Analysis
-
max time kernel
95s -
max time network
98s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system -
submitted
18-07-2024 13:19
Behavioral task
behavioral1
Sample
TelegramRAT.exe
Resource
win7-20240704-en
General
-
Target
TelegramRAT.exe
-
Size
111KB
-
MD5
3c6f5e7ca1f0279c860554b7b4dfaf5d
-
SHA1
15c4baaa666353eb7dd5d28a76aead8bf14bc352
-
SHA256
f7514a2e0e612b0b4211c4655fedc3a7052578f38f1bfe131e2213102c164e34
-
SHA512
1c8ac972d4ef27ec0f80e850137a8f19c95c72b97f2dede9c4d0caf007709133a5f2e248f6f04bc6e30fbbea742b8f4ae66a4f3408ab0d00ca48c48865947b09
-
SSDEEP
1536:l+b6QDWv5IDlOM91qQIwy3xZxdyyKDWfybhDqI6oQWVzCrAZuW5TDx:Ib2IpOLhZxjQbxqHoQWVzCrAZuWRx
Malware Config
Extracted
toxiceye
https://api.telegram.org/bot7074076538:AAGqOb5C3l0YTijTUMFzandCeulk-NFhSz0/sendMessage?chat_id=5623362319
Signatures
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation TelegramRAT.exe Key value queried \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation dupe.exe -
Executes dropped EXE 1 IoCs
pid Process 3456 dupe.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Delays execution with timeout.exe 1 IoCs
pid Process 1964 timeout.exe -
Enumerates processes with tasklist 1 TTPs 1 IoCs
pid Process 3332 tasklist.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2776 schtasks.exe 4344 schtasks.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 3456 dupe.exe -
Suspicious behavior: EnumeratesProcesses 60 IoCs
pid Process 3456 dupe.exe 3456 dupe.exe 3456 dupe.exe 3456 dupe.exe 3456 dupe.exe 3456 dupe.exe 3456 dupe.exe 3456 dupe.exe 3456 dupe.exe 3456 dupe.exe 3456 dupe.exe 3456 dupe.exe 3456 dupe.exe 3456 dupe.exe 3456 dupe.exe 3456 dupe.exe 3456 dupe.exe 3456 dupe.exe 3456 dupe.exe 3456 dupe.exe 3456 dupe.exe 3456 dupe.exe 3456 dupe.exe 3456 dupe.exe 3456 dupe.exe 3456 dupe.exe 3456 dupe.exe 3456 dupe.exe 3456 dupe.exe 3456 dupe.exe 3456 dupe.exe 3456 dupe.exe 3456 dupe.exe 3456 dupe.exe 3456 dupe.exe 3456 dupe.exe 3456 dupe.exe 3456 dupe.exe 3456 dupe.exe 3456 dupe.exe 3456 dupe.exe 3456 dupe.exe 3456 dupe.exe 3456 dupe.exe 3456 dupe.exe 3456 dupe.exe 3456 dupe.exe 3456 dupe.exe 3456 dupe.exe 3456 dupe.exe 3456 dupe.exe 3456 dupe.exe 3456 dupe.exe 3456 dupe.exe 3456 dupe.exe 3456 dupe.exe 3456 dupe.exe 3456 dupe.exe 3456 dupe.exe 3456 dupe.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeDebugPrivilege 1644 TelegramRAT.exe Token: SeDebugPrivilege 3332 tasklist.exe Token: SeDebugPrivilege 3456 dupe.exe Token: SeDebugPrivilege 3456 dupe.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 3456 dupe.exe -
Suspicious use of WriteProcessMemory 14 IoCs
description pid Process procid_target PID 1644 wrote to memory of 4344 1644 TelegramRAT.exe 88 PID 1644 wrote to memory of 4344 1644 TelegramRAT.exe 88 PID 1644 wrote to memory of 1732 1644 TelegramRAT.exe 90 PID 1644 wrote to memory of 1732 1644 TelegramRAT.exe 90 PID 1732 wrote to memory of 3332 1732 cmd.exe 92 PID 1732 wrote to memory of 3332 1732 cmd.exe 92 PID 1732 wrote to memory of 4440 1732 cmd.exe 93 PID 1732 wrote to memory of 4440 1732 cmd.exe 93 PID 1732 wrote to memory of 1964 1732 cmd.exe 95 PID 1732 wrote to memory of 1964 1732 cmd.exe 95 PID 1732 wrote to memory of 3456 1732 cmd.exe 96 PID 1732 wrote to memory of 3456 1732 cmd.exe 96 PID 3456 wrote to memory of 2776 3456 dupe.exe 101 PID 3456 wrote to memory of 2776 3456 dupe.exe 101 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe"C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe"1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1644 -
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Windows Update" /tr "C:\Users\Public\Downloads\dupe.exe"2⤵
- Scheduled Task/Job: Scheduled Task
PID:4344
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp91A1.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp91A1.tmp.bat2⤵
- Suspicious use of WriteProcessMemory
PID:1732 -
C:\Windows\system32\tasklist.exeTasklist /fi "PID eq 1644"3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:3332
-
-
C:\Windows\system32\find.exefind ":"3⤵PID:4440
-
-
C:\Windows\system32\timeout.exeTimeout /T 1 /Nobreak3⤵
- Delays execution with timeout.exe
PID:1964
-
-
C:\Users\Public\Downloads\dupe.exe"dupe.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3456 -
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Windows Update" /tr "C:\Users\Public\Downloads\dupe.exe"4⤵
- Scheduled Task/Job: Scheduled Task
PID:2776
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
197B
MD5c2da525f000512df8189879d8a22aaf5
SHA12eb898dce2eadae799eff2a1ff18c6c4884d87d5
SHA256bf0d737a228fb7a80cb635f733bb12bcdd63100f3fca04c4d923843a1147c6e0
SHA5121a232b28d1ebadcbfc08cba26239969535f33ffc1191c75098f7a963b0ae74b5d07efd959ed6bfa28d226092a8beffc41c058d2e51287a80d80a7d5c748bc89f
-
Filesize
111KB
MD53c6f5e7ca1f0279c860554b7b4dfaf5d
SHA115c4baaa666353eb7dd5d28a76aead8bf14bc352
SHA256f7514a2e0e612b0b4211c4655fedc3a7052578f38f1bfe131e2213102c164e34
SHA5121c8ac972d4ef27ec0f80e850137a8f19c95c72b97f2dede9c4d0caf007709133a5f2e248f6f04bc6e30fbbea742b8f4ae66a4f3408ab0d00ca48c48865947b09