Analysis

  • max time kernel
    150s
  • max time network
    121s
  • platform
    windows10_x64
  • resource
    win10v200410
  • submitted
    20-04-2020 13:11

General

  • Target

    84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe

  • Size

    34KB

  • MD5

    fcf5c8e8a180c66e15ea22128dd0adfb

  • SHA1

    d4f0c114ffe12e343739fb837d24dc31dfab985c

  • SHA256

    84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b

  • SHA512

    f06645c73bfc87061c4561b8cacb6c782493e5d39cd29971d71b0c38578296b81f9c2b54ca0415e15e5fd49755b7fa612f244b9e68fe8f21fc9db60c5f89b2e9

Malware Config

Signatures

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • System policy modification 1 TTPs 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Adds Run entry to start application 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 1528 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • Drops file in Program Files directory 4511 IoCs
  • T1Happy

    T1Happy ransomware is a cryptovirus that behaves differently from its counterparts.

  • Drops startup file 1 IoCs
  • Drops desktop.ini file(s) 17 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials.

  • Makes http(s) request 1 IoCs

    Contacts server via http/https, possibly for C2 communication.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

Processes

  • C:\Users\Admin\AppData\Local\Temp\84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe
    "C:\Users\Admin\AppData\Local\Temp\84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • System policy modification
    • Adds Run entry to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • Drops file in Program Files directory
    • Drops startup file
    • Drops desktop.ini file(s)
    • Checks processor information in registry
    PID:3940
    • C:\Windows\SysWOW64\wbem\WMIC.exe
      "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete
      2⤵
        PID:3900
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\"."
        2⤵
          PID:2552
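The two child processes above are the interesting part of the tree: PID 3900 runs `wmic shadowcopy delete` (the "Deletes shadow copies" signature) and PID 2552 runs `takeown /f C:\Windows\"."`, both spawned by a sample executing out of `%TEMP%`. Note that the image paths are under `SysWOW64` while the command lines say `System32`: the 34 KB sample is 32-bit, so WoW64 file-system redirection resolves the path at launch. The following is an added detection example, not part of the sandbox report and not code from the sandbox vendor. It runs command-line rules for shadow-copy deletion and the takeown pattern over process-creation records and raises confidence when the parent image lives in a user-writable directory. The `ProcEvent` field names and every sample record are constructed here to mirror the report's tree; they are not captured telemetry.

```python
"""Added example (not part of the sandbox report): detection logic for the
process tree shown above. It flags shadow-copy deletion (WMIC/vssadmin) and
the takeown-on-C:\\Windows pattern, and raises confidence when the parent
process runs from a user-writable location such as %TEMP%. All records
below are constructed to mirror the report; they are not captured telemetry."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """One process-creation record (Sysmon EID 1 / Security 4688 style)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Command-line patterns. Case-insensitive; tolerant of extra switches between tokens.
RULES = {
    # wmic shadowcopy delete (seen as PID 3900 in the report)
    "shadow_copy_delete_wmic": re.compile(
        r'\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b', re.I),
    # vssadmin delete shadows, the other common recovery-inhibition command
    "shadow_copy_delete_vssadmin": re.compile(
        r'\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b', re.I),
    # takeown /f C:\Windows... (seen as PID 2552 in the report)
    "takeown_windows_dir": re.compile(
        r'\btakeown(\.exe)?\b.*/f\s+"?c:\\windows', re.I),
}

# Parent executables launched from these locations are treated as untrusted.
USER_WRITABLE = re.compile(r'\\(appdata\\local\\temp|downloads|public)\\', re.I)


def from_user_writable_path(image: str) -> bool:
    """True when the image path sits under a directory any user can write to."""
    return USER_WRITABLE.search(image) is not None


def detect(events):
    """Return one finding per (process, rule) match, with parent context."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        for name, pattern in RULES.items():
            if not pattern.search(e.cmdline):
                continue
            parent = by_pid.get(e.ppid)
            findings.append({
                "pid": e.pid,
                "rule": name,
                "parent_image": parent.image if parent else "<unknown>",
                # High confidence: the parent is a binary dropped in %TEMP% or similar,
                # not an admin shell or a management agent under C:\Windows.
                "high_confidence": parent is not None and from_user_writable_path(parent.image),
            })
    return findings


# Constructed sample mirroring the report's tree (PIDs 3940, 3900, 2552) plus two
# benign administrative commands that must not fire.
SAMPLE_EVENTS = [
    ProcEvent(1400, 900, r'C:\Windows\explorer.exe', 'explorer.exe'),
    ProcEvent(3940, 1400,
              r'C:\Users\Admin\AppData\Local\Temp\84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe',
              r'"C:\Users\Admin\AppData\Local\Temp\84c88686a52f325a239aec45635ec9adc85bfabcb9888658eecbca1bd9757a7b.exe"'),
    ProcEvent(3900, 3940, r'C:\Windows\SysWOW64\wbem\WMIC.exe',
              r'"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete'),
    ProcEvent(2552, 3940, r'C:\Windows\SysWOW64\cmd.exe',
              r'"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\"."'),
    # Benign: an admin listing shadow copies from an elevated shell (constructed).
    ProcEvent(5100, 5000, r'C:\Windows\System32\vssadmin.exe',
              r'"C:\Windows\System32\vssadmin.exe" list shadows'),
    ProcEvent(5200, 5000, r'C:\Windows\System32\wbem\WMIC.exe',
              r'"C:\Windows\System32\wbem\WMIC.exe" shadowcopy list'),
]


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

Feed it an export of Sysmon event 1 or Security 4688 records with the four fields filled in; on the constructed sample it returns exactly two findings (PIDs 3900 and 2552), both high confidence, and stays silent on the `list` variants that administrators and backup agents run legitimately. The parent-path check is what keeps the WMIC rule usable outside a sandbox: the command itself is rare but not unique to malware, while a `%TEMP%` executable driving it almost always is.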

Network

MITRE ATT&CK Enterprise v6
