41e35a37efd5ce9ac81cc05feb376e40191cdcaa317111b8eef6d3cad5a11869

Analysis

max time kernel
147s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
20-05-2024 19:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Telegram/Telegram.exe
Size

149.4MB
MD5

40889af6437bb9ea7ceca2a61a7d3c31
SHA1

e7dc3b4983cc2a52da58de103027961492bc6ecf
SHA256

bae14c635b6142009654570c001db2cf27bbf641fb294611a0c4ae490290ab53
SHA512

d0f2f9f54a8cae72bc3fc802e785959b49c7f957a5f11f172a445c7189e44f783970ffb4748b86a0b71c750bb2bd0965230361d57a62e0786f3989da3727ee27
SSDEEP

786432:3xmWnhoXQ5Y91k9uH171xqMBLvbMDNj1o1fDtH73FC7KKE9AMqzNw:3nnhog+91k9wljBLQJJo1fDtjFUycNw

Score

6^/10

Malware Config

Signatures

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	Telegram.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Telegram.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	Telegram.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct	Telegram.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Telegram.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Telegram.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\	Telegram.exe

Modifies registry class 16 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\tdesktop.tg\shell\open\command	Telegram.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\tg\ = "URL:Telegram Link"	Telegram.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\tdesktop.tg\shell\open	Telegram.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\tg\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Telegram\\Telegram.exe,1\""	Telegram.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\tg\shell\open	Telegram.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\tdesktop.tg\DefaultIcon	Telegram.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\tg\shell	Telegram.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\tdesktop.tg\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Telegram\\Telegram.exe,1\""	Telegram.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\tdesktop.tg\shell	Telegram.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\tdesktop.tg\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Telegram\\Telegram.exe\" -- \"%1\""	Telegram.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\tg	Telegram.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\tg\URL Protocol	Telegram.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\tg\DefaultIcon	Telegram.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\tg\shell\open\command	Telegram.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\tg\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Telegram\\Telegram.exe\" -- \"%1\""	Telegram.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\tdesktop.tg	Telegram.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
928	Telegram.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
928	Telegram.exe
928	Telegram.exe
928	Telegram.exe
928	Telegram.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
928	Telegram.exe
928	Telegram.exe
928	Telegram.exe
928	Telegram.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
928	Telegram.exe

C:\Users\Admin\AppData\Local\Temp\Telegram\Telegram.exe
"C:\Users\Admin\AppData\Local\Temp\Telegram\Telegram.exe"
1⤵
- Drops desktop.ini file(s)
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Telegram\log_start0.txt

Filesize
1KB

MD5
c051cb7f53885ffe5d9722206422821b

SHA1
3c17331b30f7a8578e3370a7dfdb4885a6830374

SHA256
20b0ee55f5f76cac29744f8c81a1d7656aec92c54ec30ce99a2996da80b4138a

SHA512
c1545c4424369483bcf8c024563e0a04b6e29d5263f0a35de53f00288246a59497670e468911edf3585ef508d872927db9f0809d42ae9eec0436f00045269f39

Download Submit