b4b0da2cdb7ab81095f251f66e71421765a60d0255dc5087959218578d2ecd07

Resubmissions

24/09/2023, 11:35

230924-nqd53afe82 7

24/09/2023, 11:32

230924-nnfwwadh9s 7

Analysis

max time kernel
168s
max time network
134s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
24/09/2023, 11:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TelamonCleaner_id65101d86a479eog.exe
Size

2.4MB
MD5

aced6b3c9627848f1f20c76d205873a5
SHA1

4e9f8d334a645b5a68fb7c39203c82cf0341a2b6
SHA256

b4b0da2cdb7ab81095f251f66e71421765a60d0255dc5087959218578d2ecd07
SHA512

fff4ea2a7f6e926d543674481b798bac482d1f77a8fc23ade1405ea24b34ec7a0200eaa2b8e4389b91e87d2fa75c55c7f2f3a74ad06fc6ed18b12dc4709d721e
SSDEEP

49152:YBuZrEUDBJZDvXdwmfbFsWgOEPrSgmKvrjr:GkLD1/FsWgznxvrn

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
804	TelamonCleaner_id65101d86a479eog.tmp
820	tt-installer-helper.exe
612	tt-installer-helper.exe

Loads dropped DLL 4 IoCs

pid	Process
1400	TelamonCleaner_id65101d86a479eog.exe
804	TelamonCleaner_id65101d86a479eog.tmp
1952	cmd.exe
2760	cmd.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
804	TelamonCleaner_id65101d86a479eog.tmp

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 1400 wrote to memory of 804	1400	TelamonCleaner_id65101d86a479eog.exe	27
PID 1400 wrote to memory of 804	1400	TelamonCleaner_id65101d86a479eog.exe	27
PID 1400 wrote to memory of 804	1400	TelamonCleaner_id65101d86a479eog.exe	27
PID 1400 wrote to memory of 804	1400	TelamonCleaner_id65101d86a479eog.exe	27
PID 1400 wrote to memory of 804	1400	TelamonCleaner_id65101d86a479eog.exe	27
PID 1400 wrote to memory of 804	1400	TelamonCleaner_id65101d86a479eog.exe	27
PID 1400 wrote to memory of 804	1400	TelamonCleaner_id65101d86a479eog.exe	27
PID 804 wrote to memory of 1952	804	TelamonCleaner_id65101d86a479eog.tmp	28
PID 804 wrote to memory of 1952	804	TelamonCleaner_id65101d86a479eog.tmp	28
PID 804 wrote to memory of 1952	804	TelamonCleaner_id65101d86a479eog.tmp	28
PID 804 wrote to memory of 1952	804	TelamonCleaner_id65101d86a479eog.tmp	28
PID 1952 wrote to memory of 820	1952	cmd.exe	31
PID 1952 wrote to memory of 820	1952	cmd.exe	31
PID 1952 wrote to memory of 820	1952	cmd.exe	31
PID 1952 wrote to memory of 820	1952	cmd.exe	31
PID 1952 wrote to memory of 820	1952	cmd.exe	31
PID 1952 wrote to memory of 820	1952	cmd.exe	31
PID 1952 wrote to memory of 820	1952	cmd.exe	31
PID 804 wrote to memory of 2760	804	TelamonCleaner_id65101d86a479eog.tmp	32
PID 804 wrote to memory of 2760	804	TelamonCleaner_id65101d86a479eog.tmp	32
PID 804 wrote to memory of 2760	804	TelamonCleaner_id65101d86a479eog.tmp	32
PID 804 wrote to memory of 2760	804	TelamonCleaner_id65101d86a479eog.tmp	32
PID 2760 wrote to memory of 612	2760	cmd.exe	35
PID 2760 wrote to memory of 612	2760	cmd.exe	35
PID 2760 wrote to memory of 612	2760	cmd.exe	35
PID 2760 wrote to memory of 612	2760	cmd.exe	35
PID 2760 wrote to memory of 612	2760	cmd.exe	35
PID 2760 wrote to memory of 612	2760	cmd.exe	35
PID 2760 wrote to memory of 612	2760	cmd.exe	35

