Analysis
-
max time kernel
177s
-
max time network
178s
-
platform
windows10-2004_x64
-
resource
win10v2004-20240426-en
-
resource tags
arch:x64 arch:x86 image:win10v2004-20240426-en locale:en-us os:windows10-2004-x64 system
-
submitted
27-04-2024 09:20
Behavioral task
behavioral1
Sample
AudioSwitcher.AudioApi.CoreAudio.dll
Resource
win10v2004-20240426-en
Behavioral task
behavioral2
Sample
AudioSwitcher.AudioApi.dll
Resource
win10v2004-20240419-en
Behavioral task
behavioral3
Sample
Sodium.dll
Resource
win10v2004-20240226-en
Errors
General
-
Target
TelegramRAT.exe
-
Size
111KB
-
MD5
8834c1eaf28b3b076df2a0aac5d1148e
-
SHA1
640e70c94c0e01492c4c45cf2b23b65914a94cc5
-
SHA256
49f704606ec839fa6867a5f5f67090299b69b02dab7d352e161c8a754165de8a
-
SHA512
59c6d085818d43607ee2aef904899690a116a34f6e50978c35017d1a546964bcdfc435b7fb09bab998d4d0eacc8b614a58a55c029311d7c33473a501f4f3f561
-
SSDEEP
1536:p+bvqJIP4M91qQIwzUrxxxdKy2nBfUbhDqI6CsQWVzCrAZuDZ6Dd:sbvqJe4MUlxxDrbxqHBQWVzCrAZuDQd
Malware Config
Extracted
toxiceye
https://api.telegram.org/bot7005624592:AAFT1GroRFjOnavaa8nJipFR-iCuYT3f2xQ/sendMessage?chat_id=6235796510
Signatures
-
Renames multiple (265) files with added filename extension
This suggests ransomware activity that encrypts all the files on the system.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up the country code configured in the registry, likely for geofencing.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | TelegramRAT.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | rat.exe
-
Executes dropped EXE 1 IoCs
pid | Process
4820 | rat.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
1240 | schtasks.exe
4052 | schtasks.exe
-
Delays execution with timeout.exe 1 IoCs
pid | Process
5044 | timeout.exe
-
Enumerates processes with tasklist 1 TTPs 1 IoCs
pid | Process
4536 | tasklist.exe
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid | Process
4820 | rat.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
4820 | rat.exe
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
description | pid | Process
Token: SeDebugPrivilege | 3704 | TelegramRAT.exe
Token: SeDebugPrivilege | 4536 | tasklist.exe
Token: SeDebugPrivilege | 4820 | rat.exe
Token: SeDebugPrivilege | 4820 | rat.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
pid | Process
4820 | rat.exe
-
Suspicious use of WriteProcessMemory 18 IoCs
description | pid | Process | procid_target
PID 3704 wrote to memory of 1240 | 3704 | TelegramRAT.exe | 88
PID 3704 wrote to memory of 1240 | 3704 | TelegramRAT.exe | 88
PID 3704 wrote to memory of 1500 | 3704 | TelegramRAT.exe | 90
PID 3704 wrote to memory of 1500 | 3704 | TelegramRAT.exe | 90
PID 1500 wrote to memory of 4536 | 1500 | cmd.exe | 93
PID 1500 wrote to memory of 4536 | 1500 | cmd.exe | 93
PID 1500 wrote to memory of 1192 | 1500 | cmd.exe | 94
PID 1500 wrote to memory of 1192 | 1500 | cmd.exe | 94
PID 1500 wrote to memory of 5044 | 1500 | cmd.exe | 95
PID 1500 wrote to memory of 5044 | 1500 | cmd.exe | 95
PID 1500 wrote to memory of 4820 | 1500 | cmd.exe | 97
PID 1500 wrote to memory of 4820 | 1500 | cmd.exe | 97
PID 4820 wrote to memory of 4052 | 4820 | rat.exe | 99
PID 4820 wrote to memory of 4052 | 4820 | rat.exe | 99
PID 4820 wrote to memory of 1832 | 4820 | rat.exe | 105
PID 4820 wrote to memory of 1832 | 4820 | rat.exe | 105
PID 1832 wrote to memory of 1892 | 1832 | cmd.exe | 107
PID 1832 wrote to memory of 1892 | 1832 | cmd.exe | 107
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe
"C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe"
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3704
    C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\Admin\rat.exe"
    - Creates scheduled task(s)
    PID:1240
    C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp5573.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp5573.tmp.bat
    - Suspicious use of WriteProcessMemory
    PID:1500
        C:\Windows\system32\tasklist.exe
        Tasklist /fi "PID eq 3704"
        - Enumerates processes with tasklist
        - Suspicious use of AdjustPrivilegeToken
        PID:4536
        C:\Windows\system32\find.exe
        find ":"
        PID:1192
        C:\Windows\system32\timeout.exe
        Timeout /T 1 /Nobreak
        - Delays execution with timeout.exe
        PID:5044
        C:\Users\Admin\rat.exe
        "rat.exe"
        - Checks computer location settings
        - Executes dropped EXE
        - Suspicious behavior: AddClipboardFormatListener
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        PID:4820
            C:\Windows\System32\schtasks.exe
            "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\Admin\rat.exe"
            - Creates scheduled task(s)
            PID:4052
            C:\Windows\SYSTEM32\cmd.exe
            "cmd.exe" /c notepad.exe
            - Suspicious use of WriteProcessMemory
            PID:1832
                C:\Windows\system32\notepad.exe
                notepad.exe
                PID:1892
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{a071ad59-d4f9-4b90-809d-9a64b4020cd6}\0.1.filtertrie.intermediate.txt.crypted
Filesize 16B
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{a071ad59-d4f9-4b90-809d-9a64b4020cd6}\0.2.filtertrie.intermediate.txt.crypted
Filesize 16B
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133586086821031652.txt.crypted
Filesize 77KB
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133586092380013040.txt.crypted
Filesize 48KB
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133586095412638284.txt.crypted
Filesize 66KB
-
Filesize
185B
-
Filesize
111KB