0fa222fb1c108d47b8d3e7c54753774d5f5098b462c5231a64031a574509a6f3 | Triage

Resubmissions

10/04/2024, 02:22

240410-ctrd1sfc4s 7

10/04/2024, 02:22

240410-ctq39afc31 7

10/04/2024, 02:22

240410-ctpv7abh78 7

10/04/2024, 02:22

240410-ctnywsbh76 7

13/05/2023, 09:04

230513-k1k5ksfh55 7

Analysis

max time kernel
40s
max time network
1204s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
10/04/2024, 02:22

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

quick_telegram_sender.exe
Size

418KB
MD5

0010d6181a1834c89562503bb2b30924
SHA1

a9a3b1422ba13b36756c1ec5725402beb703047a
SHA256

0fa222fb1c108d47b8d3e7c54753774d5f5098b462c5231a64031a574509a6f3
SHA512

99c682d478ba735eb8bd070877863a188ff2be5448b6806be15c0b1d6c9fe15d0ab40c53387d658a0d02a63e982a664f2788f00ee355dc3653c1fc499184cbf1
SSDEEP

6144:1QwbzMWa3UnvU6dJm/tB9+nNm1GTeh9bU9H/DNA460Jyx0c:exUc6d0v9mNTTe09fRA/0

Score

7^/10

collection spyware stealer

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
4396	quick_telegram_sender.exe
5108	tor.exe
488	quick_telegram_sender.exe
2860	tor.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

Email Collection

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3084248216-1643706459-906455512-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	quick_telegram_sender.exe
Key opened	\REGISTRY\USER\S-1-5-21-3084248216-1643706459-906455512-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	quick_telegram_sender.exe
Key opened	\REGISTRY\USER\S-1-5-21-3084248216-1643706459-906455512-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	quick_telegram_sender.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
27	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

Scheduled Task/Job

pid	Process
2980	schtasks.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

pid	Process
2264	PING.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
4396	quick_telegram_sender.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2828	quick_telegram_sender.exe
Token: SeDebugPrivilege	4396	quick_telegram_sender.exe
Token: SeDebugPrivilege	488	quick_telegram_sender.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2828 wrote to memory of 2868	2828	quick_telegram_sender.exe	81
PID 2828 wrote to memory of 2868	2828	quick_telegram_sender.exe	81
PID 2868 wrote to memory of 1552	2868	cmd.exe	83
PID 2868 wrote to memory of 1552	2868	cmd.exe	83
PID 2868 wrote to memory of 2264	2868	cmd.exe	84
PID 2868 wrote to memory of 2264	2868	cmd.exe	84
PID 2868 wrote to memory of 2980	2868	cmd.exe	85
PID 2868 wrote to memory of 2980	2868	cmd.exe	85
PID 2868 wrote to memory of 4396	2868	cmd.exe	86
PID 2868 wrote to memory of 4396	2868	cmd.exe	86
PID 4396 wrote to memory of 864	4396	quick_telegram_sender.exe	87
PID 4396 wrote to memory of 864	4396	quick_telegram_sender.exe	87
PID 4396 wrote to memory of 5108	4396	quick_telegram_sender.exe	89
PID 4396 wrote to memory of 5108	4396	quick_telegram_sender.exe	89
PID 488 wrote to memory of 2860	488	quick_telegram_sender.exe	92
PID 488 wrote to memory of 2860	488	quick_telegram_sender.exe	92

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3084248216-1643706459-906455512-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	quick_telegram_sender.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3084248216-1643706459-906455512-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	quick_telegram_sender.exe

