Overview

overview

10

Static

static

10

ScreenCapt...r1.exe

windows7-x64

1

ScreenCapt...r2.exe

windows7-x64

1

ScreenCapt...rt.exe

windows7-x64

1

ScreenCapt...er.exe

windows7-x64

1

ScreenCapt...ck.exe

windows7-x64

1

ScreenCapt...k1.exe

windows7-x64

1

ScreenCapt...k2.exe

windows7-x64

1

Setup (5).exe

windows7-x64

7

Setup (6).exe

windows7-x64

7

Supplement...16.scr

windows7-x64

3

T1.exe

windows7-x64

10

T1_b7afca7...b5.exe

windows7-x64

10

TeenTube_90767.exe

windows7-x64

10

Trojan-Ran....a.exe

windows7-x64

3

Tuyen bo c...ed.doc

windows7-x64

4

Tuyen bo c...ed.doc

windows7-x64

4

UNPACKED.exe

windows7-x64

9

Uninstall (2).exe

windows7-x64

3

Uninstall.exe

windows7-x64

3

Upx.exe

windows7-x64

5

screenshot2016.exe

windows7-x64

7

sidacertification.exe

windows7-x64

3

spora.exe

windows7-x64

10

svhost.exe

windows7-x64

10

sys100s.exe_.exe

windows7-x64

9

tordll.dll

windows7-x64

3

uacbypass.exe

windows7-x64

3

unpack.exe

windows7-x64

10

unpacked.ex_.exe

windows7-x64

9

unpacked.mem.exe

windows7-x64

10

upd.exe

windows7-x64

6

verhdiehndi.bat

windows7-x64

8

Analysis

  • max time kernel
    299s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    22-11-2024 03:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    T1.exe

  • Size

    31KB

  • MD5

    29cdb46d2e01f2efb9644c7695a007bb

  • SHA1

    c276166bddcbcc093cf0b7164c4233745eda6cf5

  • SHA256

    3ed94c1b319454f6122a05ef124e5bc8eefc60a3d81987fb712c7af78726e6b3

  • SHA512

    fcce8e8a5c0689cf79dc4ca46ff0bbad6f4c5b8c74dbbb186e1e9df3988fa75526c00dfb6b8181ede6f0e5f1496b96caf23cc59de8c774a70812b1b0b5a590a8

  • SSDEEP

    768:sg1mvOSFUyD+W4e4++sqzYbxw7S0/oc1xO2ISMggtCLYc3qFgxd:sgcvOSFfEe4+tbxw7iCkwe/Fgx

Score
10/10
t1happycredential_accessdefense_evasiondiscoveryevasionexecutionimpactpersistenceransomwarespywarestealertrojan

Malware Config

Signatures

  • T1Happy

    T1Happy ransomware is a cryptovirus that behaves different than its counterparts.

    trojanransomwaret1happy
  • T1happy family
    t1happy
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution
  • Renames multiple (5457) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

    credential_accessstealer
  • Drops startup file 1 IoCs
  • Modifies file permissions 1 TTPs 1 IoCs
    discovery
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

    credential_accessstealer
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops desktop.ini file(s) 16 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Drops file in Program Files directory 64 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 44 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\T1.exe
    "C:\Users\Admin\AppData\Local\Temp\T1.exe"
    1⤵
    • Disables RegEdit via registry modification
    • Drops startup file
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2112
    • C:\Windows\SysWOW64\wbem\WMIC.exe
      "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:1960
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\"."
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2268
      • C:\Windows\SysWOW64\takeown.exe
        takeown /f C:\Windows\"."
        3⤵
        • Modifies file permissions
        • System Location Discovery: System Language Discovery
        PID:2872
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2944
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\HIT BY RANSOMWARE.txt
    1⤵
      PID:1156

    Network

    MITRE ATT&CK Enterprise v15

    Reconnaissance

    Resource Development

    Initial Access

    Execution

    Windows Management Instrumentation

    1
    T1047

    Persistence

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Privilege Escalation

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Defense Evasion

    File and Directory Permissions Modification

    1
    T1222

    Indicator Removal

    1
    T1070

    File Deletion

    1
    T1070.004

    Modify Registry

    3
    T1112

    Credential Access

    Credentials from Password Stores

    2
    T1555

    Credentials from Web Browsers

    1
    T1555.003

    Windows Credential Manager

    1
    T1555.004

    Unsecured Credentials

    3
    T1552

    Credentials In Files

    3
    T1552.001

    Discovery

    Browser Information Discovery

    1
    T1217

    System Information Discovery

    1
    T1082

    System Location Discovery

    1
    T1614

    System Language Discovery

    1
    T1614.001

    Lateral Movement

    Collection

    Data from Local System

    2
    T1005

    Command and Control

    Exfiltration

    Impact

    Defacement

    1
    T1491

    Inhibit System Recovery

    1
    T1490

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\DEEPBLUE\PREVIEW.GIF.happy
      Filesize

