Overview
overview
10Static
static
10ScreenCapt...r1.exe
windows7-x64
1ScreenCapt...r1.exe
windows10-2004-x64
1ScreenCapt...r2.exe
windows7-x64
1ScreenCapt...r2.exe
windows10-2004-x64
1ScreenCapt...rt.exe
windows7-x64
1ScreenCapt...rt.exe
windows10-2004-x64
1ScreenCapt...er.exe
windows7-x64
1ScreenCapt...er.exe
windows10-2004-x64
1ScreenCapt...ck.exe
windows7-x64
1ScreenCapt...ck.exe
windows10-2004-x64
1ScreenCapt...k1.exe
windows7-x64
1ScreenCapt...k1.exe
windows10-2004-x64
1ScreenCapt...k2.exe
windows7-x64
1ScreenCapt...k2.exe
windows10-2004-x64
1Setup (5).exe
windows7-x64
7Setup (5).exe
windows10-2004-x64
7Setup (6).exe
windows7-x64
7Setup (6).exe
windows10-2004-x64
7Supplement...16.scr
windows7-x64
3Supplement...16.scr
windows10-2004-x64
3T1.exe
windows7-x64
10T1.exe
windows10-2004-x64
10T1_b7afca7...b5.exe
windows7-x64
10T1_b7afca7...b5.exe
windows10-2004-x64
10TeenTube_90767.exe
windows7-x64
10TeenTube_90767.exe
windows10-2004-x64
10Trojan-Ran....a.exe
windows7-x64
3Trojan-Ran....a.exe
windows10-2004-x64
7Tuyen bo c...ed.doc
windows7-x64
4Tuyen bo c...ed.doc
windows10-2004-x64
1Tuyen bo c...ed.doc
windows7-x64
4Tuyen bo c...ed.doc
windows10-2004-x64
1Analysis
-
max time kernel
149s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
22-11-2024 03:46
Behavioral task
behavioral1
Sample
ScreenCapture_Win8.MalwareScanner1.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
ScreenCapture_Win8.MalwareScanner1.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
ScreenCapture_Win8.MalwareScanner2.exe
Resource
win7-20240708-en
Behavioral task
behavioral4
Sample
ScreenCapture_Win8.MalwareScanner2.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral5
Sample
ScreenCapture_Win8.PopupAlert.exe
Resource
win7-20240903-en
Behavioral task
behavioral6
Sample
ScreenCapture_Win8.PopupAlert.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral7
Sample
ScreenCapture_Win8.TaskServer.exe
Resource
win7-20241010-en
Behavioral task
behavioral8
Sample
ScreenCapture_Win8.TaskServer.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral9
Sample
ScreenCapture_Win8.WindowsLock.exe
Resource
win7-20241023-en
Behavioral task
behavioral10
Sample
ScreenCapture_Win8.WindowsLock.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral11
Sample
ScreenCapture_Win8.WindowsLock1.exe
Resource
win7-20241010-en
Behavioral task
behavioral12
Sample
ScreenCapture_Win8.WindowsLock1.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral13
Sample
ScreenCapture_Win8.WindowsLock2.exe
Resource
win7-20240903-en
Behavioral task
behavioral14
Sample
ScreenCapture_Win8.WindowsLock2.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral15
Sample
Setup (5).exe
Resource
win7-20240903-en
Behavioral task
behavioral16
Sample
Setup (5).exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral17
Sample
Setup (6).exe
Resource
win7-20241010-en
Behavioral task
behavioral18
Sample
Setup (6).exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral19
Sample
Supplementary Agreement 26_01_2016.scr
Resource
win7-20240903-en
Behavioral task
behavioral20
Sample
Supplementary Agreement 26_01_2016.scr
Resource
win10v2004-20241007-en
Behavioral task
behavioral21
Sample
T1.exe
Resource
win7-20240708-en
Behavioral task
behavioral22
Sample
T1.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral23
Sample
T1_b7afca788487347804156f052c613db5.exe
Resource
win7-20241010-en
Behavioral task
behavioral24
Sample
T1_b7afca788487347804156f052c613db5.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral25
Sample
TeenTube_90767.exe
Resource
win7-20240903-en
Behavioral task
behavioral26
Sample
TeenTube_90767.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral27
Sample
Trojan-Ransom.Win32.Telecrypt.a.exe
Resource
win7-20241010-en
Behavioral task
behavioral28
Sample
Trojan-Ransom.Win32.Telecrypt.a.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral29
Sample
Tuyen bo chung Viet Nam - Hoa Ky - Infected and EnCrypted.doc
Resource
win7-20240708-en
Behavioral task
behavioral30
Sample
Tuyen bo chung Viet Nam - Hoa Ky - Infected and EnCrypted.doc
Resource
win10v2004-20241007-en
Behavioral task
behavioral31
Sample
Tuyen bo chung Viet Nam - Hoa Ky - Infected.doc
Resource
win7-20241023-en
Behavioral task
behavioral32
Sample
Tuyen bo chung Viet Nam - Hoa Ky - Infected.doc
Resource
win10v2004-20241007-en
General
-
Target
T1_b7afca788487347804156f052c613db5.exe
-
Size
31KB
-
MD5
b7afca788487347804156f052c613db5
-
SHA1
dd3d9703c37589482344460d4c624f50dec7d077
-
SHA256
a41130085e6e7d7ed320599698d79af44da110a58d761e3dfb35e44500e6ac16
-
SHA512
a37d6ec993a3d0f19daffc3ff174b05707c12339c4475e88468135bca73572ee9b61fb1eae2fbb7285a3dc893b048da108cc54a0f6dec66983360483720eba7f
-
SSDEEP
768:eg1mvOSFR8d7OJecatzObxw7S0/o61xOxZKMggzCLYc3qFgxd:egcvOSFR8dVcPbxw7iQk2A/Fgx
Malware Config
Signatures
-
T1Happy
T1Happy ransomware is a cryptovirus that behaves different than its counterparts.
-
T1happy family
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (5434) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Disables RegEdit via registry modification 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" T1_b7afca788487347804156f052c613db5.exe -
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
-
Drops startup file 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini T1_b7afca788487347804156f052c613db5.exe -
Modifies file permissions 1 TTPs 1 IoCs
pid Process 1624 takeown.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Cortana = "C:\\Users\\Admin\\AppData\\Local\\Temp\\T1_b7afca788487347804156f052c613db5.exe" T1_b7afca788487347804156f052c613db5.exe Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Cortana = "C:\\Users\\Admin\\AppData\\Local\\Temp\\T1_b7afca788487347804156f052c613db5.exe" T1_b7afca788487347804156f052c613db5.exe -
Drops desktop.ini file(s) 17 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini T1_b7afca788487347804156f052c613db5.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini T1_b7afca788487347804156f052c613db5.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini T1_b7afca788487347804156f052c613db5.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini T1_b7afca788487347804156f052c613db5.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini T1_b7afca788487347804156f052c613db5.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini T1_b7afca788487347804156f052c613db5.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini T1_b7afca788487347804156f052c613db5.exe File created C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini T1_b7afca788487347804156f052c613db5.exe File created C:\Program Files (x86)\desktop.ini T1_b7afca788487347804156f052c613db5.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini T1_b7afca788487347804156f052c613db5.exe File created C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI T1_b7afca788487347804156f052c613db5.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini T1_b7afca788487347804156f052c613db5.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini T1_b7afca788487347804156f052c613db5.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini T1_b7afca788487347804156f052c613db5.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini T1_b7afca788487347804156f052c613db5.exe File created C:\Users\Admin\Desktop\desktop.ini T1_b7afca788487347804156f052c613db5.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI T1_b7afca788487347804156f052c613db5.exe -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 4 api.ipify.org 5 api.ipify.org -
Drops file in Program Files directory 64 IoCs
description ioc Process File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD01196_.WMF T1_b7afca788487347804156f052c613db5.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0199423.WMF T1_b7afca788487347804156f052c613db5.exe File created C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR23F.GIF T1_b7afca788487347804156f052c613db5.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\SplashImageMask.bmp T1_b7afca788487347804156f052c613db5.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\PLANNERS.ONE T1_b7afca788487347804156f052c613db5.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02742G.GIF T1_b7afca788487347804156f052c613db5.