ca7d6968ce2e44b7bde709ea5a8aef2752984999db28da37b538631f2945468a

Analysis

max time kernel
58s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
11/02/2023, 21:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tsetup-x64.4.6.2.exe
Size

38.6MB
MD5

d7baf876e62d3adda58eec2db6a5da07
SHA1

23de816b2838ae25207f136343e6bf47e0d3f040
SHA256

ca7d6968ce2e44b7bde709ea5a8aef2752984999db28da37b538631f2945468a
SHA512

44c2691cee18e2acb57fda45ca4bef82769a2e6b24d8634cb41d39624c969628eaf4c08d5c0e3161dd1d722bb78448a2b88c36a6f5c164f8945a723ba25197e1
SSDEEP

786432:OzkK/qXQxBVXBBq6Lpma9vUPywWnLQb+Pnl7RDnz0JzLz:t8oGBVf/ppYPonl7V0JzLz

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
1976	tsetup-x64.4.6.2.tmp
760	Telegram.exe
1816	Telegram.exe
1984	Telegram.exe

Loads dropped DLL 8 IoCs

pid	Process
1420	tsetup-x64.4.6.2.exe
1976	tsetup-x64.4.6.2.tmp
1976	tsetup-x64.4.6.2.tmp
1976	tsetup-x64.4.6.2.tmp
1444	Process not Found
1444	Process not Found
1444	Process not Found
1444	Process not Found

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: AddClipboardFormatListener 3 IoCs

pid	Process
760	Telegram.exe
1816	Telegram.exe
1984	Telegram.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1976	tsetup-x64.4.6.2.tmp
1976	tsetup-x64.4.6.2.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1976	tsetup-x64.4.6.2.tmp

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1420 wrote to memory of 1976	1420	tsetup-x64.4.6.2.exe	26
PID 1420 wrote to memory of 1976	1420	tsetup-x64.4.6.2.exe	26
PID 1420 wrote to memory of 1976	1420	tsetup-x64.4.6.2.exe	26
PID 1420 wrote to memory of 1976	1420	tsetup-x64.4.6.2.exe	26
PID 1420 wrote to memory of 1976	1420	tsetup-x64.4.6.2.exe	26
PID 1420 wrote to memory of 1976	1420	tsetup-x64.4.6.2.exe	26
PID 1420 wrote to memory of 1976	1420	tsetup-x64.4.6.2.exe	26
PID 1976 wrote to memory of 760	1976	tsetup-x64.4.6.2.tmp	28
PID 1976 wrote to memory of 760	1976	tsetup-x64.4.6.2.tmp	28
PID 1976 wrote to memory of 760	1976	tsetup-x64.4.6.2.tmp	28
PID 1976 wrote to memory of 760	1976	tsetup-x64.4.6.2.tmp	28

C:\Users\Admin\AppData\Local\Temp\tsetup-x64.4.6.2.exe
"C:\Users\Admin\AppData\Local\Temp\tsetup-x64.4.6.2.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1420
- C:\Users\Admin\AppData\Local\Temp\is-44UJJ.tmp\tsetup-x64.4.6.2.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-44UJJ.tmp\tsetup-x64.4.6.2.tmp" /SL5="$60120,39537747,814592,C:\Users\Admin\AppData\Local\Temp\tsetup-x64.4.6.2.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1976
- - C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe
    "C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: AddClipboardFormatListener
    PID:760

C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe
"C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
PID:1816

C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe
"C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
PID:1984

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\b242bd1bb4a25207b7836e6099bf4764-{87A94AB0-E370-4cde-98D3-ACC110C5967D}

Filesize
60B

MD5
b55423c25da9aeea9c8648b0bf660a34

SHA1
de0ee2495e5367e469de849d928b2f55296ff52c

SHA256
aa660dd120adef940311fec1e4d2a796ebdbd863f58dee27f262d3a733283cdb

SHA512
8cf7e02b42bac55979a89174699eb5a8dd39de20af33f63e370596d48a7b9648bde96630b38707b5d4e1f3ece66bc9a3d715e48ced198ae4168e40cfefe2623f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-44UJJ.tmp\tsetup-x64.4.6.2.tmp

