Analysis
- max time kernel: 299s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 22-11-2024 03:39
Behavioral tasks (sample, resource)
- behavioral1: ScreenCapture_Win8.MalwareScanner1.exe (win7-20240903-en)
- behavioral2: ScreenCapture_Win8.MalwareScanner2.exe (win7-20240903-en)
- behavioral3: ScreenCapture_Win8.PopupAlert.exe (win7-20241010-en)
- behavioral4: ScreenCapture_Win8.TaskServer.exe (win7-20241023-en)
- behavioral5: ScreenCapture_Win8.WindowsLock.exe (win7-20240903-en)
- behavioral6: ScreenCapture_Win8.WindowsLock1.exe (win7-20240903-en)
- behavioral7: ScreenCapture_Win8.WindowsLock2.exe (win7-20240903-en)
- behavioral8: Setup (5).exe (win7-20240903-en)
- behavioral9: Setup (6).exe (win7-20240903-en)
- behavioral10: Supplementary Agreement 26_01_2016.scr (win7-20240708-en)
- behavioral11: T1.exe (win7-20240903-en)
- behavioral12: T1_b7afca788487347804156f052c613db5.exe (win7-20240903-en)
- behavioral13: TeenTube_90767.exe (win7-20240729-en)
- behavioral14: Trojan-Ransom.Win32.Telecrypt.a.exe (win7-20241010-en)
- behavioral15: Tuyen bo chung Viet Nam - Hoa Ky - Infected and EnCrypted.doc (win7-20241010-en)
- behavioral16: Tuyen bo chung Viet Nam - Hoa Ky - Infected.doc (win7-20240903-en)
- behavioral17: UNPACKED.exe (win7-20241023-en)
- behavioral18: Uninstall (2).exe (win7-20240903-en)
- behavioral19: Uninstall.exe (win7-20240903-en)
- behavioral20: Upx.exe (win7-20241010-en)
- behavioral21: screenshot2016.exe (win7-20240903-en)
- behavioral22: sidacertification.exe (win7-20240903-en)
- behavioral23: spora.exe (win7-20240903-en)
- behavioral24: svhost.exe (win7-20240708-en)
- behavioral25: sys100s.exe_.exe (win7-20240903-en)
- behavioral26: tordll.dll (win7-20240903-en)
- behavioral27: uacbypass.exe (win7-20240729-en)
- behavioral28: unpack.exe (win7-20240903-en)
- behavioral29: unpacked.ex_.exe (win7-20240903-en)
- behavioral30: unpacked.mem.exe (win7-20240903-en)
- behavioral31: upd.exe (win7-20241010-en)
- behavioral32: verhdiehndi.bat (win7-20240903-en)
General
- Target: T1_b7afca788487347804156f052c613db5.exe
- Size: 31KB
- MD5: b7afca788487347804156f052c613db5
- SHA1: dd3d9703c37589482344460d4c624f50dec7d077
- SHA256: a41130085e6e7d7ed320599698d79af44da110a58d761e3dfb35e44500e6ac16
- SHA512: a37d6ec993a3d0f19daffc3ff174b05707c12339c4475e88468135bca73572ee9b61fb1eae2fbb7285a3dc893b048da108cc54a0f6dec66983360483720eba7f
- SSDEEP: 768:eg1mvOSFR8d7OJecatzObxw7S0/o61xOxZKMggzCLYc3qFgxd:egcvOSFR8dVcPbxw7iQk2A/Fgx
Malware Config
Signatures
- T1Happy
  T1Happy ransomware is a cryptovirus that behaves differently from its counterparts.
- T1happy family
- Deletes shadow copies (3 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Renames multiple (5449) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
- Disables RegEdit via registry modification (1 IoC)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (process T1_b7afca788487347804156f052c613db5.exe)
- Credentials from Password Stores: Windows Credential Manager (1 TTP)
  Suspicious access to Credentials History.
