Overview

overview

10

Static

static

1

YoudaodbDictSetup.msi

windows7-x64

10

YoudaodbDictSetup.msi

windows10-2004-x64

10

telcgaem.exe

windows7-x64

10

telcgaem.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    143s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    21-10-2024 14:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    telcgaem.exe

  • Size

    78.3MB

  • MD5

    15c47c49822e2e151570f92f2c888810

  • SHA1

    00bd79f05c1d2d6e1cd183b9091cfc49186d19db

  • SHA256

    8b14e06f3d18713e80f1af4fba599c61c1afc60ae1188155fd1232dd2e912274

  • SHA512

    ee20bd72a84482921e0ffa7321cafa5c80817ca26f5e74682b4d2bb9bc3043e36e05993db88c0b5634ac3db9933987f2b49127dd1e705a20d6786aa521936f5f

  • SSDEEP

    1572864:NjsyFFS7s0bdNcqNdZStgE47uuJm3nB5ddE0OFS7s0bdNcqNdZvFS7s0bdNcqNdJ:HncsadOqNdstZ47uFbdRIcsadOqNd3cV

Score
10/10
discoveryevasiontrojan

Malware Config

Signatures

  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 11 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops desktop.ini file(s) 1 IoCs
  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Enumerates system info in registry 2 TTPs 6 IoCs
  • Modifies registry class 16 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 56 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\telcgaem.exe
    "C:\Users\Admin\AppData\Local\Temp\telcgaem.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2548
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /tn "pxChreefaupxokshorlt" /xml "C:\programdata\Mylnk\1.xml" /f
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:1224
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\okshor\1.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2784
      • C:\Windows\SysWOW64\reg.exe
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
        3⤵
        • UAC bypass
        • System Location Discovery: System Language Discovery
        PID:2684
    • C:\Users\Public\Videos\bin.exe
      C:\Users\Public\Videos\bin.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2668
      • C:\Users\Admin\AppData\Local\Temp\is-7EOLT.tmp\bin.tmp
        "C:\Users\Admin\AppData\Local\Temp\is-7EOLT.tmp\bin.tmp" /SL5="$401CE,44109053,814592,C:\Users\Public\Videos\bin.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:840
        • C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe
          "C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops desktop.ini file(s)
          • Enumerates system info in registry
          • Modifies registry class
          • Suspicious behavior: AddClipboardFormatListener
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          PID:2140
  • C:\okshor\Agghosts.exe
    "C:\okshor\Agghosts.exe" 67
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Enumerates connected drives
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    PID:2720

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Mylnk\2.lnk
    Filesize

    1KB

    MD5

    169cb741dc0fb36dc6155f9326b44a0e

    SHA1

    d5b42cd907e511f99e10218d7cf325eb890322b0

    SHA256

    f7ef2dbc57831c73e9f84e8c14420cbd3678bd64b8899284611456340caceda6

    SHA512

    f39eb6bc4624a3b383ad3891fc534cf10e389642da2d672aff87198b189ea37a59b5378bbce2f3f808cabb0ec6548b1f04085038c4fa4170fd07089e798021f5

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Cab9149.tmp
    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Telegram Desktop\modules\x64\d3d\d3dcompiler_47.dll
    Filesize

    4.7MB

    MD5

    62a89e7867d853fee9ad07b7c9d64379

    SHA1

    944a53602492187308352103d80ff27af1093abf

    SHA256

    d412909f1b597045b856caecedfc677eb4708af00e5b70788a01fa6af49c09d9

    SHA512

    7f66bf278222bf1079a3695ad55086ccc7d8b05d7db4f9a5bcbfe4ac8d82bc1a618b1c6dc675da61d47f48fce2b0670ce6f66db63e79e232604304cfc629d6d0

    Download Submit

  • C:\okshor\1.bat
    Filesize

    234B

    MD5

    56738d2f09890bc799257f6da9b9e09e

    SHA1

    df75f0b67a684abb76671d3ed2da0578decfcaec

    SHA256

    7a4ba5ea69112ce4df940b79557706d982e776e0a5ccd305d0d7bf85047c2a1b

    SHA512

    2c787b47944f901b177fef9cbe167a50f3d95d2cd3a9f7ec4753e1af559e28427352078cdc49b6701dec28135e9b7e5aa26f2ecb79547b714d815b9d6a18fe92

    Download Submit

  • C:\okshor\Agghosts.exe
    Filesize

    81KB

    MD5

    4748feb185e815e5564cd9c9573bfc94

    SHA1

    5e18754384528407d92fdf09656dca2860368423

    SHA256

    cef00109676a75f21e2b682853f2fe0d18418edf08f73162b6cc43d7bbe70797

    SHA512

    9a60a622a752742fceab645fc70d5e58818a7dd30bdb11424e58f68beccc54c7cdcdc7aec77b4811dda7c98a944e424e92f9a931ec36a3c8cf4898a19f4be732

    Download Submit

  • C:\okshor\Ensup.log
    Filesize

    109KB

    MD5

    5c40dca67790f64aee9ddca96fa8b91f

    SHA1

    a35fe072cac6fcc76adcbc2b5ac4b5e0f59388fa

    SHA256

    7156d368e395a6a0620bd86f86bc6b93d829b5a90d7af62631d8b2c54a79da39

    SHA512

    48a6a8db854c3ee88870791cf18005882ee2ab7d28ab565afc5e43cdf30cdb791e1ddb885cc398d99961651811fd27593940c39aa24cc66a46053bedba952069

    Download Submit

  • C:\okshor\MSVCP140.dll
    Filesize

    429KB

    MD5

    cfbdf284c12056347e6773cb3949fbba

    SHA1

    ad3fa5fbbc4296d4a901ea94460762faf3d6a2b8

    SHA256

    bbecdfda2551b01aa16005c88305982c360a9fb9ba3d9be2fb15f2e9c6eb809f

    SHA512

    2f24eac94d51f8f28c8e6b6234ca2e481e0f8f1a73df62766ff4f5640480377fb2c4a469babedb87d303503994b469e570aaf725e16da6f9b2d6a77f15b4623f

    Download Submit

  • C:\okshor\VCRUNTIME140.dll
    Filesize

    77KB

    MD5

    f107a3c7371c4543bd3908ba729dd2db

    SHA1

    af8e7e8f446de74db2f31d532e46eab8bbf41e0a

    SHA256

    00df0901c101254525a219d93ff1830da3a20d3f14bc323354d8d5fee5854ec0

    SHA512

    fd776f8ceaac498f4f44819794c0fa89224712a8c476819ffc76ba4c7ff4caa9b360b9d299d9df7965387e5bbcb330f316f53759b5146a73b27a5f2e964c3530

    Download Submit

  • C:\okshor\active_desktop_render.dll
    Filesize

    16KB

    MD5

    f23db0b87538bde7fc0c9d7d8cc010fc

    SHA1

    565b446b9dad1c57b4d962132d6253d4367a4e9e

    SHA256

    8228573e8757a6a79c0bad985129706062048b4c97ae5ce8813c60570a406247

    SHA512

    ffa3d8d305226fdf7daf6432c904f6f516d1d230b044bc7693c747b891aa17f1e76baae3400a061c36108f905aadaea2567934cc2182d5c8ae4700fc712ea435

    Download Submit

  • C:\programdata\Mylnk\1.xml
    Filesize

    3KB

    MD5

    368da51ea9910cacaac9822927dc84e5

    SHA1

    b028a74de0e32e0397a2fb35502afec7f8e469c1

    SHA256

    774301e5ca54aa6eee42af64edd71a7246cbe67342e48fb965187591f56219cb

    SHA512

    80a8843888b65939f1e4238b58f8bee35ccc0302afc6dd0606c7e1f299933f767c9d4336b2b05f3556df0702cc51c65395fe41b9f0d7683eef6b15704249db99

    Download Submit

  • \Users\Admin\AppData\Local\Temp\is-7EOLT.tmp\bin.tmp
    Filesize

    3.0MB

    MD5

    fb01c7b8a3205457b6e92d2508a212f2

    SHA1

    3eb7e3cc688cd6bd87338297a1d8dae61ceddb69

    SHA256

    8a91f3b900acfd24ebc403cfdb97cc36e5565e5d25544e521cd9705f5a900c8a

    SHA512

    93deb0cf06e2d47eb20b5da6506078955199487319a7f173f0e5a510c7429e2bab2ab7df7bb591df5be58c393286c123218836eaa818b1e671f3ce349b25e6ce

    Download Submit

  • \Users\Public\Videos\bin.exe
    Filesize

    42.9MB

    MD5

    60e84a87393a855aea63cce2619ad0ff

    SHA1

    dbbe89f1d8cb3e74b26b203a77643ddb4890296e

    SHA256

    01e9a214a6c806120d4a6081687a1ec00e901a115eb3bbf8ee3101e4ce921bb4

    SHA512

    3d99471020599a4e04da5dd818cb439af6c223ffa85d4932995a5d0088c7952d206d61f7f73e5be05593d82c5a286d5bd4d30ee130665ebb5ecd7f14694874da

    Download Submit

  • memory/840-118-0x0000000000400000-0x0000000000710000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/840-80-0x0000000000400000-0x0000000000710000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/840-107-0x0000000000400000-0x0000000000710000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/840-82-0x0000000000400000-0x0000000000710000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/2140-132-0x00000000023C0000-0x00000000023CA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2140-131-0x00000000023C0000-0x00000000023CA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2140-181-0x00000000023C0000-0x00000000023CA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2140-171-0x00000000023C0000-0x00000000023CA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2140-170-0x0000000000220000-0x000000000022A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2140-169-0x0000000000220000-0x000000000022A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2140-134-0x00000000023C0000-0x00000000023CA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2140-116-0x0000000000220000-0x000000000022A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2140-115-0x0000000000220000-0x000000000022A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2140-135-0x00000000023C0000-0x00000000023CA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2548-1-0x0000000010000000-0x00000000101A4000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2548-20-0x0000000000180000-0x0000000000182000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2668-121-0x0000000000400000-0x00000000004D4000-memory.dmp

    Filesize

    848KB

    Download

  • memory/2668-59-0x0000000000400000-0x00000000004D4000-memory.dmp

    Filesize

    848KB

    Download

  • memory/2668-79-0x0000000000400000-0x00000000004D4000-memory.dmp

    Filesize

    848KB

    Download

  • memory/2720-75-0x0000000001E20000-0x0000000001E58000-memory.dmp

    Filesize

    224KB

    Download

  • memory/2720-29-0x0000000010000000-0x0000000010022000-memory.dmp

    Filesize

    136KB

    Download

  • memory/2720-72-0x0000000001E20000-0x0000000001E58000-memory.dmp

    Filesize

    224KB

    Download

  • memory/2720-73-0x0000000001E20000-0x0000000001E58000-memory.dmp

    Filesize

    224KB

    Download

  • memory/2720-74-0x0000000001E20000-0x0000000001E58000-memory.dmp

    Filesize

    224KB

    Download

  • memory/2720-201-0x0000000002400000-0x0000000002427000-memory.dmp

    Filesize

    156KB

    Download

  • memory/2720-200-0x0000000001E20000-0x0000000001E58000-memory.dmp

    Filesize

    224KB

    Download

  • memory/2720-225-0x0000000001E20000-0x0000000001E58000-memory.dmp

    Filesize

    224KB

    Download