Analysis
-
max time kernel
122s -
max time network
126s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
-
submitted
02-08-2024 14:54
General
-
Target
win_X64-telegram-TG-zwb5.09.exe
-
Size
106.0MB
-
MD5
7e5e997bacfd13d0e4334d3633a5a0c7
-
SHA1
5c00469208e2bf98d467ea18c50cbf1b59a8da8b
-
SHA256
1a6b8de03d8197a402c830f55e61b8a0a8912d56c458a6a6096029ccc0b2fb29
-
SHA512
0670220677d34d656b1055dff92ca44234e1e75e434dab9b4c55ced36dcda4da76e9023cecda2bbc2aa32dca2b7f4c50e1df8910cc9e56f2e2d9ffd164d14658
-
SSDEEP
1572864:jIVwGw8QkX/YZhf6a/XXe8MUQE3nsMHHiUyRLelUyRLelUyRLelUyRLelUyRLelo:jIVwGwOXgrf68X4UhsXj
Malware Config
Signatures
-
UAC bypass 3 TTPs 3 IoCs
-
Executes dropped EXE 4 IoCs
-
Loads dropped DLL 17 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of SetWindowsHookEx 5 IoCs
-
Suspicious use of WriteProcessMemory 34 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\win_X64-telegram-TG-zwb5.09.exe"C:\Users\Admin\AppData\Local\Temp\win_X64-telegram-TG-zwb5.09.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe"C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:5626914 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\win_X64-telegram-TG-zwb5.09.exe" "__IRCT:1" "__IRTSS:0" "__IRSID:S-1-5-21-940600906-3464502421-4240639183-1000"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\TG-CNS\telegram\tdata\emoji\Mari.exe"C:\Users\Admin\AppData\Roaming\TG-CNS\telegram\tdata\emoji\Mari.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ipconfig /all4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\ipconfig.exeipconfig /all5⤵
- Gathers network information
-
-
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" -f C:\Users\Public\Pictures\hP2M9.xml4⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Roaming\M6X6o.bat"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t reg_dword /d 0 /F5⤵
- UAC bypass
-
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t reg_dword /d 0 /F5⤵
- UAC bypass
-
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v PromptOnSecureDesktop /t reg_dword /d 0 /F5⤵
- UAC bypass
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c copy /b C:\Users\Public\Pictures\V20vK\25oi2~i\p+C:\Users\Public\Pictures\V20vK\25oi2~i\w C:\Users\Public\Pictures\V20vK\25oi2~i\xlstat4.dll4⤵
-
-
-
-
C:\Windows\system32\mmc.exeC:\Windows\system32\mmc.exe -Embedding1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\Pictures\V20vK\25oi2~i\XmpLiveUD.exe"C:\Users\Public\Pictures\V20vK\25oi2~i\XmpLiveUD.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Event Triggered Execution
1Netsh Helper DLL
1Pre-OS Boot
1Bootkit
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Event Triggered Execution
1Netsh Helper DLL
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
1Pre-OS Boot
1Bootkit
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
107KB
MD581a7a4f9e9cf23b18a5830cd8820fa73
SHA1509f342811540edff486945380755557349d60db
SHA2567e32d7c8c0d36644016fc48294a721ef5bb56277aa45c79016fbe28d9256f075
SHA51240ab0c46ba91062cc723f38d90fc44dcd6f173524ef4c60eb71cd6496556cd8913b3737a338fe7de3ce29b7e9fd7558723eb3bd209123f502b2e48f8b36cb630
-
Filesize
87KB
MD5a7db741aeb82ca0510d681271a09c90a
SHA1583a8f2c8af8e2d802da8921d8a3009000f9531e
