t1happy

Sharing

General

Target

Batch_10.zip
Size

11.3MB
Sample

241122-ebsv8stpbv
MD5

b48fdef3291bb0abc112131cf87a8e15
SHA1

3a4cd49e66c6e38ca69fd6f6a6f494518ab76136
SHA256

5015af8fb5725c4c9ebac28a890128587b888acddab6cc9ff06e94e782713882
SHA512

3e8bda530a228eea7c36c7dd66b22f28d72a819408f2f8c1bd68fc9e73665293d4c09b562f09a4e6c79e77ac43539389dddb1e71a8e8b996a187c83821281dda
SSDEEP

196608:wtlLvswtv/acQbMgxSrvVK23tcrz00PonBnI9qJBd/fFD5:Ulzf3anbMgxMvVKOtEz0hnyiF9

Score

10^/10

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
mail.gmx.net
Port:
587
Username:
[email protected]
Password:
cuF.7P\Bv#C>`pu)

Targets

- Target
  
  ScreenCapture_Win8.MalwareScanner1.exe
- Size
  
  137KB
- MD5
  
  e6b389c43c8f108c8e40fcd35903ec19
- SHA1
  
  54fd03fcc29a71996da1705d28d646606ca749c9
- SHA256
  
  2c2188db9cbb3079d6cc09dab391e750dd1f2ad333838efb1941c0858e7bf896
- SHA512
  
  d41ed4ae710c2ed355674f549c4d592a010bb5021b8c8b03fdb78256a596d9b4716ed61f556fb5965b605c19905ec24395b795ead6eeed5da6f3b6e0422d332e
- SSDEEP
  
  3072:HkScxQ+r7+OXo5WYD99HMig0e03PTrPgsEDte56AhR5:HkScxt2O4Ycg3MPTrPdSeRhR
Score

1^/10
behavioral1 behavioral2
- Target
  
  ScreenCapture_Win8.MalwareScanner2.exe
- Size
  
  137KB
- MD5
  
  f5dabcae00cd2fac2cee31a3a22210d7
- SHA1
  
  707ac7035e00884bc6e1e0197df6a8821d4dd169
- SHA256
  
  33e3b35775308dbac17df9b4b8813e12f0d0ce1842fcf348c64aef13b01144d6
- SHA512
  
  060e0e6ca10cbdd548c97c16dcdcbbb8bed2c5dbc8c7be740857ca5a2ae54959c6936cf8316fc943dba559ab490f045277a84cef8c2217a3138dc4db19caaab3
- SSDEEP
  
  3072:UkScxQ+r7+OXo5WYD99HMig0e03PTrPgsEDte56AhsB:UkScxt2O4Ycg3MPTrPdSeRhs
Score

1^/10
behavioral3 behavioral4
- Target
  
  ScreenCapture_Win8.PopupAlert.exe
- Size
  
  445KB
- MD5
  
  2f62803bf924b80095e6ca08f4fe2620
- SHA1
  
  1022f09bb5802fd744b2e94aac54b31033c9cc81
- SHA256
  
  0152264bb7c476c2b5ece910cf63d2401e079ed64a259cd04b7bc2456fe5d28b
- SHA512
  
  aad767be7cb1a03217c8afb020f96eff0c4b2144d33e031799c850bf25418df571aef3ae5e89aacfc4c20d7f9a85b492296b6b4f26dfe376712a931f5e0e4d30
- SSDEEP
  
  12288:0NUhryI+L3cwFrAC3nTNUhryI+L3cwFrAC3n:0WuI+LDFrAmnTWuI+LDFrAmn
Score

1^/10
behavioral5 behavioral6
- Target
  
  ScreenCapture_Win8.TaskServer.exe
- Size
  
  1.1MB
- MD5
  
  35f2486d9fddb5ee6023cf0ade83a7d2
- SHA1
  
  b6e97e8516cad2bdb75599a7b01fc7a17331e874
- SHA256
  
  bf15e8c89f3be24a8d394b0a0972892b8d224e9d1f6510f3a6e1463b268186af
- SHA512
  
  52c9def952737595eaf23f1daa79bd1116241d9148be645da2685034317168f6820dea64552ba9c0a21cdab4090081d41e56bf610d2063d91835be050d353058
- SSDEEP
  
