Analysis

Max time kernel: 65s
Max time network: 16s
Platform: windows7_x64
Resource: win7-20240704-en
Resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
Submitted: 18-07-2024 13:19
Behavioral task: behavioral1
Sample: TelegramRAT.exe
Resource: win7-20240704-en
General

Target: TelegramRAT.exe
Size: 111KB
MD5: 3c6f5e7ca1f0279c860554b7b4dfaf5d
SHA1: 15c4baaa666353eb7dd5d28a76aead8bf14bc352
SHA256: f7514a2e0e612b0b4211c4655fedc3a7052578f38f1bfe131e2213102c164e34
SHA512: 1c8ac972d4ef27ec0f80e850137a8f19c95c72b97f2dede9c4d0caf007709133a5f2e248f6f04bc6e30fbbea742b8f4ae66a4f3408ab0d00ca48c48865947b09
SSDEEP: 1536:l+b6QDWv5IDlOM91qQIwy3xZxdyyKDWfybhDqI6oQWVzCrAZuW5TDx:Ib2IpOLhZxjQbxqHoQWVzCrAZuWRx
Malware Config

Extracted
Family: toxiceye
C2: https://api.telegram.org/bot7074076538:AAGqOb5C3l0YTijTUMFzandCeulk-NFhSz0/sendMessage?chat_id=5623362319

The C2 channel is the Telegram Bot API. The extracted URL carries the two values that identify the operator: the bot token (the `bot<id>:<secret>` path segment, bot id 7074076538) and the chat_id the beacon is posted to (5623362319). Because the traffic goes to api.telegram.org over TLS, there is no attacker-owned host to block; hunting is on the token and chat_id, and on processes other than a Telegram client talking to api.telegram.org.
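Pulling those identifiers out of a string dump (memory, config blob, proxy log) is a small parsing job. The Python below is an added example, not code from the report or from the sample: it matches Telegram Bot API URLs in the shape shown above, splits out bot id, token, method and chat_id, and defangs the URL for a report. The sample blob is constructed from this report's extracted C2 URL plus two decoy lines; the 30-character minimum on the secret is an assumption used to avoid matching fragments.

```python
"""Extract Telegram Bot API C2 parameters from strings (added example, not from the report)."""
import re
from urllib.parse import parse_qs

# Telegram bot API URLs: https://api.telegram.org/bot<BOT_ID>:<SECRET>/<method>?<query>
# The secret length floor (30) is an assumption to skip truncated fragments.
TELEGRAM_BOT_RE = re.compile(
    r'https?://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]{30,})'
    r'/(?P<method>[A-Za-z]+)(?P<query>\?[^\s"<>]*)?'
)


def extract_telegram_c2(blob):
    """Return one record per Telegram bot API URL found in blob."""
    records = []
    for m in TELEGRAM_BOT_RE.finditer(blob):
        query = parse_qs(m.group("query")[1:]) if m.group("query") else {}
        records.append({
            "bot_id": m.group("bot_id"),
            "token": f"{m.group('bot_id')}:{m.group('secret')}",
            "method": m.group("method"),
            "chat_id": query.get("chat_id", [None])[0],
            "url": m.group(0),
        })
    return records


def defang(url):
    """Neutralise a C2 URL for pasting into a report (hxxp, [.])."""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")


# Constructed sample blob: the C2 URL this report extracted, plus two lines that must not match.
SAMPLE_BLOB = """
https://api.telegram.org/bot7074076538:AAGqOb5C3l0YTijTUMFzandCeulk-NFhSz0/sendMessage?chat_id=5623362319
https://api.telegram.org/ (bare host, no bot path)
https://telegram.org/bot1:short/x
"""

if __name__ == "__main__":
    for rec in extract_telegram_c2(SAMPLE_BLOB):
        print(rec["bot_id"], rec["method"], rec["chat_id"], defang(rec["url"]))
```

The bot id is the stable hunting key: the secret can be rotated by the operator, but the numeric id stays with the bot.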
Signatures

Deletes itself (1 IoC)
  PID 3048  cmd.exe

Executes dropped EXE (1 IoC)
  PID 2704  dupe.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Delays execution with timeout.exe (1 IoC)
  PID 2712  timeout.exe

Enumerates processes with tasklist (1 TTP, 1 IoC)
  PID 2780  tasklist.exe

Scheduled Task/Job: Scheduled Task (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID 2688  schtasks.exe
  PID 2220  schtasks.exe

Suspicious behavior: AddClipboardFormatListener (1 IoC)
  PID 2704  dupe.exe

Suspicious behavior: EnumeratesProcesses (3 IoCs)
  PID 2704  dupe.exe  (3 hits)

Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Token: SeDebugPrivilege  PID 3032  TelegramRAT.exe
  Token: SeDebugPrivilege  PID 2780  tasklist.exe
  Token: SeDebugPrivilege  PID 2704  dupe.exe
  Token: SeDebugPrivilege  PID 2704  dupe.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  PID 2704  dupe.exe

Suspicious use of WriteProcessMemory (24 IoCs)
  Every writer/target pair below appears three times in the raw list. That uniform count is the pattern of ordinary process creation (the parent writing the new child's startup data), not of code injection into an unrelated process; the eight distinct pairs match the process tree in the next section exactly.
  writer PID  writer image     target PID  procid_target  hits
  3032        TelegramRAT.exe  2688        31             3
  3032        TelegramRAT.exe  3048        33             3
  3048        cmd.exe          2780        35             3
  3048        cmd.exe          2356        36             3
  3048        cmd.exe          2712        38             3
  3048        cmd.exe          2704        39             3
  2704        dupe.exe         2220        41             3
  2704        dupe.exe         564         43             3

Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
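The raw WriteProcessMemory list is easier to reason about as a tree, and the "three hits per pair" observation is worth checking mechanically rather than by eye. The Python below is an added example, not part of this report or of the sandbox's own tooling: it parses IoC records in exactly the shape printed above, deduplicates the repeated creation writes, renders the parent/child tree, and flags any pair whose hit count breaks the uniform pattern. The 24 records and the PID-to-image table are constructed from this report; treating a non-uniform count as a possible injection is a heuristic assumption, not a rule from the sandbox.

```python
"""Rebuild a process tree from flattened WriteProcessMemory IoCs (added example, not from the report)."""
import re
from collections import Counter, defaultdict

# One record as the report prints it:
#   PID <parent> wrote to memory of <child> <parent> <parent image> <procid_target>
WPM_RE = re.compile(
    r"PID (?P<parent>\d+) wrote to memory of (?P<child>\d+) (?P=parent) (?P<image>\S+) (?P<procid>\d+)"
)

# Constructed from this report's 24 IoCs: each distinct pair is listed three times, run
# together on one line just as the extract shows them.
_PAIRS = [  # (parent PID, child PID, parent image, procid_target)
    (3032, 2688, "TelegramRAT.exe", 31), (3032, 3048, "TelegramRAT.exe", 33),
    (3048, 2780, "cmd.exe", 35), (3048, 2356, "cmd.exe", 36),
    (3048, 2712, "cmd.exe", 38), (3048, 2704, "cmd.exe", 39),
    (2704, 2220, "dupe.exe", 41), (2704, 564, "dupe.exe", 43),
]
WPM_IOCS = " ".join(
    f"PID {p} wrote to memory of {c} {p} {img} {t}" for p, c, img, t in _PAIRS for _ in range(3)
)

# Child image names, taken from the Processes section of the report (constructed lookup).
IMAGES = {
    3032: "TelegramRAT.exe", 2688: "schtasks.exe", 3048: "cmd.exe", 2780: "tasklist.exe",
    2356: "find.exe", 2712: "timeout.exe", 2704: "dupe.exe", 2220: "schtasks.exe", 564: "WerFault.exe",
}


def parse_edges(text):
    """Return ({parent: [children in first-seen order]}, Counter of (parent, child) hits)."""
    hits = Counter()
    children = defaultdict(list)
    for m in WPM_RE.finditer(text):
        parent, child = int(m["parent"]), int(m["child"])
        if hits[(parent, child)] == 0:
            children[parent].append(child)
        hits[(parent, child)] += 1
    return dict(children), hits


def roots(children):
    """PIDs that write to others but are never written to: the tree roots."""
    written_to = {c for kids in children.values() for c in kids}
    return [p for p in children if p not in written_to]


def render(children, images, pid, depth=0):
    """Indented text tree starting at pid."""
    lines = [f"{'  ' * depth}{pid} {images.get(pid, '?')}"]
    for child in children.get(pid, []):
        lines.extend(render(children, images, child, depth + 1))
    return lines


def odd_counts(hits):
    """Pairs whose hit count differs from the most common count.
    Heuristic assumption: uniform counts are plain process creation; outliers deserve a look."""
    if not hits:
        return []
    usual = Counter(hits.values()).most_common(1)[0][0]
    return sorted(pair for pair, n in hits.items() if n != usual)


if __name__ == "__main__":
    kids, counts = parse_edges(WPM_IOCS)
    for root in roots(kids):
        print("\n".join(render(kids, IMAGES, root)))
    print("pairs with unusual write counts:", odd_counts(counts))
```

On this report the tree has a single root (3032) and `odd_counts` returns nothing, which is what you expect from a dropper that only spawns children.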
Processes

TelegramRAT.exe  PID 3032
  "C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  schtasks.exe  PID 2688
    "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Windows Update" /tr "C:\Users\Public\Downloads\dupe.exe"
    - Scheduled Task/Job: Scheduled Task

  cmd.exe  PID 3048
    "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp1FC0.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp1FC0.tmp.bat
    - Deletes itself
    - Suspicious use of WriteProcessMemory

    tasklist.exe  PID 2780
      Tasklist /fi "PID eq 3032"
      - Enumerates processes with tasklist
      - Suspicious use of AdjustPrivilegeToken

    find.exe  PID 2356
      find ":"

    timeout.exe  PID 2712
      Timeout /T 1 /Nobreak
      - Delays execution with timeout.exe

    dupe.exe  PID 2704
      C:\Users\Public\Downloads\dupe.exe  (launched as "dupe.exe")
      - Executes dropped EXE
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      schtasks.exe  PID 2220
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Windows Update" /tr "C:\Users\Public\Downloads\dupe.exe"
        - Scheduled Task/Job: Scheduled Task

      WerFault.exe  PID 564
        C:\Windows\system32\WerFault.exe -u -p 2704 -s 1428

Reading the chain: TelegramRAT.exe first registers a logon task named "Windows Update" that runs the dropped copy with the highest available integrity, then hands off to cmd.exe running a temporary batch file. That batch's children are the usual wait-for-the-parent-to-exit loop: tasklist filtered on the original PID (3032) is piped into find ":", which only succeeds once tasklist prints its "No tasks are running..." message (the only colon it emits), with a one-second timeout between polls, and dupe.exe is started afterwards. The "Deletes itself" hit is cmd.exe's trailing Del of the batch file; the batch content itself is not in this extract, so whether it also removes the original TelegramRAT.exe cannot be confirmed here. dupe.exe re-registers the same task (the /f flag overwrites the existing task silently, so the second creation succeeds without error) and is then attended by WerFault.exe: "-u -p 2704 -s 1428" is Windows Error Reporting attaching to PID 2704, where -s is an event handle rather than an exit code, so the dropped copy crashed during the run and later-stage behaviour (including C2 traffic) may be truncated in this trace.
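Both schtasks invocations in the tree show the combination a hunter wants to catch in process-creation logs: /create with a logon trigger, /RL HIGHEST, a task name that impersonates a Windows component, and a target binary under C:\Users\Public. The Python below is an added example, not code from the report or the sample: it tokenizes schtasks command lines the way they appear in the tree (quoted arguments kept whole), pulls out the relevant switches, and returns the reasons a line looks like persistence. The first sample line is the report's own schtasks command; the two benign lines, the user-writable directory list and the look-alike name list are constructed assumptions to be tuned per environment.

```python
"""Triage schtasks /create command lines from process logs (added example, not from the report)."""
import re

# A command-line token is either a double-quoted string or a run of non-space characters.
TOKEN_RE = re.compile(r'"[^"]*"|\S+')

# Assumed list of directories an unprivileged user can write to; a HIGHEST-run-level task
# whose action lives here is almost never legitimate.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
# Assumed list of task names that mimic Windows components (the sample uses "Windows Update").
LOOKALIKE_NAMES = {"windows update", "windows defender", "microsoft update", "onedrive"}


def parse_schtasks(cmdline):
    """Return the switches that matter for triage: create flag, /sc, /rl, /tn, /tr."""
    toks = [t.strip('"') for t in TOKEN_RE.findall(cmdline)]
    opts = {"create": False}
    i = 0
    while i < len(toks):
        t = toks[i].lower()
        if t == "/create":
            opts["create"] = True
        elif t in ("/sc", "/rl", "/tn", "/tr") and i + 1 < len(toks):
            opts[t[1:]] = toks[i + 1]
            i += 1
        i += 1
    return opts


def triage(cmdline):
    """List the reasons a schtasks command looks like malware persistence ([] if nothing stands out)."""
    o = parse_schtasks(cmdline)
    if not o["create"]:
        return []
    reasons = []
    sched = o.get("sc", "").upper()
    if sched in ("ONLOGON", "ONSTART"):
        reasons.append(f"runs at {sched}")
    if o.get("rl", "").upper() == "HIGHEST":
        reasons.append("requests highest run level")
    target = o.get("tr", "")
    if target.lower().startswith(USER_WRITABLE):
        reasons.append(f"action {target} lives in a user-writable directory")
    name = o.get("tn", "")
    if name.lower() in LOOKALIKE_NAMES:
        reasons.append(f"task name {name!r} impersonates a Windows component")
    return reasons


def triage_all(cmdlines):
    """Map each flagged command line to its reasons; clean lines are omitted."""
    return {c: r for c in cmdlines if (r := triage(c))}


SAMPLES = [
    # The schtasks command from this report (run twice, PIDs 2688 and 2220):
    r'"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Windows Update" /tr "C:\Users\Public\Downloads\dupe.exe"',
    # Constructed benign lines for contrast:
    r'schtasks /create /sc DAILY /st 02:00 /tn "Acme Backup" /tr "C:\Program Files\Acme\backup.exe"',
    r'schtasks /query /tn "Windows Update"',
]

if __name__ == "__main__":
    for line, reasons in triage_all(SAMPLES).items():
        print(line)
        for r in reasons:
            print("   -", r)
```

The same conditions can be checked on a live host after the fact: a task whose principal has RunLevel Highest, a logon trigger, and an action under a user profile is worth pulling with `schtasks /query /xml /tn "Windows Update"` and comparing against the file hashes in this report.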
Network
  No network entries are present in this extract.

MITRE ATT&CK Enterprise v15

Downloads
1. Filesize: 197B (size consistent with the dropped tmp1FC0.tmp.bat; the filename is not given in this extract)
   MD5: 4d2611e432324250e91f3faf8ce93821
   SHA1: 2796e3ce571f438a047557bb9f2f5abf58bbded9
   SHA256: ab15e789d729673c7ac19534033ad196acf2ae6da021f3f720658a02b505b47c
   SHA512: 6d477cee25bb106734a8df575fdc8f1c44b0bd96200918c575dbc6fc9db6436b2830d1c365a44d48fedbd8d9bb602bb1081b2bc590654874532aa1bcdccad646

2. Filesize: 111KB (hashes identical to the submitted sample, i.e. the dropped dupe.exe is a byte-for-byte copy of TelegramRAT.exe; one detection rule covers both)
   MD5: 3c6f5e7ca1f0279c860554b7b4dfaf5d
   SHA1: 15c4baaa666353eb7dd5d28a76aead8bf14bc352
   SHA256: f7514a2e0e612b0b4211c4655fedc3a7052578f38f1bfe131e2213102c164e34
   SHA512: 1c8ac972d4ef27ec0f80e850137a8f19c95c72b97f2dede9c4d0caf007709133a5f2e248f6f04bc6e30fbbea742b8f4ae66a4f3408ab0d00ca48c48865947b09