t1happy | 950be5b5501ee84b1641c3a9a780242a57cdd412892c781eac8781498bf11f3e | Triage

Submit
Reports

Overview

overview

Static

static

950be5b550...3e.exe

windows7_x64

950be5b550...3e.exe

windows10-2004_x64

Sharing

General

Target

950be5b5501ee84b1641c3a9a780242a57cdd412892c781eac8781498bf11f3e
Size

30KB
Sample

220324-thvqqsbcc2
MD5

ed0413e7e8a4280fe74f5afb87054b52
SHA1

92f8eca9aaad091ed525d52565932843097cc36e
SHA256

950be5b5501ee84b1641c3a9a780242a57cdd412892c781eac8781498bf11f3e
SHA512

55ccdcb90e556c83afdfcd1fb2106518d35c719ff199f8430377293a297223e14cccdc29add9b3c9b08221f9268f55d56f0ca17ab21cb898a9a1224daea6c8c4

Score

10^/10

t1happy evasion persistence ransomware spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

950be5b5501ee84b1641c3a9a780242a57cdd412892c781eac8781498bf11f3e.exe

Resource

win7-20220311-en

t1happy evasion persistence ransomware spyware stealer trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

950be5b5501ee84b1641c3a9a780242a57cdd412892c781eac8781498bf11f3e.exe

Resource

win10v2004-en-20220113

t1happy evasion persistence ransomware spyware stealer trojan

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
mail.gmx.net
Port:
587
Username:
[email protected]
Password:
cuF.7P\Bv#C>`pu)

Targets

- Target
  
  950be5b5501ee84b1641c3a9a780242a57cdd412892c781eac8781498bf11f3e
- Size
  
  30KB
- MD5
  
  ed0413e7e8a4280fe74f5afb87054b52
- SHA1
  
  92f8eca9aaad091ed525d52565932843097cc36e
- SHA256
  
  950be5b5501ee84b1641c3a9a780242a57cdd412892c781eac8781498bf11f3e
- SHA512
  
  55ccdcb90e556c83afdfcd1fb2106518d35c719ff199f8430377293a297223e14cccdc29add9b3c9b08221f9268f55d56f0ca17ab21cb898a9a1224daea6c8c4
Score

10^/10

t1happy evasion persistence ransomware spyware stealer trojan
- T1Happy
  T1Happy ransomware is a cryptovirus that behaves different than its counterparts.
  trojan ransomware t1happy
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Disables RegEdit via registry modification
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

File Deletion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Inhibit System Recovery

Tasks

static1

behavioral1

t1happyevasionpersistenceransomwarespywarestealertrojan

behavioral2

t1happyevasionpersistenceransomwarespywarestealertrojan

© 2018-2024

Terms | Privacy