t1happy | 5015af8fb5725c4c9ebac28a890128587b888acddab6cc9ff06e94e782713882

Analysis

max time kernel
150s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-11-2024 03:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

T1.exe
Size

31KB
MD5

29cdb46d2e01f2efb9644c7695a007bb
SHA1

c276166bddcbcc093cf0b7164c4233745eda6cf5
SHA256

3ed94c1b319454f6122a05ef124e5bc8eefc60a3d81987fb712c7af78726e6b3
SHA512

fcce8e8a5c0689cf79dc4ca46ff0bbad6f4c5b8c74dbbb186e1e9df3988fa75526c00dfb6b8181ede6f0e5f1496b96caf23cc59de8c774a70812b1b0b5a590a8
SSDEEP

768:sg1mvOSFUyD+W4e4++sqzYbxw7S0/oc1xO2ISMggtCLYc3qFgxd:sgcvOSFfEe4+tbxw7iCkwe/Fgx

Score

10^/10

t1happy credential_access defense_evasion discovery evasion execution impact persistence ransomware spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
mail.gmx.net
Port:
587
Username:
[email protected]
Password:
cuF.7P\Bv#C>`pu)

Signatures

T1Happy
T1Happy ransomware is a cryptovirus that behaves different than its counterparts.
trojan ransomware t1happy
T1happy family
t1happy
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (3541) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Disables RegEdit via registry modification 1 IoCs
evasion

Processes:

T1.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" T1.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

T1.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation T1.exe
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004
Drops startup file 1 IoCs

Processes:

T1.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini T1.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

takeown.exe

pid process

1436 takeown.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	T1.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	T1.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	T1.exe

pid	process
1436	takeown.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

T1.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cortana = "C:\\Users\\Admin\\AppData\\Local\\Temp\\T1.exe"	T1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cortana = "C:\\Users\\Admin\\AppData\\Local\\Temp\\T1.exe"	T1.exe

Drops desktop.ini file(s) 15 IoCs

Processes:

T1.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	T1.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	T1.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	T1.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	T1.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	T1.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	T1.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	T1.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	T1.exe
File created	C:\Users\Admin\Desktop\desktop.ini	T1.exe
File created	C:\Program Files (x86)\desktop.ini	T1.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	T1.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	T1.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	T1.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	T1.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	T1.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

12 api.ipify.org
13 api.ipify.org

flow	ioc
12	api.ipify.org
13	api.ipify.org

Drops file in Program Files directory 64 IoCs

Processes:

T1.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\cs_get.svg	T1.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\da.pak	T1.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\msedgeupdateres_iw.dll	T1.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\msedgeupdateres_ug.dll	T1.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\fr\Microsoft.PowerShell.PackageManagement.resources.dll	T1.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\cs-cz\ui-strings.js	T1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\review_poster.jpg	T1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\de_get.svg	T1.exe
File created	C:\Program Files (x86)\Common Files\System\msadc\en-US\msaddsr.dll.mui	T1.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\goopdateres_no.dll	T1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\es-es\ui-strings.js	T1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\themes\dark\rhp_world_icon_hover.png	T1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\selector.js	T1.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\MicrosoftEdgeUpdate.exe	T1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\ru-ru\ui-strings.js	T1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\es-419_get.svg	T1.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\AdobeHunspellPlugin.dll	T1.exe
File created	C:\Program Files (x86)\Common Files\System\de-DE\wab32res.dll.mui	T1.exe
File created	C:\Program Files (x86)\Common Files\System\msadc\it-IT\msadcor.dll.mui	T1.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\microsoft_shell_integration.dll	T1.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\ja\ReachFramework.resources.dll	T1.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\core_icons_retina.png	T1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\zh-cn\ui-strings.js	T1.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\sk-sk\ui-strings.js	T1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\ro-ro\ui-strings.js	T1.exe
File created	C:\Program Files (x86)\Common Files\System\Ole DB\ja-JP\sqloledb.rll.mui	T1.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\mk.pak.DATA	T1.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\msedgeupdateres_sr-Cyrl-BA.dll	T1.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Data.Services.Design.resources.dll	T1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_filterselected-dark-focus_32.svg	T1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\tr-tr\ui-strings.js	T1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\pt-br\ui-strings.js	T1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\sl-si\ui-strings.js	T1.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\ar-ae\ui-strings.js	T1.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\BeOfType.ps1	T1.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main-cef-mac.css	T1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\plugins\rhp\combinepdf-selector.js	T1.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\tool-search.png	T1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\de-de\ui-strings.js	T1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\da-dk\ui-strings.js	T1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Appstore\Download_on_the_App_Store_Badge_pt_135x40.svg	T1.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\dd_arrow_small.png	T1.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\SaslPrepProfile_norm_bidi.spp	T1.exe
File created	C:\Program Files (x86)\Common Files\System\Ole DB\fr-FR\msdasqlr.dll.mui	T1.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe	T1.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\ja-JP\MSFT_PackageManagementSource.strings.psd1	T1.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\LICENSE	T1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\text_2x.png	T1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\nl_get.svg	T1.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\msedgeupdate.dll	T1.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\fil.pak	T1.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\lo.pak	T1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\HighBeamCardLogo.png	T1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\fr-fr\ui-strings.js	T1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\cs-cz\ui-strings.js	T1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\fr-ma\ui-strings.js	T1.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\msedgeupdateres_kok.dll	T1.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\msedgeupdateres_lv.dll	T1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\ca-es\ui-strings.js	T1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\check-mark-1x.png	T1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\nl-nl\ui-strings.js	T1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\tr-tr\ui-strings.js	T1.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\uk-ua\ui-strings.js	T1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\sl-si\ui-strings.js	T1.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

