Overview
overview
10Static
static
10ScreenCapt...r1.exe
windows7-x64
1ScreenCapt...r2.exe
windows7-x64
1ScreenCapt...rt.exe
windows7-x64
1ScreenCapt...er.exe
windows7-x64
1ScreenCapt...ck.exe
windows7-x64
1ScreenCapt...k1.exe
windows7-x64
1ScreenCapt...k2.exe
windows7-x64
1Setup (5).exe
windows7-x64
7Setup (6).exe
windows7-x64
7Supplement...16.scr
windows7-x64
3T1.exe
windows7-x64
10T1_b7afca7...b5.exe
windows7-x64
10TeenTube_90767.exe
windows7-x64
10Trojan-Ran....a.exe
windows7-x64
3Tuyen bo c...ed.doc
windows7-x64
4Tuyen bo c...ed.doc
windows7-x64
4UNPACKED.exe
windows7-x64
9Uninstall (2).exe
windows7-x64
3Uninstall.exe
windows7-x64
3Upx.exe
windows7-x64
5screenshot2016.exe
windows7-x64
7sidacertification.exe
windows7-x64
3spora.exe
windows7-x64
10svhost.exe
windows7-x64
10sys100s.exe_.exe
windows7-x64
9tordll.dll
windows7-x64
3uacbypass.exe
windows7-x64
3unpack.exe
windows7-x64
10unpacked.ex_.exe
windows7-x64
9unpacked.mem.exe
windows7-x64
10upd.exe
windows7-x64
6verhdiehndi.bat
windows7-x64
8Analysis
-
max time kernel
300s -
max time network
240s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
22-11-2024 03:39
Behavioral task
behavioral1
Sample
ScreenCapture_Win8.MalwareScanner1.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
ScreenCapture_Win8.MalwareScanner2.exe
Resource
win7-20240903-en
Behavioral task
behavioral3
Sample
ScreenCapture_Win8.PopupAlert.exe
Resource
win7-20241010-en
Behavioral task
behavioral4
Sample
ScreenCapture_Win8.TaskServer.exe
Resource
win7-20241023-en
Behavioral task
behavioral5
Sample
ScreenCapture_Win8.WindowsLock.exe
Resource
win7-20240903-en
Behavioral task
behavioral6
Sample
ScreenCapture_Win8.WindowsLock1.exe
Resource
win7-20240903-en
Behavioral task
behavioral7
Sample
ScreenCapture_Win8.WindowsLock2.exe
Resource
win7-20240903-en
Behavioral task
behavioral8
Sample
Setup (5).exe
Resource
win7-20240903-en
Behavioral task
behavioral9
Sample
Setup (6).exe
Resource
win7-20240903-en
Behavioral task
behavioral10
Sample
Supplementary Agreement 26_01_2016.scr
Resource
win7-20240708-en
Behavioral task
behavioral11
Sample
T1.exe
Resource
win7-20240903-en
Behavioral task
behavioral12
Sample
T1_b7afca788487347804156f052c613db5.exe
Resource
win7-20240903-en
Behavioral task
behavioral13
Sample
TeenTube_90767.exe
Resource
win7-20240729-en
Behavioral task
behavioral14
Sample
Trojan-Ransom.Win32.Telecrypt.a.exe
Resource
win7-20241010-en
Behavioral task
behavioral15
Sample
Tuyen bo chung Viet Nam - Hoa Ky - Infected and EnCrypted.doc
Resource
win7-20241010-en
Behavioral task
behavioral16
Sample
Tuyen bo chung Viet Nam - Hoa Ky - Infected.doc
Resource
win7-20240903-en
Behavioral task
behavioral17
Sample
UNPACKED.exe
Resource
win7-20241023-en
Behavioral task
behavioral18
Sample
Uninstall (2).exe
Resource
win7-20240903-en
Behavioral task
behavioral19
Sample
Uninstall.exe
Resource
win7-20240903-en
Behavioral task
behavioral20
Sample
Upx.exe
Resource
win7-20241010-en
Behavioral task
behavioral21
Sample
screenshot2016.exe
Resource
win7-20240903-en
Behavioral task
behavioral22
Sample
sidacertification.exe
Resource
win7-20240903-en
Behavioral task
behavioral23
Sample
spora.exe
Resource
win7-20240903-en
Behavioral task
behavioral24
Sample
svhost.exe
Resource
win7-20240708-en
Behavioral task
behavioral25
Sample
sys100s.exe_.exe
Resource
win7-20240903-en
Behavioral task
behavioral26
Sample
tordll.dll
Resource
win7-20240903-en
Behavioral task
behavioral27
Sample
uacbypass.exe
Resource
win7-20240729-en
Behavioral task
behavioral28
Sample
unpack.exe
Resource
win7-20240903-en
Behavioral task
behavioral29
Sample
unpacked.ex_.exe
Resource
win7-20240903-en
Behavioral task
behavioral30
Sample
unpacked.mem.exe
Resource
win7-20240903-en
Behavioral task
behavioral31
Sample
upd.exe
Resource
win7-20241010-en
Behavioral task
behavioral32
Sample
verhdiehndi.bat
Resource
win7-20240903-en
General
-
Target
TeenTube_90767.exe
-
Size
197KB
-
MD5
1105c4df3562b7ac9aaa3bf6037397c9
-
SHA1
5abd5e024b85078b9060e4eb75c9fc9c7549ad55
-
SHA256
efd8f55e43b1ab6379cac9d2f037fe5260ffae11433fb076fad3b639f9f9d4df
-
SHA512
98156f3f1707feaac20bc0250238aa3a4a8d0e531f77281e092c8b454a055bfbe97bc32b01538bbdc4f9b1ba76af6b626279bc8848484c79646aa5ea6bb8ad85
-
SSDEEP
3072:Oz+92mhTMMJ/cPiq5bVioBih1PJ8RsaX/Bv3WxAyZBQ73Uen/+V:Oz+92mhAMJ/cPl3iogavsAMBLen/U
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
Processes:
reg.exereg.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,\"C:\\\\16519.exe\" 89681039647" reg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,\"C:\\\\16519.exe\" 89681039647" reg.exe -
Executes dropped EXE 2 IoCs
Processes:
s.exeKMPlayer.exepid process 2992 s.exe 2860 KMPlayer.exe -
Loads dropped DLL 7 IoCs
Processes:
TeenTube_90767.exes.exepid process 2116 TeenTube_90767.exe 2116 TeenTube_90767.exe 2116 TeenTube_90767.exe 2992 s.exe 2992 s.exe 2992 s.exe 2992 s.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
cmd.exereg.exeTeenTube_90767.exes.exeKMPlayer.execmd.exereg.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language TeenTube_90767.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language s.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language KMPlayer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
KMPlayer.exepid process 2860 KMPlayer.exe 2860 KMPlayer.exe 2860 KMPlayer.exe 2860 KMPlayer.exe 2860 KMPlayer.exe 2860 KMPlayer.exe 2860 KMPlayer.exe 2860 KMPlayer.exe 2860 KMPlayer.exe 2860 KMPlayer.exe 2860 KMPlayer.exe 2860 KMPlayer.exe 2860 KMPlayer.exe 2860 KMPlayer.exe 2860 KMPlayer.exe 2860 KMPlayer.exe 2860 KMPlayer.exe 2860 KMPlayer.exe 2860 KMPlayer.exe 2860 KMPlayer.exe 2860 KMPlayer.exe 2860 KMPlayer.exe 2860 KMPlayer.exe 2860 KMPlayer.exe 2860 KMPlayer.exe 2860 KMPlayer.exe 2860 KMPlayer.exe 2860 KMPlayer.exe 2860 KMPlayer.exe 2860 KMPlayer.exe 2860 KMPlayer.exe 2860 KMPlayer.exe 2860 KMPlayer.exe 2860 KMPlayer.exe 2860 KMPlayer.exe 2860 KMPlayer.exe 2860 KMPlayer.exe 2860 KMPlayer.exe 2860 KMPlayer.exe 2860 KMPlayer.exe 2860 KMPlayer.exe 2860 KMPlayer.exe 2860 KMPlayer.exe 2860 KMPlayer.exe 2860 KMPlayer.exe 2860 KMPlayer.exe 2860 KMPlayer.exe 2860 KMPlayer.exe 2860 KMPlayer.exe 2860 KMPlayer.exe 2860 KMPlayer.exe 2860 KMPlayer.exe 2860 KMPlayer.exe 2860 KMPlayer.exe 2860 KMPlayer.exe 2860 KMPlayer.exe 2860 KMPlayer.exe 2860 KMPlayer.exe 2860 KMPlayer.exe 2860 KMPlayer.exe 2860 KMPlayer.exe 2860 KMPlayer.exe 2860 KMPlayer.exe 2860 KMPlayer.exe -
Suspicious use of WriteProcessMemory 42 IoCs
Processes:
TeenTube_90767.exes.exeKMPlayer.execmd.execmd.exedescription pid process target process PID 2116 wrote to memory of 2992 2116 TeenTube_90767.exe s.exe PID 2116 wrote to memory of 2992 2116 TeenTube_90767.exe s.exe PID 2116 wrote to memory of 2992 2116 TeenTube_90767.exe s.exe PID 2116 wrote to memory of 2992 2116 TeenTube_90767.exe s.exe PID 2116 wrote to memory of 2992 2116 TeenTube_90767.exe s.exe PID 2116 wrote to memory of 2992 2116 TeenTube_90767.exe s.exe PID 2116 wrote to memory of 2992 2116 TeenTube_90767.exe s.exe PID 2992 wrote to memory of 2860 2992 s.exe KMPlayer.exe PID 2992 wrote to memory of 2860 2992 s.exe KMPlayer.exe PID 2992 wrote to memory of 2860 2992 s.exe KMPlayer.exe PID 2992 wrote to memory of 2860 2992 s.exe KMPlayer.exe PID 2992 wrote to memory of 2860 