aa3f58f228d9d0ef44417c33aa03e3d3c7b3cfde67c0db70a9d21fb8b5cb981c

General

Target

8525c99383b0acaeed302488b50a36439b71083e851bb28b65a893bf8ed944cf.exe
Size

38.6MB
MD5

b0cce809fe88b73d7532373911c23bd0
SHA1

c50f7fd9bb65dcd350909e367865ebe9bff894ff
SHA256

8525c99383b0acaeed302488b50a36439b71083e851bb28b65a893bf8ed944cf
SHA512

3ab841cdce17bc666e246fa61065eeda5f8c8d95d93045dac2036e566b8d708dd5119f16640a8dfc2f63d386d7d09ea0bd6b697642f67de5aae47a849daea33f
SSDEEP

786432:yC4PWjsUxcIIKD+0XXeWkePNwmALcekMhu9D+0h7lvWZ3gqL/xR5lQzzLE:yCcUOIIKD+YOWRPNwNTd6+wlvKVL/das

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4908	8525c99383b0acaeed302488b50a36439b71083e851bb28b65a893bf8ed944cf.tmp
3456	Telegram.exe

Loads dropped DLL 1 IoCs

pid	Process
3456	Telegram.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	Telegram.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{97509A40-DCD6-4F83-9500-9B8FF39CF3A6}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{06D1F97C-8C90-48F4-AE5C-6E3E4607E77E}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{A06DA7A3-F34B-445E-8D2E-87C6AB15B49F}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{CBAA4597-0059-4D8B-A41B-EF3360D98CBB}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{87F0F882-3AFD-4088-96A8-DDECC74B2757}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{CBBF3439-62E8-4B35-9591-9370B4A2BE90}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{D1A8C578-8652-4C7B-9876-FADBCDF54A96}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{456E627B-B858-49D2-ADEB-003EB72E8A4F}.catalogItem	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	Telegram.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct	Telegram.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Telegram.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Telegram.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\	Telegram.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Telegram.exe

Modifies registry class 16 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3259792829-1422303781-2047321929-1000_Classes\tg\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Telegram Desktop\\Telegram.exe\" -- \"%1\""	Telegram.exe
Key created	\REGISTRY\USER\S-1-5-21-3259792829-1422303781-2047321929-1000_Classes\tdesktop.tg	Telegram.exe
Key created	\REGISTRY\USER\S-1-5-21-3259792829-1422303781-2047321929-1000_Classes\tdesktop.tg\DefaultIcon	Telegram.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3259792829-1422303781-2047321929-1000_Classes\tdesktop.tg\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Telegram Desktop\\Telegram.exe,1\""	Telegram.exe
Key created	\REGISTRY\USER\S-1-5-21-3259792829-1422303781-2047321929-1000_Classes\tdesktop.tg\shell	Telegram.exe
Key created	\REGISTRY\USER\S-1-5-21-3259792829-1422303781-2047321929-1000_Classes\tdesktop.tg\shell\open	Telegram.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3259792829-1422303781-2047321929-1000_Classes\tg\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Telegram Desktop\\Telegram.exe,1\""	Telegram.exe
Key created	\REGISTRY\USER\S-1-5-21-3259792829-1422303781-2047321929-1000_Classes\tdesktop.tg\shell\open\command	Telegram.exe
Key created	\REGISTRY\USER\S-1-5-21-3259792829-1422303781-2047321929-1000_Classes\tg\shell	Telegram.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3259792829-1422303781-2047321929-1000_Classes\tg\URL Protocol	Telegram.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3259792829-1422303781-2047321929-1000_Classes\tdesktop.tg\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Telegram Desktop\\Telegram.exe\" -- \"%1\""	Telegram.exe
Key created	\REGISTRY\USER\S-1-5-21-3259792829-1422303781-2047321929-1000_Classes\tg	Telegram.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3259792829-1422303781-2047321929-1000_Classes\tg\ = "URL:Telegram Link"	Telegram.exe
Key created	\REGISTRY\USER\S-1-5-21-3259792829-1422303781-2047321929-1000_Classes\tg\DefaultIcon	Telegram.exe
Key created	\REGISTRY\USER\S-1-5-21-3259792829-1422303781-2047321929-1000_Classes\tg\shell\open	Telegram.exe
Key created	\REGISTRY\USER\S-1-5-21-3259792829-1422303781-2047321929-1000_Classes\tg\shell\open\command	Telegram.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3456	Telegram.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4908	8525c99383b0acaeed302488b50a36439b71083e851bb28b65a893bf8ed944cf.tmp
4908	8525c99383b0acaeed302488b50a36439b71083e851bb28b65a893bf8ed944cf.tmp

