b4b0da2cdb7ab81095f251f66e71421765a60d0255dc5087959218578d2ecd07

Analysis

max time kernel
1791s
max time network
1558s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
03/02/2024, 16:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TelamonCleaner_id659307bbc6fd1f2.exe
Size

2.4MB
MD5

aced6b3c9627848f1f20c76d205873a5
SHA1

4e9f8d334a645b5a68fb7c39203c82cf0341a2b6
SHA256

b4b0da2cdb7ab81095f251f66e71421765a60d0255dc5087959218578d2ecd07
SHA512

fff4ea2a7f6e926d543674481b798bac482d1f77a8fc23ade1405ea24b34ec7a0200eaa2b8e4389b91e87d2fa75c55c7f2f3a74ad06fc6ed18b12dc4709d721e
SSDEEP

49152:YBuZrEUDBJZDvXdwmfbFsWgOEPrSgmKvrjr:GkLD1/FsWgznxvrn

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2240	TelamonCleaner_id659307bbc6fd1f2.tmp
2696	tt-installer-helper.exe
2128	tt-installer-helper.exe

Loads dropped DLL 4 IoCs

pid	Process
2268	TelamonCleaner_id659307bbc6fd1f2.exe
2240	TelamonCleaner_id659307bbc6fd1f2.tmp
2808	cmd.exe
1972	cmd.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2240	TelamonCleaner_id659307bbc6fd1f2.tmp

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 2268 wrote to memory of 2240	2268	TelamonCleaner_id659307bbc6fd1f2.exe	28
PID 2268 wrote to memory of 2240	2268	TelamonCleaner_id659307bbc6fd1f2.exe	28
PID 2268 wrote to memory of 2240	2268	TelamonCleaner_id659307bbc6fd1f2.exe	28
PID 2268 wrote to memory of 2240	2268	TelamonCleaner_id659307bbc6fd1f2.exe	28
PID 2268 wrote to memory of 2240	2268	TelamonCleaner_id659307bbc6fd1f2.exe	28
PID 2268 wrote to memory of 2240	2268	TelamonCleaner_id659307bbc6fd1f2.exe	28
PID 2268 wrote to memory of 2240	2268	TelamonCleaner_id659307bbc6fd1f2.exe	28
PID 2240 wrote to memory of 2808	2240	TelamonCleaner_id659307bbc6fd1f2.tmp	29
PID 2240 wrote to memory of 2808	2240	TelamonCleaner_id659307bbc6fd1f2.tmp	29
PID 2240 wrote to memory of 2808	2240	TelamonCleaner_id659307bbc6fd1f2.tmp	29
PID 2240 wrote to memory of 2808	2240	TelamonCleaner_id659307bbc6fd1f2.tmp	29
PID 2808 wrote to memory of 2696	2808	cmd.exe	31
PID 2808 wrote to memory of 2696	2808	cmd.exe	31
PID 2808 wrote to memory of 2696	2808	cmd.exe	31
PID 2808 wrote to memory of 2696	2808	cmd.exe	31
PID 2808 wrote to memory of 2696	2808	cmd.exe	31
PID 2808 wrote to memory of 2696	2808	cmd.exe	31
PID 2808 wrote to memory of 2696	2808	cmd.exe	31
PID 2240 wrote to memory of 1972	2240	TelamonCleaner_id659307bbc6fd1f2.tmp	33
PID 2240 wrote to memory of 1972	2240	TelamonCleaner_id659307bbc6fd1f2.tmp	33
PID 2240 wrote to memory of 1972	2240	TelamonCleaner_id659307bbc6fd1f2.tmp	33
PID 2240 wrote to memory of 1972	2240	TelamonCleaner_id659307bbc6fd1f2.tmp	33
PID 1972 wrote to memory of 2128	1972	cmd.exe	34
PID 1972 wrote to memory of 2128	1972	cmd.exe	34
PID 1972 wrote to memory of 2128	1972	cmd.exe	34
PID 1972 wrote to memory of 2128	1972	cmd.exe	34
PID 1972 wrote to memory of 2128	1972	cmd.exe	34
PID 1972 wrote to memory of 2128	1972	cmd.exe	34
PID 1972 wrote to memory of 2128	1972	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\TelamonCleaner_id659307bbc6fd1f2.exe
"C:\Users\Admin\AppData\Local\Temp\TelamonCleaner_id659307bbc6fd1f2.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2268
- C:\Users\Admin\AppData\Local\Temp\is-JATVF.tmp\TelamonCleaner_id659307bbc6fd1f2.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-JATVF.tmp\TelamonCleaner_id659307bbc6fd1f2.tmp" /SL5="$6014E,1575658,918016,C:\Users\Admin\AppData\Local\Temp\TelamonCleaner_id659307bbc6fd1f2.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  PID:2240
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" "C:\Windows\system32\cmd.exe" /S /C ""C:\Users\Admin\AppData\Local\Temp\is-G898L.tmp\tt-installer-helper.exe" --getuid > "C:\Users\Admin\AppData\Local\Temp\is-G898L.tmp\~execwithresult.txt""
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2808
  - - C:\Users\Admin\AppData\Local\Temp\is-G898L.tmp\tt-installer-helper.exe
      "C:\Users\Admin\AppData\Local\Temp\is-G898L.tmp\tt-installer-helper.exe" --getuid
      4⤵
      Executes dropped EXE
      PID:2696
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" "C:\Windows\system32\cmd.exe" /S /C ""C:\Users\Admin\AppData\Local\Temp\is-G898L.tmp\tt-installer-helper.exe" --saveinstallpath --filename=C:\Users\Admin\AppData\Local\Temp\TelamonCleaner_id659307bbc6fd1f2.exe > "C:\Users\Admin\AppData\Local\Temp\is-G898L.tmp\~execwithresult.txt""
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1972
  - - C:\Users\Admin\AppData\Local\Temp\is-G898L.tmp\tt-installer-helper.exe
      "C:\Users\Admin\AppData\Local\Temp\is-G898L.tmp\tt-installer-helper.exe" --saveinstallpath --filename=C:\Users\Admin\AppData\Local\Temp\TelamonCleaner_id659307bbc6fd1f2.exe
      4⤵
      Executes dropped EXE
      PID:2128

