Overview

Task                       Platform              Score
Overview                   overview              10
Static                     static                10
ScreenCapt...r1.exe        windows7-x64          1
ScreenCapt...r1.exe        windows10-2004-x64    1
ScreenCapt...r2.exe        windows7-x64          1
ScreenCapt...r2.exe        windows10-2004-x64    1
ScreenCapt...rt.exe        windows7-x64          1
ScreenCapt...rt.exe        windows10-2004-x64    1
ScreenCapt...er.exe        windows7-x64          1
ScreenCapt...er.exe        windows10-2004-x64    1
ScreenCapt...ck.exe        windows7-x64          1
ScreenCapt...ck.exe        windows10-2004-x64    1
ScreenCapt...k1.exe        windows7-x64          1
ScreenCapt...k1.exe        windows10-2004-x64    1
ScreenCapt...k2.exe        windows7-x64          1
ScreenCapt...k2.exe        windows10-2004-x64    1
Setup (5).exe              windows7-x64          7
Setup (5).exe              windows10-2004-x64    7
Setup (6).exe              windows7-x64          7
Setup (6).exe              windows10-2004-x64    7
Supplement...16.scr        windows7-x64          3
Supplement...16.scr        windows10-2004-x64    3
T1.exe                     windows7-x64          10
T1.exe                     windows10-2004-x64    10
T1_b7afca7...b5.exe        windows7-x64          10
T1_b7afca7...b5.exe        windows10-2004-x64    10
TeenTube_90767.exe         windows7-x64          10
TeenTube_90767.exe         windows10-2004-x64    10
Trojan-Ran....a.exe        windows7-x64          3
Trojan-Ran....a.exe        windows10-2004-x64    7
Tuyen bo c...ed.doc        windows7-x64          4
Tuyen bo c...ed.doc        windows10-2004-x64    1
Tuyen bo c...ed.doc        windows7-x64          4
Tuyen bo c...ed.doc        windows10-2004-x64    1

Analysis
max time kernel: 150s
max time network: 122s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 22-11-2024 03:46
Behavioral tasks

Task          Sample                                                          Resource
behavioral1   ScreenCapture_Win8.MalwareScanner1.exe                          win7-20240708-en
behavioral2   ScreenCapture_Win8.MalwareScanner1.exe                          win10v2004-20241007-en
behavioral3   ScreenCapture_Win8.MalwareScanner2.exe                          win7-20240708-en
behavioral4   ScreenCapture_Win8.MalwareScanner2.exe                          win10v2004-20241007-en
behavioral5   ScreenCapture_Win8.PopupAlert.exe                               win7-20240903-en
behavioral6   ScreenCapture_Win8.PopupAlert.exe                               win10v2004-20241007-en
behavioral7   ScreenCapture_Win8.TaskServer.exe                               win7-20241010-en
behavioral8   ScreenCapture_Win8.TaskServer.exe                               win10v2004-20241007-en
behavioral9   ScreenCapture_Win8.WindowsLock.exe                              win7-20241023-en
behavioral10  ScreenCapture_Win8.WindowsLock.exe                              win10v2004-20241007-en
behavioral11  ScreenCapture_Win8.WindowsLock1.exe                             win7-20241010-en
behavioral12  ScreenCapture_Win8.WindowsLock1.exe                             win10v2004-20241007-en
behavioral13  ScreenCapture_Win8.WindowsLock2.exe                             win7-20240903-en
behavioral14  ScreenCapture_Win8.WindowsLock2.exe                             win10v2004-20241007-en
behavioral15  Setup (5).exe                                                   win7-20240903-en
behavioral16  Setup (5).exe                                                   win10v2004-20241007-en
behavioral17  Setup (6).exe                                                   win7-20241010-en
behavioral18  Setup (6).exe                                                   win10v2004-20241007-en
behavioral19  Supplementary Agreement 26_01_2016.scr                          win7-20240903-en
behavioral20  Supplementary Agreement 26_01_2016.scr                          win10v2004-20241007-en
behavioral21  T1.exe                                                          win7-20240708-en
behavioral22  T1.exe                                                          win10v2004-20241007-en
behavioral23  T1_b7afca788487347804156f052c613db5.exe                         win7-20241010-en
behavioral24  T1_b7afca788487347804156f052c613db5.exe                         win10v2004-20241007-en
behavioral25  TeenTube_90767.exe                                              win7-20240903-en
behavioral26  TeenTube_90767.exe                                              win10v2004-20241007-en
behavioral27  Trojan-Ransom.Win32.Telecrypt.a.exe                             win7-20241010-en
behavioral28  Trojan-Ransom.Win32.Telecrypt.a.exe                             win10v2004-20241007-en
behavioral29  Tuyen bo chung Viet Nam - Hoa Ky - Infected and EnCrypted.doc   win7-20240708-en
behavioral30  Tuyen bo chung Viet Nam - Hoa Ky - Infected and EnCrypted.doc   win10v2004-20241007-en
behavioral31  Tuyen bo chung Viet Nam - Hoa Ky - Infected.doc                 win7-20241023-en
behavioral32  Tuyen bo chung Viet Nam - Hoa Ky - Infected.doc                 win10v2004-20241007-en
General