      3KB

      MD5

      1d31df3829f4c22e15d48faa61679175

      SHA1

      a2f40741e4b38319c0993b6842a315d548ea8e53

      SHA256

      c784a7c3216a8af2ffd71a4b8ed7e50c02f2fdfd76f6584e9fe2f8d8be92bd24

      SHA512

      32ac9fad436c872825cb07baa13c1dda3d638ca6ff128de18f3ce22e99d6603ab690d3d2bb63a33294d76c45a13af81cf48766128c7586332cd3dfaf52c4945d

      Download Submit

    • C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\IN00118_.WMF.happy
      Filesize

      816B

      MD5

      24064cc0a264eabc08db1141c9fd5c3f

      SHA1

      6d1997210190df3bcb16d264f6276d0f7eadc4ef

      SHA256

      20dd983374512b42431442e956a8e7b558c15a2559dc46fa477f3b0dee4ef37d

      SHA512

      42db5e568e27b31d64a98478313fd3fc275d409bddeb22da6c4a52366c5e987b0b29a67315d3e4633c58e251b2f5b1cc513c318183fd69f840c692afc5ccaa98

      Download Submit

    • C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14828_.GIF.happy
      Filesize

      224B

      MD5

      392e471e1334f2e42ed0e311f769cdd8

      SHA1

      4cccd75b55a817606cc79138b01d351f82e34780

      SHA256

      d93bb0ba05f1986ecfe6037db60c7d9e3d0655f9c0e31b877db4c3056dd062f7

      SHA512

      8e315b82dc14a298cb73e287e0b346e480de3f6e277a8fd9b953dc6456416ccfe7ea13323fad27360d27621ead2f669dd053d54907bb50b3d5a8c68dc11dc7bd

      Download Submit

    • C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21299_.GIF.happy
      Filesize

      96B

      MD5

      b8e7100f81d47b3368d1dcd3a703f9a1

      SHA1

      c244f6dce97b9d619cf61d473da31abf604a87cb

      SHA256

      6a59cab4bcf3aa37263c176207fb2809ab98bbe1c33c9123f9a18209d6e8979e

      SHA512

      8cd7db7af1a8ca6aab263770aca9843aca45b9d19b4d4b49cac8594eba3e178e00b013b8bf912d64fe8b908e7c9bd2bcf90078c44e7247e45d0ebcff70b79b0f

      Download Submit

    • C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\J0115843.GIF.happy
      Filesize

      192B

      MD5

      e26eab69fd7c3b7953c34ad85197ebac

      SHA1

      a60bd5acde6b26a26520bf8950700f8dcd7b74e6

      SHA256

      f5028b6c61015cc1639fed785e3c6432080dfb6a9be9a2c0be3edca304702e19

      SHA512

      88252580a546f96df185b300565ebcb7c63d2ed7c5c48197a2f8e82bbc00507449a5eb0cefc545c73dc15540a80e957eb8c9155324e5bd21cdf27055d484777e

      Download Submit

    • C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.HK.XML.happy
      Filesize

      832B

      MD5

      f642ee90f1e5015e7ef8f9b32210b9c6

      SHA1

      2b965629f2a559338e9affcd304db5c26d22359b

      SHA256

      997403e2c520ce18d0c58797972506776f94f6c3d282739b2b885f35471839fa

      SHA512

      52bc40ecb1fb7d23be7bb710bac8738740056d60b30ab3cb5f35c333b8cb0bad4b1a67100913d5a17019404d95a0cb2240ca825be939590031300e802ab6bf9e

      Download Submit

    • C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.PL.XML.happy
      Filesize

      816B

      MD5

      ff375d9347491474f2c500f036751f2a

      SHA1

      6491d3091e6ec928cb43c4053443ef4ff9403528

      SHA256

      d4398c68525a3fae713194500851137670d3763f8cd61d027e274becdc058e17

      SHA512

      f3773d8d7f314f1e381e5a9b3504049ad4e9cc2248ea700d509aaf8d8efd2e8b19ce72e2185042c5ff072eceb170dd9c09bf2301e1691003db0a8736c5bafb68

      Download Submit

    • C:\Users\Admin\Desktop\HIT BY RANSOMWARE.txt
      Filesize

      587B

      MD5

      67d1f04285eaabb5ef21969a6295b71f

      SHA1

      c253031dfa0c6aaf1a72fe31f50ae2937f384461

      SHA256

      6b94bc6ca76970e518a1341cce2c2842c965566b16389f4419d592bece446610

      SHA512

      2daf82cbc21d2837a35dab4ad48b95cea8a65719503750e93fd671bea100ab2aa9236e907e3a6615f890f020a91b019b8b2296565cc194d67c12f0f60ac95038

      Download Submit

    • memory/2112-125-0x0000000074630000-0x0000000074D1E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2112-20-0x000000007463E000-0x000000007463F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2112-2-0x0000000074630000-0x0000000074D1E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2112-1-0x0000000000F30000-0x0000000000F3E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/2112-0-0x000000007463E000-0x000000007463F000-memory.dmp

      Filesize

      4KB

      Download