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-G898L.tmp\~execwithresult.txt

Filesize
77B

MD5
6f0b8cdd02c3a4b4a56c678d2e731efc

SHA1
14330aa62769ead2f11d4067c605b2010cf45de6

SHA256
e24f05d58c6463a4e358dc4f3fb8608c0923456c2da6c6e9ddae5d2e78606d28

SHA512
412f64c901eae7f9f58654083e7473374d4f2847c8a2fcb09144ce528a92130964f6bd958c889ee3a74092498defb05fa61523fcc878b5bf1091826aad01754f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-JATVF.tmp\TelamonCleaner_id659307bbc6fd1f2.tmp

Filesize
1.2MB

MD5
72ed554b6207314ad728b3f707bf69fa

SHA1
16d21166d588386fa1a4eeacaba1e0564b5a602c

SHA256
4b5a86512e0c880cc344d95f941f2eaa484f318d5a000aefa254e3982a29c978

SHA512
d31e95be004044f07f3d85300cf5160534b5e58ea94aba95e571374d29506cddea7156a87f8b0b66c035f4daa5b2a0fa0f8ac2f24993898324b8d34b00323437

Download Submit
\Users\Admin\AppData\Local\Temp\is-G898L.tmp\idp.dll

Filesize
232KB

MD5
55c310c0319260d798757557ab3bf636

SHA1
0892eb7ed31d8bb20a56c6835990749011a2d8de

SHA256
54e7e0ad32a22b775131a6288f083ed3286a9a436941377fc20f85dd9ad983ed

SHA512
e0082109737097658677d7963cbf28d412dca3fa8f5812c2567e53849336ce45ebae2c0430df74bfe16c0f3eebb46961bc1a10f32ca7947692a900162128ae57

Download Submit
\Users\Admin\AppData\Local\Temp\is-G898L.tmp\tt-installer-helper.exe

Filesize
595KB

MD5
8c584765972d14ef167f71a701159359

SHA1
c857e7af03f31d24dd8c38e16ba46bbd0f3377fd

SHA256
30c27e256b84348e2b97d5b65a85139af9dfff00713e4d55b103f411a51a62d1

SHA512
988b524f81aceb05786cf96cc84b804f5a9c0ab9d9100f2c822ec9e8fa8eb385ccedf1bedab57ba8b031b79e26c96ae3c7b00d623b4918db40c274f66104f48c

Download Submit
\Users\Admin\AppData\Local\Temp\is-JATVF.tmp\TelamonCleaner_id659307bbc6fd1f2.tmp

Filesize
2.0MB

MD5
ff6ceebe87babf0873037778b5bddb13

SHA1
eb978348a35f2489c1f8f4ad0c9ad21a76afdcec

SHA256
113bfb4016169a2b1f8af5f3bf7a94ec5c4799862ad990bcbc47ac4bb277cb02

SHA512
7f71fec266ee227a9736db44841aa370964908d8d1093d5ed0fada9f5d206a05870a9af1ddd1570017b1a42bd7365c379bf228cf03defed12042de0eedcd0d28

Download Submit
memory/2240-7-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2240-22-0x0000000000400000-0x0000000000729000-memory.dmp

Filesize
3.2MB

Download
memory/2240-25-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2268-0-0x0000000000400000-0x00000000004ED000-memory.dmp

Filesize
948KB

Download
memory/2268-21-0x0000000000400000-0x00000000004ED000-memory.dmp

Filesize
948KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads