Analysis
- max time kernel: 149s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22-05-2024 08:13
Static task: static1
Behavioral task behavioral1: sample Telescribe.exe, resource win7-20231129-en
Behavioral task behavioral2: sample Telescribe.exe, resource win10v2004-20240508-en
Behavioral task behavioral3: sample $PLUGINSDIR/System.dll, resource win7-20240419-en
Behavioral task behavioral4: sample $PLUGINSDIR/System.dll, resource win10v2004-20240508-en
General
- Target: Telescribe.exe
- Size: 1.3MB
- MD5: ee518fda96d7cb89bad8783aeab7e6fa
- SHA1: 5dced89b75ece47f8e8c0b19082ed97448f83964
- SHA256: cd25f94f8e22e1ca4f4bb2f65a4d904aaa01b57445284b1cf5ea9572873d2b4a
- SHA512: b92c661cc02640f4cbc1641b78005d84d176305af07caa92cb26441b0fcb831c31c79db7b5af69d2e331bf5ea1d28f9aa790fc7127cb58fae2224b111275f13b
- SSDEEP: 24576:d9Q0lIVTRJLpdCW9zTIvwS60x6Hcy/U77VaaG8uosbrDqa1VHWTcSdmWDxbLn/oY:rQ0lsRdpdBTIYS6VDM77YoOrDX1l2xbv
Malware Config
Signatures
- Guloader, Cloudeye
  A shellcode-based downloader first seen in 2020.
- Loads dropped DLL (1 IoC)
  Processes: PID 3592 Telescribe.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
- Suspicious use of NtCreateThreadExHideFromDebugger (1 IoC)
  Processes: PID 2216 Telescribe.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  Processes: PID 3592 Telescribe.exe; PID 2216 Telescribe.exe
- Suspicious use of SetThreadContext (5 IoCs)
  Processes (source PID/process -> target PID/process):
  - 3592 Telescribe.exe set thread context of 2216 Telescribe.exe
  - 2216 Telescribe.exe set thread context of 3476 Explorer.EXE
  - 2216 Telescribe.exe set thread context of 4312 write.exe
  - 4312 write.exe set thread context of 3476 Explorer.EXE
  - 4312 write.exe set thread context of 3996 Firefox.exe
- Drops file in Program Files directory (1 IoC)
  Processes: Telescribe.exe; file opened for modification: C:\Program Files (x86)\konvoluterer\Forsikringsinspektrer.ini
- Drops file in Windows directory (1 IoC)
  Processes: Telescribe.exe; file opened for modification: C:\Windows\mycelian\sempitern.ini
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Modifies Internet Explorer settings
  Processes: write.exe; key created: \Registry\User\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2
- Suspicious behavior: EnumeratesProcesses (55 IoCs)
  Processes: PID 2216 Telescribe.exe (repeated hits); PID 4312 write.exe (repeated hits)
- Suspicious behavior: MapViewOfSection (7 IoCs)
  Processes: PID 3592 Telescribe.exe (1); PID 2216 Telescribe.exe (2); PID 4312 write.exe (4)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: PID 3476 Explorer.EXE, tokens SeShutdownPrivilege and SeCreatePagefilePrivilege
- Suspicious use of UnmapMainImage (1 IoC)
  Processes: PID 3476 Explorer.EXE
- Suspicious use of WriteProcessMemory (10 IoCs)
  Processes (source PID/process -> target PID/process):
  - 3592 Telescribe.exe wrote to memory of 2216 Telescribe.exe (5 times)
  - 2216 Telescribe.exe wrote to memory of 4312 write.exe (3 times)
  - 4312 write.exe wrote to memory of 3996 Firefox.exe (2 times)
Processes
- C:\Windows\Explorer.EXE (PID 3476), command line: C:\Windows\Explorer.EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  - C:\Users\Admin\AppData\Local\Temp\Telescribe.exe (PID 3592), command line: "C:\Users\Admin\AppData\Local\Temp\Telescribe.exe"
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\Telescribe.exe (PID 2216), command line: "C:\Users\Admin\AppData\Local\Temp\Telescribe.exe"
      - Suspicious use of NtCreateThreadExHideFromDebugger
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\write.exe (PID 4312), command line: "C:\Windows\SysWOW64\write.exe"
        - Suspicious use of SetThreadContext
        - Modifies Internet Explorer settings
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of WriteProcessMemory
        - C:\Program Files\Mozilla Firefox\Firefox.exe (PID 3996), command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1624), command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4612,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=3456 /prefetch:8
Downloads
- Filesize: 11KB
  MD5: b8992e497d57001ddf100f9c397fcef5
  SHA1: e26ddf101a2ec5027975d2909306457c6f61cfbd
  SHA256: 98bcd1dd88642f4dd36a300c76ebb1ddfbbbc5bfc7e3b6d7435dc6d6e030c13b
  SHA512: 8823b1904dccfaf031068102cb1def7958a057f49ff369f0e061f1b4db2090021aa620bb8442a2a6ac9355bb74ee54371dc2599c20dc723755a46ede81533a3c