Analysis
- max time kernel: 299s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 22-11-2024 03:39
Behavioral tasks (task: sample, resource)
- behavioral1: ScreenCapture_Win8.MalwareScanner1.exe, win7-20240903-en
- behavioral2: ScreenCapture_Win8.MalwareScanner2.exe, win7-20240903-en
- behavioral3: ScreenCapture_Win8.PopupAlert.exe, win7-20241010-en
- behavioral4: ScreenCapture_Win8.TaskServer.exe, win7-20241023-en
- behavioral5: ScreenCapture_Win8.WindowsLock.exe, win7-20240903-en
- behavioral6: ScreenCapture_Win8.WindowsLock1.exe, win7-20240903-en
- behavioral7: ScreenCapture_Win8.WindowsLock2.exe, win7-20240903-en
- behavioral8: Setup (5).exe, win7-20240903-en
- behavioral9: Setup (6).exe, win7-20240903-en
- behavioral10: Supplementary Agreement 26_01_2016.scr, win7-20240708-en
- behavioral11: T1.exe, win7-20240903-en
- behavioral12: T1_b7afca788487347804156f052c613db5.exe, win7-20240903-en
- behavioral13: TeenTube_90767.exe, win7-20240729-en
- behavioral14: Trojan-Ransom.Win32.Telecrypt.a.exe, win7-20241010-en
- behavioral15: Tuyen bo chung Viet Nam - Hoa Ky - Infected and EnCrypted.doc, win7-20241010-en
- behavioral16: Tuyen bo chung Viet Nam - Hoa Ky - Infected.doc, win7-20240903-en
- behavioral17: UNPACKED.exe, win7-20241023-en
- behavioral18: Uninstall (2).exe, win7-20240903-en
- behavioral19: Uninstall.exe, win7-20240903-en
- behavioral20: Upx.exe, win7-20241010-en
- behavioral21: screenshot2016.exe, win7-20240903-en
- behavioral22: sidacertification.exe, win7-20240903-en
- behavioral23: spora.exe, win7-20240903-en
- behavioral24: svhost.exe, win7-20240708-en
- behavioral25: sys100s.exe_.exe, win7-20240903-en
- behavioral26: tordll.dll, win7-20240903-en
- behavioral27: uacbypass.exe, win7-20240729-en
- behavioral28: unpack.exe, win7-20240903-en
- behavioral29: unpacked.ex_.exe, win7-20240903-en
- behavioral30: unpacked.mem.exe, win7-20240903-en
- behavioral31: upd.exe, win7-20241010-en
- behavioral32: verhdiehndi.bat, win7-20240903-en
General
- Target: T1.exe
- Size: 31KB
- MD5: 29cdb46d2e01f2efb9644c7695a007bb
- SHA1: c276166bddcbcc093cf0b7164c4233745eda6cf5
- SHA256: 3ed94c1b319454f6122a05ef124e5bc8eefc60a3d81987fb712c7af78726e6b3
- SHA512: fcce8e8a5c0689cf79dc4ca46ff0bbad6f4c5b8c74dbbb186e1e9df3988fa75526c00dfb6b8181ede6f0e5f1496b96caf23cc59de8c774a70812b1b0b5a590a8
- SSDEEP: 768:sg1mvOSFUyD+W4e4++sqzYbxw7S0/oc1xO2ISMggtCLYc3qFgxd:sgcvOSFfEe4+tbxw7iCkwe/Fgx
Malware Config
Signatures
- T1Happy
  T1Happy ransomware is a cryptovirus that behaves differently from its counterparts.
- T1happy family
- Deletes shadow copies (3 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Renames multiple (5457) files with added filename extension
  This suggests ransomware activity: encrypting all the files on the system.
- Disables RegEdit via registry modification (1 IoC)
  Processes:
  - T1.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
- Credentials from Password Stores: Windows Credential Manager (1 TTP)
  Suspicious access to Credentials History.
- Drops startup file (1 IoC)
  Processes:
  - T1.exe: File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
- Modifies file permissions (1 TTP, 1 IoC)
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Unsecured Credentials: Credentials In Files (1 TTP)
  Steals credentials from unsecured files.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
  - T1.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Cortana = "C:\\Users\\Admin\\AppData\\Local\\Temp\\T1.exe"
  - T1.exe: Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Cortana = "C:\\Users\\Admin\\AppData\\Local\\Temp\\T1.exe"
- Drops desktop.ini file(s) (16 IoCs)
  Processes (all T1.exe):
  - File created C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
  - File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
  - File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini
  - File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini
  - File created C:\Program Files (x86)\desktop.ini
  - File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini
  - File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini
  - File created C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini
  - File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini
  - File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini
  - File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI
  - File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini
  - File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini
  - File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
  - File created C:\Users\Admin\Desktop\desktop.ini
  - File created C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
  - flow 4: api.ipify.org
  - flow 5: api.ipify.org
- Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  Processes:
  - T1.exe: Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\screen.jpg"
- Drops file in Program Files directory (64 IoCs)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes:
  - T1.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  - WMIC.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  - cmd.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  - takeown.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes:
  - T1.exe (PID 2112), the same entry recorded 64 times
- Suspicious use of AdjustPrivilegeToken (44 IoCs)
  Processes (token privileges by process):
  - T1.exe (PID 2112): SeDebugPrivilege
  - WMIC.exe (PID 1960), the following sequence recorded twice: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
  - vssvc.exe (PID 2944): SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (each entry recorded 4 times):
  - PID 2112 (T1.exe) wrote to memory of PID 1960 (WMIC.exe)
  - PID 2112 (T1.exe) wrote to memory of PID 2268 (cmd.exe)
  - PID 2268 (cmd.exe) wrote to memory of PID 2872 (takeown.exe)
- System policy modification (1 TTP, 2 IoCs)
  Processes:
  - T1.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"
  - T1.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes (process tree; child processes are nested under their parent)
- C:\Users\Admin\AppData\Local\Temp\T1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\T1.exe"
  PID: 2112
  Signatures:
  - Disables RegEdit via registry modification
  - Drops startup file
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  Children:
  - C:\Windows\SysWOW64\wbem\WMIC.exe
    Command line: "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete
    PID: 1960
    Signatures:
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\"."
    PID: 2268
    Signatures:
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    Children:
    - C:\Windows\SysWOW64\takeown.exe
      Command line: takeown /f C:\Windows\"."
      PID: 2872
      Signatures:
      - Modifies file permissions
      - System Location Discovery: System Language Discovery
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 2944
  Signatures:
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\NOTEPAD.EXE
  Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\HIT BY RANSOMWARE.txt
  PID: 1156
Network
MITRE ATT&CK Enterprise v15 (tactic > technique > sub-technique, with signature counts)
- Privilege Escalation
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
- Defense Evasion
  - File and Directory Permissions Modification (1)
  - Indicator Removal (1)
    - File Deletion (1)
  - Modify Registry (3)
- Credential Access
  - Credentials from Password Stores (2)
    - Credentials from Web Browsers (1)
    - Windows Credential Manager (1)
  - Unsecured Credentials (3)
    - Credentials In Files (3)
Downloads