Suspicious use of FindShellTrayWindow 7 IoCs

pid	Process
4908	8525c99383b0acaeed302488b50a36439b71083e851bb28b65a893bf8ed944cf.tmp
3456	Telegram.exe
3456	Telegram.exe
3456	Telegram.exe
3456	Telegram.exe
3456	Telegram.exe
3456	Telegram.exe

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
3456	Telegram.exe
3456	Telegram.exe
3456	Telegram.exe
3456	Telegram.exe
3456	Telegram.exe
3456	Telegram.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3456	Telegram.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 4384 wrote to memory of 4908	4384	8525c99383b0acaeed302488b50a36439b71083e851bb28b65a893bf8ed944cf.exe	81
PID 4384 wrote to memory of 4908	4384	8525c99383b0acaeed302488b50a36439b71083e851bb28b65a893bf8ed944cf.exe	81
PID 4384 wrote to memory of 4908	4384	8525c99383b0acaeed302488b50a36439b71083e851bb28b65a893bf8ed944cf.exe	81
PID 4908 wrote to memory of 3456	4908	8525c99383b0acaeed302488b50a36439b71083e851bb28b65a893bf8ed944cf.tmp	103
PID 4908 wrote to memory of 3456	4908	8525c99383b0acaeed302488b50a36439b71083e851bb28b65a893bf8ed944cf.tmp	103

C:\Users\Admin\AppData\Local\Temp\8525c99383b0acaeed302488b50a36439b71083e851bb28b65a893bf8ed944cf.exe
"C:\Users\Admin\AppData\Local\Temp\8525c99383b0acaeed302488b50a36439b71083e851bb28b65a893bf8ed944cf.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4384
- C:\Users\Admin\AppData\Local\Temp\is-3O50F.tmp\8525c99383b0acaeed302488b50a36439b71083e851bb28b65a893bf8ed944cf.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-3O50F.tmp\8525c99383b0acaeed302488b50a36439b71083e851bb28b65a893bf8ed944cf.tmp" /SL5="$9016E,39573139,814592,C:\Users\Admin\AppData\Local\Temp\8525c99383b0acaeed302488b50a36439b71083e851bb28b65a893bf8ed944cf.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4908
- - C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe
    "C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops desktop.ini file(s)
    - Enumerates system info in registry
    - Modifies registry class
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:3456

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
- Drops file in System32 directory
PID:3836

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-3O50F.tmp\8525c99383b0acaeed302488b50a36439b71083e851bb28b65a893bf8ed944cf.tmp

Filesize
3.0MB

MD5
ce3b2ef0b07d1770ddd8fa09a34138de

SHA1
d07d12411d4a95cd26701fe83eb6d90d81103eee

SHA256
22e0e4420698350d18a6c02244c5fa1ff2c772eacb9e7019a8f212b479934386

SHA512
02edc78f9b7c8ad01a79243bbc7b51d2b86fb650535d134cc06360519b49ed30241de5cb916ab0624098e2b2b4c94b246e0fcf19e513b4e526100d46db652442

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-3O50F.tmp\8525c99383b0acaeed302488b50a36439b71083e851bb28b65a893bf8ed944cf.tmp

Filesize
3.0MB

MD5
ce3b2ef0b07d1770ddd8fa09a34138de

SHA1
d07d12411d4a95cd26701fe83eb6d90d81103eee

SHA256
22e0e4420698350d18a6c02244c5fa1ff2c772eacb9e7019a8f212b479934386

SHA512
02edc78f9b7c8ad01a79243bbc7b51d2b86fb650535d134cc06360519b49ed30241de5cb916ab0624098e2b2b4c94b246e0fcf19e513b4e526100d46db652442