takeown.exeT1.execmd.exeWMIC.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	T1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

T1.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	T1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	T1.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

T1.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	T1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	T1.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

T1.exe

pid	process
3020	T1.exe
3020	T1.exe
3020	T1.exe
3020	T1.exe
3020	T1.exe
3020	T1.exe
3020	T1.exe
3020	T1.exe
3020	T1.exe
3020	T1.exe
3020	T1.exe
3020	T1.exe
3020	T1.exe
3020	T1.exe
3020	T1.exe
3020	T1.exe
3020	T1.exe
3020	T1.exe
3020	T1.exe
3020	T1.exe
3020	T1.exe
3020	T1.exe
3020	T1.exe
3020	T1.exe
3020	T1.exe
3020	T1.exe
3020	T1.exe
3020	T1.exe
3020	T1.exe
3020	T1.exe
3020	T1.exe
3020	T1.exe
3020	T1.exe
3020	T1.exe
3020	T1.exe
3020	T1.exe
3020	T1.exe
3020	T1.exe
3020	T1.exe
3020	T1.exe
3020	T1.exe
3020	T1.exe
3020	T1.exe
3020	T1.exe
3020	T1.exe
3020	T1.exe
3020	T1.exe
3020	T1.exe
3020	T1.exe
3020	T1.exe
3020	T1.exe
3020	T1.exe
3020	T1.exe
3020	T1.exe
3020	T1.exe
3020	T1.exe
3020	T1.exe
3020	T1.exe
3020	T1.exe
3020	T1.exe
3020	T1.exe
3020	T1.exe
3020	T1.exe
3020	T1.exe

Suspicious use of AdjustPrivilegeToken 43 IoCs

Processes:

T1.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	3020	T1.exe
Token: SeIncreaseQuotaPrivilege	1032	WMIC.exe
Token: SeSecurityPrivilege	1032	WMIC.exe
Token: SeTakeOwnershipPrivilege	1032	WMIC.exe
Token: SeLoadDriverPrivilege	1032	WMIC.exe
Token: SeSystemProfilePrivilege	1032	WMIC.exe
Token: SeSystemtimePrivilege	1032	WMIC.exe
Token: SeProfSingleProcessPrivilege	1032	WMIC.exe
Token: SeIncBasePriorityPrivilege	1032	WMIC.exe
Token: SeCreatePagefilePrivilege	1032	WMIC.exe
Token: SeBackupPrivilege	1032	WMIC.exe
Token: SeRestorePrivilege	1032	WMIC.exe
Token: SeShutdownPrivilege	1032	WMIC.exe
Token: SeDebugPrivilege	1032	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1032	WMIC.exe
Token: SeRemoteShutdownPrivilege	1032	WMIC.exe
Token: SeUndockPrivilege	1032	WMIC.exe
Token: SeManageVolumePrivilege	1032	WMIC.exe
Token: 33	1032	WMIC.exe
Token: 34	1032	WMIC.exe
Token: 35	1032	WMIC.exe
Token: 36	1032	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1032	WMIC.exe
Token: SeSecurityPrivilege	1032	WMIC.exe
Token: SeTakeOwnershipPrivilege	1032	WMIC.exe
Token: SeLoadDriverPrivilege	1032	WMIC.exe
Token: SeSystemProfilePrivilege	1032	WMIC.exe
Token: SeSystemtimePrivilege	1032	WMIC.exe
Token: SeProfSingleProcessPrivilege	1032	WMIC.exe
Token: SeIncBasePriorityPrivilege	1032	WMIC.exe
Token: SeCreatePagefilePrivilege	1032	WMIC.exe
Token: SeBackupPrivilege	1032	WMIC.exe
Token: SeRestorePrivilege	1032	WMIC.exe
Token: SeShutdownPrivilege	1032	WMIC.exe
Token: SeDebugPrivilege	1032	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1032	WMIC.exe
Token: SeRemoteShutdownPrivilege	1032	WMIC.exe
Token: SeUndockPrivilege	1032	WMIC.exe
Token: SeManageVolumePrivilege	1032	WMIC.exe
Token: 33	1032	WMIC.exe
Token: 34	1032	WMIC.exe
Token: 35	1032	WMIC.exe
Token: 36	1032	WMIC.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

T1.execmd.exe

description	pid	process	target process
PID 3020 wrote to memory of 1032	3020	T1.exe	WMIC.exe
PID 3020 wrote to memory of 1032	3020	T1.exe	WMIC.exe
PID 3020 wrote to memory of 1032	3020	T1.exe	WMIC.exe
PID 3020 wrote to memory of 2380	3020	T1.exe	cmd.exe
PID 3020 wrote to memory of 2380	3020	T1.exe	cmd.exe
PID 3020 wrote to memory of 2380	3020	T1.exe	cmd.exe
PID 2380 wrote to memory of 1436	2380	cmd.exe	takeown.exe
PID 2380 wrote to memory of 1436	2380	cmd.exe	takeown.exe
PID 2380 wrote to memory of 1436	2380	cmd.exe	takeown.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

T1.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	T1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	T1.exe

C:\Users\Admin\AppData\Local\Temp\T1.exe
"C:\Users\Admin\AppData\Local\Temp\T1.exe"
1⤵
- Disables RegEdit via registry modification
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3020
- C:\Windows\SysWOW64\wbem\WMIC.exe
  "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1032
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\"."
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2380
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f C:\Windows\"."
    3⤵
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID:1436

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:4304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_newfolder_dark_18.svg.happy

Filesize
512B

MD5
4f0891c2ded36c5f2db1aa8ae3d55faf

SHA1
8f080c829e9b8ce3e2f91cd78eff628a7706fff2

SHA256
91da07609ecb7fd43b88a2e0144da75dcbb760288fc933b1101e3701aca0a733

SHA512
cfff4474f71f367b3b8b1afac36adc69de1891bffde1fab51dff96d104e904fd075d14e158211c22529ec0148546c5d641b4be2607ff9486c76d9212854c17f2

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_sortedby_18.svg.happy

Filesize
800B

MD5
42240d1a3c45802abc0ca74f72198c47

SHA1
61f5f0868314842176db8e6dd0dd2e0ee461c63b

SHA256
61272fc5f44eaf8665374bb6e2ebb2d0bfea891170415cc54eb1816fda3852fc

SHA512
198bc16029197e5f0e51a93b984cd2bab6b3d8b4e559130d51ad32ec925674c3d67dbe8a828e9360a3ad23ac363433ab0924736a2afd03b3e44378386e1451a5

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\en-il\ui-strings.js.happy

Filesize
8KB

MD5
701acb6cd76878c3b9d6436498b503f5

SHA1
f72ab520fc6e287acd583d1a042283617d5860f6

SHA256
d6375673be32dfd858072183457d25a00ada4ce5c0f026df42a836b617e4afaf

SHA512
b8c8d1ccfdf478c58e962c7e54154283cbbf0c441ca5e19958e13eed4be1866d310686f54f519c38ab75e87dd9c26cce228d80e4439a6415dd32176e899b9208

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\MobileScanCard_Light.pdf.happy

Filesize
54KB

MD5
0ca6331c3c243b6ed90d9a87e6e52d9d

SHA1
e305c9698f415ff18dd78efea0926d3cc9dff796

SHA256
03658e38d724208c11bd3f71b364cbae354f0e75d09ea42d5229d89da8f30b38

SHA512
b41520af5f95cefd0ce9645d3724671c6037a39eea2ec99fa662af533a8c240c1ad44a17bac76b39d798083ff9e657a2907d711371deeccfda3c34aee65ae671

