t1happy | 5015af8fb5725c4c9ebac28a890128587b888acddab6cc9ff06e94e782713882

Analysis

max time kernel
299s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-11-2024 03:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

T1_b7afca788487347804156f052c613db5.exe
Size

31KB
MD5

b7afca788487347804156f052c613db5
SHA1

dd3d9703c37589482344460d4c624f50dec7d077
SHA256

a41130085e6e7d7ed320599698d79af44da110a58d761e3dfb35e44500e6ac16
SHA512

a37d6ec993a3d0f19daffc3ff174b05707c12339c4475e88468135bca73572ee9b61fb1eae2fbb7285a3dc893b048da108cc54a0f6dec66983360483720eba7f
SSDEEP

768:eg1mvOSFR8d7OJecatzObxw7S0/o61xOxZKMggzCLYc3qFgxd:egcvOSFR8dVcPbxw7iQk2A/Fgx

Score

10^/10

t1happy credential_access defense_evasion discovery evasion execution impact persistence ransomware spyware stealer trojan

Malware Config

Signatures

T1Happy
T1Happy ransomware is a cryptovirus that behaves different than its counterparts.
trojan ransomware t1happy
T1happy family
t1happy
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (5449) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Disables RegEdit via registry modification 1 IoCs

evasion

Processes:

T1_b7afca788487347804156f052c613db5.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	T1_b7afca788487347804156f052c613db5.exe

Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Drops startup file 1 IoCs

Processes:

T1_b7afca788487347804156f052c613db5.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	T1_b7afca788487347804156f052c613db5.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

takeown.exe

pid process

2748 takeown.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

pid	process
2748	takeown.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

T1_b7afca788487347804156f052c613db5.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Cortana = "C:\\Users\\Admin\\AppData\\Local\\Temp\\T1_b7afca788487347804156f052c613db5.exe"	T1_b7afca788487347804156f052c613db5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Cortana = "C:\\Users\\Admin\\AppData\\Local\\Temp\\T1_b7afca788487347804156f052c613db5.exe"	T1_b7afca788487347804156f052c613db5.exe

Drops desktop.ini file(s) 16 IoCs

Processes:

T1_b7afca788487347804156f052c613db5.exe

description	ioc	process
File created	C:\Program Files (x86)\desktop.ini	T1_b7afca788487347804156f052c613db5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	T1_b7afca788487347804156f052c613db5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	T1_b7afca788487347804156f052c613db5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	T1_b7afca788487347804156f052c613db5.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	T1_b7afca788487347804156f052c613db5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	T1_b7afca788487347804156f052c613db5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	T1_b7afca788487347804156f052c613db5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	T1_b7afca788487347804156f052c613db5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	T1_b7afca788487347804156f052c613db5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	T1_b7afca788487347804156f052c613db5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	T1_b7afca788487347804156f052c613db5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	T1_b7afca788487347804156f052c613db5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	T1_b7afca788487347804156f052c613db5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	T1_b7afca788487347804156f052c613db5.exe
File created	C:\Users\Admin\Desktop\desktop.ini	T1_b7afca788487347804156f052c613db5.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	T1_b7afca788487347804156f052c613db5.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 api.ipify.org
5 api.ipify.org

flow	ioc
4	api.ipify.org
5	api.ipify.org

Drops file in Program Files directory 64 IoCs

Processes:

T1_b7afca788487347804156f052c613db5.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099183.WMF	T1_b7afca788487347804156f052c613db5.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0216570.WMF	T1_b7afca788487347804156f052c613db5.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TN00011_.WMF	T1_b7afca788487347804156f052c613db5.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WING2.WMF	T1_b7afca788487347804156f052c613db5.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\SIST02.XSL	T1_b7afca788487347804156f052c613db5.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Data.Services.resources.dll	T1_b7afca788487347804156f052c613db5.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\WINWORD.DEV.HXS	T1_b7afca788487347804156f052c613db5.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR14F.GIF	T1_b7afca788487347804156f052c613db5.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACEERR.DLL	T1_b7afca788487347804156f052c613db5.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0153299.WMF	T1_b7afca788487347804156f052c613db5.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0200383.WMF	T1_b7afca788487347804156f052c613db5.exe
File created	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18237_.WMF	T1_b7afca788487347804156f052c613db5.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD10268_.GIF	T1_b7afca788487347804156f052c613db5.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GRAPH_F_COL.HXK	T1_b7afca788487347804156f052c613db5.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21348_.GIF	T1_b7afca788487347804156f052c613db5.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\QuickStyles\Fancy.dotx	T1_b7afca788487347804156f052c613db5.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\OriginMergeLetter.Dotx	T1_b7afca788487347804156f052c613db5.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\logo.png	T1_b7afca788487347804156f052c613db5.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsHomePage.html	T1_b7afca788487347804156f052c613db5.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-new.png	T1_b7afca788487347804156f052c613db5.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\NETWORK\PREVIEW.GIF	T1_b7afca788487347804156f052c613db5.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107090.WMF	T1_b7afca788487347804156f052c613db5.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0179963.JPG	T1_b7afca788487347804156f052c613db5.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0216600.WMF	T1_b7afca788487347804156f052c613db5.exe
File created	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0297749.WMF	T1_b7afca788487347804156f052c613db5.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\CALENDAR.GIF	T1_b7afca788487347804156f052c613db5.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\OUTLLIBR.DLL.IDX_DLL	T1_b7afca788487347804156f052c613db5.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\form_edit.js	T1_b7afca788487347804156f052c613db5.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.COM.MY.XML	T1_b7afca788487347804156f052c613db5.exe
File created	C:\Program Files (x86)\Windows Media Player\WMPDMC.exe	T1_b7afca788487347804156f052c613db5.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_box_top.png	T1_b7afca788487347804156f052c613db5.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\item_hover_flyout.png	T1_b7afca788487347804156f052c613db5.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0185842.WMF	T1_b7afca788487347804156f052c613db5.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00199_.WMF	T1_b7afca788487347804156f052c613db5.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\Places\BUZZ.WAV	T1_b7afca788487347804156f052c613db5.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.JP.XML	T1_b7afca788487347804156f052c613db5.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\BANNER.DPV	T1_b7afca788487347804156f052c613db5.exe
File created	C:\Program Files (x86)\Internet Explorer\SIGNUP\install.ins	T1_b7afca788487347804156f052c613db5.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0150861.WMF	T1_b7afca788487347804156f052c613db5.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0153514.WMF	T1_b7afca788487347804156f052c613db5.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00389_.WMF	T1_b7afca788487347804156f052c613db5.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\3082\MSO.ACL	T1_b7afca788487347804156f052c613db5.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\PresentationBuildTasks.resources.dll	T1_b7afca788487347804156f052c613db5.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\Explorer.zip	T1_b7afca788487347804156f052c613db5.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\GIFIMP32.FLT	T1_b7afca788487347804156f052c613db5.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\NamedURLs.HxK	T1_b7afca788487347804156f052c613db5.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CASCADE\CASCADE.ELM	T1_b7afca788487347804156f052c613db5.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TN00411_.WMF	T1_b7afca788487347804156f052c613db5.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\VelvetRose.css	T1_b7afca788487347804156f052c613db5.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\LINE.JPG	T1_b7afca788487347804156f052c613db5.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\SWBELL.NET.XML	T1_b7afca788487347804156f052c613db5.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\de\PresentationBuildTasks.resources.dll	T1_b7afca788487347804156f052c613db5.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PARNT_08.MID	T1_b7afca788487347804156f052c613db5.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0186348.WMF	T1_b7afca788487347804156f052c613db5.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\XLCALL32.DLL	T1_b7afca788487347804156f052c613db5.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR14F.GIF	T1_b7afca788487347804156f052c613db5.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR51B.GIF	T1_b7afca788487347804156f052c613db5.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue.css	T1_b7afca788487347804156f052c613db5.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\de\UIAutomationClient.resources.dll	T1_b7afca788487347804156f052c613db5.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD10265_.GIF	T1_b7afca788487347804156f052c613db5.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21310_.GIF	T1_b7afca788487347804156f052c613db5.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\bg_Casual.gif	T1_b7afca788487347804156f052c613db5.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME08.CSS	T1_b7afca788487347804156f052c613db5.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_FormsHomePage.gif	T1_b7afca788487347804156f052c613db5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

