Analysis
- max time kernel: 146s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240220-en
- resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
- submitted: 23-05-2024 01:38
Tasks
- Static task static1
- Behavioral task behavioral1: sample Telescribe.exe, resource win7-20240220-en
- Behavioral task behavioral2: sample Telescribe.exe, resource win10v2004-20240508-en
- Behavioral task behavioral3: sample $PLUGINSDIR/System.dll, resource win7-20240220-en
- Behavioral task behavioral4: sample $PLUGINSDIR/System.dll, resource win10v2004-20240508-en
General
- Target: Telescribe.exe
- Size: 1.3MB
- MD5: ee518fda96d7cb89bad8783aeab7e6fa
- SHA1: 5dced89b75ece47f8e8c0b19082ed97448f83964
- SHA256: cd25f94f8e22e1ca4f4bb2f65a4d904aaa01b57445284b1cf5ea9572873d2b4a
- SHA512: b92c661cc02640f4cbc1641b78005d84d176305af07caa92cb26441b0fcb831c31c79db7b5af69d2e331bf5ea1d28f9aa790fc7127cb58fae2224b111275f13b
- SSDEEP: 24576:d9Q0lIVTRJLpdCW9zTIvwS60x6Hcy/U77VaaG8uosbrDqa1VHWTcSdmWDxbLn/oY:rQ0lsRdpdBTIYS6VDM77YoOrDX1l2xbv
Malware Config
Signatures
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
- Loads dropped DLL (1 IoC)
  Processes: PID 3032 Telescribe.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
- Suspicious use of NtCreateThreadExHideFromDebugger (1 IoC)
  Processes: PID 2412 Telescribe.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  Processes: PID 3032 Telescribe.exe; PID 2412 Telescribe.exe
- Suspicious use of SetThreadContext (4 IoCs)
  Processes:
  PID 3032 Telescribe.exe set thread context of PID 2412 Telescribe.exe
  PID 2412 Telescribe.exe set thread context of PID 1192 Explorer.EXE
  PID 2412 Telescribe.exe set thread context of PID 2792 write.exe
  PID 2792 write.exe set thread context of PID 1192 Explorer.EXE
- Drops file in Program Files directory (1 IoC)
  Processes: Telescribe.exe opened C:\Program Files (x86)\konvoluterer\Forsikringsinspektrer.ini for modification
- Drops file in Windows directory (1 IoC)
  Processes: Telescribe.exe opened C:\Windows\mycelian\sempitern.ini for modification
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (26 IoCs)
  Processes: PID 2412 Telescribe.exe (8 occurrences); PID 2792 write.exe (18 occurrences)
- Suspicious behavior: MapViewOfSection (5 IoCs)
  Processes: PID 3032 Telescribe.exe (1 occurrence); PID 2412 Telescribe.exe (2 occurrences); PID 2792 write.exe (2 occurrences)
- Suspicious use of WriteProcessMemory (10 IoCs)
  Processes:
  PID 3032 Telescribe.exe wrote to memory of PID 2412 Telescribe.exe (6 occurrences)
  PID 2412 Telescribe.exe wrote to memory of PID 2792 write.exe (4 occurrences)
Processes
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\Telescribe.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Telescribe.exe"
    Signatures:
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\Telescribe.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Telescribe.exe"
      Signatures:
      - Suspicious use of NtCreateThreadExHideFromDebugger
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\write.exe
        Command line: "C:\Windows\SysWOW64\write.exe"
        Signatures:
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
- \Users\Admin\AppData\Local\Temp\nsy21A6.tmp\System.dll
  Filesize: 11KB
  MD5: b8992e497d57001ddf100f9c397fcef5
  SHA1: e26ddf101a2ec5027975d2909306457c6f61cfbd
  SHA256: 98bcd1dd88642f4dd36a300c76ebb1ddfbbbc5bfc7e3b6d7435dc6d6e030c13b
  SHA512: 8823b1904dccfaf031068102cb1def7958a057f49ff369f0e061f1b4db2090021aa620bb8442a2a6ac9355bb74ee54371dc2599c20dc723755a46ede81533a3c
- memory/2412-64-0x0000000000400000-0x0000000001462000-memory.dmp (Filesize: 16.4MB)
- memory/2412-74-0x0000000000400000-0x0000000001462000-memory.dmp (Filesize: 16.4MB)
- memory/2412-37-0x00000000771A0000-0x0000000077349000-memory.dmp (Filesize: 1.7MB)
- memory/2412-36-0x0000000000400000-0x0000000001462000-memory.dmp (Filesize: 16.4MB)
- memory/2412-43-0x0000000000400000-0x0000000001462000-memory.dmp (Filesize: 16.4MB)
- memory/2412-62-0x0000000000400000-0x0000000001462000-memory.dmp (Filesize: 16.4MB)
- memory/2412-70-0x0000000000400000-0x0000000001462000-memory.dmp (Filesize: 16.4MB)
- memory/2792-75-0x00000000000F0000-0x000000000012F000-memory.dmp (Filesize: 252KB)
- memory/2792-72-0x00000000000F0000-0x000000000012F000-memory.dmp (Filesize: 252KB)
- memory/3032-38-0x00000000037B0000-0x00000000057D1000-memory.dmp (Filesize: 32.1MB)
- memory/3032-63-0x00000000037B0000-0x00000000057D1000-memory.dmp (Filesize: 32.1MB)
- memory/3032-35-0x00000000771A0000-0x0000000077349000-memory.dmp (Filesize: 1.7MB)
- memory/3032-34-0x00000000771A1000-0x00000000772A2000-memory.dmp (Filesize: 1.0MB)
- memory/3032-33-0x00000000037B0000-0x00000000057D1000-memory.dmp (Filesize: 32.1MB)