Filesize
3.0MB

MD5
e9e523ee729711ed8a4ecc164af0eb1d

SHA1
6448050c2d615201c541724a3b5ba7a3ef0b839d

SHA256
e068c14cd9fc95477a5d3ca52a0ca4d51aa3817937d2cc46f326d25ea8106e12

SHA512
f40404f90f89d917b2c1a267c8f0e5b4c489ede2ded543091e081319653e17c1293777f1cc80af384e8bf94bc7e79bfd5994a3f5de3dbb6742d4e99fdb1ef8ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-44UJJ.tmp\tsetup-x64.4.6.2.tmp

Filesize
3.0MB

MD5
e9e523ee729711ed8a4ecc164af0eb1d

SHA1
6448050c2d615201c541724a3b5ba7a3ef0b839d

SHA256
e068c14cd9fc95477a5d3ca52a0ca4d51aa3817937d2cc46f326d25ea8106e12

SHA512
f40404f90f89d917b2c1a267c8f0e5b4c489ede2ded543091e081319653e17c1293777f1cc80af384e8bf94bc7e79bfd5994a3f5de3dbb6742d4e99fdb1ef8ed

Download Submit
C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe

Filesize
23.6MB

MD5
108eca6c5e805a5be790821a57c5b27c

SHA1
64d9855774a59723a58b57289592bce78c148ea9

SHA256
b0f16d4b1d0d7e204254826fb664343e1dd8358db3a507da6527bac8d3700b3f

SHA512
cccb6d9a87e2f4930e77b0b3414558520ea6af367ddf3185bdbb4405833e386ae4d95800bb530693149b9f679a73be8e2988504e9cc00e63a8c12385222f56e3

Download Submit
C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe

Filesize
6.1MB

MD5
0f8aae1061deadfa2fb42f4df9c1d8cb

SHA1
c57838c70271a863fcee8696a5dff5e2ee04205c

SHA256
216db29b8d917ac1b79ee4ca944dc65e3187b985f283107306cf44befd0400ad

SHA512
6b4617b7355fcaa078cf5e60a54e385a39f40bd3ab9cbf7d8246a420a12df5de10ffe087ea8c66012271f04d86c8f3fd6f89ac67d6204c4aca7481a2434ce1bf

Download Submit
C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe

Filesize
5.0MB

MD5
c5b0383e127aeb197a4cbc11fb1da27c

SHA1
f7e2ddf8a1389862a104f95aca732ac6214b722b

SHA256
6d9cb9ddfae7d8979291f8a0e05cd59a75bd188efc65eb7421d2a4b0e138a6df

SHA512
cdc94accb246d95efe6cefedfbb38c294f23acc07466eb24bdfa012f6bb6a2b6468da71817a517e463bc1a10ded021857ec1b8b4dbd0cf05a0ae88202e8ea657

Download Submit
C:\Users\Admin\AppData\Roaming\Telegram Desktop\tdata\usertag

Filesize
8B

MD5
6c2fda52df73da120c538fae0f8b67f5

SHA1
feb2e4544a7bafac92c16168b2edc0e187570525

SHA256
9c5fe78220def4d4df2884897f2385899dffe717406276cd4bab4ff99ff4b7a7

SHA512
7e337d15cb71b16e25dc67d526c53130140965682789c34fdbc3ba5aafa5c41e607337bd300ab070d88efbd4d9eb9b087a934ad8f0a3da5947581d70dbab0257

Download Submit
\Users\Admin\AppData\Local\Temp\is-44UJJ.tmp\tsetup-x64.4.6.2.tmp

Filesize
3.0MB

MD5
e9e523ee729711ed8a4ecc164af0eb1d

SHA1
6448050c2d615201c541724a3b5ba7a3ef0b839d

SHA256
e068c14cd9fc95477a5d3ca52a0ca4d51aa3817937d2cc46f326d25ea8106e12

SHA512
f40404f90f89d917b2c1a267c8f0e5b4c489ede2ded543091e081319653e17c1293777f1cc80af384e8bf94bc7e79bfd5994a3f5de3dbb6742d4e99fdb1ef8ed

Download Submit
\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe

Filesize
33.8MB

MD5
1e9b1639c7d7b6bb6f16a854333ee596

SHA1
b210959a6f957e6d8c2f38d031b7633e2a51efc2

SHA256
b4d1e10bd30e4dc26fa631b2e9572e7508d5434cd2d83d9a92a4e2e223715733

SHA512
326a8cb6752632bb199dd1bd2ab024fae3bb4b418b4ec009025c94c5b239edca984ed1b6ce6412a81c03c6a730b3e7c093b95f9e6ae067335c46564d29685489

