Overview
overview
10Static
static
10ScreenCapt...r1.exe
windows7-x64
1ScreenCapt...r1.exe
windows10-2004-x64
1ScreenCapt...r2.exe
windows7-x64
1ScreenCapt...r2.exe
windows10-2004-x64
1ScreenCapt...rt.exe
windows7-x64
1ScreenCapt...rt.exe
windows10-2004-x64
1ScreenCapt...er.exe
windows7-x64
1ScreenCapt...er.exe
windows10-2004-x64
1ScreenCapt...ck.exe
windows7-x64
1ScreenCapt...ck.exe
windows10-2004-x64
1ScreenCapt...k1.exe
windows7-x64
1ScreenCapt...k1.exe
windows10-2004-x64
1ScreenCapt...k2.exe
windows7-x64
1ScreenCapt...k2.exe
windows10-2004-x64
1Setup (5).exe
windows7-x64
7Setup (5).exe
windows10-2004-x64
7Setup (6).exe
windows7-x64
7Setup (6).exe
windows10-2004-x64
7Supplement...16.scr
windows7-x64
3Supplement...16.scr
windows10-2004-x64
3T1.exe
windows7-x64
10T1.exe
windows10-2004-x64
10T1_b7afca7...b5.exe
windows7-x64
10T1_b7afca7...b5.exe
windows10-2004-x64
10TeenTube_90767.exe
windows7-x64
10TeenTube_90767.exe
windows10-2004-x64
10Trojan-Ran....a.exe
windows7-x64
3Trojan-Ran....a.exe
windows10-2004-x64
7Tuyen bo c...ed.doc
windows7-x64
4Tuyen bo c...ed.doc
windows10-2004-x64
1Tuyen bo c...ed.doc
windows7-x64
4Tuyen bo c...ed.doc
windows10-2004-x64
1Analysis
-
max time kernel
149s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
22-11-2024 03:46
Behavioral task
behavioral1
Sample
ScreenCapture_Win8.MalwareScanner1.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
ScreenCapture_Win8.MalwareScanner1.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
ScreenCapture_Win8.MalwareScanner2.exe
Resource
win7-20240708-en
Behavioral task
behavioral4
Sample
ScreenCapture_Win8.MalwareScanner2.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral5
Sample
ScreenCapture_Win8.PopupAlert.exe
Resource
win7-20240903-en
Behavioral task
behavioral6
Sample
ScreenCapture_Win8.PopupAlert.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral7
Sample
ScreenCapture_Win8.TaskServer.exe
Resource
win7-20241010-en
Behavioral task
behavioral8
Sample
ScreenCapture_Win8.TaskServer.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral9
Sample
ScreenCapture_Win8.WindowsLock.exe
Resource
win7-20241023-en
Behavioral task
behavioral10
Sample
ScreenCapture_Win8.WindowsLock.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral11
Sample
ScreenCapture_Win8.WindowsLock1.exe
Resource
win7-20241010-en
Behavioral task
behavioral12
Sample
ScreenCapture_Win8.WindowsLock1.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral13
Sample
ScreenCapture_Win8.WindowsLock2.exe
Resource
win7-20240903-en
Behavioral task
behavioral14
Sample
ScreenCapture_Win8.WindowsLock2.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral15
Sample
Setup (5).exe
Resource
win7-20240903-en
Behavioral task
behavioral16
Sample
Setup (5).exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral17
Sample
Setup (6).exe
Resource
win7-20241010-en
Behavioral task
behavioral18
Sample
Setup (6).exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral19
Sample
Supplementary Agreement 26_01_2016.scr
Resource
win7-20240903-en
Behavioral task
behavioral20
Sample
Supplementary Agreement 26_01_2016.scr
Resource
win10v2004-20241007-en
Behavioral task
behavioral21
Sample
T1.exe
Resource
win7-20240708-en
Behavioral task
behavioral22
Sample
T1.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral23
Sample
T1_b7afca788487347804156f052c613db5.exe
Resource
win7-20241010-en
Behavioral task
behavioral24
Sample
T1_b7afca788487347804156f052c613db5.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral25
Sample
TeenTube_90767.exe
Resource
win7-20240903-en
Behavioral task
behavioral26
Sample
TeenTube_90767.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral27
Sample
Trojan-Ransom.Win32.Telecrypt.a.exe
Resource
win7-20241010-en
Behavioral task
behavioral28
Sample
Trojan-Ransom.Win32.Telecrypt.a.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral29
Sample
Tuyen bo chung Viet Nam - Hoa Ky - Infected and EnCrypted.doc
Resource
win7-20240708-en
Behavioral task
behavioral30
Sample
Tuyen bo chung Viet Nam - Hoa Ky - Infected and EnCrypted.doc
Resource
win10v2004-20241007-en
Behavioral task
behavioral31
Sample
Tuyen bo chung Viet Nam - Hoa Ky - Infected.doc
Resource
win7-20241023-en
Behavioral task
behavioral32
Sample
Tuyen bo chung Viet Nam - Hoa Ky - Infected.doc
Resource
win10v2004-20241007-en
General
-
Target
T1.exe
-
Size
31KB
-
MD5
29cdb46d2e01f2efb9644c7695a007bb
-
SHA1
c276166bddcbcc093cf0b7164c4233745eda6cf5
-
SHA256
3ed94c1b319454f6122a05ef124e5bc8eefc60a3d81987fb712c7af78726e6b3
-
SHA512
fcce8e8a5c0689cf79dc4ca46ff0bbad6f4c5b8c74dbbb186e1e9df3988fa75526c00dfb6b8181ede6f0e5f1496b96caf23cc59de8c774a70812b1b0b5a590a8
-
SSDEEP
768:sg1mvOSFUyD+W4e4++sqzYbxw7S0/oc1xO2ISMggtCLYc3qFgxd:sgcvOSFfEe4+tbxw7iCkwe/Fgx
Malware Config
Signatures
-
T1Happy
T1Happy ransomware is a cryptovirus that behaves different than its counterparts.
-
T1happy family
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (5439) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Disables RegEdit via registry modification 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" T1.exe -
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
-
Drops startup file 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini T1.exe -
Modifies file permissions 1 TTPs 1 IoCs
pid Process 2652 takeown.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Cortana = "C:\\Users\\Admin\\AppData\\Local\\Temp\\T1.exe" T1.exe Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Cortana = "C:\\Users\\Admin\\AppData\\Local\\Temp\\T1.exe" T1.exe -
Drops desktop.ini file(s) 16 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini T1.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini T1.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini T1.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini T1.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini T1.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini T1.exe File created C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini T1.exe File created C:\Program Files (x86)\desktop.ini T1.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini T1.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini T1.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini T1.exe File created C:\Users\Admin\Desktop\desktop.ini T1.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini T1.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini T1.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini T1.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI T1.exe -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 5 api.ipify.org 4 api.ipify.org -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\screen.jpg" T1.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101862.BMP T1.exe File created C:\Program Files (x86)\Microsoft Office\Office14\1033\PSRCHKEY.DAT T1.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\ED00184_.WMF T1.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0213449.WMF T1.exe File created C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21324_.GIF T1.exe File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\WindowsBase.resources.dll T1.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00513_.WMF T1.exe File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\gadget.xml T1.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145361.JPG T1.exe File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\rtf_underline.gif T1.exe File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\TAB_OFF.GIF T1.exe File created C:\Program Files (x86)\Internet Explorer\en-US\F12Tools.dll.mui T1.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099159.WMF T1.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0106816.WMF T1.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107148.WMF T1.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107728.WMF T1.exe File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsPreviewTemplateRTL.html T1.exe File created C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Solutions\Document.gif T1.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Help\1049\hxdsui.dll T1.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL T1.exe File created C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\FSTOCK.DLL T1.exe File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BOAT.WMF T1.exe File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00435_.WMF T1.exe File created C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CROATIAN.TXT T1.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME49.CSS T1.exe File created C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR18F.GIF T1.exe File created C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\css\slideShow.css T1.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105348.WMF T1.exe File created C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR9F.GIF T1.exe File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Discussion\DiscussionToolIconImagesMask.bmp T1.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\TAB_OFF.GIF T1.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Faculty.accdt T1.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR42F.GIF T1.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\BlackTieMergeLetter.dotx T1.exe File created C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\FREN\MSB1FREN.ITS T1.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105490.WMF T1.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0250997.WMF T1.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\MSTORE.EXE T1.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\OWSSUPP.DLL T1.exe File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\drvDX9.x3d T1.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107488.WMF T1.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0387591.JPG T1.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\LoginDialogBackground.jpg T1.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\ADD.GIF T1.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.CO.ID.XML T1.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Help\1028\hxdsui.dll T1.exe File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382969.JPG T1.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02426_.WMF T1.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Composite.eftx T1.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0235241.WMF T1.exe File created C:\Program Files (x86)\Windows Media Player\en-US\setup_wm.exe.mui T1.exe File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\settings.html T1.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00222_.WMF T1.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02465_.WMF T1.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\OutofSyncIconImages.jpg T1.exe File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\GrayCheck.css T1.exe File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\Dataset.zip T1.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382970.JPG T1.exe File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\icon.png T1.exe File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00388_.WMF T1.