C:\Users\Admin\AppData\Local\Temp\quick_telegram_sender.exe
"C:\Users\Admin\AppData\Local\Temp\quick_telegram_sender.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2828
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "quick_telegram_sender" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\Team Viewer\quick_telegram_sender.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\quick_telegram_sender.exe" &&START "" "C:\Users\Admin\AppData\Local\Team Viewer\quick_telegram_sender.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2868
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:1552
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:2264
- - C:\Windows\system32\schtasks.exe
    schtasks /create /tn "quick_telegram_sender" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\Team Viewer\quick_telegram_sender.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:2980
- - C:\Users\Admin\AppData\Local\Team Viewer\quick_telegram_sender.exe
    "C:\Users\Admin\AppData\Local\Team Viewer\quick_telegram_sender.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - outlook_office_path
    - outlook_win_path
    PID:4396
  - - C:\Windows\System32\tar.exe
      "C:\Windows\System32\tar.exe" -xvzf "C:\Users\Admin\AppData\Local\Temp\tmpA0D4.tmp" -C "C:\Users\Admin\AppData\Local\29q4n45sgg"
      4⤵
      PID:864
  - - C:\Users\Admin\AppData\Local\29q4n45sgg\tor\tor.exe
      "C:\Users\Admin\AppData\Local\29q4n45sgg\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\29q4n45sgg\torrc.txt"
      4⤵
      Executes dropped EXE
      PID:5108

C:\Users\Admin\AppData\Local\Team Viewer\quick_telegram_sender.exe
"C:\Users\Admin\AppData\Local\Team Viewer\quick_telegram_sender.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:488
- C:\Users\Admin\AppData\Local\29q4n45sgg\tor\tor.exe
  "C:\Users\Admin\AppData\Local\29q4n45sgg\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\29q4n45sgg\torrc.txt"
  2⤵
  - Executes dropped EXE
  PID:2860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Credential Access

Unsecured Credentials

Credentials In Files

Credentials in Registry

Discovery

Query Registry

Remote System Discovery

System Information Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\29q4n45sgg\data\cached-microdesc-consensus

Filesize
2.7MB

MD5
a0db8a87f7b723266c8b04255da46b06

SHA1
4df00ea56d22d88f3d2e005ef66bad5b3ef92ebf

SHA256
60b43cdce0f807f7891521f396f53def34a7d98986dbde0faa2a197189c587f3

SHA512
41b8fc467d11af7ca6a42c7e94d1b8295ab3ae5d6d186b4f378e6e079440520e8324b695da1134beb2bc1697d2491edcc70c1b75ab6fc66b9c1cb2ecbcdb4a7d

Download Submit
C:\Users\Admin\AppData\Local\29q4n45sgg\data\cached-microdescs.new

Filesize
9.9MB

MD5
f1bc673fce3ee9b8ec7f5b6856e49b16

SHA1
cc1e40a1b884b95e1e7729cd60f78a31fa209930

SHA256
d3a38797fbde4004b41b5e5c141f472c08b51d190cf30b54bba1d93acbc9aebf

SHA512
de748bd741c9c8e62e8c5f485916e812dec6a116997412e206823e882a34ffed1d13f6dee95c780013a7171c33b0e52562783a9ef4f4a67e99b1d473a983fa1a

Download Submit
C:\Users\Admin\AppData\Local\29q4n45sgg\host\hostname

Filesize
64B

MD5
3f079417883edd80d8a11b4465c56922

SHA1
e909b75c7cf98f59cf53b34edda205f8cdeefc3d

SHA256
1864a16b642e20da0a19558f8aa5e380e051649a2a2ec573d01539021a8bec19

SHA512
16ed7fbf2212398ac66cd227a7f3d1dc556d539cb1432cb7f7aa6e32d213c885f4af7769081a64466716df704575c61eb73cab7071a10c08d79d9f0f4750b73f

Download Submit
C:\Users\Admin\AppData\Local\29q4n45sgg\port.dat

Filesize
4B

MD5
81bc798a42a7ce40810bf523f24deee1

SHA1
2eb42f6f5aa9b4fee8a34200d60567a93cbc72ce

SHA256
1cc4c660d80f3452841386109deeaffe554f4fd47a5409f614bd6c1b53c78c65

SHA512
ed786180ac7491f2c13a7e6453fd329fc53659f4f454bfb704b12da7617bb94461d78c12ff7a1cdd0255815ea189684344efabd86304146c98a9650257c89b9c