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\fr-ma\ui-strings.js.happy

Filesize
16KB

MD5
75ffcf237a92b1d89f6a63c7edd98eb8

SHA1
fca7e5c5dbbc9452dc04027f68116f85e6be2426

SHA256
d8b7fc30edc03deb99330ebc05d326ed1778144af354c26ad89e8bfda9f2d17c

SHA512
4be69ff99fc14fe5aca2eb299b1afbe3f4d9049e6fb43b7e843a18f2bb62e8618c5de53d37ea803563f3688b828da129e3e375eedb520ff02a31408fd5b45f85

Download Submit
C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB_EURO.txt.happy

Filesize
32KB

MD5
91b3d6b33edcc1bacfc0aa56044dec50

SHA1
30ede062033db9dafa0d10f21455d2ff37e9fbce

SHA256
ab2b6ced63eb37a20a35cf4e4ad528ba9f65153f252778d57ce78f4d2877e323

SHA512
8ccdae7e2952db0790e0a75dcf3cab03bd682e2f679cfd5d9f26e651cd04a3039f6aa67250b4dd98f08d76794a073443a3786a0fca570c60b85ca1ad40c9b197

Download Submit
C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt.happy

Filesize
32KB

MD5
6f118d716bd4ccea7ec9cd4120b65517

SHA1
bafc6658eceaf641acbed5ea27908affe5948feb

SHA256
6d85a741e3eaad778cb9b8d78603f41f9e9468df3fae451b5a8a6c715887bf4c

SHA512
63856de4a9c156fb2e77aebdb02433e3dd0b4ef921668e6538b811923a09f4b79dd98d807a33c8e68f481263b19da5fc07be42578ced13b3ffb68f17e48ae0e1

Download Submit
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_85250\javaws.exe.happy

Filesize
465KB

MD5
e31a3af09fbec3499d86b13ca00db15f

SHA1
3399ac057ac90d30fa9939186e09a43acbf3269d

SHA256
625c3197108a89bdaa510d34037dd4bb75d713b16159dea3810e6558645b2267

SHA512
c41f66eecda03b74b91eea96722fbdb331d700583a728248c0999e77ed644d0329831d32d4e710049175ee6653007c1779897a9fce6bfd1be10632c7ee6f8645

Download Submit
C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\MicrosoftEdgeUpdate.exe

Filesize
209KB

MD5
d2b55a2889841917e4ec47cfad3931b0

SHA1
ca10301ea19afad11ad1a22c3c5d39d9540849a9

SHA256
48d94c284f5a0558a32652e63f7f4c80c63b04f6e050d6f4fc53fd9a56b3e9aa

SHA512
013056cc50e52828873f4a33aef844c213ebb68868aed6ad63f83208b45e5c6e927d43f83f07c60588246b9fbe846be0c14fc040ea349bdcf071876e93839d07

Download Submit
memory/3020-5-0x00000000055B0000-0x00000000055BA000-memory.dmp

Filesize
40KB

Download
memory/3020-808-0x0000000074F20000-0x00000000756D0000-memory.dmp

Filesize
7.7MB

Download
memory/3020-142-0x0000000074F2E000-0x0000000074F2F000-memory.dmp

Filesize
4KB

Download
memory/3020-8-0x0000000006FB0000-0x0000000007016000-memory.dmp

Filesize
408KB

Download
memory/3020-7-0x0000000074F20000-0x00000000756D0000-memory.dmp

Filesize
7.7MB

Download
memory/3020-6-0x00000000057B0000-0x0000000005806000-memory.dmp

Filesize
344KB

Download
memory/3020-0-0x0000000074F2E000-0x0000000074F2F000-memory.dmp

Filesize
4KB

Download
memory/3020-4-0x0000000005620000-0x00000000056B2000-memory.dmp

Filesize
584KB

Download
memory/3020-3-0x0000000005B30000-0x00000000060D4000-memory.dmp

Filesize
5.6MB

Download
memory/3020-2-0x00000000054E0000-0x000000000557C000-memory.dmp

Filesize
624KB

Download
memory/3020-1-0x0000000000C30000-0x0000000000C3E000-memory.dmp

Filesize
56KB

Download