Analysis

  • max time kernel
    4294244s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20220311-en
  • submitted
    24-03-2022 16:03

General

  • Target

    950be5b5501ee84b1641c3a9a780242a57cdd412892c781eac8781498bf11f3e.exe

  • Size

    30KB

  • MD5

    ed0413e7e8a4280fe74f5afb87054b52

  • SHA1

    92f8eca9aaad091ed525d52565932843097cc36e

  • SHA256

    950be5b5501ee84b1641c3a9a780242a57cdd412892c781eac8781498bf11f3e

  • SHA512

    55ccdcb90e556c83afdfcd1fb2106518d35c719ff199f8430377293a297223e14cccdc29add9b3c9b08221f9268f55d56f0ca17ab21cb898a9a1224daea6c8c4

Malware Config

Signatures

  • T1Happy

    T1Happy ransomware is a cryptovirus that behaves different than its counterparts.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Disables RegEdit via registry modification
  • Drops startup file 1 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops desktop.ini file(s) 14 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • System policy modification 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\950be5b5501ee84b1641c3a9a780242a57cdd412892c781eac8781498bf11f3e.exe
    "C:\Users\Admin\AppData\Local\Temp\950be5b5501ee84b1641c3a9a780242a57cdd412892c781eac8781498bf11f3e.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1876
    • C:\Windows\SysWOW64\wbem\WMIC.exe
      "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete
      2⤵
        PID:1292
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\"."
        2⤵
          PID:1680

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/1876-54-0x0000000000340000-0x000000000034E000-memory.dmp

        Filesize

        56KB

      • memory/1876-55-0x0000000004C55000-0x0000000004C66000-memory.dmp

        Filesize

        68KB