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Desert.css T1.exe File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\System.RunTime.Serialization.Resources.dll T1.exe File created C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\css\picturePuzzle.css T1.exe File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-full_partly-cloudy.png T1.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language T1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WMIC.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language takeown.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2020 T1.exe 2020 T1.exe 2020 T1.exe 2020 T1.exe 2020 T1.exe 2020 T1.exe 2020 T1.exe 2020 T1.exe 2020 T1.exe 2020 T1.exe 2020 T1.exe 2020 T1.exe 2020 T1.exe 2020 T1.exe 2020 T1.exe 2020 T1.exe 2020 T1.exe 2020 T1.exe 2020 T1.exe 2020 T1.exe 2020 T1.exe 2020 T1.exe 2020 T1.exe 2020 T1.exe 2020 T1.exe 2020 T1.exe 2020 T1.exe 2020 T1.exe 2020 T1.exe 2020 T1.exe 2020 T1.exe 2020 T1.exe 2020 T1.exe 2020 T1.exe 2020 T1.exe 2020 T1.exe 2020 T1.exe 2020 T1.exe 2020 T1.exe 2020 T1.exe 2020 T1.exe 2020 T1.exe 2020 T1.exe 2020 T1.exe 2020 T1.exe 2020 T1.exe 2020 T1.exe 2020 T1.exe 2020 T1.exe 2020 T1.exe 2020 T1.exe 2020 T1.exe 2020 T1.exe 2020 T1.exe 2020 T1.exe 2020 T1.exe 2020 T1.exe 2020 T1.exe 2020 T1.exe 2020 T1.exe 2020 T1.exe 2020 T1.exe 2020 T1.exe 2020 T1.exe -
Suspicious use of AdjustPrivilegeToken 41 IoCs
description pid Process Token: SeDebugPrivilege 2020 T1.exe Token: SeIncreaseQuotaPrivilege 2736 WMIC.exe Token: SeSecurityPrivilege 2736 WMIC.exe Token: SeTakeOwnershipPrivilege 2736 WMIC.exe Token: SeLoadDriverPrivilege 2736 WMIC.exe Token: SeSystemProfilePrivilege 2736 WMIC.exe Token: SeSystemtimePrivilege 2736 WMIC.exe Token: SeProfSingleProcessPrivilege 2736 WMIC.exe Token: SeIncBasePriorityPrivilege 2736 WMIC.exe Token: SeCreatePagefilePrivilege 2736 WMIC.exe Token: SeBackupPrivilege 2736 WMIC.exe Token: SeRestorePrivilege 2736 WMIC.exe Token: SeShutdownPrivilege 2736 WMIC.exe Token: SeDebugPrivilege 2736 WMIC.exe Token: SeSystemEnvironmentPrivilege 2736 WMIC.exe Token: SeRemoteShutdownPrivilege 2736 WMIC.exe Token: SeUndockPrivilege 2736 WMIC.exe Token: SeManageVolumePrivilege 2736 WMIC.exe Token: 33 2736 WMIC.exe Token: 34 2736 WMIC.exe Token: 35 2736 WMIC.exe Token: SeIncreaseQuotaPrivilege 2736 WMIC.exe Token: SeSecurityPrivilege 2736 WMIC.exe Token: SeTakeOwnershipPrivilege 2736 WMIC.exe Token: SeLoadDriverPrivilege 2736 WMIC.exe Token: SeSystemProfilePrivilege 2736 WMIC.exe Token: SeSystemtimePrivilege 2736 WMIC.exe Token: SeProfSingleProcessPrivilege 2736 WMIC.exe Token: SeIncBasePriorityPrivilege 2736 WMIC.exe Token: SeCreatePagefilePrivilege 2736 WMIC.exe Token: SeBackupPrivilege 2736 WMIC.exe Token: SeRestorePrivilege 2736 WMIC.exe Token: SeShutdownPrivilege 2736 WMIC.exe Token: SeDebugPrivilege 2736 WMIC.exe Token: SeSystemEnvironmentPrivilege 2736 WMIC.exe Token: SeRemoteShutdownPrivilege 2736 WMIC.exe Token: SeUndockPrivilege 2736 WMIC.exe Token: SeManageVolumePrivilege 2736 WMIC.exe Token: 33 2736 WMIC.exe Token: 34 2736 WMIC.exe Token: 35 2736 WMIC.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 2020 wrote to memory of 2736 2020 T1.exe 30 PID 2020 wrote to memory of 2736 2020 T1.exe 30 PID 2020 wrote to memory of 2736 2020 T1.exe 30 PID 2020 wrote to memory of 2736 2020 T1.exe 30 PID 2020 wrote to memory of 2748 2020 T1.exe 31 PID 2020 wrote to memory of 2748 2020 T1.exe 31 PID 2020 wrote to memory of 2748 2020 T1.exe 31 PID 2020 wrote to memory of 2748 2020 T1.exe 31 PID 2748 wrote to memory of 2652 2748 cmd.exe 34 PID 2748 wrote to memory of 2652 2748 cmd.exe 34 PID 2748 wrote to memory of 2652 2748 cmd.exe 34 PID 2748 wrote to memory of 2652 2748 cmd.exe 34 -