Target: TeenTube_90767.exe
Size: 197KB
MD5: 1105c4df3562b7ac9aaa3bf6037397c9
SHA1: 5abd5e024b85078b9060e4eb75c9fc9c7549ad55
SHA256: efd8f55e43b1ab6379cac9d2f037fe5260ffae11433fb076fad3b639f9f9d4df
SHA512: 98156f3f1707feaac20bc0250238aa3a4a8d0e531f77281e092c8b454a055bfbe97bc32b01538bbdc4f9b1ba76af6b626279bc8848484c79646aa5ea6bb8ad85
SSDEEP: 3072:Oz+92mhTMMJ/cPiq5bVioBih1PJ8RsaX/Bv3WxAyZBQ73Uen/+V:Oz+92mhAMJ/cPl3iogavsAMBLen/U
Malware Config

Signatures

Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
  Description      IoC                                                                                                   Process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,\"C:\\\\17867.exe\" 89681039464"  reg.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,\"C:\\\\17867.exe\" 89681039464"              reg.exe

Executes dropped EXE (2 IoCs)
  PID   Process
  2260  s.exe
  2564  KMPlayer.exe

Loads dropped DLL (7 IoCs)
  PID   Process
  2860  TeenTube_90767.exe (3 events)
  2260  s.exe (4 events)

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 7 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Description  IoC                                                            Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    reg.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    reg.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    TeenTube_90767.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    s.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    KMPlayer.exe

Suspicious use of FindShellTrayWindow (64 IoCs)
  PID   Process
  2564  KMPlayer.exe (64 events)

Suspicious use of WriteProcessMemory (42 IoCs)
  Description                     PID   Process             Target PID   Events
  PID 2860 wrote to memory of 2260  2860  TeenTube_90767.exe  28           7
  PID 2260 wrote to memory of 2564  2260  s.exe               29           7
  PID 2564 wrote to memory of 2060  2564  KMPlayer.exe        30           7
  PID 2564 wrote to memory of 2084  2564  KMPlayer.exe        32           7
  PID 2060 wrote to memory of 2044  2060  cmd.exe             34           7
  PID 2084 wrote to memory of 2268  2084  cmd.exe             35           7
Processes

1. C:\Users\Admin\AppData\Local\Temp\TeenTube_90767.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\TeenTube_90767.exe"
   PID: 2860
   Signatures: Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\RarSFX0\s.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\s.exe" -pass -s2
      PID: 2260
      Signatures: Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\RarSFX0\KMPlayer.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\KMPlayer.exe"
         PID: 2564
         Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory

         4. C:\Windows\SysWOW64\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /t REG_SZ /d "userinit.exe","\"C:\\17867.exe\" 89681039464" /f
            PID: 2060
            Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory

            5. C:\Windows\SysWOW64\reg.exe
               Command line: reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /t REG_SZ /d "userinit.exe","\"C:\\17867.exe\" 89681039464" /f
               PID: 2044
               Signatures: Modifies WinLogon for persistence; System Location Discovery: System Language Discovery

         4. C:\Windows\SysWOW64\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /t REG_SZ /d "userinit.exe","\"C:\\17867.exe\" 89681039464" /f /reg:64
            PID: 2084
            Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory

            5. C:\Windows\SysWOW64\reg.exe
               Command line: reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /t REG_SZ /d "userinit.exe","\"C:\\17867.exe\" 89681039464" /f /reg:64
               PID: 2268
               Signatures: Modifies WinLogon for persistence; System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 46KB
MD5: f052a9fa8b537c241287b4dca3c11a37
SHA1: 295eb1eeabb085e516ede2c625b5a08e9da62430
SHA256: 881a394fab156cf1d585be408aa34c979e99a1d74f3a0729c54f982cb845cd82
SHA512: 6120f0e194b2222e0a444e412b0f4d3543836f13ae0656f1a69ec61970467104e90348f836dbb6394e74b3351d00d87f3101688e011de842d71fb8ed305aee6a

Filesize: 132KB
MD5: a26b0b3948676b82c4796c169bd043eb
SHA1: 2e464f6f61b42871c1bf42d84f30ff58d7eef784
SHA256: 57d514bdcf2d47f04adf993b682bab6b9dfd150d47f3fef05541106096e6e4e5
SHA512: aa71dc61929eb477ac64153a658bad2ddc6c003989587c42abdb8d4219512a1aaa8793f66247b868b2d92722e4bd01895c084b4a219272c0f6745a55a6d0f162