t1happy | 84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b

General

Target

84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe
Size

34KB
MD5

fcf5c8e8a180c66e15ea22128dd0adfb
SHA1

d4f0c114ffe12e343739fb837d24dc31dfab985c
SHA256

84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b
SHA512

f06645c73bfc87061c4561b8cacb6c782493e5d39cd29971d71b0c38578296b81f9c2b54ca0415e15e5fd49755b7fa612f244b9e68fe8f21fc9db60c5f89b2e9

Score

10^/10

persistence trojan ransomware t1happy spyware

Malware Config

Signatures

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe

description pid process

Token: SeDebugPrivilege 2024 84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe

description	pid	process
Token: SeDebugPrivilege	2024	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe

Suspicious behavior: EnumeratesProcesses 1561 IoCs

Processes:

84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe

pid	process
2024	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe
2024	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe
2024	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe
2024	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe
2024	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe
2024	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe
2024	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe
2024	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe
2024	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe
2024	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe
2024	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe
2024	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe
2024	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe
2024	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe
2024	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe
2024	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe
2024	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe
2024	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe
2024	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe
2024	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe
2024	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe
2024	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe
2024	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe
2024	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe
2024	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe
2024	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe
2024	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe
2024	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe
2024	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe
2024	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe
2024	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe
2024	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe
2024	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe
2024	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe
2024	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe
2024	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe
2024	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe
2024	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe
2024	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe
2024	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe
2024	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe
2024	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe
2024	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe
2024	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe
2024	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe
2024	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe
2024	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe
2024	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe
2024	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe
2024	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe
2024	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe
2024	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe
2024	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe
2024	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe
2024	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe
2024	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe
2024	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe
2024	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe
2024	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe
2024	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe
2024	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe
2024	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe
2024	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe
2024	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Drops desktop.ini file(s) 15 IoCs

Processes:

84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe
File created	C:\Program Files (x86)\desktop.ini	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe
File created	C:\Users\Admin\Desktop\desktop.ini	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe

description	pid	process	target process
PID 2024 wrote to memory of 1512	2024	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe	WMIC.exe
PID 2024 wrote to memory of 1512	2024	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe	WMIC.exe
PID 2024 wrote to memory of 1512	2024	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe	WMIC.exe
PID 2024 wrote to memory of 1512	2024	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe	WMIC.exe
PID 2024 wrote to memory of 1676	2024	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe	cmd.exe
PID 2024 wrote to memory of 1676	2024	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe	cmd.exe
PID 2024 wrote to memory of 1676	2024	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe	cmd.exe
PID 2024 wrote to memory of 1676	2024	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe	cmd.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

NOTEPAD.EXE

pid process

1768 NOTEPAD.EXE
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

3 api.ipify.org
4 api.ipify.org

pid	process
1768	NOTEPAD.EXE

flow	ioc
3	api.ipify.org
4	api.ipify.org

Drops file in Program Files directory 1356 IoCs

Processes:

84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe

description	ioc	process
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annots.api	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1254.TXT	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe.config	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\UIAutomationProvider.dll	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe
File created	C:\Program Files (x86)\Windows Mail\wabfind.dll	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\BIB.dll	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\js\calendar.js	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\Real.mpp	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\stop_collection_data.gif	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\AppConfigInternal.zip	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\novelty.png	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\license.html	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\NPAUTHZ.DLL	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\STSUPLD.DLL	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Linq.dll	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\en-US\weather.html	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_gray_rainy.png	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AXE8SharedExpat.dll	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\form_responses.gif	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOnNotificationInAcrobat.gif	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\ink\InkObj.dll	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\UserControl.zip	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\System.IdentityModel.dll	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\prev_hov.png	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe
File created	C:\Program Files (x86)\desktop.ini	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\(120DPI)greenStateIcon.png	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\msmdlocal.dll	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\TextFile.zip	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\FrameworkList.xml	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe
File created	C:\Program Files (x86)\Windows Sidebar\sbdrop.dll	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\css\settings.css	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can32.clx	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\ink\pencht.dll	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\NAMECONTROLPROXY.DLL	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\next_rest.png	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\1px.gif	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\PDFFile_8.ico	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe
File created	C:\Program Files (x86)\Common Files\System\wab32.dll	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe
File created	C:\Program Files (x86)\Common Files\System\ado\msado27.tlb	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Services.dll	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe
File created	C:\Program Files (x86)\Windows Media Player\Media Renderer\connectionmanager_dmr.xml	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-waning-crescent_partly-cloudy.png	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Search.api	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PublicAssemblies\Microsoft.VisualStudio.Tools.Applications.DesignTime.dll	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\gadget.xml	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\grayStateIcon.png	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\SIGNUP\install.ins	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe
File created	C:\Program Files (x86)\Internet Explorer\JSProfilerCore.dll	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\msolui100.dll	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OWSSUPP.DLL	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\stdole.dll	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\System.Runtime.Serialization.dll	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\images\graph_up.png	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Spelling.api	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CORPCHAR.TXT	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe
File created	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\digest.s	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe
File created	C:\Program Files (x86)\Common Files\System\ado\msader15.dll	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\5.png	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\XDPFile_8.ico	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Stars.jpg	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
T1Happy
T1Happy ransomware is a cryptovirus that behaves different than its counterparts.
trojan ransomware t1happy
Makes http(s) request 1 IoCs
Contacts server via http/https, possibly for C2 communication.

Processes:

description flow ioc

HTTP URL 6 http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab

description	flow	ioc
HTTP URL	6	http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab

Adds Run entry to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Cortana = "C:\\Users\\Admin\\AppData\\Local\\Temp\\84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe"	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3765897441-2376744223-3151462503-1000\Software\Microsoft\Windows\CurrentVersion\Run\Cortana = "C:\\Users\\Admin\\AppData\\Local\\Temp\\84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe"	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe

Drops startup file 1 IoCs

Processes:

84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe

C:\Users\Admin\AppData\Local\Temp\84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe
"C:\Users\Admin\AppData\Local\Temp\84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Drops desktop.ini file(s)
- Suspicious use of WriteProcessMemory
- Drops file in Program Files directory
- Adds Run entry to start application
- System policy modification
- Drops startup file
PID:2024
- C:\Windows\SysWOW64\wbem\WMIC.exe
  "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete
  2⤵
  PID:1512
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\"."
  2⤵
  PID:1676

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\HIT BY RANSOMWARE.txt
1⤵
- Suspicious use of FindShellTrayWindow
PID:1768