49534e847f24fdd727ada248666c5ebbbf7cefff54443df1dd56240cccb50a97

General

Target

TALKIT.exe
Size

534KB
MD5

bbc3687e84989e3f70f2179ba9a458b3
SHA1

7059147afcd22233c1180fa386414b8e9f8bc10c
SHA256

49534e847f24fdd727ada248666c5ebbbf7cefff54443df1dd56240cccb50a97
SHA512

e66f6881fb5e3f4a7911fd8edfae82f88d4c4089eab2efb180fbc5c0860edd298c85d838426e0ba4cec0d392ae76c470fcb442b9699c841d5919e008e5a5fac5
SSDEEP

12288:Hjv3p0iAiC7vbJPnZRJ49YwnX4P5g2OVs/wZfdjWPb/h9BiyLtNd:HdsNd

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3192	TalkAny.exe
3584	TalkAny.exe

Loads dropped DLL 10 IoCs

pid	Process
3100	Talk It_v1.0.exe
3100	Talk It_v1.0.exe
3192	TalkAny.exe
3192	TalkAny.exe
3192	TalkAny.exe
3524	Talk It_v1.0.exe
3524	Talk It_v1.0.exe
3584	TalkAny.exe
3584	TalkAny.exe
3584	TalkAny.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Talk It_v1.0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TalkAny.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Talk It_v1.0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TalkAny.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	3280	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3280	AUDIODG.EXE
Token: 33	3280	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3280	AUDIODG.EXE

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3192	TalkAny.exe
3192	TalkAny.exe
3584	TalkAny.exe
3584	TalkAny.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 3100 wrote to memory of 3192	3100	Talk It_v1.0.exe	44
PID 3100 wrote to memory of 3192	3100	Talk It_v1.0.exe	44
PID 3100 wrote to memory of 3192	3100	Talk It_v1.0.exe	44
PID 3100 wrote to memory of 3192	3100	Talk It_v1.0.exe	44
PID 3100 wrote to memory of 3192	3100	Talk It_v1.0.exe	44
PID 3100 wrote to memory of 3192	3100	Talk It_v1.0.exe	44
PID 3100 wrote to memory of 3192	3100	Talk It_v1.0.exe	44
PID 3524 wrote to memory of 3584	3524	Talk It_v1.0.exe	47
PID 3524 wrote to memory of 3584	3524	Talk It_v1.0.exe	47
PID 3524 wrote to memory of 3584	3524	Talk It_v1.0.exe	47
PID 3524 wrote to memory of 3584	3524	Talk It_v1.0.exe	47
PID 3524 wrote to memory of 3584	3524	Talk It_v1.0.exe	47
PID 3524 wrote to memory of 3584	3524	Talk It_v1.0.exe	47
PID 3524 wrote to memory of 3584	3524	Talk It_v1.0.exe	47

C:\Users\Admin\AppData\Local\Temp\TALKIT.exe
"C:\Users\Admin\AppData\Local\Temp\TALKIT.exe"
1⤵
PID:2540

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1040.2.2120991434\1369429558" -childID 1 -isForBrowser -prefsHandle 1812 -prefMapHandle 1920 -prefsLen 21031 -prefMapSize 233444 -jsInitHandle 796 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {dfd77eec-55b6-4f26-83c7-5389b76cbc95} 1040 "\\.\pipe\gecko-crash-server-pipe.1040" 964 18b35258 tab
1⤵
PID:2592

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1040.3.727128013\733203023" -childID 2 -isForBrowser -prefsHandle 2640 -prefMapHandle 2636 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 796 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4a9697fc-5d94-49ff-a3e8-5e830ce5d267} 1040 "\\.\pipe\gecko-crash-server-pipe.1040" 2652 e62b58 tab
1⤵
PID:2504

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1040.4.585874057\1074729358" -childID 3 -isForBrowser -prefsHandle 3028 -prefMapHandle 3024 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 796 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {679fc549-b09c-4acf-87f9-e48d5ff225be} 1040 "\\.\pipe\gecko-crash-server-pipe.1040" 3052 1a891e58 tab
1⤵
PID:308

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1040.5.2061797604\505481791" -childID 4 -isForBrowser -prefsHandle 3812 -prefMapHandle 3676 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 796 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {609c06bc-68dc-4c75-8716-6805cad64d2c} 1040 "\\.\pipe\gecko-crash-server-pipe.1040" 3828 1d4bfc58 tab
1⤵
PID:2164

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1040.6.1159206108\909482889" -childID 5 -isForBrowser -prefsHandle 3936 -prefMapHandle 3940 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 796 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {950db441-dbd7-4861-83fd-5002e1c18426} 1040 "\\.\pipe\gecko-crash-server-pipe.1040" 3924 1d4bd558 tab
1⤵
PID:1532