T1_b7afca788487347804156f052c613db5.execmd.exeWMIC.exetakeown.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	T1_b7afca788487347804156f052c613db5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

T1_b7afca788487347804156f052c613db5.exe

pid	process
3056	T1_b7afca788487347804156f052c613db5.exe
3056	T1_b7afca788487347804156f052c613db5.exe
3056	T1_b7afca788487347804156f052c613db5.exe
3056	T1_b7afca788487347804156f052c613db5.exe
3056	T1_b7afca788487347804156f052c613db5.exe
3056	T1_b7afca788487347804156f052c613db5.exe
3056	T1_b7afca788487347804156f052c613db5.exe
3056	T1_b7afca788487347804156f052c613db5.exe
3056	T1_b7afca788487347804156f052c613db5.exe
3056	T1_b7afca788487347804156f052c613db5.exe
3056	T1_b7afca788487347804156f052c613db5.exe
3056	T1_b7afca788487347804156f052c613db5.exe
3056	T1_b7afca788487347804156f052c613db5.exe
3056	T1_b7afca788487347804156f052c613db5.exe
3056	T1_b7afca788487347804156f052c613db5.exe
3056	T1_b7afca788487347804156f052c613db5.exe
3056	T1_b7afca788487347804156f052c613db5.exe
3056	T1_b7afca788487347804156f052c613db5.exe
3056	T1_b7afca788487347804156f052c613db5.exe
3056	T1_b7afca788487347804156f052c613db5.exe
3056	T1_b7afca788487347804156f052c613db5.exe
3056	T1_b7afca788487347804156f052c613db5.exe
3056	T1_b7afca788487347804156f052c613db5.exe
3056	T1_b7afca788487347804156f052c613db5.exe
3056	T1_b7afca788487347804156f052c613db5.exe
3056	T1_b7afca788487347804156f052c613db5.exe
3056	T1_b7afca788487347804156f052c613db5.exe
3056	T1_b7afca788487347804156f052c613db5.exe
3056	T1_b7afca788487347804156f052c613db5.exe
3056	T1_b7afca788487347804156f052c613db5.exe
3056	T1_b7afca788487347804156f052c613db5.exe
3056	T1_b7afca788487347804156f052c613db5.exe
3056	T1_b7afca788487347804156f052c613db5.exe
3056	T1_b7afca788487347804156f052c613db5.exe
3056	T1_b7afca788487347804156f052c613db5.exe
3056	T1_b7afca788487347804156f052c613db5.exe
3056	T1_b7afca788487347804156f052c613db5.exe
3056	T1_b7afca788487347804156f052c613db5.exe
3056	T1_b7afca788487347804156f052c613db5.exe
3056	T1_b7afca788487347804156f052c613db5.exe
3056	T1_b7afca788487347804156f052c613db5.exe
3056	T1_b7afca788487347804156f052c613db5.exe
3056	T1_b7afca788487347804156f052c613db5.exe
3056	T1_b7afca788487347804156f052c613db5.exe
3056	T1_b7afca788487347804156f052c613db5.exe
3056	T1_b7afca788487347804156f052c613db5.exe
3056	T1_b7afca788487347804156f052c613db5.exe
3056	T1_b7afca788487347804156f052c613db5.exe
3056	T1_b7afca788487347804156f052c613db5.exe
3056	T1_b7afca788487347804156f052c613db5.exe
3056	T1_b7afca788487347804156f052c613db5.exe
3056	T1_b7afca788487347804156f052c613db5.exe
3056	T1_b7afca788487347804156f052c613db5.exe
3056	T1_b7afca788487347804156f052c613db5.exe
3056	T1_b7afca788487347804156f052c613db5.exe
3056	T1_b7afca788487347804156f052c613db5.exe
3056	T1_b7afca788487347804156f052c613db5.exe
3056	T1_b7afca788487347804156f052c613db5.exe
3056	T1_b7afca788487347804156f052c613db5.exe
3056	T1_b7afca788487347804156f052c613db5.exe
3056	T1_b7afca788487347804156f052c613db5.exe
3056	T1_b7afca788487347804156f052c613db5.exe
3056	T1_b7afca788487347804156f052c613db5.exe
3056	T1_b7afca788487347804156f052c613db5.exe