C:\Users\Admin\AppData\Local\Temp\TelamonCleaner_id65101d86a479eog.exe
"C:\Users\Admin\AppData\Local\Temp\TelamonCleaner_id65101d86a479eog.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1400
- C:\Users\Admin\AppData\Local\Temp\is-QD8UG.tmp\TelamonCleaner_id65101d86a479eog.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-QD8UG.tmp\TelamonCleaner_id65101d86a479eog.tmp" /SL5="$6017A,1575658,918016,C:\Users\Admin\AppData\Local\Temp\TelamonCleaner_id65101d86a479eog.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  PID:804
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" "C:\Windows\system32\cmd.exe" /S /C ""C:\Users\Admin\AppData\Local\Temp\is-D01H3.tmp\tt-installer-helper.exe" --getuid > "C:\Users\Admin\AppData\Local\Temp\is-D01H3.tmp\~execwithresult.txt""
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1952
  - - C:\Users\Admin\AppData\Local\Temp\is-D01H3.tmp\tt-installer-helper.exe
      "C:\Users\Admin\AppData\Local\Temp\is-D01H3.tmp\tt-installer-helper.exe" --getuid
      4⤵
      Executes dropped EXE
      PID:820
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" "C:\Windows\system32\cmd.exe" /S /C ""C:\Users\Admin\AppData\Local\Temp\is-D01H3.tmp\tt-installer-helper.exe" --saveinstallpath --filename=C:\Users\Admin\AppData\Local\Temp\TelamonCleaner_id65101d86a479eog.exe > "C:\Users\Admin\AppData\Local\Temp\is-D01H3.tmp\~execwithresult.txt""
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2760
  - - C:\Users\Admin\AppData\Local\Temp\is-D01H3.tmp\tt-installer-helper.exe
      "C:\Users\Admin\AppData\Local\Temp\is-D01H3.tmp\tt-installer-helper.exe" --saveinstallpath --filename=C:\Users\Admin\AppData\Local\Temp\TelamonCleaner_id65101d86a479eog.exe
      4⤵
      Executes dropped EXE
      PID:612

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-D01H3.tmp\tt-installer-helper.exe

Filesize
595KB

MD5
8c584765972d14ef167f71a701159359

SHA1
c857e7af03f31d24dd8c38e16ba46bbd0f3377fd

SHA256
30c27e256b84348e2b97d5b65a85139af9dfff00713e4d55b103f411a51a62d1

SHA512
988b524f81aceb05786cf96cc84b804f5a9c0ab9d9100f2c822ec9e8fa8eb385ccedf1bedab57ba8b031b79e26c96ae3c7b00d623b4918db40c274f66104f48c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-D01H3.tmp\tt-installer-helper.exe

Filesize
595KB

MD5
8c584765972d14ef167f71a701159359

SHA1
c857e7af03f31d24dd8c38e16ba46bbd0f3377fd

SHA256
30c27e256b84348e2b97d5b65a85139af9dfff00713e4d55b103f411a51a62d1

SHA512
988b524f81aceb05786cf96cc84b804f5a9c0ab9d9100f2c822ec9e8fa8eb385ccedf1bedab57ba8b031b79e26c96ae3c7b00d623b4918db40c274f66104f48c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-D01H3.tmp\tt-installer-helper.exe

Filesize
595KB

MD5
8c584765972d14ef167f71a701159359

SHA1
c857e7af03f31d24dd8c38e16ba46bbd0f3377fd

SHA256
30c27e256b84348e2b97d5b65a85139af9dfff00713e4d55b103f411a51a62d1

SHA512
988b524f81aceb05786cf96cc84b804f5a9c0ab9d9100f2c822ec9e8fa8eb385ccedf1bedab57ba8b031b79e26c96ae3c7b00d623b4918db40c274f66104f48c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-D01H3.tmp\~execwithresult.txt