- Drops startup file (1 IoC)
  File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini (process T1_b7afca788487347804156f052c613db5.exe)
- Modifies file permissions (1 TTP, 1 IoC)
  pid 2748, process takeown.exe
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Cortana = "C:\\Users\\Admin\\AppData\\Local\\Temp\\T1_b7afca788487347804156f052c613db5.exe" (process T1_b7afca788487347804156f052c613db5.exe)
  Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Cortana = "C:\\Users\\Admin\\AppData\\Local\\Temp\\T1_b7afca788487347804156f052c613db5.exe" (process T1_b7afca788487347804156f052c613db5.exe)
- Drops desktop.ini file(s) (16 IoCs; all by process T1_b7afca788487347804156f052c613db5.exe)
  File created C:\Program Files (x86)\desktop.ini
  File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini
  File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini
  File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
  File created C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini
  File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini
  File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
  File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini
  File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini
  File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini
  File created C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini
  File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini
  File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini
  File created C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
  File created C:\Users\Admin\Desktop\desktop.ini
  File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 4: api.ipify.org
  flow 5: api.ipify.org
- Drops file in Program Files directory (64 IoCs; all by process T1_b7afca788487347804156f052c613db5.exe)
  File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099183.WMF
  File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0216570.WMF
  File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TN00011_.WMF
  File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WING2.WMF
  File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\SIST02.XSL
  File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Data.Services.resources.dll
  File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\WINWORD.DEV.HXS
  File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR14F.GIF
  File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACEERR.DLL
  File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0153299.WMF
  File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0200383.WMF
  File created C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18237_.WMF
  File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD10268_.GIF
  File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GRAPH_F_COL.HXK
  File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21348_.GIF
  File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\QuickStyles\Fancy.dotx
  File created C:\Program Files (x86)\Microsoft Office\Templates\1033\OriginMergeLetter.Dotx
  File created C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\logo.png
  File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsHomePage.html
  File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-new.png
  File created C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\NETWORK\PREVIEW.GIF
  File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107090.WMF
  File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0179963.JPG
  File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0216600.WMF
  File created C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0297749.WMF
  File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\CALENDAR.GIF
  File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\OUTLLIBR.DLL.IDX_DLL
  File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\form_edit.js
  File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.COM.MY.XML
  File created C:\Program Files (x86)\Windows Media Player\WMPDMC.exe
  File created C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_box_top.png
  File created C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\item_hover_flyout.png
  File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0185842.WMF
  File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00199_.WMF
  File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\Places\BUZZ.WAV
  File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.JP.XML
  File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\BANNER.DPV
  File created C:\Program Files (x86)\Internet Explorer\SIGNUP\install.ins
  File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0150861.WMF
  File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0153514.WMF
  File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00389_.WMF
  File created C:\Program Files (x86)\Microsoft Office\Office14\3082\MSO.ACL
  File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\PresentationBuildTasks.resources.dll
  File created C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\Explorer.zip
  File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\GIFIMP32.FLT
  File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Help\NamedURLs.HxK
  File created C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CASCADE\CASCADE.ELM
  File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TN00411_.WMF
  File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\VelvetRose.css
  File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\LINE.JPG
  File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\SWBELL.NET.XML
  File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\de\PresentationBuildTasks.resources.dll
  File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PARNT_08.MID
  File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0186348.WMF
  File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\XLCALL32.DLL
  File created C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR14F.GIF
  File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR51B.GIF
  File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue.css
  File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\de\UIAutomationClient.resources.dll
  File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD10265_.GIF
  File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21310_.GIF
  File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\bg_Casual.gif
  File created C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME08.CSS
  File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_FormsHomePage.gif
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process T1_b7afca788487347804156f052c613db5.exe)
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process cmd.exe)
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process WMIC.exe)
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process takeown.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  64 entries, each: pid 3056, process T1_b7afca788487347804156f052c613db5.exe
- Suspicious use of AdjustPrivilegeToken (41 IoCs)
  Token: SeDebugPrivilege (pid 3056, process T1_b7afca788487347804156f052c613db5.exe)
  The following 20 tokens are each recorded twice for pid 2544, process WMIC.exe:
  Token: SeIncreaseQuotaPrivilege
  Token: SeSecurityPrivilege
  Token: SeTakeOwnershipPrivilege
  Token: SeLoadDriverPrivilege
  Token: SeSystemProfilePrivilege
  Token: SeSystemtimePrivilege
  Token: SeProfSingleProcessPrivilege
  Token: SeIncBasePriorityPrivilege
  Token: SeCreatePagefilePrivilege
  Token: SeBackupPrivilege
  Token: SeRestorePrivilege
  Token: SeShutdownPrivilege
  Token: SeDebugPrivilege
  Token: SeSystemEnvironmentPrivilege
  Token: SeRemoteShutdownPrivilege
  Token: SeUndockPrivilege
  Token: SeManageVolumePrivilege
  Token: 33
  Token: 34
  Token: 35
- Suspicious use of WriteProcessMemory (12 IoCs)
  PID 3056 wrote to memory of 2544 (process T1_b7afca788487347804156f052c613db5.exe, procid_target 30), recorded 4 times
  PID 3056 wrote to memory of 2796 (process T1_b7afca788487347804156f052c613db5.exe, procid_target 31), recorded 4 times
  PID 2796 wrote to memory of 2748 (process cmd.exe, procid_target 34), recorded 4 times
- System policy modification (1 TTP, 2 IoCs)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (process T1_b7afca788487347804156f052c613db5.exe)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" (process T1_b7afca788487347804156f052c613db5.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe (PID 3056)
  Command line: "C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe"
  Signatures: Disables RegEdit via registry modification; Drops startup file; Adds Run key to start application; Drops desktop.ini file(s); Drops file in Program Files directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
  - C:\Windows\SysWOW64\wbem\WMIC.exe (PID 2544)
    Command line: "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete
    Signatures: System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe (PID 2796)
    Command line: "C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\"."
    Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\takeown.exe (PID 2748)
      Command line: takeown /f C:\Windows\"."
      Signatures: Modifies file permissions; System Location Discovery: System Language Discovery
- C:\Windows\system32\vssvc.exe (PID 1020)
  Command line: C:\Windows\system32\vssvc.exe
Network
MITRE ATT&CK Enterprise v15
- Privilege Escalation
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
- Defense Evasion
  - File and Directory Permissions Modification (1)
  - Indicator Removal (1)
    - File Deletion (1)
  - Modify Registry (2)
- Credential Access
  - Credentials from Password Stores (2)
    - Credentials from Web Browsers (1)
    - Windows Credential Manager (1)
  - Unsecured Credentials (1)
    - Credentials In Files (1)
Downloads
- Filesize: 560B
  MD5: dbc5243b65101d62b94f3c71abd492a9
  SHA1: 65d06ffd0ee3b4318173fa2832051010b75ce12c
  SHA256: e38ccf5cb2b2127518378113f2743bacb174ff328efc75f6719f1537c18c8405
  SHA512: 23a2af9939480ffc3040dff5a79ef224f99b1122b1c8554b55c1d454b12dd0461af69695de45e4029b8b706b8ebea276ca693e5099475e565a6fb65cf0f067da
- Filesize: 688B
  MD5: bac21b523853b4e0d4cb8d25bab07813
  SHA1: ec0acc988133f2297877447918ebe268eb84962c
  SHA256: 3c82891fe84d85311f6d91a3e64d83c5f06e5046ab9fa5d1faed7ed102c8e40f
  SHA512: abfd56474cda5699ee9322d6edf014292b71d7d3d6da0a585f1821453313eb3f29fe15c37f1584800d3c866ab568fa90c5fb2dd585ea840025c88817e3196662
- Filesize: 240B
  MD5: 84c245b9e2bcaa040651c930a68848ba
  SHA1: 8a127f877fee17d7f88e9d584db2d8339548bdc8
  SHA256: aa4d7d217931d8a6fd9d822c941d559c26820cd5ea247a3754553cdd1a1a43a2
  SHA512: 62ef5cf49ba6a7eabc32bfaf8d018f8bda8fa126cdb75616007d8cfb3caa827f67f41390524e2d3d1c44cdde0d061d4743b72a7d99e6bf8f6666418ae1770830
- Filesize: 192B
  MD5: 762ecbe25b0a0c090f25d54135a2bba9
  SHA1: 5b8bb7260ee48c3a882c782dbaa6c77c934594d1
  SHA256: d9211ee8f1cdadd8fe3a4bd4c588ae33f3a5fe41cab8f012c1306a01647394a3
  SHA512: 115c516bd4dca3f95bfb0a798b3e433304b710fd0fc8bba6a21115580226c459227f18c30fbd707f55f82b85f3cb9dd3ee20c5ea8385e1dde9616db4d76685d9
- Filesize: 288B
  MD5: 7987e50f723c961b923a647331833535
  SHA1: def607e5cdffcb3dbeae3323b1677a431595ec70
  SHA256: 8c309b2d6e139db42bdcf11877952f6c0c3b2fe830831203f3ee1540ab2ae66a
  SHA512: e1cfbc3032aa6952548e47597f33823569582fd1c8689fa9cbf86eb7bd62ab791f9e92312fe8f8814ffa038144aa8af37994077e7d5eac1d6d8a78010eac9ee3
- C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BabyBlue\HEADER.GIF.happy
  Filesize: 272B
  MD5: 45bd5bd092121df1cfcb0489bf47f124
  SHA1: c65807db9286e2eea58890538ea40cf2e0686c5e
  SHA256: dec76487284a836d9ebb829452b2a728e42a547d756af7fc8542207b0c77909e
  SHA512: 46f5394a91dff835e572d90a793ff6cebe84ea803401a26e206a8444daa774bb2bfa528a79b6eb74a4c88e3a027deef50ef6a97b45000b82c68c7ddb7818f696