Download Submit
C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe

Filesize
127.6MB

MD5
fd8304d231ca5513640145cabf30a301

SHA1
67ad3eaca6099311f4ca0f7d0faee89a94916107

SHA256
4e061db8b40002e1e6c4c1fe513b1da50c63f639f407e17fc4e8cf4a9ec34e7e

SHA512
7072499b21333880acf41abc1e8eec144ae6957d383dc6921eb97a3e61e8c97faa9037213d2d7fcfc5f3161dd8a33d2cfda81052446ea58b574d001ef497c253

Download Submit
C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe

Filesize
127.6MB

MD5
fd8304d231ca5513640145cabf30a301

SHA1
67ad3eaca6099311f4ca0f7d0faee89a94916107

SHA256
4e061db8b40002e1e6c4c1fe513b1da50c63f639f407e17fc4e8cf4a9ec34e7e

SHA512
7072499b21333880acf41abc1e8eec144ae6957d383dc6921eb97a3e61e8c97faa9037213d2d7fcfc5f3161dd8a33d2cfda81052446ea58b574d001ef497c253

Download Submit
C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe

Filesize
127.6MB

MD5
fd8304d231ca5513640145cabf30a301

SHA1
67ad3eaca6099311f4ca0f7d0faee89a94916107

SHA256
4e061db8b40002e1e6c4c1fe513b1da50c63f639f407e17fc4e8cf4a9ec34e7e

SHA512
7072499b21333880acf41abc1e8eec144ae6957d383dc6921eb97a3e61e8c97faa9037213d2d7fcfc5f3161dd8a33d2cfda81052446ea58b574d001ef497c253

Download Submit
C:\Users\Admin\AppData\Roaming\Telegram Desktop\modules\x64\d3d\d3dcompiler_47.dll

Filesize
4.7MB

MD5
62a89e7867d853fee9ad07b7c9d64379

SHA1
944a53602492187308352103d80ff27af1093abf

SHA256
d412909f1b597045b856caecedfc677eb4708af00e5b70788a01fa6af49c09d9

SHA512
7f66bf278222bf1079a3695ad55086ccc7d8b05d7db4f9a5bcbfe4ac8d82bc1a618b1c6dc675da61d47f48fce2b0670ce6f66db63e79e232604304cfc629d6d0

Download Submit
C:\Users\Admin\AppData\Roaming\Telegram Desktop\modules\x64\d3d\d3dcompiler_47.dll

Filesize
4.7MB

MD5
62a89e7867d853fee9ad07b7c9d64379

SHA1
944a53602492187308352103d80ff27af1093abf

SHA256
d412909f1b597045b856caecedfc677eb4708af00e5b70788a01fa6af49c09d9

SHA512
7f66bf278222bf1079a3695ad55086ccc7d8b05d7db4f9a5bcbfe4ac8d82bc1a618b1c6dc675da61d47f48fce2b0670ce6f66db63e79e232604304cfc629d6d0

Download Submit
memory/3456-192-0x00000165A0160000-0x00000165A0170000-memory.dmp

Filesize
64KB

Download
memory/4384-140-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/4384-133-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/4384-193-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/4908-141-0x0000000000400000-0x000000000070F000-memory.dmp

Filesize
3.1MB

Download
memory/4908-191-0x0000000000400000-0x000000000070F000-memory.dmp

Filesize
3.1MB

Download
memory/4908-180-0x0000000000400000-0x000000000070F000-memory.dmp

Filesize
3.1MB

Download
memory/4908-165-0x0000000000400000-0x000000000070F000-memory.dmp

Filesize
3.1MB

Download
memory/4908-154-0x0000000000400000-0x000000000070F000-memory.dmp

Filesize
3.1MB

Download
memory/4908-142-0x00000000026F0000-0x00000000026F1000-memory.dmp

Filesize
4KB

Download
memory/4908-138-0x00000000026F0000-0x00000000026F1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing