Overview

overview

10

Static

static

10

ScreenCapt...r1.exe

windows7-x64

1

ScreenCapt...r1.exe

windows10-2004-x64

1

ScreenCapt...r2.exe

windows7-x64

1

ScreenCapt...r2.exe

windows10-2004-x64

1

ScreenCapt...rt.exe

windows7-x64

1

ScreenCapt...rt.exe

windows10-2004-x64

1

ScreenCapt...er.exe

windows7-x64

1

ScreenCapt...er.exe

windows10-2004-x64

1

ScreenCapt...ck.exe

windows7-x64

1

ScreenCapt...ck.exe

windows10-2004-x64

1

ScreenCapt...k1.exe

windows7-x64

1

ScreenCapt...k1.exe

windows10-2004-x64

1

ScreenCapt...k2.exe

windows7-x64

1

ScreenCapt...k2.exe

windows10-2004-x64

1

Setup (5).exe

windows7-x64

7

Setup (5).exe

windows10-2004-x64

7

Setup (6).exe

windows7-x64

7

Setup (6).exe

windows10-2004-x64

7

Supplement...16.scr

windows7-x64

3

Supplement...16.scr

windows10-2004-x64

3

T1.exe

windows7-x64

10

T1.exe

windows10-2004-x64

10

T1_b7afca7...b5.exe

windows7-x64

10

T1_b7afca7...b5.exe

windows10-2004-x64

10

TeenTube_90767.exe

windows7-x64

10

TeenTube_90767.exe

windows10-2004-x64

10

Trojan-Ran....a.exe

windows7-x64

3

Trojan-Ran....a.exe

windows10-2004-x64

7

Tuyen bo c...ed.doc

windows7-x64

4

Tuyen bo c...ed.doc

windows10-2004-x64

1

Tuyen bo c...ed.doc

windows7-x64

4

Tuyen bo c...ed.doc

windows10-2004-x64

1

Analysis

  • max time kernel
    149s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    22-11-2024 03:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    T1_b7afca788487347804156f052c613db5.exe

  • Size

    31KB

  • MD5

    b7afca788487347804156f052c613db5

  • SHA1

    dd3d9703c37589482344460d4c624f50dec7d077

  • SHA256

    a41130085e6e7d7ed320599698d79af44da110a58d761e3dfb35e44500e6ac16

  • SHA512

    a37d6ec993a3d0f19daffc3ff174b05707c12339c4475e88468135bca73572ee9b61fb1eae2fbb7285a3dc893b048da108cc54a0f6dec66983360483720eba7f

  • SSDEEP

    768:eg1mvOSFR8d7OJecatzObxw7S0/o61xOxZKMggzCLYc3qFgxd:egcvOSFR8dVcPbxw7iQk2A/Fgx

Score
10/10
t1happycredential_accessdefense_evasiondiscoveryevasionexecutionimpactpersistenceransomwarespywarestealertrojan

Malware Config

Signatures

  • T1Happy

    T1Happy ransomware is a cryptovirus that behaves different than its counterparts.

    trojanransomwaret1happy
  • T1happy family
    t1happy
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution
  • Renames multiple (5434) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

    credential_accessstealer
  • Drops startup file 1 IoCs
  • Modifies file permissions 1 TTPs 1 IoCs
    discovery
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops desktop.ini file(s) 17 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 44 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe
    "C:\Users\Admin\AppData\Local\Temp\T1_b7afca788487347804156f052c613db5.exe"
    1⤵
    • Disables RegEdit via registry modification
    • Drops startup file
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2448
    • C:\Windows\SysWOW64\wbem\WMIC.exe
      "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:2552
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\"."
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2516
      • C:\Windows\SysWOW64\takeown.exe
        takeown /f C:\Windows\"."
        3⤵
        • Modifies file permissions
        • System Location Discovery: System Language Discovery
        PID:1624
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

1
T1047

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

File and Directory Permissions Modification

1
T1222

Indicator Removal

1
T1070

File Deletion

1
T1070.004

Modify Registry

2
T1112

Credential Access

Credentials from Password Stores

2
T1555

Credentials from Web Browsers

1
T1555.003

Windows Credential Manager

1
T1555.004

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

System Information Discovery

1
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

1
T1490

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099198.GIF.happy
    Filesize

    5KB

    MD5

    ecc6ad187afb852e1124a11948d717c7

    SHA1

    1bc568dfc6b3c5ee85ca53503b3c24f326cdc07b

    SHA256

    6882f85ea4412e959b67559489d99cef2563c81fef5b670636c485623953113e

    SHA512

    7149c96725318fce487781d6e75569d8a416a24827cfa73ae328e9067fde736d4c366e412d45e7fddf78abbbae1b024e54bb5e3d42fccda6fd3f617c87c5c88e

    Download Submit

  • C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152696.WMF.happy
    Filesize

    7KB

    MD5

    dfdfa7968e30d080c92e73382b7ad613

    SHA1

    922ec2ae87168e3edac21832aed24d42d282bc00

    SHA256

    93ff0e222afab754ae2b2cf276a1d76f45e145ee69a8f468878f00cf7d1b322a

    SHA512

    dfa8f4a6d9d47403297cd241c97ec7efcda0d692fb298c95e328b4b1ab0cbacfafd8aaaff3e02d674d93687349a9cd5b7fad46d8656ddbd8fa949aa8bde0b180