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Apex.xml T1_b7afca788487347804156f052c613db5.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Oasis\TAB_OFF.GIF T1_b7afca788487347804156f052c613db5.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Search5.api T1_b7afca788487347804156f052c613db5.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00686_.WMF T1_b7afca788487347804156f052c613db5.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WNTER_01.MID T1_b7afca788487347804156f052c613db5.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Microsoft.SharePoint.BusinessData.Administration.Client.xml T1_b7afca788487347804156f052c613db5.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\bg_Earthy.gif T1_b7afca788487347804156f052c613db5.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SECRECL.ICO T1_b7afca788487347804156f052c613db5.exe File created C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.CA.XML T1_b7afca788487347804156f052c613db5.exe File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\fr\Microsoft.Build.Conversion.v3.5.resources.dll T1_b7afca788487347804156f052c613db5.exe File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\novelty_h.png T1_b7afca788487347804156f052c613db5.exe File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\css\settings.css T1_b7afca788487347804156f052c613db5.exe File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01146_.WMF T1_b7afca788487347804156f052c613db5.exe File created C:\Program Files (x86)\Microsoft Office\Office14\GROOVEMN.EXE T1_b7afca788487347804156f052c613db5.exe File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BabyBlue.css T1_b7afca788487347804156f052c613db5.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PROOF\MSHY7EN.LEX T1_b7afca788487347804156f052c613db5.exe File created C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\PULLQUOTEBB.POC T1_b7afca788487347804156f052c613db5.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\bg_TexturedBlue.gif T1_b7afca788487347804156f052c613db5.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00057_.WMF T1_b7afca788487347804156f052c613db5.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02578_.WMF T1_b7afca788487347804156f052c613db5.exe File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\js\weather.js T1_b7afca788487347804156f052c613db5.exe File created C:\Program Files (x86)\Common Files\System\Ole DB\sqloledb.rll T1_b7afca788487347804156f052c613db5.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00369_.WMF T1_b7afca788487347804156f052c613db5.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD02075_.WMF T1_b7afca788487347804156f052c613db5.exe File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\IN00118_.WMF T1_b7afca788487347804156f052c613db5.exe File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107526.WMF T1_b7afca788487347804156f052c613db5.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0187883.WMF T1_b7afca788487347804156f052c613db5.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD10297_.GIF T1_b7afca788487347804156f052c613db5.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\SOA.DLL T1_b7afca788487347804156f052c613db5.exe File created C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PG_INDEX.XML T1_b7afca788487347804156f052c613db5.exe File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02053J.JPG T1_b7afca788487347804156f052c613db5.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO01560_.WMF T1_b7afca788487347804156f052c613db5.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21512_.GIF T1_b7afca788487347804156f052c613db5.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\ONENOTE.EXE T1_b7afca788487347804156f052c613db5.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\OIS_F_COL.HXK T1_b7afca788487347804156f052c613db5.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME08.CSS T1_b7afca788487347804156f052c613db5.