System policy modification 1 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" T1.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" T1.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\T1.exe"C:\Users\Admin\AppData\Local\Temp\T1.exe"1⤵
- Disables RegEdit via registry modification
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2020 -
C:\Windows\SysWOW64\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2736
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\"."2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2748 -
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\"."3⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
PID:2652
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵PID:2592
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
File and Directory Permissions Modification
1Indicator Removal
1File Deletion
1Modify Registry
3Credential Access
Credentials from Password Stores
2Credentials from Web Browsers
1Windows Credential Manager
1Unsecured Credentials
3Credentials In Files
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5da9345bb22a10e1042e7319bc0a4b298
SHA1d3763ca511af901f58488b2289d9b6f978ec5152
SHA256c95a93f8d797916945b3535373d66229fce76401d51217a4e8a2cf1f6a191106
SHA512ca9c3e785f6aeb9621d36f22953bfb2f4e5a65aba0dd217ff02fd77d39075b32cdd4139e853edc208e13248e0d9d0eb473465963689bff3b2731e55cc36424c5
-
Filesize
704B
MD5ece56d492dd0c0e83dcc5193ded4170b
SHA11f7b24e1f5cb33319476cf824ba9e455c71d69be
SHA2565ac5736b387dda4a4a029942e04f60312a4c686c1754e39d4904215e47ec8122
SHA5124cd7389f2d48991a988f07ec7e3bd7586d5bbb88ac3fe71e7b5d51028280ce73a8348e7c003d31bc2631aad9ed7eec51657bd2c94a621946e154386e533ca1f6
-
Filesize
528B
MD54603995f24ea38362b4a4d2da3a7baed
SHA1618d1665403b72cb22e6d8c85b536e39ad5934b0
SHA256c5fc926b89818a9b26933fb383222c3654bb2b6921dcc4402ddf517f4b3f77d3
SHA5127dcf68cb62e653917e1a7c5453c703515bc184cabd419609b5adff032586232084fea99a2c7b71145427f747d70f36c8e9522542cdd5eab810a64549b8737cac
-
Filesize
2KB
MD543b0a1ad14310e9c7ade9ebc2eebc024
SHA15fdaa57a25c372da3e1d7021f889da25238a24f3
SHA2562d1691113be20624549917c59b7771e77ebd45e7bfa65d49cd636d9b858abe72
SHA5129393a118448d6b5efc8b73503bb91b029a2ba2fa6902411b1945eb35184085805c78bc9c71d4cf51f9ccbf2bc57a5dd3ce158d2bd8281c4c35293abf54ae84d6
-
Filesize
11KB
MD549db1543cd8cbee58b9ee4aaf103ae5c
SHA155daf1ef8d2f39537cc26c3bb69d5ebb9459c6c1
SHA2569bb654ca8c0e4235a326862eaee83dc6efa5871605602f36835cab0f61e6047a
SHA512839cd41cbe9538068b2d4cbae945c21a5c7494bd46e9adf8d293ea6805a909320a0d8db5dcfba85e175a9c9b7168e72d42004ecb149252ef6cbe25005713d0f9
-
Filesize
9KB
MD566b756ad85f6afcfe3652caa1bf8ad19
SHA1518e419b83fa43df8993daa4ce3f81d1290b7d9d
SHA256d4c24e399f1c6a1fa11d7be1176dc1871a412b82fecdb7f5a5a2da10a59d0b2c
SHA5127801a6fc31340f41eba886fb7ba38a9adfef0e660b40bf80407b5ae6863b18c8c41fbb49c7e203f9b3b0ee3fda6744110611a2bc0ff87a03b7ecc340a9211d62
-
Filesize
1KB
MD53af98ca5d166374866f34198dbdf3870
SHA1ab8208bec8231be7fcefc73603103b7e399525f4
SHA2566f05f3ec03577a5658d5c1cc712ab92f1d1250bbd4e46c60b77a84c66b14e0c3
SHA51292b7a1d49a0255af74fdfb5a20770d80d86db6df4a01358fbbff22bbe3e04c63cbbb1415d772ceaf978c28a754679a8ffbe04ba985dd836787a9e7a5941a7e71
-
Filesize
6KB
MD5e26bed72e69585b9cd41144399c06653
SHA1a72f6deb1adf89ca9df15d9562d9a3f18b302f07
SHA2565153b205c2d63c61b0e80cdca52c0785b4368d55c6cde11f97155ab9f738de1c
SHA51239e0617535d20bcfed02b8178f6057d392258908cdd957672208554eb57abfaf06f81b7c7a25d63e3f3c9a2889a465e2bb4703ec14f95e05c88739f07c77d871
-
Filesize
688B
MD5dccc465f0e825ce4539e55f852c4e374
SHA152446d42380c975236814a6944f8dcb1596c6eb3
SHA2561300ddd5c8a4e5c7b566fc7bb4858759cf9269d597e4a6840a8b4a2a053cee24
SHA512eebb20f5aa71ee5eef53f2f2fad0de7bd7c15635b040bbfeff6e3bd8780a70228a7b9ea66ff2b4d6095a465e26054f7950279802bfefb0557c716adb62307594
-
Filesize
208B
MD5a33585cdc3284f2b90caed8e0e699dfa
SHA11c8d60e6b2efbad1a12e93b095f994c95f780ce2
SHA256ff7fbbbc9b2cf8a2bfc58771be9ad9c0c5da0dd7e7d9d4c39cc8ebe9aaed20da
SHA5129beb22f9c63c10ef5d0c38e7414f9385a8b0f374079b7d64952762bcf9823aea616db2feb29bd1ea9c7f6274a8c6d0a7eea68070b8217bd2a1018b3d8707648c
-
Filesize
272B
MD585bcd310d31a036e3ef90909d3d4f864
SHA1162043719b631ee6c02ddbf428842735a58b3ad5
SHA256ad952fdf162db50c3569866144ab7ec95b2cbcc890169ab390ef8bca76d46146
SHA512b84f1f25d0ddc9d28a024b4b71a0331a98d8ff2202dd23202dc6569e1194a7601e7ddc0755609840d2c97f2891b1afdab8e25b932abc3d98b3ec922e38aa82eb
-
Filesize
23KB
MD5a48a197aad358029e54404d0d56d6267
SHA160348d2b3f7870f124940eb56a8764b44fbbcc0c
SHA2560b2bf579d959946bda95da5a1f1f1020f033bf59659e2b71e305812b07c4b09d
SHA512bea35548a83dc6e016d43a49d18043f0a39de837c6e3cf8c4b618381e91279c344fec4abc5764d4ade291ad6b835d3d960f5fb99328cfab17308c0aa5a296d0f
-
Filesize
128B
MD5126de03195c64373d09b26b196960c8c
SHA120d5809e84612236b14deb4c60181e3eadd4f8e8
SHA2565986b177f272c328edd7912833a291300e5660f6eb27993192722e993052b8c6
SHA5125393c0b0af9d07effb0dc7733dcbd42aeaf25355dcd87cf3714b902949ffbca861ca36c9f24067f2d71092b8a9d1189451ae08ded6f64dedb373fd62c8fe9cd2
-
Filesize
2KB
MD565fe4827d0a74aafdaa53e3a0e2df924
SHA16d9c209a1ebba1e8199b3e47767bb375e8e04d8e
SHA256cc02705da62ce246b5731c4db4c07f2c20cb6b9c40646f848966805cb9cd2524
SHA512a8ff4d5df304f98cdc9ceb3ef861fdb36e36fd52f8b4826983195bf69ffaeaa45839d07f7c1e82d3eac1928e8974eeb54ab56681147456004f66adb6017097b5
-
Filesize
208B
MD518ccf0d4c6c55d531de8a7debdb5535f
SHA1e51748a021c00784dffdb3031edef1a29201c740
SHA2562ed7f6d601fb86de8ac2e14f93dc9bf5c476f25f7939d9f77a85475bbbc9eceb
SHA51220c11f2c6adc5d8c75386b4ce3f201e9631b447b139707f92e2fbbc636ebfc5461ae81eefb3ab80f9c01c7cb02cb4ec3f1f2c252ff2f2c883f4503b97f2a75c1
-
Filesize
800B
MD53b3040bc922540dd844ac61e33fbc3e9
SHA1f8fe35c63ebb8517a44f53d317f436132bdf347a
SHA256b86b6827888f98e179104a559470c6b7a2115c2a5de8289a9773114f56ac4c6f
SHA5127996ef1aa3a1fa2b7613b1f0021e30e73c5b84b4d3ccbec5d30f47d1f30cc66438ec459e9da2e20194da34af13ca5c2f0790eafb0d7a78b43f2dc73d1943951c
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\tab_off.gif.happy
Filesize368B
MD5e6cd8e4ba5dc64519d27e7bb350b717a
SHA11ec062e9310b10b98dead78bd21a1a0701603cd5
SHA256c2bc9e14314558539aebbf7bb9b129b80bc93f0d96fcb3b045aefe4c333aab6d
SHA5122728634f69c55da4abe1b9690993bf2d27a86bf0fa84bb4f2aa21a4ced673e2908dd386237a6b015422484a07655f31d501cb17265fc55e587a2ad92ec48419c
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_GreenTea.gif.happy
Filesize21KB
MD5770c0dd6c443cf8f21326d74acbb5444
SHA1af6e5e52cddf0983ff722a72045325d403c38926
SHA256350c0eee530c4e11a625b2cbb057e6c0ab11f2f6b3e4f48e362da82922d168fc
SHA51277a91844efa9b87219586752734d868766cafdbe1eed090e8b82894af96e5830cf7d6965c519c4b2b58448bc415625594832fc8362ab6f9ef56cf6491dad8c71
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Slate\TAB_ON.GIF.happy
Filesize384B
MD5b30dd83b7ee92ddcf7bf51c4c674899d
SHA194b20cbeeb49bce97aee0594a7135b9cbb0029c8
SHA2565d5baf9efb4808b9dbace7498305cfee5d68cb8cb9b1c2cc2adf34836920d0fc
SHA5124cb52e68a87ea4b683136691ac6be9a699537d8ecd41ef898570a0ce3b9fb552f59e22c897d1d3f5e4b87616ca9e58af9b2572bc6afcfe29280f6542afcafb81
-
Filesize
944B
MD568944cddb9b17731cc983006dbe86242
SHA1dbbafd6cdd1dd9b72983dc3ab35cf2370f6750a1
SHA256de73caff92f04df02317677db57832760c9e8c34fae5dd2353ccd4aa1b192f5c
SHA512d0632543cafdae1bdc4d591d34f092e5e3ae0429dc3b67c94adeb150cd80815eb52773028e8a9230d1322cd4f15448593a869ce601e1b924d69779c0edb73629