Suspicious use of AdjustPrivilegeToken 41 IoCs

Processes:

T1_b7afca788487347804156f052c613db5.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	3056	T1_b7afca788487347804156f052c613db5.exe
Token: SeIncreaseQuotaPrivilege	2544	WMIC.exe
Token: SeSecurityPrivilege	2544	WMIC.exe
Token: SeTakeOwnershipPrivilege	2544	WMIC.exe
Token: SeLoadDriverPrivilege	2544	WMIC.exe
Token: SeSystemProfilePrivilege	2544	WMIC.exe
Token: SeSystemtimePrivilege	2544	WMIC.exe
Token: SeProfSingleProcessPrivilege	2544	WMIC.exe
Token: SeIncBasePriorityPrivilege	2544	WMIC.exe
Token: SeCreatePagefilePrivilege	2544	WMIC.exe
Token: SeBackupPrivilege	2544	WMIC.exe
Token: SeRestorePrivilege	2544	WMIC.exe
Token: SeShutdownPrivilege	2544	WMIC.exe
Token: SeDebugPrivilege	2544	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2544	WMIC.exe
Token: SeRemoteShutdownPrivilege	2544	WMIC.exe
Token: SeUndockPrivilege	2544	WMIC.exe
Token: SeManageVolumePrivilege	2544	WMIC.exe
Token: 33	2544	WMIC.exe
Token: 34	2544	WMIC.exe
Token: 35	2544	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2544	WMIC.exe
Token: SeSecurityPrivilege	2544	WMIC.exe
Token: SeTakeOwnershipPrivilege	2544	WMIC.exe
Token: SeLoadDriverPrivilege	2544	WMIC.exe
Token: SeSystemProfilePrivilege	2544	WMIC.exe
Token: SeSystemtimePrivilege	2544	WMIC.exe
Token: SeProfSingleProcessPrivilege	2544	WMIC.exe
Token: SeIncBasePriorityPrivilege	2544	WMIC.exe
Token: SeCreatePagefilePrivilege	2544	WMIC.exe
Token: SeBackupPrivilege	2544	WMIC.exe
Token: SeRestorePrivilege	2544	WMIC.exe
Token: SeShutdownPrivilege	2544	WMIC.exe
Token: SeDebugPrivilege	2544	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2544	WMIC.exe
Token: SeRemoteShutdownPrivilege	2544	WMIC.exe
Token: SeUndockPrivilege	2544	WMIC.exe
Token: SeManageVolumePrivilege	2544	WMIC.exe
Token: 33	2544	WMIC.exe
Token: 34	2544	WMIC.exe
Token: 35	2544	WMIC.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

T1_b7afca788487347804156f052c613db5.execmd.exe

description	pid	process	target process
PID 3056 wrote to memory of 2544	3056	T1_b7afca788487347804156f052c613db5.exe	WMIC.exe
PID 3056 wrote to memory of 2544	3056	T1_b7afca788487347804156f052c613db5.exe	WMIC.exe
PID 3056 wrote to memory of 2544	3056	T1_b7afca788487347804156f052c613db5.exe	WMIC.exe
PID 3056 wrote to memory of 2544	3056	T1_b7afca788487347804156f052c613db5.exe	WMIC.exe
PID 3056 wrote to memory of 2796	3056	T1_b7afca788487347804156f052c613db5.exe	cmd.exe
PID 3056 wrote to memory of 2796	3056	T1_b7afca788487347804156f052c613db5.exe	cmd.exe
PID 3056 wrote to memory of 2796	3056	T1_b7afca788487347804156f052c613db5.exe	cmd.exe
PID 3056 wrote to memory of 2796	3056	T1_b7afca788487347804156f052c613db5.exe	cmd.exe
PID 2796 wrote to memory of 2748	2796	cmd.exe	takeown.exe
PID 2796 wrote to memory of 2748	2796	cmd.exe	takeown.exe
PID 2796 wrote to memory of 2748	2796	cmd.exe	takeown.exe
PID 2796 wrote to memory of 2748	2796	cmd.exe	takeown.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

T1_b7afca788487347804156f052c613db5.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	T1_b7afca788487347804156f052c613db5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	T1_b7afca788487347804156f052c613db5.exe