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Oasis.css T1_b7afca788487347804156f052c613db5.exe File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\drag.png T1_b7afca788487347804156f052c613db5.exe File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\css\weather.css T1_b7afca788487347804156f052c613db5.exe File created C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\PDFFile_8.ico T1_b7afca788487347804156f052c613db5.exe File created C:\Program Files (x86)\Common Files\microsoft shared\ink\fr-FR\rtscom.dll.mui T1_b7afca788487347804156f052c613db5.exe File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105232.WMF T1_b7afca788487347804156f052c613db5.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0239953.WMF T1_b7afca788487347804156f052c613db5.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\CALSO11.POC T1_b7afca788487347804156f052c613db5.exe File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\settings.html T1_b7afca788487347804156f052c613db5.exe File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\js\init.js T1_b7afca788487347804156f052c613db5.exe File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeUpdater.dll T1_b7afca788487347804156f052c613db5.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\STUDIO\PREVIEW.GIF T1_b7afca788487347804156f052c613db5.exe File created C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Composite.eftx T1_b7afca788487347804156f052c613db5.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\ONENOTE_F_COL.HXK T1_b7afca788487347804156f052c613db5.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBWZINT.REST.IDX_DLL T1_b7afca788487347804156f052c613db5.exe File created C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-BoldIt.otf T1_b7afca788487347804156f052c613db5.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD01196_.WMF T1_b7afca788487347804156f052c613db5.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO01568_.WMF T1_b7afca788487347804156f052c613db5.exe File created C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR32F.GIF T1_b7afca788487347804156f052c613db5.exe File created C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\DataType\Priority.accft T1_b7afca788487347804156f052c613db5.exe File opened for modification C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Microsoft.mshtml.dll T1_b7afca788487347804156f052c613db5.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099188.JPG T1_b7afca788487347804156f052c613db5.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language T1_b7afca788487347804156f052c613db5.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WMIC.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language takeown.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2448 T1_b7afca788487347804156f052c613db5.exe 2448 T1_b7afca788487347804156f052c613db5.exe 2448 T1_b7afca788487347804156f052c613db5.exe 2448 T1_b7afca788487347804156f052c613db5.exe 2448 T1_b7afca788487347804156f052c613db5.exe 2448 T1_b7afca788487347804156f052c613db5.exe 2448 T1_b7afca788487347804156f052c613db5.exe 2448 T1_b7afca788487347804156f052c613db5.exe 2448 T1_b7afca788487347804156f052c613db5.exe 2448 T1_b7afca788487347804156f052c613db5.exe 2448 T1_b7afca788487347804156f052c613db5.exe 2448 T1_b7afca788487347804156f052c613db5.exe 2448 T1_b7afca788487347804156f052c613db5.exe 2448 T1_b7afca788487347804156f052c613db5.exe 2448 T1_b7afca788487347804156f052c613db5.exe 2448 T1_b7afca788487347804156f052c613db5.exe 2448 T1_b7afca788487347804156f052c613db5.exe 2448 T1_b7afca788487347804156f052c613db5.exe 2448 T1_b7afca788487347804156f052c613db5.exe 2448 T1_b7afca788487347804156f052c613db5.exe 2448 T1_b7afca788487347804156f052c613db5.exe 2448 T1_b7afca788487347804156f052c613db5.exe 2448 T1_b7afca788487347804156f052c613db5.exe 2448 T1_b7afca788487347804156f052c613db5.exe 2448 T1_b7afca788487347804156f052c613db5.exe 2448 T1_b7afca788487347804156f052c613db5.exe 2448 T1_b7afca788487347804156f052c613db5.exe 2448 T1_b7afca788487347804156f052c613db5.exe 2448 T1_b7afca788487347804156f052c613db5.exe 2448 T1_b7afca788487347804156f052c613db5.exe 2448 T1_b7afca788487347804156f052c613db5.exe 2448 T1_b7afca788487347804156f052c613db5.exe 2448 T1_b7afca788487347804156f052c613db5.exe 2448 T1_b7afca788487347804156f052c613db5.exe 2448 T1_b7afca788487347804156f052c613db5.exe 2448 T1_b7afca788487347804156f052c613db5.exe 2448 