  24576:Hpf1Z7qyk019VM1nvs45vvjsYUy258pf1Z:jZ/1cvLL7UyVZ
Score

1^/10
behavioral7 behavioral8
- Target
  
  ScreenCapture_Win8.WindowsLock.exe
- Size
  
  413KB
- MD5
  
  a35db7336ebf2a57763d31205286da1c
- SHA1
  
  c61fe448964afcd1fb6b657d04d911cce2d08511
- SHA256
  
  eb55317191979c185bf1ba2e40a9468c433e7d1538f928f85c9672589b6ba037
- SHA512
  
  12da2b8efd13b94b9a9f6bc943efb2847323dc3c8df4f6adb4d426679da11408ba124b8e540b2d1c70c87c51a92eb16c7aa95b741e47a3972792668b069427d2
- SSDEEP
  
  12288:jV+t1nfILUvE45vvck5+TCxVCny2u8Am:jVM1nvs45vvjsYUy25
Score

1^/10
behavioral10 behavioral9
- Target
  
  ScreenCapture_Win8.WindowsLock1.exe
- Size
  
  413KB
- MD5
  
  318415ffeaa1e006c47ee8d9ac7d0854
- SHA1
  
  951ee1a9d651fc2e10ba7e774ed716f477427bb9
- SHA256
  
  57a77c5c3e50974585782956cd37615e6218a1a4dec8bbe5515aca0508f59ac4
- SHA512
  
  e7571ed7f5a857c80126394527a745fa7c98bbfe20ae68d4c3fd13614de95b80f172db2825acf24144cafc5d16f7d38f9948743dbc60189b7232eb3dcfc0b172
- SSDEEP
  
  12288:sV+t1nfILUvE45vvck5+TCxVCny2u8Am:sVM1nvs45vvjsYUy25
Score

1^/10
behavioral11 behavioral12
- Target
  
  ScreenCapture_Win8.WindowsLock2.exe
- Size
  
  413KB
- MD5
  
  faf666e0d80adbf3929a8bd78b34888a
- SHA1
  
  eac5046cd25814f5c043c6b8a92a948f1572cd4e
- SHA256
  
  bcdde1db8c7e73cda2baa87f7596767fb2783c40e1f3961eda2602528e15f2bc
- SHA512
  
  337f4a41f8aade7a4144d116ae20e63dc3df2e290096b3de8087188f21e3b7be9bffbc040be855bed509e080192720176e7d50fcb6f174a528da6ee48c77aa2d
- SSDEEP
  
  12288:5V+t1nfILUvE45vvck5+TCxVCny2u8Am:5VM1nvs45vvjsYUy25
Score

1^/10
behavioral13 behavioral14
- Target
  
  Setup (5).exe
- Size
  
  396KB
- MD5
  
  13f4b868603cf0dd6c32702d1bd858c9
- SHA1
  
  a595ab75e134f5616679be5f11deefdfaae1de15
- SHA256
  
  cae57a60c4d269cd1ca43ef143aedb8bfc4c09a7e4a689544883d05ce89406e7
- SHA512
  
  e0d7a81c9cdd15a4ef7c8a9492fffb2c520b28cebc54a139e1bffa5c523cf17dfb9ffe57188cf8843d74479df402306f4f0ce9fc09d87c7cca92aea287e5ff24
- SSDEEP
  
  12288:jANwRo+mv8QD4+0V16nkFkkk2kyW9EArjaccoH0qzh4:jAT8QE+kHW9EAr+fr4i
Score

7^/10

discovery persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
behavioral15 behavioral16
- Target
  
  Setup (6).exe
- Size
  
  289KB
- MD5
  
  1a2af687af2c9f39a5489da1bfceb864
- SHA1
  
  f5502776ce55b19679a8ff5a17884f3cc5db34da
- SHA256
  
  bd194616665ef6125f7c4af3796de38103c38fc8653d27ee861975dc343520ba
- SHA512
  
  f8c094ec519dc59955bad70c0a02d3fd15741c539be5a8f1d0002fbe5007e798180d590ea14b3b22ea231ceb4c5424eced00043ac36d35e6ddf34f5475cd54f6
- SSDEEP
  
  6144:FZABbWqsE/Ao+mv8Qv0LVmwq4FU0fNoy6nkFkkk2kyWDwOrNkYgYRWW:jANwRo+mv8QD4+0V16nkFkkk2kyWUOrF
Score

7^/10

discovery persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
behavioral17 behavioral18
- Target
  
  Supplementary Agreement 26_01_2016.scr
- Size
  
  91KB
- MD5
  
  b0625408735468e40f4af9472afcb35a
- SHA1
  
  ae8afddc982abc163147fc47bfd30f2340c56086
- SHA256
  
  9842ac7705c39546d9e153b5e014c16df061f306fd2b1904368cf8f503f4204c
- SHA512
  
  49e96828e92f142fb55fd301f9855a3965c2dc9e933e50eed0d7d9634771f3201a34704ceba419b5b941dd089306fa91aec36a841665ccc7abe649b95dd1e6ec
- SSDEEP
  
  1536:Rr346DHQyoOhwRY35OSmoKM+bBcql/UxyQKs1OiYI/3lHEKIp0+cNFyV:R86LaGccOSLK9qqli1aKKHcNe
Score

3^/10

discovery
behavioral19 behavioral20
- Target
  
  T1.exe
- Size
  
  31KB
- MD5
  
  29cdb46d2e01f2efb9644c7695a007bb
- SHA1
  
  c276166bddcbcc093cf0b7164c4233745eda6cf5
- SHA256
  
  3ed94c1b319454f6122a05ef124e5bc8eefc60a3d81987fb712c7af78726e6b3
- SHA512
  
  fcce8e8a5c0689cf79dc4ca46ff0bbad6f4c5b8c74dbbb186e1e9df3988fa75526c00dfb6b8181ede6f0e5f1496b96caf23cc59de8c774a70812b1b0b5a590a8
- SSDEEP
  
  768:sg1mvOSFUyD+W4e4++sqzYbxw7S0/oc1xO2ISMggtCLYc3qFgxd:sgcvOSFfEe4+tbxw7iCkwe/Fgx
Score

10^/10

t1happy credential_access defense_evasion discovery evasion execution impact persistence ransomware spyware stealer trojan
- T1Happy
  T1Happy ransomware is a cryptovirus that behaves different than its counterparts.
  trojan ransomware t1happy
- T1happy family
  t1happy
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Renames multiple (5439) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Disables RegEdit via registry modification
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Credentials from Password Stores: Windows Credential Manager
  Suspicious access to Credentials History.
  credential_access stealer
- Drops startup file
- Modifies file permissions
  discovery
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Sets desktop wallpaper using registry
  ransomware
behavioral21 behavioral22
- Target
  
  T1_b7afca788487347804156f052c613db5.exe
- Size
  
  31KB
- MD5
  
  b7afca788487347804156f052c613db5
- SHA1
  
  dd3d9703c37589482344460d4c624f50dec7d077
- SHA256
  
  a41130085e6e7d7ed320599698d79af44da110a58d761e3dfb35e44500e6ac16
- SHA512
  
  a37d6ec993a3d0f19daffc3ff174b05707c12339c4475e88468135bca73572ee9b61fb1eae2fbb7285a3dc893b048da108cc54a0f6dec66983360483720eba7f
- SSDEEP
  
  768:eg1mvOSFR8d7OJecatzObxw7S0/o61xOxZKMggzCLYc3qFgxd:egcvOSFR8dVcPbxw7iQk2A/Fgx
Score

10^/10

t1happy credential_access defense_evasion discovery evasion execution impact persistence ransomware spyware stealer trojan
- T1Happy
  T1Happy ransomware is a cryptovirus that behaves different than its counterparts.
  trojan ransomware t1happy
- T1happy family
  t1happy
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Renames multiple (5434) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Disables RegEdit via registry modification
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Credentials from Password Stores: Windows Credential Manager
  Suspicious access to Credentials History.
  credential_access stealer
- Drops startup file
- Modifies file permissions
  discovery
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral23 behavioral24
- Target
  
  TeenTube_90767.exe
- Size
  
  197KB
- MD5
  
  1105c4df3562b7ac9aaa3bf6037397c9
- SHA1
  
  5abd5e024b85078b9060e4eb75c9fc9c7549ad55
- SHA256
  
  efd8f55e43b1ab6379cac9d2f037fe5260ffae11433fb076fad3b639f9f9d4df
- SHA512
  
  98156f3f1707feaac20bc0250238aa3a4a8d0e531f77281e092c8b454a055bfbe97bc32b01538bbdc4f9b1ba76af6b626279bc8848484c79646aa5ea6bb8ad85
- SSDEEP
  
  3072:Oz+92mhTMMJ/cPiq5bVioBih1PJ8RsaX/Bv3WxAyZBQ73Uen/+V:Oz+92mhAMJ/cPl3iogavsAMBLen/U
Score

10^/10

discovery persistence
- Modifies WinLogon for persistence
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
behavioral25 behavioral26
- Target
  
  Trojan-Ransom.Win32.Telecrypt.a.exe
- Size
  
  3.1MB
- MD5
  
  3e24d064025ec20d6a8e8bae1d19ecdb
- SHA1
  
  aaf26fd22d5cab24dda2923b7ba6b131772b3a68
- SHA256
  
  3d7dd597a465d5275ef31d9e4f9dd80ed4de6139a1b3707cb3b0ffa068595567
- SHA512
  
  02eeddcb6d33dada9214503ab460d409ba429dfb00c756722188e2b7b9a65dd054a0bdacf45613ef3d6aa9524f256da155e33daf94eade384dc94f7716724896
- SSDEEP
  
  49152:yAqPm6R8fkBn5GSOsnvjXo2KzB931XYPy:0O6R8fklXo2KzBHX
Score

7^/10

discovery spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
behavioral27 behavioral28
- Target
  
  Tuyen bo chung Viet Nam - Hoa Ky - Infected and EnCrypted.doc
- Size
  
  57KB
- MD5
  
  9ce30fe9bccb3d09b8326d9c2b4326d8
- SHA1
  
  a9174fec5d81977eee9de2658a92fa9e4de76dd4
- SHA256
  
  2d20d5751ffbac9290271969860106fdd34309878a1e06f9dbcac23a7f50b571
- SHA512
  
  ba1dae484f846fbb18df4a3abbb54bcf22549ec4762db34560afacacf226f6c62ca37ad2045193770dcfc1ff61a08e3a47369b6352d5d282146a3afcc91bf83f
- SSDEEP
  
  768:jwox3E+dBeFwhLsYyB/ZOy8gOKHwlidfeEXy:B3FdBmwhLsYCJH/
Score

4^/10

discovery
behavioral29 behavioral30
- Target
  
  Tuyen bo chung Viet Nam - Hoa Ky - Infected.doc
- Size
  
  38KB
- MD5
  
  2d2bd96b7b99a4727dd3d01db91ed276
- SHA1
  
  90aff4cebf1741efab3123e3455cbb0181d9f9f7
- SHA256
  
  e6b15419059e833424e9c726e9b0b085d9f0fcb2cccbfe1025b0d0f8a1735a66
- SHA512
  
  8338a2a2bbfbae0c5dc705e677eb063aeaf87acc1f287d11046370cdaa697092a15d539b9c0ee40a0155a7cfb221b299d5a7a3c65c26fdb50aff4961186d6e4a
- SSDEEP
  
  384:Zjj08Mjar5mlCQTzQsBpD7FPWGwTvx5RSwYg0j3pAYtt/g8:JjMj+5mlCQT8sBxxP/wTJrJI
Score

4^/10

discovery
behavioral31 behavioral32

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

File and Directory Permissions Modification

T1222

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Tasks

Sharing

General

Malware Config

Extracted

Targets

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Checks installed software on the system

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Checks installed software on the system

T1happy family

Deletes shadow copies

Renames multiple (5439) files with added filename extension

Disables RegEdit via registry modification

Checks computer location settings

Credentials from Password Stores: Windows Credential Manager

Drops startup file

Modifies file permissions

Reads data files stored by FTP clients

Reads user/profile data of web browsers

Unsecured Credentials: Credentials In Files

Adds Run key to start application

Drops desktop.ini file(s)

Looks up external IP address via web service

Sets desktop wallpaper using registry

T1Happy

T1happy family

Deletes shadow copies

Renames multiple (5434) files with added filename extension

Disables RegEdit via registry modification

Checks computer location settings

Credentials from Password Stores: Windows Credential Manager

Drops startup file

Modifies file permissions

Reads user/profile data of web browsers

Unsecured Credentials: Credentials In Files

Adds Run key to start application

Drops desktop.ini file(s)

Looks up external IP address via web service

Modifies WinLogon for persistence

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21

behavioral22

behavioral23

behavioral24

behavioral25

behavioral26

behavioral27