Overview

overview

10

Static

static

1

YoudaodbDictSetup.msi

windows7-x64

10

YoudaodbDictSetup.msi

windows10-2004-x64

10

telcgaem.exe

windows7-x64

10

telcgaem.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-10-2024 14:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    telcgaem.exe

  • Size

    78.3MB

  • MD5

    15c47c49822e2e151570f92f2c888810

  • SHA1

    00bd79f05c1d2d6e1cd183b9091cfc49186d19db

  • SHA256

    8b14e06f3d18713e80f1af4fba599c61c1afc60ae1188155fd1232dd2e912274

  • SHA512

    ee20bd72a84482921e0ffa7321cafa5c80817ca26f5e74682b4d2bb9bc3043e36e05993db88c0b5634ac3db9933987f2b49127dd1e705a20d6786aa521936f5f

  • SSDEEP

    1572864:NjsyFFS7s0bdNcqNdZStgE47uuJm3nB5ddE0OFS7s0bdNcqNdZvFS7s0bdNcqNdJ:HncsadOqNdstZ47uFbdRIcsadOqNd3cV

Score
10/10
discoveryevasiontrojan

Malware Config

Signatures

  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 4 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops desktop.ini file(s) 1 IoCs
  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Enumerates system info in registry 2 TTPs 6 IoCs
  • Modifies registry class 17 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\telcgaem.exe
    "C:\Users\Admin\AppData\Local\Temp\telcgaem.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1092
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /tn "xiChremfauxirumkcplt" /xml "C:\programdata\Mylnk\1.xml" /f
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:1616
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\rumkcp\1.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1496
      • C:\Windows\SysWOW64\reg.exe
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
        3⤵
        • UAC bypass
        • System Location Discovery: System Language Discovery
        PID:4772
    • C:\Users\Public\Videos\bin.exe
      C:\Users\Public\Videos\bin.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4484
      • C:\Users\Admin\AppData\Local\Temp\is-K2D6T.tmp\bin.tmp
        "C:\Users\Admin\AppData\Local\Temp\is-K2D6T.tmp\bin.tmp" /SL5="$150066,44109053,814592,C:\Users\Public\Videos\bin.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:4964
        • C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe
          "C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops desktop.ini file(s)
          • Enumerates system info in registry
          • Modifies registry class
          • Suspicious behavior: AddClipboardFormatListener
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of SetWindowsHookEx
          PID:1880
  • C:\rumkcp\Agghosts.exe
    "C:\rumkcp\Agghosts.exe" 67
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Enumerates connected drives
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    PID:3340

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Mylnk\2.lnk
    Filesize

    1KB

    MD5

    9318548681b9f42e5a0be29e08d13ed4

    SHA1

    1870b52502593799966ce2e09dd2564ca24b9046

    SHA256

    6ba1de45a6013ae936eea63b6e2daede3287c389d36d2c7c5f6d0daceb38d436

    SHA512

    8f7771c2a369fa2f529f1c1ee0a6f1df61e9a2b36b5ce13f1f0d487855747676ca013eaf117d97a1af8bac4a0277deba7eb31ec0576d12feb8d7792fc630b429

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\is-K2D6T.tmp\bin.tmp
    Filesize

    3.0MB

    MD5

    fb01c7b8a3205457b6e92d2508a212f2

    SHA1

    3eb7e3cc688cd6bd87338297a1d8dae61ceddb69

    SHA256

    8a91f3b900acfd24ebc403cfdb97cc36e5565e5d25544e521cd9705f5a900c8a

    SHA512

    93deb0cf06e2d47eb20b5da6506078955199487319a7f173f0e5a510c7429e2bab2ab7df7bb591df5be58c393286c123218836eaa818b1e671f3ce349b25e6ce

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Telegram Desktop\modules\x64\d3d\d3dcompiler_47.dll
    Filesize

    4.7MB

    MD5

    62a89e7867d853fee9ad07b7c9d64379

    SHA1

    944a53602492187308352103d80ff27af1093abf

    SHA256

    d412909f1b597045b856caecedfc677eb4708af00e5b70788a01fa6af49c09d9

    SHA512

    7f66bf278222bf1079a3695ad55086ccc7d8b05d7db4f9a5bcbfe4ac8d82bc1a618b1c6dc675da61d47f48fce2b0670ce6f66db63e79e232604304cfc629d6d0

    Download Submit

  • C:\Users\Public\Videos\bin.exe
    Filesize

    42.9MB

    MD5

    60e84a87393a855aea63cce2619ad0ff

    SHA1

    dbbe89f1d8cb3e74b26b203a77643ddb4890296e

    SHA256

    01e9a214a6c806120d4a6081687a1ec00e901a115eb3bbf8ee3101e4ce921bb4

    SHA512

    3d99471020599a4e04da5dd818cb439af6c223ffa85d4932995a5d0088c7952d206d61f7f73e5be05593d82c5a286d5bd4d30ee130665ebb5ecd7f14694874da

    Download Submit

  • C:\programdata\Mylnk\1.xml
    Filesize

    3KB

    MD5

    9eaf39ff9b0149d4cb9eee9621d2172a

    SHA1

    03f98d166f7464b8fbe50699fd1e5e91a2228d0c

    SHA256

    de321631188389a11ed4b30266e8285287e57224171593db61fc8993bba1bcb1

    SHA512

    f78be57c6674d786cd543859df01475750a22c00d5876e8eb12ae122c9fad0ebc55a53807c07a7aee739708c212aea87f608f98e98941de9cb654a56f9e60eba