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1040.7.42483614\1413533678" -childID 6 -isForBrowser -prefsHandle 4132 -prefMapHandle 4140 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 796 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f1ddcccb-1a03-435e-b927-18b38ff8d238} 1040 "\\.\pipe\gecko-crash-server-pipe.1040" 3812 1d4bd858 tab
1⤵
PID:2892

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1040.8.1878277604\442892770" -childID 7 -isForBrowser -prefsHandle 3080 -prefMapHandle 3064 -prefsLen 26356 -prefMapSize 233444 -jsInitHandle 796 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {16c68403-4133-4bbd-ad5a-ce60cd9d09c5} 1040 "\\.\pipe\gecko-crash-server-pipe.1040" 3188 e62e58 tab
1⤵
PID:1636

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1040.9.1201402260\1633818815" -childID 8 -isForBrowser -prefsHandle 3780 -prefMapHandle 1744 -prefsLen 26531 -prefMapSize 233444 -jsInitHandle 796 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {16aba926-61c3-4594-8613-c1b274f0e381} 1040 "\\.\pipe\gecko-crash-server-pipe.1040" 1780 1a653658 tab
1⤵
PID:624

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1040.10.1381043565\1970037142" -childID 9 -isForBrowser -prefsHandle 4756 -prefMapHandle 4752 -prefsLen 26796 -prefMapSize 233444 -jsInitHandle 796 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d2675782-4ba3-4606-8a56-f87c4c45b047} 1040 "\\.\pipe\gecko-crash-server-pipe.1040" 4768 2135f558 tab
1⤵
PID:820

C:\Users\Admin\Downloads\Talk It_v1.0.exe
"C:\Users\Admin\Downloads\Talk It_v1.0.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3100
- C:\Temp\Ogif\TalkAny\TalkAny.exe
  "C:\Temp\Ogif\TalkAny\TalkAny.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3192

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3dc
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3280

C:\Users\Admin\Downloads\Talk It_v1.0.exe
"C:\Users\Admin\Downloads\Talk It_v1.0.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3524
- C:\Temp\Ogif\TalkAny\TalkAny.exe
  "C:\Temp\Ogif\TalkAny\TalkAny.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Temp\Ogif\TalkAny\TIBASE32.dll

Filesize
78KB

MD5
2cb4f99812841f5271ea9fce41dddb46

SHA1
f4cb27de41b7c4138c1438eb79a4f3468b56f57e

SHA256
9297f69236b296238096baa1e9d00567fc74409b5a7ebe2565da71b27fcdc5cb

SHA512
e256da1350e600707a961ec155d6c34bad21a08fc5b7d8b14defe70b018a1473e5dc1cebe05139b902289bc995953db86139a64e6e0ff06bd62d85cf7654346c

Download Submit
C:\Temp\Ogif\TalkAny\TIENG32.DLL

Filesize
317KB

MD5
63ebdcc2ea86671601af678535aaaf9d

SHA1
680d14d8ad355f542677c1f0ae02d2f6c7b08ba9

SHA256
4e261dcdf4eca118cf75c39b2f52d5b00888de820df9e4e868183a039f25e98b

SHA512
d105a4cb3e40bd1cbf18bf60335df54bc7b1f78a6af236bd1acbacbe2e1268b98b3331edae923a40b7db3de2393cc20e5209258b126116234dadcce1a4c203e4

Download Submit
C:\Temp\Ogif\TalkAny\TISPAN32.DLL

Filesize
65KB

MD5
1e522006e572619dabe8713ebc83c27f

SHA1
b7a574f6763c405cac18d5930d4538ccf70d3824

SHA256
ccc3c0b35b42ef40e116a8ba5e6f40c1f303e00f6d6c31c9a9eac5994b1d5294

SHA512
7451e0de0c38709e965f473e5b721ef40760955cec58659abc5d60d2b6e8bb28b0fa15bcacdc194fa412563c97b6150c5708fdf2ec198054a48a212386b47ab7

Download Submit
\Temp\Ogif\TalkAny\TalkAny.exe

Filesize
534KB

MD5
bbc3687e84989e3f70f2179ba9a458b3

SHA1
7059147afcd22233c1180fa386414b8e9f8bc10c

SHA256
49534e847f24fdd727ada248666c5ebbbf7cefff54443df1dd56240cccb50a97

SHA512
e66f6881fb5e3f4a7911fd8edfae82f88d4c4089eab2efb180fbc5c0860edd298c85d838426e0ba4cec0d392ae76c470fcb442b9699c841d5919e008e5a5fac5

Download Submit

Resubmissions

Analysis

Sharing