04b6cd2f3048a64bfea4e58c799ed5000235fc64e2fa43db7541723037e85339

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
16-06-2024 00:04

Target

Telegram.exe
Size

11.3MB
MD5

0c1f9b00dd0c4f36105ee368e80da86c
SHA1

ae0e681ce9e78898bec4da04018fdab3d1e0b381
SHA256

04b6cd2f3048a64bfea4e58c799ed5000235fc64e2fa43db7541723037e85339
SHA512

99c35f31eae87a20a28024b0736479206a88f46e8f278da38122de39da453c6cb1cf50c3c27ae1b7f5ce24f3ae81361f31476525d4d0fef7af1502e9d2176df0
SSDEEP

196608:zU9lyncmtSLurErvI9pWj+NevvoaYZ41JISItNYsCrlx:g+jtSLurEUWjueHo21JuN3clx

Score

7^/10

upx

Loads dropped DLL 1 IoCs

pid	Process
2800	Telegram.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral1/files/0x0005000000018739-46.dat	upx

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3016 wrote to memory of 2800	3016	Telegram.exe	28
PID 3016 wrote to memory of 2800	3016	Telegram.exe	28
PID 3016 wrote to memory of 2800	3016	Telegram.exe	28

C:\Users\Admin\AppData\Local\Temp\Telegram.exe
"C:\Users\Admin\AppData\Local\Temp\Telegram.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3016
- C:\Users\Admin\AppData\Local\Temp\Telegram.exe
  "C:\Users\Admin\AppData\Local\Temp\Telegram.exe"
  2⤵
  - Loads dropped DLL
  PID:2800

C:\Users\Admin\AppData\Local\Temp\_MEI30162\python311.dll

Filesize
1.6MB

MD5
476ab587f630eb4f9c21e88a065828b0

SHA1
d563e0d67658861a5c8d462fcfa675a6840b2758

SHA256
7cf19201904e4e7db4e5e44cd92d223fb94ddd43da04a03d11e388bf41686b8b

SHA512
3d67e49a09777e6fab36c37cf3a7c2768382eb1c850638b0064e2b00479f74251bb70290fe62971944344ee88b7803ee1697a374a62c7f7c45a556c820800676

Download Submit
memory/2800-48-0x000007FEF5500000-0x000007FEF5AF0000-memory.dmp

Filesize
5.9MB

Download