    Download Submit

  • C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382954.JPG.happy
    Filesize

    86KB

    MD5

    2558ef056df5e4e97a4fa27f16481023

    SHA1

    762c12cd56f3a0d633db16e223cfc7925a47ed46

    SHA256

    1156639d880239885d86a4368589fe34e70f865bbbfa92c3a6caf1c6a10679aa

    SHA512

    aabc77246e430aaf9015a9e492ff51246ef3ab5b4c88fd4d647c384dc01c04627ab061ed7dacf3ec5334575da92f5658c1cdd62ac62a28a4f1932c1b7be45abd

    Download Submit

  • C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03380I.JPG.happy
    Filesize

    12KB

    MD5

    0631c9289dd12bdd2d86b957e5645042

    SHA1

    a12984308b203566743fab55131c2f7d846d17b8

    SHA256

    0bcceb244bda31a001d10d891809ce5da34ec9e9832ca031f766c5b3e7c487fe

    SHA512

    1255ef475443ef3b30319ddc216d084dd417e57214ee634157a42c95dccbdce83673da6c86a625ff8164e775282220fab402dde8bf2ebc3d919a45f97a975342

    Download Submit

  • C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01246_.GIF.happy
    Filesize

    480B

    MD5

    711debe6687d027d800aa3259e9b2a97

    SHA1

    c3b033f326b44b5e23256c568f1d924cec6c9ac4

    SHA256

    b26aa860bce45a2d83b3d6b4cfffc914fd0d1128b4a6ae0a6d7dd00d237d37f6

    SHA512

    54d70efae94a0fcf6491f3eb7822ec62e5d501bdd7a41b1076ca04a90acc4602cec66f4f8286c1e4fbc47faf2b7b05cefa60e9a1a6081c298c32a56cc2600924

    Download Submit

  • C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01742_.GIF.happy
    Filesize

    624B

    MD5

    5bf105366e4ecb8449f913a620268bfd

    SHA1

    677f1bba7201fb75dc931bdeace9b2c9b1faa019

    SHA256

    b65bef0b0d098812333dd9ff981f880a16100da1e627156a0f30ed5d06c39c30

    SHA512

    127c292996f1a9b905572468658942487a44820e60050b76c7f1b37c84a2f0fad2f751cf9a6154ae5c0f9fbc63c93f77930272ef7d1f8fc3edd11d25f39787bc

    Download Submit

  • C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21518_.GIF.happy
    Filesize

    272B

    MD5

    12dca072b2af4e4c901725b0b3f2c9b6

    SHA1

    cff347dc5e3ed5e099bc7d8f2c0d48632b763940

    SHA256

    0c105dd3d9afefbf31bfb293164d3cc9d0e6ddec159b93b6a4fe90d1623ffcc9

    SHA512

    8ff7fdd48af1dc3a9b7bc54529781107b1b8068dd0b228683ce4a748292f2fb8afbb0d2624e1994a3d033a2499e3d2422e47e0e76036ad75528a0dbb2b3ed520

    Download Submit

  • C:\Program Files (x86)\Microsoft Office\Office14\1033\OIS_COL.HXC.happy
    Filesize

    640B

    MD5

    ecf027991bb9d29280c2be7074cc64c9

    SHA1

    39a7baa0656083a67032f6b1e75c86e8ebaafd38

    SHA256

    0ade54e74738bd5b4889d2f9eaf289a11003c5f80be33074c8fb6d2493bf672f

    SHA512

    17ec5b5d54d9000f0ee17fa209e8eb50fe398310e66e640a3fc8877b431f7974409ca71d71805a4da7e93326a34005884a497b1bb165304fb741079fe169ceed

    Download Submit

  • C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR46F.GIF.happy
    Filesize

    5KB

    MD5

    d01ee4fabad8fcc5d0d6dfb88fcd1bb1

    SHA1

    bfa5da0047bc3e1b70ad6422d292c53285ac9414

    SHA256

    f4066775c51f9fe580a0ef68133ca52a03fcd523547e7d5e30e769f8bf31db4d

    SHA512

    7f2d9c3fd250f2d6400a11ed79025a89c4fa30a808e176cab0dfcead44cc61cb9776d1e0cd3fa3227b8562d076349587557f1ea6d3eb36c04ec5089040f08514

    Download Submit

  • C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_SlateBlue.gif.happy
    Filesize

    20KB

    MD5

    0152828605eae9fa0cf175aa276042fd

    SHA1

    9b9888b8ea1d323cfe802844a3d22a8ad24daffd

    SHA256

    977308a90a109fa2eb4ae9b67eeb915d72cf1455780d929db98ce5f099e38916

    SHA512

    83acd2fefacd37d2fd8f10e90af421d7e0083769534996a99b87503b86cbdc8c4b82dd5a267ec243b582764d57eae1576c0458663325e83db557761901095a28

    Download Submit

  • memory/2448-162-0x0000000073DD0000-0x00000000744BE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2448-32-0x0000000073DDE000-0x0000000073DDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2448-2-0x0000000073DD0000-0x00000000744BE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2448-1-0x00000000009C0000-0x00000000009CE000-memory.dmp

    Filesize

    56KB

    Download

  • memory/2448-0-0x0000000073DDE000-0x0000000073DDF000-memory.dmp

    Filesize

    4KB

    Download