2992 s.exe KMPlayer.exe PID 2992 wrote to memory of 2860 2992 s.exe KMPlayer.exe PID 2992 wrote to memory of 2860 2992 s.exe KMPlayer.exe PID 2860 wrote to memory of 2968 2860 KMPlayer.exe cmd.exe PID 2860 wrote to memory of 2968 2860 KMPlayer.exe cmd.exe PID 2860 wrote to memory of 2968 2860 KMPlayer.exe cmd.exe PID 2860 wrote to memory of 2968 2860 KMPlayer.exe cmd.exe PID 2860 wrote to memory of 2968 2860 KMPlayer.exe cmd.exe PID 2860 wrote to memory of 2968 2860 KMPlayer.exe cmd.exe PID 2860 wrote to memory of 2968 2860 KMPlayer.exe cmd.exe PID 2860 wrote to memory of 2680 2860 KMPlayer.exe cmd.exe PID 2860 wrote to memory of 2680 2860 KMPlayer.exe cmd.exe PID 2860 wrote to memory of 2680 2860 KMPlayer.exe cmd.exe PID 2860 wrote to memory of 2680 2860 KMPlayer.exe cmd.exe PID 2860 wrote to memory of 2680 2860 KMPlayer.exe cmd.exe PID 2860 wrote to memory of 2680 2860 KMPlayer.exe cmd.exe PID 2860 wrote to memory of 2680 2860 KMPlayer.exe cmd.exe PID 2968 wrote to memory of 1824 2968 cmd.exe reg.exe PID 2968 wrote to memory of 1824 2968 cmd.exe reg.exe PID 2968 wrote to memory of 1824 2968 cmd.exe reg.exe PID 2968 wrote to memory of 1824 2968 cmd.exe reg.exe PID 2968 wrote to memory of 1824 2968 cmd.exe reg.exe PID 2968 wrote to memory of 1824 2968 cmd.exe reg.exe PID 2968 wrote to memory of 1824 2968 cmd.exe reg.exe PID 2680 wrote to memory of 2832 2680 cmd.exe reg.exe PID 2680 wrote to memory of 2832 2680 cmd.exe reg.exe PID 2680 wrote to memory of 2832 2680 cmd.exe reg.exe PID 2680 wrote to memory of 2832 2680 cmd.exe reg.exe PID 2680 wrote to memory of 2832 2680 cmd.exe reg.exe PID 2680 wrote to memory of 2832 2680 cmd.exe reg.exe PID 2680 wrote to memory of 2832 2680 cmd.exe reg.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\TeenTube_90767.exe"C:\Users\Admin\AppData\Local\Temp\TeenTube_90767.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2116 -
C:\Users\Admin\AppData\Local\Temp\RarSFX0\s.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\s.exe" -pass -s22⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2992 -
C:\Users\Admin\AppData\Local\Temp\RarSFX0\KMPlayer.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\KMPlayer.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2860 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /t REG_SZ /d "userinit.exe","\"C:\\16519.exe\" 89681039647" /f4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2968 -
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /t REG_SZ /d "userinit.exe","\"C:\\16519.exe\" 89681039647" /f5⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
PID:1824
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /t REG_SZ /d "userinit.exe","\"C:\\16519.exe\" 89681039647" /f /reg:644⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2680 -
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /t REG_SZ /d "userinit.exe","\"C:\\16519.exe\" 89681039647" /f /reg:645⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
PID:2832
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
46KB
MD5f052a9fa8b537c241287b4dca3c11a37
SHA1295eb1eeabb085e516ede2c625b5a08e9da62430
SHA256881a394fab156cf1d585be408aa34c979e99a1d74f3a0729c54f982cb845cd82
SHA5126120f0e194b2222e0a444e412b0f4d3543836f13ae0656f1a69ec61970467104e90348f836dbb6394e74b3351d00d87f3101688e011de842d71fb8ed305aee6a
-
Filesize
132KB
MD5a26b0b3948676b82c4796c169bd043eb
SHA12e464f6f61b42871c1bf42d84f30ff58d7eef784
SHA25657d514bdcf2d47f04adf993b682bab6b9dfd150d47f3fef05541106096e6e4e5
SHA512aa71dc61929eb477ac64153a658bad2ddc6c003989587c42abdb8d4219512a1aaa8793f66247b868b2d92722e4bd01895c084b4a219272c0f6745a55a6d0f162