SHA256e82ba7cb345dc28ffa8b1f662e58bb3266690f39948617e0d42109a752adff2a
SHA512ee9f1275fd5247d658f228eb7c0d318e9210ac261a877ef47304d71ca401f342426b2f260ee4cc8212f849a93cd87e8e25e9d7b2278b9fb9a0e3a2836d7b0d06
-
Filesize
4.9MB
MD5b0a1f1e0a106e1a62753c8a07fb3809b
SHA1b4bab82aa173a401a2f16f8b4ad91105a895b2d9
SHA256f7e07f7936269756bb73e91c8b280c2ab8532fb5bf15085d96eaebc7a05a8950
SHA512ffc97976471e26e938e0389b33c0143b4a55653f90ee35f8220663b2a78fc48a106a204dd25c990817a57f3670d41fd1361cbdbc3bc4894ded882b356649c083
-
Filesize
392B
MD530d6eb22d6aeec10347239b17b023bf4
SHA1e2a6f86d66c699f6e0ff1ac4e140af4a2a4637d1
SHA256659df6b190a0b92fc34e3a4457b4a8d11a26a4caf55de64dfe79eb1276181f08
SHA512500872c3f2f3f801ec51717690873194675cb7f32cc4a862c09d90c18638d364d49b0e04c32323f52734e5c806e3503a63ac755c7019d762786a72840123df76
-
Filesize
86KB
MD581f3c5901a89416940bf84f61c011e96
SHA12d2561a4843d0a9eaa100e05ff41ed4616a8692f
SHA2568a29ff35ce664ee5e87218191efc0e2b39a4d7e0e278c192a9690e69776799c8
SHA5124b31078c87985770852cd2941e8d965376418f4da25b9d6b02291da089ff71cdee0920fef25c70a2470583766ddd7164bf2b578bc1c6e76954b478cddebf6f7b
-
Filesize
9KB
MD59c8cd23a158b385cc4b4609004936fd7
SHA1b82e423af18f256971538c2f02e0f9b9f9067686
SHA256a4788678f795672138d625e5676605925ac098033f0c5f495c549524e4814105
SHA512909f0a990f64f71144fafa918ebe0a8f3ecf46176bcf2d564069bb99811f6dfd520d0a20a7faa0e6fac19c88494a31c1e09852e59d1272af2cefe04f8060fb22
-
Filesize
15KB
MD5edc29bff723fbccfe969b4b58f333eb1
SHA1a0bec28b1a66cf188efb428593b8a779c872c3f7
SHA2569cdfee326128783944a95754e496481e06528c49c065e254b6a3bd4115a1a7e4
SHA51214c9bb8589c2693d85f4ffedc5ab2d8dde822e1afa2b5124c11deceb46faac67d4b2f28bacc2b36165fa3a64da1a11e1047267dc1e826e95df3057985e9e8b97
-
Filesize
172KB
MD5f3f4dde837f9b92abb5dd9fd5d3174e3
SHA166d3b76b564b577c2392c45ca7f84cc62c037318
SHA256be44239c288ee40899b9ba92edeb64141ee9522c377094298c853d07fb6295cd
SHA51245a741eb7d4ee7430907b9b8a03e91c5d0d64f3b32c54f6c808bad7c92826eeb4180a28339f2df8a1cd1eaf4ac613a30972ccf39593536147b940ee1e1cc5834
-
Filesize
648KB
MD58bae1c34285e15fae092ef5afb4bdb9a
SHA1ce7098ffafa1a0150de43e390f4489bd0a35bfd1
SHA25648d4c29de7c7e13c65856da6963a20f41f9001dab80bb72b68d61cab7fee1d33
SHA512927581328052659a0e65df5499b5e16624145ff61512255c64770194384d7ea5b469c3b1301e63146de7b5fc01bf6acf6e81e567806cdfed3a4b306b98e18ca4
-
Filesize
9.0MB
MD5be5628882d28ba1bdb9850dc4b7e7fa1
SHA16d37839c4b8ded05c0e8108696e1b794de59a2a8
SHA256def949e97a2a2d2e504f7c85a27a6f2fd44d3a898357398f4aaa7eb033dfb287
SHA51216037fd6ee2bb26e1014e9e69a2ee5d7290ebe5021ed1eedaa5908b73c39cc2ba6f66c553be9a39163b8831e8f519b10009e71fb94ce392c7229541192aa1c39
-
Filesize
1.4MB
MD5ff5c63efbba91a0eec9fc645da655b4c
SHA1d225ceff3601b57add69df7d854b2348a8980255
SHA256e1fbb97ff3607d569d584f78ce77a9dd2cf64dca05aebdbf3e55c9711e07b3be
SHA51296b963823d7a28e4d4ecd703aa26ad3d3e1d4086e09a4cc08ca88c30c9b8ceb42b7daf184e33b9175f87a566e78028cca3e6ab90ed6537598677f27b15eefce5
-
Filesize
179KB
MD5525e7322fba8241956dad96e7002f33c
SHA1e1afb270a65ab2383c89ee86bfa0715bfb6f0dc9
SHA256e466c05616476d214ca7caef8020a046277e37e340a3470ffcf228ac967ac7c9