C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe
"C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe"
1⤵
- Disables RegEdit via registry modification
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3056
- C:\Windows\SysWOW64\wbem\WMIC.exe
  "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2544
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\"."
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2796
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f C:\Windows\"."
    3⤵
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID:2748

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:1020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EDGE\EDGE.INF.happy

Filesize
560B

MD5
dbc5243b65101d62b94f3c71abd492a9

SHA1
65d06ffd0ee3b4318173fa2832051010b75ce12c

SHA256
e38ccf5cb2b2127518378113f2743bacb174ff328efc75f6719f1537c18c8405

SHA512
23a2af9939480ffc3040dff5a79ef224f99b1122b1c8554b55c1d454b12dd0461af69695de45e4029b8b706b8ebea276ca693e5099475e565a6fb65cf0f067da

Download Submit
C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14752_.GIF.happy

Filesize
688B

MD5
bac21b523853b4e0d4cb8d25bab07813

SHA1
ec0acc988133f2297877447918ebe268eb84962c

SHA256
3c82891fe84d85311f6d91a3e64d83c5f06e5046ab9fa5d1faed7ed102c8e40f

SHA512
abfd56474cda5699ee9322d6edf014292b71d7d3d6da0a585f1821453313eb3f29fe15c37f1584800d3c866ab568fa90c5fb2dd585ea840025c88817e3196662

Download Submit
C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15057_.GIF.happy

Filesize
240B

MD5
84c245b9e2bcaa040651c930a68848ba

SHA1
8a127f877fee17d7f88e9d584db2d8339548bdc8

SHA256
aa4d7d217931d8a6fd9d822c941d559c26820cd5ea247a3754553cdd1a1a43a2

SHA512
62ef5cf49ba6a7eabc32bfaf8d018f8bda8fa126cdb75616007d8cfb3caa827f67f41390524e2d3d1c44cdde0d061d4743b72a7d99e6bf8f6666418ae1770830

Download Submit
C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21377_.GIF.happy

Filesize
192B

MD5
762ecbe25b0a0c090f25d54135a2bba9

SHA1
5b8bb7260ee48c3a882c782dbaa6c77c934594d1

SHA256
d9211ee8f1cdadd8fe3a4bd4c588ae33f3a5fe41cab8f012c1306a01647394a3

SHA512
115c516bd4dca3f95bfb0a798b3e433304b710fd0fc8bba6a21115580226c459227f18c30fbd707f55f82b85f3cb9dd3ee20c5ea8385e1dde9616db4d76685d9

Download Submit
C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21399_.GIF.happy

Filesize
288B

MD5
7987e50f723c961b923a647331833535

SHA1
def607e5cdffcb3dbeae3323b1677a431595ec70

SHA256
8c309b2d6e139db42bdcf11877952f6c0c3b2fe830831203f3ee1540ab2ae66a

SHA512
e1cfbc3032aa6952548e47597f33823569582fd1c8689fa9cbf86eb7bd62ab791f9e92312fe8f8814ffa038144aa8af37994077e7d5eac1d6d8a78010eac9ee3

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BabyBlue\HEADER.GIF.happy

Filesize
272B

MD5
45bd5bd092121df1cfcb0489bf47f124

SHA1
c65807db9286e2eea58890538ea40cf2e0686c5e

SHA256
dec76487284a836d9ebb829452b2a728e42a547d756af7fc8542207b0c77909e

SHA512
46f5394a91dff835e572d90a793ff6cebe84ea803401a26e206a8444daa774bb2bfa528a79b6eb74a4c88e3a027deef50ef6a97b45000b82c68c7ddb7818f696

Download Submit
memory/3056-0-0x000000007472E000-0x000000007472F000-memory.dmp

Filesize
4KB

Download
memory/3056-1-0x0000000001040000-0x000000000104E000-memory.dmp

Filesize
56KB

Download
memory/3056-2-0x0000000074720000-0x0000000074E0E000-memory.dmp

Filesize
6.9MB

Download
memory/3056-14-0x000000007472E000-0x000000007472F000-memory.dmp

Filesize
4KB

Download
memory/3056-86-0x0000000074720000-0x0000000074E0E000-memory.dmp

Filesize
6.9MB

Download