Download Submit
\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe

Filesize
29.8MB

MD5
37036c10d6421c4e4e27ffd71bc9c296

SHA1
6822f2a679505c173f6249bf0c4085cce4ed0a9c

SHA256
7157f4e86137d1b9a360d9c30620135796cff04464ac0dbfcacb8845df913177

SHA512
6f1f25ffeb0905bfbe3e1b0b4532be8924ba39bc21f81e289a9b59fc5a5a9a6eb62be498fbd4e1ccfc2d7d3970becffa4e09f3978acd828de702393fdd5c387e

Download Submit
\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe

Filesize
29.2MB

MD5
feb068dbdff2105679895e81c46d9258

SHA1
b76c1b447e77e33ca883360d89a5b7c0645e6c62

SHA256
c66e934ca3e0d8e867dec388142869e30db770460fbefca6dc1d287c1e4dd212

SHA512
66998db8e6417b25df8cd1ac1b1389fd25027ff51b205bf74ca45d2742ca2434ad332f94fe948577b196250479e8c9e480414b9b24fe0d4dc927a8bc903e43c6

Download Submit
\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe

Filesize
29.1MB

MD5
4a6a28a4b9cbfbe6be57fee7fed39159

SHA1
296b4d4a83142262ad9612e230a6b8f23b19206a

SHA256
4a271bef577d1a75b0d97b810b8b0e675b9bcba7d05db1e9ab37dc351832d6ce

SHA512
3b80d7b51a4c646b2362c399317235fb3a19e0c818607891e5051f6b5de9ff79e5748092f7eb433d3fb2eddf4b3ed34dbd4087b91282799721f2832969dfa08b

Download Submit
\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe

Filesize
29.1MB

MD5
4a6a28a4b9cbfbe6be57fee7fed39159

SHA1
296b4d4a83142262ad9612e230a6b8f23b19206a

SHA256
4a271bef577d1a75b0d97b810b8b0e675b9bcba7d05db1e9ab37dc351832d6ce

SHA512
3b80d7b51a4c646b2362c399317235fb3a19e0c818607891e5051f6b5de9ff79e5748092f7eb433d3fb2eddf4b3ed34dbd4087b91282799721f2832969dfa08b

Download Submit
\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe

Filesize
28.5MB

MD5
b21853d95550bd54824c837f83b71ab0

SHA1
58db5cdd587b0fc2d4a6658e4e8f800df7f599fa

SHA256
f7018eb5d54284f70316683c509c3420f72dba56ff5919b4f89cd836909ed7c1

SHA512
664485102d699f115a0338c5fa7276188e4ea50548435c2a83f8296b8cba16ba78f7ae080f3623df9a54a2407a40f2e9890250a644f139c918d3dfeec6ceb952

Download Submit
\Users\Admin\AppData\Roaming\Telegram Desktop\unins000.exe

Filesize
3.0MB

MD5
b230c6cdbb471dbf06f75c4acf546d4a

SHA1
75058bdad651caabcdac307d901b1d1a970dcf8f

SHA256
afa05a62d57a7e7cc751fec936139a599447a2e2faa49301b8ee678428b62f83

SHA512
4b2b2d80b105d9703e92328fe7efd0b231e5002374c4367f65ff021ff14028d47ba45bf8d31efbbf5054a4ac624bb59a6209b8adb2f8370223fa5cc5e68212d6

Download Submit
memory/760-75-0x00000000000F0000-0x0000000000100000-memory.dmp

Filesize
64KB

Download
memory/1420-62-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/1420-74-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/1420-54-0x0000000075351000-0x0000000075353000-memory.dmp

Filesize
8KB

Download
memory/1420-57-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/1420-55-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/1816-79-0x0000000000180000-0x0000000000190000-memory.dmp

Filesize
64KB

Download
memory/1976-63-0x00000000747B1000-0x00000000747B3000-memory.dmp

Filesize
8KB

Download
memory/1984-81-0x0000000000080000-0x0000000000090000-memory.dmp

Filesize
64KB

Download