T1_b7afca788487347804156f052c613db5.exe 2448 T1_b7afca788487347804156f052c613db5.exe 2448 T1_b7afca788487347804156f052c613db5.exe 2448 T1_b7afca788487347804156f052c613db5.exe 2448 T1_b7afca788487347804156f052c613db5.exe 2448 T1_b7afca788487347804156f052c613db5.exe 2448 T1_b7afca788487347804156f052c613db5.exe 2448 T1_b7afca788487347804156f052c613db5.exe 2448 T1_b7afca788487347804156f052c613db5.exe 2448 T1_b7afca788487347804156f052c613db5.exe 2448 T1_b7afca788487347804156f052c613db5.exe 2448 T1_b7afca788487347804156f052c613db5.exe 2448 T1_b7afca788487347804156f052c613db5.exe 2448 T1_b7afca788487347804156f052c613db5.exe 2448 T1_b7afca788487347804156f052c613db5.exe 2448 T1_b7afca788487347804156f052c613db5.exe 2448 T1_b7afca788487347804156f052c613db5.exe 2448 T1_b7afca788487347804156f052c613db5.exe 2448 T1_b7afca788487347804156f052c613db5.exe 2448 T1_b7afca788487347804156f052c613db5.exe 2448 T1_b7afca788487347804156f052c613db5.exe 2448 T1_b7afca788487347804156f052c613db5.exe 2448 T1_b7afca788487347804156f052c613db5.exe 2448 T1_b7afca788487347804156f052c613db5.exe 2448 T1_b7afca788487347804156f052c613db5.exe 2448 T1_b7afca788487347804156f052c613db5.exe 2448 T1_b7afca788487347804156f052c613db5.exe 2448 T1_b7afca788487347804156f052c613db5.exe -
Suspicious use of AdjustPrivilegeToken 44 IoCs
description pid Process Token: SeDebugPrivilege 2448 T1_b7afca788487347804156f052c613db5.exe Token: SeIncreaseQuotaPrivilege 2552 WMIC.exe Token: SeSecurityPrivilege 2552 WMIC.exe Token: SeTakeOwnershipPrivilege 2552 WMIC.exe Token: SeLoadDriverPrivilege 2552 WMIC.exe Token: SeSystemProfilePrivilege 2552 WMIC.exe Token: SeSystemtimePrivilege 2552 WMIC.exe Token: SeProfSingleProcessPrivilege 2552 WMIC.exe Token: SeIncBasePriorityPrivilege 2552 WMIC.exe Token: SeCreatePagefilePrivilege 2552 WMIC.exe Token: SeBackupPrivilege 2552 WMIC.exe Token: SeRestorePrivilege 2552 WMIC.exe Token: SeShutdownPrivilege 2552 WMIC.exe Token: SeDebugPrivilege 2552 WMIC.exe Token: SeSystemEnvironmentPrivilege 2552 WMIC.exe Token: SeRemoteShutdownPrivilege 2552 WMIC.exe Token: SeUndockPrivilege 2552 WMIC.exe Token: SeManageVolumePrivilege 2552 WMIC.exe Token: 33 2552 WMIC.exe Token: 34 2552 WMIC.exe Token: 35 2552 WMIC.exe Token: SeIncreaseQuotaPrivilege 2552 WMIC.exe Token: SeSecurityPrivilege 2552 WMIC.exe Token: SeTakeOwnershipPrivilege 2552 WMIC.exe Token: SeLoadDriverPrivilege 2552 WMIC.exe Token: SeSystemProfilePrivilege 2552 WMIC.exe Token: SeSystemtimePrivilege 2552 WMIC.exe Token: SeProfSingleProcessPrivilege 2552 WMIC.exe Token: SeIncBasePriorityPrivilege 2552 WMIC.exe Token: SeCreatePagefilePrivilege 2552 WMIC.exe Token: SeBackupPrivilege 2552 WMIC.exe Token: SeRestorePrivilege 2552 WMIC.exe Token: SeShutdownPrivilege 2552 WMIC.exe Token: SeDebugPrivilege 2552 WMIC.exe Token: SeSystemEnvironmentPrivilege 2552 WMIC.exe Token: SeRemoteShutdownPrivilege 2552 WMIC.exe Token: SeUndockPrivilege 2552 WMIC.exe Token: SeManageVolumePrivilege 2552 WMIC.exe Token: 33 2552 WMIC.exe Token: 34 2552 WMIC.exe Token: 35 2552 WMIC.exe Token: SeBackupPrivilege 2992 vssvc.exe Token: SeRestorePrivilege 2992 vssvc.exe Token: SeAuditPrivilege 2992 vssvc.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 2448 wrote to memory of 2552 2448 T1_b7afca788487347804156f052c613db5.exe 30 PID 2448 wrote to memory of 2552 2448 T1_b7afca788487347804156f052c613db5.exe 30 PID 2448 wrote to memory of 2552 2448 T1_b7afca788487347804156f052c613db5.exe 30 PID 2448 wrote to memory of 2552 2448 T1_b7afca788487347804156f052c613db5.exe 30 PID 2448 wrote to memory of 2516 2448 T1_b7afca788487347804156f052c613db5.exe 32 PID 2448 wrote to memory of 2516 2448 T1_b7afca788487347804156f052c613db5.exe 32 PID 2448 wrote to memory of 2516 2448 T1_b7afca788487347804156f052c613db5.exe 32 PID 2448 wrote to memory of 2516 2448 T1_b7afca788487347804156f052c613db5.exe 32 PID 2516 wrote to memory of 1624 2516 cmd.exe 34 PID 2516 wrote to memory of 1624 2516 cmd.exe 34 PID 2516 wrote to memory of 1624 2516 cmd.exe 34 PID 2516 wrote to memory of 1624 2516 cmd.exe 34 -
