PID: 2316)
      • cmd.exe (PID: 3312)
      • cmd.exe (PID: 324)
      • cmd.exe (PID: 1620)
      • cmd.exe (PID: 1072)
  • INFO

    • Reads the computer name

      • Ransomware.7ev3n.exe (PID: 680)
      • system.exe (PID: 2440)
      • uac.exe (PID: 2408)
      • system.exe (PID: 1680)
    • Checks supported languages

      • Ransomware.7ev3n.exe (PID: 680)
      • system.exe (PID: 2440)
      • uac.exe (PID: 2408)
      • system.exe (PID: 1680)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3400)
    • Manual execution by a user

      • Ransomware.7ev3n.exe (PID: 680)
    • Reads the machine GUID from the registry

      • Ransomware.7ev3n.exe (PID: 680)
      • system.exe (PID: 2440)
      • system.exe (PID: 1680)
    • Creates files or folders in the user directory

      • Ransomware.7ev3n.exe (PID: 680)
      • system.exe (PID: 2440)
      • system.exe (PID: 1680)
    • Checks proxy server information

      • Ransomware.7ev3n.exe (PID: 680)
      • system.exe (PID: 1680)
    • Create files in a temporary directory

      • uac.exe (PID: 2408)
    • Drops the executable file immediately after the start

      • wusa.exe (PID: 3084)
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0009
ZipCompression: Unknown (99)
ZipModifyDate: 2019:10:10 18:33:38
ZipCRC: 0xfaa96043
ZipCompressedSize: 146680
ZipUncompressedSize: 322560
ZipFileName: Ransomware.7ev3n.exe
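The EXIF block above shows ZipBitFlag 0x0009 and ZipCompression "Unknown (99)". Bit 0 of the flag word marks the entry as encrypted and bit 3 marks a trailing data descriptor; method 99 is the WinZip AES marker, and the real compression method and key size live in a 0x9901 extra field that exiftool does not decode, which is why it prints "Unknown (99)" and `file` prints "AES Encrypted". The following Python is an added example written for this page (not code from exiftool, ANY.RUN or the sample) that parses a local file header and that extra field. The header bytes are constructed from the EXIF values in the report, not read from the real archive, and the contents of the AES extra field (AE-2, AES-256 over deflate) are an assumption, since the report does not show them.

```python
"""Parse a ZIP local file header and the WinZip AES extra field behind
"ZipCompression: Unknown (99)".  Added example for this page, not code from
exiftool, ANY.RUN or the sample; SAMPLE is constructed from the EXIF values in
the report, and its AES extra field (AE-2, AES-256 over deflate) is assumed."""
import struct

LOCAL_SIG = b"PK\x03\x04"
LOCAL_FMT = "<4sHHHHHIIIHH"              # 30-byte fixed part of the local file header
AES_EXTRA_ID = 0x9901                    # WinZip AE-x extra field header ID
METHODS = {0: "stored", 8: "deflate", 99: "WinZip AES (real method in extra field)"}
AES_STRENGTH = {1: "AES-128", 2: "AES-192", 3: "AES-256"}


def dos_datetime(dos_time, dos_date):
    """Decode MS-DOS packed time/date (2-second resolution) to ISO-like text."""
    year, month, day = 1980 + (dos_date >> 9), (dos_date >> 5) & 0xF, dos_date & 0x1F
    hour, minute, second = dos_time >> 11, (dos_time >> 5) & 0x3F, (dos_time & 0x1F) * 2
    return f"{year:04d}-{month:02d}-{day:02d} {hour:02d}:{minute:02d}:{second:02d}"


def extra_fields(blob):
    """Yield (header_id, data) for each TLV record in a ZIP extra-field blob."""
    pos = 0
    while pos + 4 <= len(blob):
        hid, size = struct.unpack_from("<HH", blob, pos)
        yield hid, blob[pos + 4:pos + 4 + size]
        pos += 4 + size


def parse_local_header(buf, offset=0):
    """Return a dict describing the local file header at `offset` in `buf`."""
    (sig, version, flags, method, dtime, ddate, crc,
     csize, usize, nlen, xlen) = struct.unpack_from(LOCAL_FMT, buf, offset)
    if sig != LOCAL_SIG:
        raise ValueError("no local file header at offset %d" % offset)
    name_start = offset + struct.calcsize(LOCAL_FMT)
    name = buf[name_start:name_start + nlen].decode("cp437")
    extra = buf[name_start + nlen:name_start + nlen + xlen]
    info = {
        "name": name,
        "required_version": version,                  # 20 -> "at least v2.0 to extract"
        "flags": flags,
        "encrypted": bool(flags & 0x0001),            # bit 0
        "has_data_descriptor": bool(flags & 0x0008),  # bit 3: CRC/sizes may trail the data
        "method": METHODS.get(method, f"unknown ({method})"),
        "modified": dos_datetime(dtime, ddate),
        "crc32": crc, "compressed_size": csize, "uncompressed_size": usize,
        "aes": None,
    }
    for hid, data in extra_fields(extra):
        if hid == AES_EXTRA_ID and len(data) == 7:
            ae_version, vendor, strength, real_method = struct.unpack("<H2sBH", data)
            info["aes"] = {"version": f"AE-{ae_version}", "vendor": vendor.decode("ascii"),
                           "strength": AES_STRENGTH.get(strength, f"unknown ({strength})"),
                           "actual_method": METHODS.get(real_method, f"unknown ({real_method})")}
    return info


def build_sample():
    """Constructed local header mirroring the report's EXIF block (not the real archive)."""
    name = b"Ransomware.7ev3n.exe"
    aes_extra = struct.pack("<HHH2sBH", AES_EXTRA_ID, 7, 2, b"AE", 3, 8)  # assumed contents
    fixed = struct.pack(LOCAL_FMT, LOCAL_SIG, 20, 0x0009, 99,
                        37939, 20298,            # 18:33:38 and 2019-10-10 in DOS packing
                        0xFAA96043, 146680, 322560, len(name), len(aes_extra))
    return fixed + name + aes_extra


SAMPLE = build_sample()

if __name__ == "__main__":
    for key, value in parse_local_header(SAMPLE).items():
        print(f"{key:>20}: {value}")
```

Python's own zipfile module rejects method 99 with NotImplementedError, so archives like this one have to be opened with a tool that implements WinZip AE-x (7-Zip with the password, or WinRAR as in this run, which is what produced the Ransomware.7ev3n.exe listed under Dropped files). When bit 3 is set, treat the CRC and sizes in the local header as provisional and prefer the central directory entry.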
Total processes: 84
Monitored processes: 28
Malicious processes: 4
Suspicious processes: 4

Behavior graph (monitored processes in start order, as tagged in the report)

  • winrar.exe
  • ransomware.7ev3n.exe
  • system.exe
  • cmd.exe (no specs)
  • cmd.exe (no specs)
  • uac.exe
  • cmd.exe (no specs)
  • wusa.exe (no specs)
  • wusa.exe (no specs)
  • wusa.exe
  • winsat.exe (no specs)
  • winsat.exe
  • system.exe
  • cmd.exe (no specs)
  • cmd.exe
  • schtasks.exe (no specs)
  • cmd.exe (no specs)
  • cmd.exe (no specs)
  • cmd.exe (no specs)
  • cmd.exe (no specs)
  • cmd.exe (no specs)
  • cmd.exe (no specs)
  • reg.exe
  • reg.exe (no specs)
  • reg.exe (no specs)
  • reg.exe
  • reg.exe (no specs)
  • reg.exe (no specs)

Process information

PID: 184
CMD: REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "System" /t REG_SZ /d "C:\Users\admin\AppData\Local\system.exe" /f /reg:64
Path: C:\Windows\System32\reg.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Registry Console Tool
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll

PID: 324
CMD: C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f /reg:64
Path: C:\Windows\System32\cmd.exe
Parent process: system.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules (images):
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

PID: 568
CMD: C:\Windows\System32\SCHTASKS.exe /create /SC ONLOGON /TN uac /TR "C:\Users\admin\AppData\Local\bcd.bat" /RL HIGHEST /f
Path: C:\Windows\System32\schtasks.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Manages scheduled tasks
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll

PID: 680
CMD: "C:\Users\admin\Desktop\Ransomware.7ev3n.exe"
Path: C:\Users\admin\Desktop\Ransomware.7ev3n.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 1
Modules (images):
c:\users\admin\desktop\ransomware.7ev3n.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll

PID: 1072
CMD: C:\windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d 506 /f /reg:64
Path: C:\Windows\System32\cmd.exe
Parent process: system.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules (images):
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

PID: 1420
CMD: REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f /reg:64
Path: C:\Windows\System32\reg.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Registry Console Tool
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll

PID: 1620
CMD: C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "C:\Users\admin\AppData\Local\system.exe" /f /reg:64
Path: C:\Windows\System32\cmd.exe
Parent process: system.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules (images):
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

PID: 1680
CMD: C:\Users\admin\AppData\Local\system.exe
Path: C:\Users\admin\AppData\Local\system.exe
Parent process: winsat.exe
User: admin
Integrity Level: HIGH
Modules (images):
c:\users\admin\appdata\local\system.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll

PID: 1800
CMD: C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "System" /t REG_SZ /d "C:\Users\admin\AppData\Local\system.exe" /f /reg:64
Path: C:\Windows\System32\cmd.exe
Parent process: system.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules (images):
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

PID: 2080
CMD: C:\Windows\system32\cmd.exe /c C:\Users\admin\AppData\Local\del.bat
Path: C:\Windows\System32\cmd.exe
Parent process: system.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules (images):
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
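The command lines in the process table above are the host-side indicators worth alerting on: a Run-key value and the Winlogon Shell both pointing at C:\Users\admin\AppData\Local\system.exe, EnableLUA forced to 0, the Sticky Keys Flags value rewritten, an ONLOGON scheduled task running bcd.bat at the highest run level, and system.exe executing at HIGH integrity from a user profile directory with winsat.exe as its parent. The following Python is an added example written for this page (not ANY.RUN's tooling or the sample's code) that applies those checks to process-creation events of the shape Sysmon event ID 1 produces. The events are constructed from the table above; the winsat.exe event is an assumption (its %TEMP% path is taken from the Dropped files list, and this report does not give its PID or integrity level), and the ATT&CK technique IDs are the editor's own mapping.

```python
"""Triage of the persistence and UAC-tampering commands recorded in this report.
Added example for this page: editor-written detection logic, not code from
ANY.RUN or from the sample.  EVENTS is constructed from the Process information
table (the same fields Sysmon event ID 1 provides); the winsat.exe event is an
assumption, see its comment."""
import re

# Profile directories a standard user can write to; anything elevated from here is suspect.
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\", re.I)

# reg.exe ADD targets this sample touches (regex over the command line, finding text).
REG_RULES = [
    (r'\\currentversion\\run\b', "autorun value under the Run key (T1547.001)"),
    (r'\\winlogon\b.*?/v\s+"?shell"?', "Winlogon Shell replaced (T1547.004)"),
    (r'\\stickykeys\b.*?/v\s+"?flags"?', "Sticky Keys flags rewritten (T1546.008)"),
    (r'\\policies\\system\b.*?/v\s+"?enablelua"?.*?/d\s+0\b', "UAC disabled, EnableLUA=0 (T1548.002)"),
]
# Signed Windows binaries this sample copies out of System32 and runs from a writable folder.
SYSTEM32_NAMES = {"winsat.exe", "wusa.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def check_event(ev):
    """Return the findings for one process-creation event (empty list if clean)."""
    cmd, img, out = ev["cmdline"], ev["image"], []
    if re.search(r"\breg(\.exe)?\s+add\b", cmd, re.I):
        out += [why for pat, why in REG_RULES if re.search(pat, cmd, re.I)]
    if (re.search(r"\bschtasks(\.exe)?\s+/create\b", cmd, re.I)
            and re.search(r"/sc\s+onlogon\b", cmd, re.I)
            and re.search(r"/rl\s+highest\b", cmd, re.I)):
        out.append("logon-triggered task at highest run level (T1053.005)")
    if basename(img) in SYSTEM32_NAMES and not img.lower().startswith("c:\\windows\\"):
        out.append("System32 binary name running outside C:\\Windows (T1036.005)")
    if ev["integrity"] == "HIGH" and USER_WRITABLE.match(img):
        out.append("HIGH-integrity process started from a user-writable path")
    return out


def triage(events):
    """Map PID -> findings for every event that triggered at least one rule."""
    findings = {}
    for ev in events:
        hits = check_event(ev)
        if hits:
            findings[ev["pid"]] = hits
    return findings


# Constructed from the report's Process information table.
EVENTS = [
    {"pid": 680, "image": r"C:\Users\admin\Desktop\Ransomware.7ev3n.exe", "integrity": "MEDIUM",
     "cmdline": r'"C:\Users\admin\Desktop\Ransomware.7ev3n.exe"'},
    {"pid": 184, "image": r"C:\Windows\System32\reg.exe", "integrity": "HIGH",
     "cmdline": r'REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "System" /t REG_SZ /d "C:\Users\admin\AppData\Local\system.exe" /f /reg:64'},
    {"pid": 1420, "image": r"C:\Windows\System32\reg.exe", "integrity": "HIGH",
     "cmdline": r'REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f /reg:64'},
    {"pid": 1072, "image": r"C:\Windows\System32\cmd.exe", "integrity": "HIGH",
     "cmdline": r'C:\windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d 506 /f /reg:64'},
    {"pid": 1620, "image": r"C:\Windows\System32\cmd.exe", "integrity": "HIGH",
     "cmdline": r'C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "C:\Users\admin\AppData\Local\system.exe" /f /reg:64'},
    {"pid": 568, "image": r"C:\Windows\System32\schtasks.exe", "integrity": "HIGH",
     "cmdline": r'C:\Windows\System32\SCHTASKS.exe /create /SC ONLOGON /TN uac /TR "C:\Users\admin\AppData\Local\bcd.bat" /RL HIGHEST /f'},
    {"pid": 1680, "image": r"C:\Users\admin\AppData\Local\system.exe", "integrity": "HIGH",
     "cmdline": r"C:\Users\admin\AppData\Local\system.exe"},
    {"pid": 2080, "image": r"C:\Windows\System32\cmd.exe", "integrity": "MEDIUM",
     "cmdline": r"C:\Windows\system32\cmd.exe /c C:\Users\admin\AppData\Local\del.bat"},
    # ASSUMED event: the report lists winsat.exe dropped into %TEMP% and names it as the
    # parent of the HIGH-integrity system.exe, but gives neither its PID nor its integrity.
    {"pid": -1, "image": r"C:\Users\admin\AppData\Local\Temp\winsat.exe", "integrity": "HIGH",
     "cmdline": r"C:\Users\admin\AppData\Local\Temp\winsat.exe"},
]

if __name__ == "__main__":
    for pid, hits in sorted(triage(EVENTS).items()):
        print(pid, "->", "; ".join(hits))
```

The rules deliberately key on the registry path and value name rather than on the exact data, so a variant that points the Run key or Winlogon Shell somewhere else still fires; the EnableLUA rule does check for the literal 0 because writing any other value is a legitimate policy change. Neither the initial dropper (PID 680, MEDIUM) nor the del.bat cleanup (PID 2080) produces a finding, which is the expected negative.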
Total events: 6 567
Read events: 6 447
Write events: 102
Delete events: 18

Modification events

(PID 3400) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | Operation: write | Name: ShellExtBMP | Value: (empty)
(PID 3400) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | Operation: write | Name: ShellExtIcon | Value: (empty)
(PID 3400) WinRAR.exe | Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E | Operation: write | Name: LanguageList | Value: en-US
(PID 3400) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | Operation: write | Name: 3 | Value: C:\Users\admin\Desktop\phacker.zip
(PID 3400) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | Operation: write | Name: 2 | Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
(PID 3400) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | Operation: write | Name: 1 | Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip
(PID 3400) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | Operation: write | Name: 0 | Value: C:\Users\admin\AppData\Local\Temp\Ransomware.7ev3n.zip
(PID 3400) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | Operation: write | Name: name | Value: 120
(PID 3400) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | Operation: write | Name: size | Value: 80
(PID 3400) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | Operation: write | Name: type | Value: 120
Executable files: 8
Suspicious files: 38
Text files: 3
Unknown types: 0

Dropped files (PID | process | filename | type)

3400 | WinRAR.exe | C:\Users\admin\Desktop\Ransomware.7ev3n.exe | executable
  MD5: 9F8BC96C96D43ECB69F883388D228754
  SHA256: 7D373CCB96D1DBB1856EF31AFA87C2112A0C1795A796AB01CB154700288AFEC5
2408 | uac.exe | C:\Users\admin\AppData\Local\Temp\winsat.exe | executable
  MD5: 886B0EAA3B0FE76B3204E687C8DA6F66
  SHA256: B007057E6728C7E954CAEB45EAE0ADCD1C027DCB160746CCD2E78F91D18CCF80
2408 | uac.exe | C:\Users\admin\AppData\Local\Temp\emc64CC.tmp | binary
  MD5: 4FC49E1A0F83A21BDC5E34B62EEB0D62
  SHA256: DAFC9806A73EC7652F24F11477A71681AA82A20C56CB752943A39E360CD794A6
680 | Ransomware.7ev3n.exe | C:\Users\admin\AppData\Local\del.bat | text
  MD5: 559198D09332E2D0BE52B0B0D28F15A4
  SHA256: 59A88EB4A9C022183B146698E133EC4A2D8F55E6F7D18494B847179D9D2EB8AF
2440 | system.exe | C:\Users\admin\AppData\Local\uac.exe | executable
  MD5: 7A681D8650D2C28D18AC630C34B2014E
  SHA256: DC9A23D245F51AF512782F637CD97C29FFB0809D9245DBC1C0DFA34AE2024C21
2408 | uac.exe | C:\Users\admin\AppData\Local\Temp\emc64CD.tmp | binary
  MD5: C2A0056831D6019738BB7E50B73ED8B6
  SHA256: 643CB09D0DD3A91648AF924BCBDDB4BF612297A81D1A8D6067DEF301AB4F34F2
2408 | uac.exe | C:\Users\admin\AppData\Local\Temp\emc64CE.tmp | binary
  MD5: 39C8E62DC7158D24AB6DFF87200C5386
  SHA256: 17F4D890E57082463F7267E4768210A77690952223A4F37B871AE3EA76912358
2408 | uac.exe | C:\Users\admin\AppData\Local\Temp\emc64D0.tmp | binary
  MD5: A7F30B548064E90EB78A31EA25365C62
  SHA256: 886F45A01E33622362828D49D0EDAADD59D8760A0581095B42916055059B50A4
2408 | uac.exe | C:\Users\admin\AppData\Local\Temp\powrprof.dll | executable
  MD5: F035352F9FDA534E2BF8417EFDED77DC
  SHA256: 150E78743248CAF78E1972A293B7AA18CF219F146CEF7B5771A76B51A9829D3A
1680 | system.exe | C:\Users\admin\AppData\Local\bcd.bat | text
  MD5: D20A8A43094EA0DBD522BBCD49532502
  SHA256: 1ACD8FA1BB77825270ABB801B6FEF7CFB02598E4EB77911722CC1D389B4CF318
HTTP(S) requests: 4
TCP/UDP connections: 14
DNS requests: 7
Threats: 0

HTTP requests (PID | process | method | HTTP code | IP | URL; of the CN, Type, Size and Reputation columns only the two values shown survived extraction)

1372 | svchost.exe | GET | 304 | 199.232.210.172:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?33775f6043c93e33 | unknown | unknown
1060 | svchost.exe | GET | 304 | 199.232.210.172:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?8f69642324cc87bd | unknown | unknown
1372 | svchost.exe | GET | 200 | 23.48.23.156:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | unknown
1372 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | unknown

Connections (PID | process | IP | domain | ASN | CN | reputation; rows keep only the columns that were present in the report)

4 | System | 192.168.100.255:138 | whitelisted
4 | System | 192.168.100.255:137 | whitelisted
1372 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1060 | svchost.exe | 224.0.0.252:5355 | unknown
1372 | svchost.exe | 199.232.210.172:80 | ctldl.windowsupdate.com | FASTLY | US | unknown
1372 | svchost.exe | 23.48.23.156:80 | crl.microsoft.com | Akamai International B.V. | DE | unknown
1372 | svchost.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | unknown
680 | Ransomware.7ev3n.exe | 104.16.236.243:443 | blockchain.info | CLOUDFLARENET | unknown
1680 | system.exe | 49.13.77.253:80 | jaster.in | Hetzner Online GmbH | DE | unknown
1060 | svchost.exe | 199.232.210.172:80 | ctldl.windowsupdate.com | FASTLY | US | unknown

Note that every HTTP request in this run belongs to svchost.exe (Windows fetching its disallowed-certificate list and CRLs) and the NetBIOS/LLMNR traffic is local broadcast; the only connections attributed to the sample's own processes are PID 680 (Ransomware.7ev3n.exe) to blockchain.info:443 and PID 1680 (system.exe) to jaster.in:80. Those two are the network indicators to pivot on, not the Microsoft endpoints.

DNS requests (domain | resolved IPs | reputation)

settings-win.data.microsoft.com | 4.231.128.59 | whitelisted
ctldl.windowsupdate.com | 199.232.210.172, 199.232.214.172 | whitelisted
crl.microsoft.com | 23.48.23.156, 23.48.23.166 | whitelisted
www.microsoft.com | 184.30.21.171 | whitelisted
blockchain.info | 104.16.236.243, 104.16.237.243 | shared
jaster.in | 49.13.77.253 | unknown

Threats

No threats detected

Debug output strings (process | message)

uac.exe | [UCM] Dll dropped successfully
winsat.exe | Fubuki at your service.
winsat.exe | Akagi letter found
winsat.exe | C:\Users\admin\AppData\Local\system.exe

These strings match the debug output of the open-source UACMe tool (Akagi is its loader, Fubuki its payload DLL), which is consistent with what the rest of the report records: uac.exe drops winsat.exe and powrprof.dll into %TEMP%, wusa.exe writes into the system directory, and winsat.exe then starts C:\Users\admin\AppData\Local\system.exe, which appears in the process table at HIGH integrity (PID 1680) although the original sample ran at MEDIUM (PID 680).