    Download Submit

  • C:\rumkcp\1.bat
    Filesize

    234B

    MD5

    56738d2f09890bc799257f6da9b9e09e

    SHA1

    df75f0b67a684abb76671d3ed2da0578decfcaec

    SHA256

    7a4ba5ea69112ce4df940b79557706d982e776e0a5ccd305d0d7bf85047c2a1b

    SHA512

    2c787b47944f901b177fef9cbe167a50f3d95d2cd3a9f7ec4753e1af559e28427352078cdc49b6701dec28135e9b7e5aa26f2ecb79547b714d815b9d6a18fe92

    Download Submit

  • C:\rumkcp\Agghosts.exe
    Filesize

    81KB

    MD5

    4748feb185e815e5564cd9c9573bfc94

    SHA1

    5e18754384528407d92fdf09656dca2860368423

    SHA256

    cef00109676a75f21e2b682853f2fe0d18418edf08f73162b6cc43d7bbe70797

    SHA512

    9a60a622a752742fceab645fc70d5e58818a7dd30bdb11424e58f68beccc54c7cdcdc7aec77b4811dda7c98a944e424e92f9a931ec36a3c8cf4898a19f4be732

    Download Submit

  • C:\rumkcp\Ensup.log
    Filesize

    109KB

    MD5

    5c40dca67790f64aee9ddca96fa8b91f

    SHA1

    a35fe072cac6fcc76adcbc2b5ac4b5e0f59388fa

    SHA256

    7156d368e395a6a0620bd86f86bc6b93d829b5a90d7af62631d8b2c54a79da39

    SHA512

    48a6a8db854c3ee88870791cf18005882ee2ab7d28ab565afc5e43cdf30cdb791e1ddb885cc398d99961651811fd27593940c39aa24cc66a46053bedba952069

    Download Submit

  • C:\rumkcp\MSVCP140.dll
    Filesize

    429KB

    MD5

    cfbdf284c12056347e6773cb3949fbba

    SHA1

    ad3fa5fbbc4296d4a901ea94460762faf3d6a2b8

    SHA256

    bbecdfda2551b01aa16005c88305982c360a9fb9ba3d9be2fb15f2e9c6eb809f

    SHA512

    2f24eac94d51f8f28c8e6b6234ca2e481e0f8f1a73df62766ff4f5640480377fb2c4a469babedb87d303503994b469e570aaf725e16da6f9b2d6a77f15b4623f

    Download Submit

  • C:\rumkcp\VCRUNTIME140.dll
    Filesize

    77KB

    MD5

    f107a3c7371c4543bd3908ba729dd2db

    SHA1

    af8e7e8f446de74db2f31d532e46eab8bbf41e0a

    SHA256

    00df0901c101254525a219d93ff1830da3a20d3f14bc323354d8d5fee5854ec0

    SHA512

    fd776f8ceaac498f4f44819794c0fa89224712a8c476819ffc76ba4c7ff4caa9b360b9d299d9df7965387e5bbcb330f316f53759b5146a73b27a5f2e964c3530

    Download Submit

  • C:\rumkcp\active_desktop_render.dll
    Filesize

    16KB

    MD5

    f23db0b87538bde7fc0c9d7d8cc010fc

    SHA1

    565b446b9dad1c57b4d962132d6253d4367a4e9e

    SHA256

    8228573e8757a6a79c0bad985129706062048b4c97ae5ce8813c60570a406247

    SHA512

    ffa3d8d305226fdf7daf6432c904f6f516d1d230b044bc7693c747b891aa17f1e76baae3400a061c36108f905aadaea2567934cc2182d5c8ae4700fc712ea435

    Download Submit

  • memory/1092-1-0x0000000010000000-0x00000000101A4000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/3340-29-0x0000000010000000-0x0000000010022000-memory.dmp

    Filesize

    136KB

    Download

  • memory/3340-66-0x0000000002BA0000-0x0000000002BD8000-memory.dmp

    Filesize

    224KB

    Download

  • memory/3340-67-0x0000000002BA0000-0x0000000002BD8000-memory.dmp

    Filesize

    224KB

    Download

  • memory/3340-68-0x0000000002BA0000-0x0000000002BD8000-memory.dmp

    Filesize

    224KB

    Download

  • memory/3340-202-0x0000000002BA0000-0x0000000002BD8000-memory.dmp

    Filesize

    224KB

    Download

  • memory/3340-65-0x0000000002BA0000-0x0000000002BD8000-memory.dmp

    Filesize

    224KB

    Download

  • memory/3340-187-0x0000000002BA0000-0x0000000002BD8000-memory.dmp

    Filesize

    224KB

    Download

  • memory/3340-188-0x0000000000B60000-0x0000000000B87000-memory.dmp

    Filesize

    156KB

    Download

  • memory/4484-106-0x0000000000400000-0x00000000004D4000-memory.dmp

    Filesize

    848KB

    Download

  • memory/4484-72-0x0000000000400000-0x00000000004D4000-memory.dmp

    Filesize

    848KB

    Download

  • memory/4484-56-0x0000000000400000-0x00000000004D4000-memory.dmp

    Filesize

    848KB

    Download

  • memory/4964-75-0x0000000000400000-0x0000000000710000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/4964-105-0x0000000000400000-0x0000000000710000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/4964-80-0x0000000000400000-0x0000000000710000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/4964-73-0x0000000000400000-0x0000000000710000-memory.dmp

    Filesize

    3.1MB

    Download