Analysis

  • max time kernel
    171s
  • max time network
    186s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    24-03-2022 16:03

General

  • Target

    950be5b5501ee84b1641c3a9a780242a57cdd412892c781eac8781498bf11f3e.exe

  • Size

    30KB

  • MD5

    ed0413e7e8a4280fe74f5afb87054b52

  • SHA1

    92f8eca9aaad091ed525d52565932843097cc36e

  • SHA256

    950be5b5501ee84b1641c3a9a780242a57cdd412892c781eac8781498bf11f3e

  • SHA512

    55ccdcb90e556c83afdfcd1fb2106518d35c719ff199f8430377293a297223e14cccdc29add9b3c9b08221f9268f55d56f0ca17ab21cb898a9a1224daea6c8c4

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    mail.gmx.net
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    cuF.7P\Bv#C>`pu)

Signatures

  • T1Happy

    T1Happy ransomware is a cryptovirus that behaves different than its counterparts.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Disables RegEdit via registry modification
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops desktop.ini file(s) 15 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • System policy modification 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\950be5b5501ee84b1641c3a9a780242a57cdd412892c781eac8781498bf11f3e.exe
    "C:\Users\Admin\AppData\Local\Temp\950be5b5501ee84b1641c3a9a780242a57cdd412892c781eac8781498bf11f3e.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Drops file in Program Files directory
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:3772
    • C:\Windows\SysWOW64\wbem\WMIC.exe
      "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete
      2⤵
        PID:1544
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\"."
        2⤵
          PID:4108

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/3772-130-0x0000000000AD0000-0x0000000000ADE000-memory.dmp

        Filesize

        56KB

      • memory/3772-131-0x00000000054E0000-0x000000000557C000-memory.dmp

        Filesize

        624KB

      • memory/3772-132-0x0000000005B30000-0x00000000060D4000-memory.dmp

        Filesize

        5.6MB

      • memory/3772-133-0x0000000005580000-0x0000000005612000-memory.dmp

        Filesize

        584KB

      • memory/3772-134-0x0000000005470000-0x000000000547A000-memory.dmp

        Filesize

        40KB

      • memory/3772-135-0x0000000005680000-0x00000000056D6000-memory.dmp

        Filesize

        344KB

      • memory/3772-136-0x000000000A530000-0x000000000A596000-memory.dmp

        Filesize

        408KB

      • memory/3772-139-0x0000000005580000-0x0000000005B24000-memory.dmp

        Filesize

        5.6MB