System policy modification 1 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" T1_b7afca788487347804156f052c613db5.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" T1_b7afca788487347804156f052c613db5.exe -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe"C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe"1⤵
- Disables RegEdit via registry modification
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2448 -
C:\Windows\SysWOW64\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2552
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\"."2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2516 -
C:\Windows\SysWOW64\takeown.exetakeown /f C:\Windows\"."3⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
PID:1624
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2992
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
File and Directory Permissions Modification
1Indicator Removal
1File Deletion
1Modify Registry
2Credential Access
Credentials from Password Stores
2Credentials from Web Browsers
1Windows Credential Manager
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
5KB
MD5ecc6ad187afb852e1124a11948d717c7
SHA11bc568dfc6b3c5ee85ca53503b3c24f326cdc07b
SHA2566882f85ea4412e959b67559489d99cef2563c81fef5b670636c485623953113e
SHA5127149c96725318fce487781d6e75569d8a416a24827cfa73ae328e9067fde736d4c366e412d45e7fddf78abbbae1b024e54bb5e3d42fccda6fd3f617c87c5c88e
-
Filesize
7KB
MD5dfdfa7968e30d080c92e73382b7ad613
SHA1922ec2ae87168e3edac21832aed24d42d282bc00
SHA25693ff0e222afab754ae2b2cf276a1d76f45e145ee69a8f468878f00cf7d1b322a
SHA512dfa8f4a6d9d47403297cd241c97ec7efcda0d692fb298c95e328b4b1ab0cbacfafd8aaaff3e02d674d93687349a9cd5b7fad46d8656ddbd8fa949aa8bde0b180
-
Filesize
86KB
MD52558ef056df5e4e97a4fa27f16481023
SHA1762c12cd56f3a0d633db16e223cfc7925a47ed46
SHA2561156639d880239885d86a4368589fe34e70f865bbbfa92c3a6caf1c6a10679aa
SHA512aabc77246e430aaf9015a9e492ff51246ef3ab5b4c88fd4d647c384dc01c04627ab061ed7dacf3ec5334575da92f5658c1cdd62ac62a28a4f1932c1b7be45abd
-
Filesize
12KB
MD50631c9289dd12bdd2d86b957e5645042
SHA1a12984308b203566743fab55131c2f7d846d17b8
SHA2560bcceb244bda31a001d10d891809ce5da34ec9e9832ca031f766c5b3e7c487fe
SHA5121255ef475443ef3b30319ddc216d084dd417e57214ee634157a42c95dccbdce83673da6c86a625ff8164e775282220fab402dde8bf2ebc3d919a45f97a975342
-
Filesize
480B
MD5711debe6687d027d800aa3259e9b2a97
SHA1c3b033f326b44b5e23256c568f1d924cec6c9ac4
SHA256b26aa860bce45a2d83b3d6b4cfffc914fd0d1128b4a6ae0a6d7dd00d237d37f6
SHA51254d70efae94a0fcf6491f3eb7822ec62e5d501bdd7a41b1076ca04a90acc4602cec66f4f8286c1e4fbc47faf2b7b05cefa60e9a1a6081c298c32a56cc2600924
-
Filesize
624B
MD55bf105366e4ecb8449f913a620268bfd
SHA1677f1bba7201fb75dc931bdeace9b2c9b1faa019
SHA256b65bef0b0d098812333dd9ff981f880a16100da1e627156a0f30ed5d06c39c30
SHA512127c292996f1a9b905572468658942487a44820e60050b76c7f1b37c84a2f0fad2f751cf9a6154ae5c0f9fbc63c93f77930272ef7d1f8fc3edd11d25f39787bc
-
Filesize
272B
MD512dca072b2af4e4c901725b0b3f2c9b6
SHA1cff347dc5e3ed5e099bc7d8f2c0d48632b763940
SHA2560c105dd3d9afefbf31bfb293164d3cc9d0e6ddec159b93b6a4fe90d1623ffcc9
SHA5128ff7fdd48af1dc3a9b7bc54529781107b1b8068dd0b228683ce4a748292f2fb8afbb0d2624e1994a3d033a2499e3d2422e47e0e76036ad75528a0dbb2b3ed520
-
Filesize
640B
MD5ecf027991bb9d29280c2be7074cc64c9
SHA139a7baa0656083a67032f6b1e75c86e8ebaafd38
SHA2560ade54e74738bd5b4889d2f9eaf289a11003c5f80be33074c8fb6d2493bf672f
SHA51217ec5b5d54d9000f0ee17fa209e8eb50fe398310e66e640a3fc8877b431f7974409ca71d71805a4da7e93326a34005884a497b1bb165304fb741079fe169ceed
-
Filesize
5KB
MD5d01ee4fabad8fcc5d0d6dfb88fcd1bb1
SHA1bfa5da0047bc3e1b70ad6422d292c53285ac9414
SHA256f4066775c51f9fe580a0ef68133ca52a03fcd523547e7d5e30e769f8bf31db4d
SHA5127f2d9c3fd250f2d6400a11ed79025a89c4fa30a808e176cab0dfcead44cc61cb9776d1e0cd3fa3227b8562d076349587557f1ea6d3eb36c04ec5089040f08514
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_SlateBlue.gif.happy
Filesize20KB
MD50152828605eae9fa0cf175aa276042fd
SHA19b9888b8ea1d323cfe802844a3d22a8ad24daffd
SHA256977308a90a109fa2eb4ae9b67eeb915d72cf1455780d929db98ce5f099e38916
SHA51283acd2fefacd37d2fd8f10e90af421d7e0083769534996a99b87503b86cbdc8c4b82dd5a267ec243b582764d57eae1576c0458663325e83db557761901095a28