Analysis
-
max time kernel
7s -
max time network
8s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system -
submitted
18-07-2024 11:59
Behavioral task
behavioral1
Sample
TelegramRAT.exe
Resource
win7-20240704-en
Errors
General
-
Target
TelegramRAT.exe
-
Size
111KB
-
MD5
70e2065cad845ee34e4a39f9b8c963a3
-
SHA1
c4fe48fc7ec3182670a1a6dc9ec26fde32ad653d
-
SHA256
168a57c472350a733ffe154a065b243f0d64faf235004315471785abeb93fe19
-
SHA512
f8bdfae8658f49d4a7a4b83fae078766fbdcfd6438090cc49971e57befc1fe13f22de66cba30b09c6cbf166dce6570a894d11d9985ce9db8a2ad8555d755252f
-
SSDEEP
1536:Y+b6QDWv5IDlOM91qQIwOs0dxv72rEBDG+bhDqI6oQW8zCrAZuhazDy:Pb2IpORLv7ztbxqHoQW8zCrAZuhay
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation TelegramRAT.exe Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation dupe.exe -
Executes dropped EXE 1 IoCs
pid Process 536 dupe.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Delays execution with timeout.exe 1 IoCs
pid Process 4492 timeout.exe -
Enumerates processes with tasklist 1 TTPs 1 IoCs
pid Process 1280 tasklist.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 4256 schtasks.exe 3908 schtasks.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 536 dupe.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 536 dupe.exe 536 dupe.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeDebugPrivilege 2536 TelegramRAT.exe Token: SeDebugPrivilege 1280 tasklist.exe Token: SeDebugPrivilege 536 dupe.exe Token: SeDebugPrivilege 536 dupe.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 536 dupe.exe -
Suspicious use of WriteProcessMemory 14 IoCs
description pid Process procid_target PID 2536 wrote to memory of 4256 2536 TelegramRAT.exe 90 PID 2536 wrote to memory of 4256 2536 TelegramRAT.exe 90 PID 2536 wrote to memory of 2100 2536 TelegramRAT.exe 92 PID 2536 wrote to memory of 2100 2536 TelegramRAT.exe 92 PID 2100 wrote to memory of 1280 2100 cmd.exe 94 PID 2100 wrote to memory of 1280 2100 cmd.exe 94 PID 2100 wrote to memory of 3388 2100 cmd.exe 95 PID 2100 wrote to memory of 3388 2100 cmd.exe 95 PID 2100 wrote to memory of 4492 2100 cmd.exe 97 PID 2100 wrote to memory of 4492 2100 cmd.exe 97 PID 2100 wrote to memory of 536 2100 cmd.exe 99 PID 2100 wrote to memory of 536 2100 cmd.exe 99 PID 536 wrote to memory of 3908 536 dupe.exe 101 PID 536 wrote to memory of 3908 536 dupe.exe 101 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe"C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe"1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2536 -
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Windows Update" /tr "C:\Users\Public\Downloads\dupe.exe"2⤵
- Scheduled Task/Job: Scheduled Task
PID:4256
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp92DA.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp92DA.tmp.bat2⤵
- Suspicious use of WriteProcessMemory
PID:2100 -
C:\Windows\system32\tasklist.exeTasklist /fi "PID eq 2536"3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1280
-
-
C:\Windows\system32\find.exefind ":"3⤵PID:3388
-
-
C:\Windows\system32\timeout.exeTimeout /T 1 /Nobreak3⤵
- Delays execution with timeout.exe
PID:4492
-
-
C:\Users\Public\Downloads\dupe.exe"dupe.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:536 -
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Windows Update" /tr "C:\Users\Public\Downloads\dupe.exe"4⤵
- Scheduled Task/Job: Scheduled Task
PID:3908
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
197B
MD51b8fbe28edfac3831a4f0a6807202c48
SHA17fa61d23307fb743782d16000bfe3844115e52d7
SHA256d6a0e07e181c8db163424082d24df3dd8022c939a247d87fddaa4aae4f966efa
SHA512938d9d557ac75f34571341b32b112a3fc0fcd0f470e19caaa68a339fc28c34e7f1eef12a9d144816ab6fe120d276da11aef1b6666905b061431a05207012c786
-
Filesize
111KB
MD570e2065cad845ee34e4a39f9b8c963a3
SHA1c4fe48fc7ec3182670a1a6dc9ec26fde32ad653d
SHA256168a57c472350a733ffe154a065b243f0d64faf235004315471785abeb93fe19
SHA512f8bdfae8658f49d4a7a4b83fae078766fbdcfd6438090cc49971e57befc1fe13f22de66cba30b09c6cbf166dce6570a894d11d9985ce9db8a2ad8555d755252f