Download Submit
C:\Users\Admin\AppData\Local\29q4n45sgg\tor\tor.exe

Filesize
7.4MB

MD5
88590909765350c0d70c6c34b1f31dd2

SHA1
129b27c3926e53e5df6d44cc6adf39c3a8d9ebf7

SHA256
46fe244b548265c78ab961e8f787bc8bf21edbcaaf175fa3b8be3137c6845a82

SHA512
a8af08d9169a31a1c3419d4e6e8fbe608c800d323840563b5a560d3e09e78a492201f07cc0d3864efbff8ad81e59885fc43a6b749e0a3377aa8555df258af192

Download Submit
C:\Users\Admin\AppData\Local\29q4n45sgg\torrc.txt

Filesize
218B

MD5
47fcfd3b5d01d2ddae5146d0d3fcf4db

SHA1
836eb164771f8d5f17cc8f0623ab16d39bca6b39

SHA256
18b479270d5306636a67eb78093123488b3b97c57111cd31464209424d0fe6a3

SHA512
592c61fcf9afdf3e5f2c35c506c8797a54273efc10ac3b85ec512b52d8b532dd18b02c7e91738eb0527d3ad40a4f6511924bfb184cc2e293c699526a6dd24c2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\quick_telegram_sender.exe.log

Filesize
1KB

MD5
081b644082c51f2ff0f00087877003b5

SHA1
2eeb0a8a592e5327873f5a6704031c1ff6d0bd31

SHA256
cc427c714517dd0a3c96354869ce1bb300bf4935006fc628ceb28e2f040197ac

SHA512
95621587e55a5f5111aea05cadbaf56429adde2de0c41c9de8e74c03d31116edf72b63d76f65af45e4b14b68fe214926425581f77113d332eb91b0b6a5598eff

Download Submit
C:\Users\Admin\AppData\Local\Team Viewer\quick_telegram_sender.exe

Filesize
418KB

MD5
0010d6181a1834c89562503bb2b30924

SHA1
a9a3b1422ba13b36756c1ec5725402beb703047a

SHA256
0fa222fb1c108d47b8d3e7c54753774d5f5098b462c5231a64031a574509a6f3

SHA512
99c682d478ba735eb8bd070877863a188ff2be5448b6806be15c0b1d6c9fe15d0ab40c53387d658a0d02a63e982a664f2788f00ee355dc3653c1fc499184cbf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA0D4.tmp

Filesize
13.3MB

MD5
89d2d5811c1aff539bb355f15f3ddad0

SHA1
5bb3577c25b6d323d927200c48cd184a3e27c873

SHA256
b630008f6d3887793d48b87091e56691e292894dd4fa100dc4a418a2f29dcc12

SHA512
39e576124c54143520c5435a2ef9b24506131e13403489c0692f09b89135015d611c4988d4772f8a1e6557fa68b4667d467334461009cee8c2227dfc3e295289

Download Submit
memory/488-75-0x00007FFC7D2F0000-0x00007FFC7DDB2000-memory.dmp

Filesize
10.8MB

Download
memory/488-76-0x0000026F65BC0000-0x0000026F65BD0000-memory.dmp

Filesize
64KB

Download
memory/2828-0-0x000001B093670000-0x000001B0936DE000-memory.dmp

Filesize
440KB

Download
memory/2828-6-0x00007FFC7D680000-0x00007FFC7E142000-memory.dmp

Filesize
10.8MB

Download
memory/2828-2-0x000001B0954C0000-0x000001B0954D0000-memory.dmp

Filesize
64KB

Download
memory/2828-1-0x00007FFC7D680000-0x00007FFC7E142000-memory.dmp

Filesize
10.8MB

Download
memory/4396-12-0x00000297A1810000-0x00000297A1820000-memory.dmp

Filesize
64KB

Download
memory/4396-11-0x00007FFC7D2F0000-0x00007FFC7DDB2000-memory.dmp

Filesize
10.8MB

Download
memory/4396-68-0x00007FFC7D2F0000-0x00007FFC7DDB2000-memory.dmp

Filesize
10.8MB

Download
memory/4396-73-0x00000297A1810000-0x00000297A1820000-memory.dmp

Filesize
64KB

Download