SHA512cd609d4ab4319259dff3d92de045f0a9464bd4ecd72bc8e098e279ecdb954b41841f8650f3ab085dca980ac563ab2e4918d2f881d90448f3b7dce74a51ffdcad
-
Filesize
4.8MB
MD55fccddc84705ef583e1e105a706a4cea
SHA1fd62980ab42f9062cb2cae7fb432169a660a9391
SHA256b09997d6da86ae913039327a1ca291a405d741722be660046db75e9b76b3176c
SHA512b9a690bf3c01e4e111c1139fac883265d8b97c96d9d6ae2bb4e9c303a622ab2c67b6acd058534f7afb14d9d2f0aa48eefea83d73ebaa7b972ff3c75c0723c4ac
-
Filesize
883KB
MD58c91824393f6c13ad31925d70a3746fc
SHA1a596499fdf8fc7e047227a9fcfb0ff0728cf940c
SHA25647d889023b791f815b87c139c039eb7270c81dd881b34e894cfc7e49d2823192
SHA51266987ae6131b9dee7f129954415f3cfa3fc56f659853d33b2413c8e886e77d62b438fe12a89948825623f80494da86836e0844f11581c6ef10bfaae1401610d3
-
Filesize
883KB
MD587d78b3b8c40976b34047cbcdc0e1454
SHA13f53f3a1e52c80cdd6f5eac7216b3c1816948516
SHA2564240fd9b105b4456fa428baa2e9b48a9ab2bc2736c7c33efaf92092ca45be88a
SHA5124d8be70e5b958029143669b8e72fce4c1da32ef66fea9548501de62462f1d37cec2fdcb1466bf5666f2268843b7e07bf5fda6ec4441cf61cef09324594410043
-
Filesize
350KB
MD5c916c7815286c5233a49deac81f8543e
SHA1cb964c3c8eae8e7ce170f3ad3a55993f7a1918db
SHA2563d07466b8f5c18afc70c6a9746d43fa7daa39c9bd41e8bfb928c70e7d7458bf4
SHA5120d65283c41c30ee688bf02ec3eec7f6b17a750efc18fa6a66f26c7c6ef8bae860d270b31017f096d8d254c2769be2b7ed64d6b3dc659d1b57d466388271e2c78
-
Filesize
14.5MB
MD5f6c56945b2a627dfebec3b2f80544855
SHA121eb4d3ea7fa50fc291c6a542437bfb6d834476d
SHA256b4e3976adfb46ac2c1e3f8731b7e49976baf7538ac5d50a85633f3cdfbcb38b0
SHA5120937b528fa8d46d52a683a5ab2ab490b81ef7c03553e62eabd0a02bf7612049f38ba0ac8b27f0b00909a266a366f7d235e2a3289860e38c8d10f2b67d0b789b9
-
Filesize
935KB
MD595510f67cf120d180362fd2d3ec23d9c
SHA14787cfb2398fd3285be85e52be633f454bb48ff6
SHA2569f64fdbf96b10a185c51bf9e7d6199e44a5ef3255de40a0a447cf556ac7675f0
SHA5124caf48792686a89e8397813a6b0246b274986e7fdf245d0b1aa3e36b7e9de0be7b618cd483871f76769a569a7b896f5b9f461f62f4d26cedbf257cc74c69f562
-
Filesize
706KB
MD54b5dfd7e9ac50a741b5ac6102b30cbf5
SHA1c3ae8f11f12b2160055a28ee8cd0f14d215864dc
SHA2568fbb6e1c42d6ea9fb1f5651d0cad370cbd36fda89035568c460193b1ae316cdc
SHA5129099874416956b53bb7a8d63a215f0e40ae806d21bdad6fcdba002f35c5b3d8827c7d5e5c9500a356a7bdf7a3d402c3d8851dd0df69a72fed752277f32b210cc
-
Filesize
379KB
MD50cdb376595b90c8e40169a7332c609cc
SHA10e47e06237f27388437d8631d055e78a34b37e03
SHA25631d2076066107bd04ab24ff7bbdf8271aa16dd1d04e70bd9cc492e9aa1e6c82b
SHA5123062a64d412d69996d36caf7acf1dd040941ab9adf26841fcb103d4711ffcb8e3a8deaa9374042c882e1e4c3ad51e4d294498c398d2b6adf0f1c6669d6f1d94b
-
Filesize
371KB
MD57456818a22dad2c0965580d8bbf4cabd
SHA1548714607df2ec3b7c8a22cfba3a1776e6e80861
SHA256f3a288c5455b074fe9c9d5a160adeb49e84bbe1832b5fcbe8f26093215192f65
SHA51213f6589bd9c0c60a3df63325c57e94129761adc558d1a65eb4c6e138e6155dd9dbe501d45edde282219dc357593458f5f84a29188d123dcb7770e7479f6a7e68
-
Filesize
1.7MB
MD5f5e75394913d746ac50a5d8af30a67b8
SHA1488f9c69740b826b3aaf5c2626eef8d5e107ab01
SHA256c5f367bfe533e0f5a221c01da922ef182a49a326c92aa1d409dc7e2d7dcbedc1
SHA5122734e2f63a115d9699108ae07dd4bcbdc21f503333f3954679b60184736a29220b58dc0b0e220fd7659d9c3b818481108a0d22ed24f7810e7c2daf36fa92d5ef
-
Filesize
7.5MB
-
Filesize
7.5MB
-
Filesize
7.5MB
-
Filesize
420KB
