Overview
overview
10Static
static
10ScreenCapt...r1.exe
windows7-x64
1ScreenCapt...r2.exe
windows7-x64
1ScreenCapt...rt.exe
windows7-x64
1ScreenCapt...er.exe
windows7-x64
1ScreenCapt...ck.exe
windows7-x64
1ScreenCapt...k1.exe
windows7-x64
1ScreenCapt...k2.exe
windows7-x64
1Setup (5).exe
windows7-x64
7Setup (6).exe
windows7-x64
7Supplement...16.scr
windows7-x64
3T1.exe
windows7-x64
10T1_b7afca7...b5.exe
windows7-x64
10TeenTube_90767.exe
windows7-x64
10Trojan-Ran....a.exe
windows7-x64
3Tuyen bo c...ed.doc
windows7-x64
4Tuyen bo c...ed.doc
windows7-x64
4UNPACKED.exe
windows7-x64
9Uninstall (2).exe
windows7-x64
3Uninstall.exe
windows7-x64
3Upx.exe
windows7-x64
5screenshot2016.exe
windows7-x64
7sidacertification.exe
windows7-x64
3spora.exe
windows7-x64
10svhost.exe
windows7-x64
10sys100s.exe_.exe
windows7-x64
9tordll.dll
windows7-x64
3uacbypass.exe
windows7-x64
3unpack.exe
windows7-x64
10unpacked.ex_.exe
windows7-x64
9unpacked.mem.exe
windows7-x64
10upd.exe
windows7-x64
6verhdiehndi.bat
windows7-x64
8Analysis
-
max time kernel
121s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
22-11-2024 03:39
Behavioral task
behavioral1
Sample
ScreenCapture_Win8.MalwareScanner1.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
ScreenCapture_Win8.MalwareScanner2.exe
Resource
win7-20240903-en
Behavioral task
behavioral3
Sample
ScreenCapture_Win8.PopupAlert.exe
Resource
win7-20241010-en
Behavioral task
behavioral4
Sample
ScreenCapture_Win8.TaskServer.exe
Resource
win7-20241023-en
Behavioral task
behavioral5
Sample
ScreenCapture_Win8.WindowsLock.exe
Resource
win7-20240903-en
Behavioral task
behavioral6
Sample
ScreenCapture_Win8.WindowsLock1.exe
Resource
win7-20240903-en
Behavioral task
behavioral7
Sample
ScreenCapture_Win8.WindowsLock2.exe
Resource
win7-20240903-en
Behavioral task
behavioral8
Sample
Setup (5).exe
Resource
win7-20240903-en
Behavioral task
behavioral9
Sample
Setup (6).exe
Resource
win7-20240903-en
Behavioral task
behavioral10
Sample
Supplementary Agreement 26_01_2016.scr
Resource
win7-20240708-en
Behavioral task
behavioral11
Sample
T1.exe
Resource
win7-20240903-en
Behavioral task
behavioral12
Sample
T1_b7afca788487347804156f052c613db5.exe
Resource
win7-20240903-en
Behavioral task
behavioral13
Sample
TeenTube_90767.exe
Resource
win7-20240729-en
Behavioral task
behavioral14
Sample
Trojan-Ransom.Win32.Telecrypt.a.exe
Resource
win7-20241010-en
Behavioral task
behavioral15
Sample
Tuyen bo chung Viet Nam - Hoa Ky - Infected and EnCrypted.doc
Resource
win7-20241010-en
Behavioral task
behavioral16
Sample
Tuyen bo chung Viet Nam - Hoa Ky - Infected.doc
Resource
win7-20240903-en
Behavioral task
behavioral17
Sample
UNPACKED.exe
Resource
win7-20241023-en
Behavioral task
behavioral18
Sample
Uninstall (2).exe
Resource
win7-20240903-en
Behavioral task
behavioral19
Sample
Uninstall.exe
Resource
win7-20240903-en
Behavioral task
behavioral20
Sample
Upx.exe
Resource
win7-20241010-en
Behavioral task
behavioral21
Sample
screenshot2016.exe
Resource
win7-20240903-en
Behavioral task
behavioral22
Sample
sidacertification.exe
Resource
win7-20240903-en
Behavioral task
behavioral23
Sample
spora.exe
Resource
win7-20240903-en
Behavioral task
behavioral24
Sample
svhost.exe
Resource
win7-20240708-en
Behavioral task
behavioral25
Sample
sys100s.exe_.exe
Resource
win7-20240903-en
Behavioral task
behavioral26
Sample
tordll.dll
Resource
win7-20240903-en
Behavioral task
behavioral27
Sample
uacbypass.exe
Resource
win7-20240729-en
Behavioral task
behavioral28
Sample
unpack.exe
Resource
win7-20240903-en
Behavioral task
behavioral29
Sample
unpacked.ex_.exe
Resource
win7-20240903-en
Behavioral task
behavioral30
Sample
unpacked.mem.exe
Resource
win7-20240903-en
Behavioral task
behavioral31
Sample
upd.exe
Resource
win7-20241010-en
Behavioral task
behavioral32
Sample
verhdiehndi.bat
Resource
win7-20240903-en
General
-
Target
screenshot2016.exe
-
Size
4.6MB
-
MD5
b8c469c681323bad2efac3b30897e18f
-
SHA1
56bae6961b1fc0e3415b57483c1c21b8eaebd4b8
-
SHA256
121dd64aa3a17da1a9d27ae4ac84538a3b8ec23abec2f5f6e69a06f7826c4df5
-
SHA512
7184f92a537ea0737933190291bf49f64ecdba62739f2ea3546bb90f4868b08b48711eadbfd4c3d4166785abf1d759808d399c73cdf0cc2929a422ed6ff32f15
-
SSDEEP
49152:kvLL7UyvZBZF6DFrpnC6DFrpn67n7Z/1cvLL7UyVZbvLL7UygvLL7UyHvLL7Uy1l:krUy3KNpnCKNpnjrUybrUygrUyHrUy
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 2088 CaptureItPlus.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2088 CaptureItPlus.exe 2088 CaptureItPlus.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2868 screenshot2016.exe Token: SeDebugPrivilege 2088 CaptureItPlus.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 2088 CaptureItPlus.exe 2088 CaptureItPlus.exe -
Suspicious use of SendNotifyMessage 2 IoCs
pid Process 2088 CaptureItPlus.exe 2088 CaptureItPlus.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 2868 wrote to memory of 2088 2868 screenshot2016.exe 28 PID 2868 wrote to memory of 2088 2868 screenshot2016.exe 28 PID 2868 wrote to memory of 2088 2868 screenshot2016.exe 28
Processes
-
C:\Users\Admin\AppData\Local\Temp\screenshot2016.exe"C:\Users\Admin\AppData\Local\Temp\screenshot2016.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2868 -
C:\Users\Admin\AppData\Local\Temp\CaptureItPlus.exe"C:\Users\Admin\AppData\Local\Temp\CaptureItPlus.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2088
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
410KB
MD5e8cc55a833bfd86a6d3c4ad8391050cb
SHA1dee0d797b0ccf1cd6c47b6c9fa9f157ccf3e4c62
SHA25624b6c0f724c496aefab3e6a58b194213dc4ca4016e50ce8428b4fe15c6b6b240
SHA5129c0639a3efaefd2a0c3dbc2ead4f1314290ac4506997f8026a62be0f641c79509201198bab7bd0496f19875b8571c6fd519520e0b0b4d673ef0121156178fca3