Filesize
77B

MD5
9a9fb68db34e7b4bb7b0cba8522aded7

SHA1
2e9d82adc754c5b738da5ee87372d8c8e6011b60

SHA256
712d5b45261710c92f0eabfa5c43e27fc8ebafb36d08ccce87d9093890d4e45f

SHA512
b9b7e2aa167818429e7b50fa2478c3918960428131f9e1e5768e3e325fdbeb7bc101602d6529b66c6938107073fcf75456d4bb59f2b6e0864e11e610bfd9bec6

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-QD8UG.tmp\TelamonCleaner_id65101d86a479eog.tmp

Filesize
3.1MB

MD5
fc1d3c0460f3bd018216180cff8a04df

SHA1
440088b9fee86f832c58c487409b4140f4b87935

SHA256
093dd2ca93731a7c4b2bd777a0a0064c0d6e95eafbd1ec5b6143a3f932a0cb82

SHA512
79a4a0b5ed166d353682cc55fa597013234dea019230eccd0f7e04a5bd43d6fc02ae69d3e882ebd122055487c21fb1a4b74c31c64c94b2cdc62a1e2ae7a5837a

Download Submit
\Users\Admin\AppData\Local\Temp\is-D01H3.tmp\idp.dll

Filesize
232KB

MD5
55c310c0319260d798757557ab3bf636

SHA1
0892eb7ed31d8bb20a56c6835990749011a2d8de

SHA256
54e7e0ad32a22b775131a6288f083ed3286a9a436941377fc20f85dd9ad983ed

SHA512
e0082109737097658677d7963cbf28d412dca3fa8f5812c2567e53849336ce45ebae2c0430df74bfe16c0f3eebb46961bc1a10f32ca7947692a900162128ae57

Download Submit
\Users\Admin\AppData\Local\Temp\is-D01H3.tmp\tt-installer-helper.exe

Filesize
595KB

MD5
8c584765972d14ef167f71a701159359

SHA1
c857e7af03f31d24dd8c38e16ba46bbd0f3377fd

SHA256
30c27e256b84348e2b97d5b65a85139af9dfff00713e4d55b103f411a51a62d1

SHA512
988b524f81aceb05786cf96cc84b804f5a9c0ab9d9100f2c822ec9e8fa8eb385ccedf1bedab57ba8b031b79e26c96ae3c7b00d623b4918db40c274f66104f48c

Download Submit
\Users\Admin\AppData\Local\Temp\is-D01H3.tmp\tt-installer-helper.exe

Filesize
595KB

MD5
8c584765972d14ef167f71a701159359

SHA1
c857e7af03f31d24dd8c38e16ba46bbd0f3377fd

SHA256
30c27e256b84348e2b97d5b65a85139af9dfff00713e4d55b103f411a51a62d1

SHA512
988b524f81aceb05786cf96cc84b804f5a9c0ab9d9100f2c822ec9e8fa8eb385ccedf1bedab57ba8b031b79e26c96ae3c7b00d623b4918db40c274f66104f48c

Download Submit
\Users\Admin\AppData\Local\Temp\is-QD8UG.tmp\TelamonCleaner_id65101d86a479eog.tmp

Filesize
3.1MB

MD5
fc1d3c0460f3bd018216180cff8a04df

SHA1
440088b9fee86f832c58c487409b4140f4b87935

SHA256
093dd2ca93731a7c4b2bd777a0a0064c0d6e95eafbd1ec5b6143a3f932a0cb82

SHA512
79a4a0b5ed166d353682cc55fa597013234dea019230eccd0f7e04a5bd43d6fc02ae69d3e882ebd122055487c21fb1a4b74c31c64c94b2cdc62a1e2ae7a5837a

Download Submit
memory/804-7-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/804-22-0x0000000000400000-0x0000000000729000-memory.dmp

Filesize
3.2MB

Download
memory/804-23-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1400-0-0x0000000000400000-0x00000000004ED000-memory.dmp

Filesize
948KB

Download
memory/1400-21-0x0000000000400000-0x00000000004ED000-memory.dmp

Filesize
948KB

Download