gh0strat | 92553e176daf1cc411113c65eeec0fb2327100fc43356352787844ae85b78fdf

Resubmissions

09-11-2024 15:52

241109-ta7ekawngt 10

09-11-2024 15:17

241109-spgxsaxbmq 10

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09-11-2024 15:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

92553e176daf1cc411113c65eeec0fb2327100fc43356352787844ae85b78fdf.msi
Size

44.6MB
MD5

7ba3fd79c3ccfdb9f1a311a3f05a7d94
SHA1

c4115a8d08ce102bcb14ed00dad86e52e163c81c
SHA256

92553e176daf1cc411113c65eeec0fb2327100fc43356352787844ae85b78fdf
SHA512

f491a16cc375d6756e2debed08e76f01c090ae52b16e7b3eeed2930e0eb8e47e56aada96b54a6dfaa212354d66ca92955a4fc39434a378429f54416f5043048c
SSDEEP

786432:YIRRSEiH0Anyv1JSEyexVA6mcdbTUReEhVzC136g9lceVzgOXTBAaWTAsLBrYuJC:Y+RSnyXSNWvUReEOQg9meVkOXpWXfmMZ

Score

10^/10

gh0strat purplefox discovery execution persistence privilege_escalation rat rootkit trojan

Malware Config

Signatures

Detect PurpleFox Rootkit 6 IoCs

Detect PurpleFox Rootkit.

rootkit

resource	yara_rule
behavioral2/memory/3492-114-0x000000002BEC0000-0x000000002C07C000-memory.dmp	purplefox_rootkit
behavioral2/memory/3492-117-0x000000002BEC0000-0x000000002C07C000-memory.dmp	purplefox_rootkit
behavioral2/memory/3492-116-0x000000002BEC0000-0x000000002C07C000-memory.dmp	purplefox_rootkit
behavioral2/memory/3492-118-0x000000002BEC0000-0x000000002C07C000-memory.dmp	purplefox_rootkit
behavioral2/memory/3492-121-0x000000002BEC0000-0x000000002C07C000-memory.dmp	purplefox_rootkit
behavioral2/memory/3492-125-0x000000002BEC0000-0x000000002C07C000-memory.dmp	purplefox_rootkit

Gh0st RAT payload 6 IoCs

resource	yara_rule
behavioral2/memory/3492-114-0x000000002BEC0000-0x000000002C07C000-memory.dmp	family_gh0strat
behavioral2/memory/3492-117-0x000000002BEC0000-0x000000002C07C000-memory.dmp	family_gh0strat
behavioral2/memory/3492-116-0x000000002BEC0000-0x000000002C07C000-memory.dmp	family_gh0strat
behavioral2/memory/3492-118-0x000000002BEC0000-0x000000002C07C000-memory.dmp	family_gh0strat
behavioral2/memory/3492-121-0x000000002BEC0000-0x000000002C07C000-memory.dmp	family_gh0strat
behavioral2/memory/3492-125-0x000000002BEC0000-0x000000002C07C000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
rootkit trojan purplefox
Purplefox family
purplefox

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2172	powershell.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\L:	bFchqPntlegL.exe
File opened (read-only)	\??\J:	bFchqPntlegL.exe
File opened (read-only)	\??\W:	bFchqPntlegL.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	bFchqPntlegL.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\R:	bFchqPntlegL.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\U:	bFchqPntlegL.exe
File opened (read-only)	\??\O:	bFchqPntlegL.exe
File opened (read-only)	\??\Y:	bFchqPntlegL.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\M:	bFchqPntlegL.exe
File opened (read-only)	\??\Q:	bFchqPntlegL.exe
File opened (read-only)	\??\V:	bFchqPntlegL.exe
File opened (read-only)	\??\Z:	bFchqPntlegL.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\I:	bFchqPntlegL.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\E:	bFchqPntlegL.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\S:	bFchqPntlegL.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\H:	bFchqPntlegL.exe
File opened (read-only)	\??\X:	bFchqPntlegL.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\P:	bFchqPntlegL.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\G:	bFchqPntlegL.exe
File opened (read-only)	\??\L:	msiexec.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\UhHKDmESOIjj.exe.log	UhHKDmESOIjj.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\Saved Games	tsetup.tmp

Drops file in Program Files directory 23 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\SustainSleekTutor\UhHKDmESOIjj.exe	xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe
File created	C:\Program Files\SustainSleekTutor\bFchqPntlegL.vbs	bFchqPntlegL.exe
File created	C:\Program Files\SustainSleekTutor\lBktGjuuaOaTazRwJvXXhRyefRHhOg	msiexec.exe
File created	C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe	msiexec.exe
File created	C:\Program Files\SustainSleekTutor\NMnDkvvmlBOPWlKYckpqMpfXmIsbMf	xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe
File opened for modification	C:\Program Files\SustainSleekTutor\NMnDkvvmlBOPWlKYckpqMpfXmIsbMf	xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe
File created	C:\Program Files\SustainSleekTutor\NLGACUfhExiQgpFqVoxutQoGyuzRSw	xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe
File created	C:\Program Files\SustainSleekTutor\UhHKDmESOIjj.exe	xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe
File opened for modification	C:\Program Files\SustainSleekTutor	bFchqPntlegL.exe
File opened for modification	C:\Program Files\SustainSleekTutor\NLGACUfhExiQgpFqVoxutQoGyuzRSw	xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe
File created	C:\Program Files\SustainSleekTutor\UhHKDmESOIjj.xml	xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe
File opened for modification	C:\Program Files\SustainSleekTutor\UhHKDmESOIjj.xml	xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe
File created	C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe	MsiExec.exe
File opened for modification	C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe	MsiExec.exe
File opened for modification	C:\Program Files\SustainSleekTutor\UhHKDmESOIjj.wrapper.log	UhHKDmESOIjj.exe
File created	C:\Program Files\SustainSleekTutor\valibclang2d.dll	msiexec.exe
File opened for modification	C:\Program Files\SustainSleekTutor\2_bFchqPntlegL.exe	xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe
File opened for modification	C:\Program Files\SustainSleekTutor\UhHKDmESOIjj.wrapper.log	UhHKDmESOIjj.exe
File created	C:\Program Files\SustainSleekTutor\tsetup.exe	msiexec.exe
File created	C:\Program Files\SustainSleekTutor\bFchqPntlegL	xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe
File opened for modification	C:\Program Files\SustainSleekTutor\bFchqPntlegL	xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe
File created	C:\Program Files\SustainSleekTutor\2_bFchqPntlegL.exe	xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe
File opened for modification	C:\Program Files\SustainSleekTutor\UhHKDmESOIjj.wrapper.log	UhHKDmESOIjj.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{E94DD97D-74C5-4066-895C-1E7D5A0698F5}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB99B.tmp	msiexec.exe
File created	C:\Windows\Installer\e57b807.msi	msiexec.exe
File created	C:\Windows\Installer\e57b805.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e57b805.msi	msiexec.exe

Executes dropped EXE 11 IoCs

pid	Process
3160	xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe
972	xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe
2556	bFchqPntlegL.exe
1440	tsetup.exe
2052	tsetup.tmp
4060	UhHKDmESOIjj.exe
2216	UhHKDmESOIjj.exe
3896	UhHKDmESOIjj.exe
3868	bFchqPntlegL.exe
3492	bFchqPntlegL.exe
512	Telegram.exe

Loads dropped DLL 1 IoCs

pid	Process
512	Telegram.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
1052	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bFchqPntlegL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tsetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tsetup.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bFchqPntlegL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bFchqPntlegL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1560	cmd.exe
876	PING.EXE

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 000000000400000038a6760542cf76680000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff00000000270101000008000038a676050000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff00000000070001000068090038a67605000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d38a67605000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000038a6760500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	bFchqPntlegL.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	bFchqPntlegL.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Telegram.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Telegram.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\	Telegram.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Telegram.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	Telegram.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct	Telegram.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 6830eccbd53acba79b3678289e7adb3351caaff0c00b773c3d3ce8e0a6ee35f0	tsetup.tmp
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Uninstall\{53F49750-6209-4FBF-9CA8-7A333C87D1ED}_is1\NoModify = "1"	tsetup.tmp
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	Telegram.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\TelegramDesktop\Capabilities\ApplicationName = "Telegram Desktop"	Telegram.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\TelegramDesktop\Capabilities\UrlAssociations\tg = "tdesktop.tg"	Telegram.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	Telegram.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	Telegram.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000	tsetup.tmp
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	Telegram.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\TelegramDesktop	Telegram.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\tg\URL Protocol	Telegram.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	WScript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Uninstall\{53F49750-6209-4FBF-9CA8-7A333C87D1ED}_is1	tsetup.tmp
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Uninstall\{53F49750-6209-4FBF-9CA8-7A333C87D1ED}_is1\DisplayVersion = "5.2.3"	tsetup.tmp
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Uninstall\{53F49750-6209-4FBF-9CA8-7A333C87D1ED}_is1\InstallLocation = "C:\\Users\\Admin\\AppData\\Roaming\\Telegram Desktop\\"	tsetup.tmp
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Uninstall\{53F49750-6209-4FBF-9CA8-7A333C87D1ED}_is1\NoRepair = "1"	tsetup.tmp
Key created	\REGISTRY\USER\.DEFAULT\Software\TelegramDesktop\Capabilities	Telegram.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	Telegram.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\System32\ci.dll,-101 = "Enclave"	Telegram.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption"	Telegram.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	WScript.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Uninstall\{53F49750-6209-4FBF-9CA8-7A333C87D1ED}_is1\HelpLink = "https://desktop.telegram.org"	tsetup.tmp
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\tg	Telegram.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	Telegram.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Uninstall\{53F49750-6209-4FBF-9CA8-7A333C87D1ED}_is1\MinorVersion = "2"	tsetup.tmp
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	Telegram.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Uninstall\{53F49750-6209-4FBF-9CA8-7A333C87D1ED}_is1\Inno Setup: Setup Version = "6.2.2"	tsetup.tmp
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	Telegram.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	Telegram.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	Telegram.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	Telegram.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	Telegram.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	Telegram.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	Telegram.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\tdesktop.tg\shell\open\command	Telegram.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\tdesktop.tg\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Telegram Desktop\\Telegram.exe\" -- \"%1\""	Telegram.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	Telegram.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust"	Telegram.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 61d04e6bf84ec24f19c1f205f15fd6c7cc1e20c01e3bba5e1632aff982bcdb60	tsetup.tmp
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Uninstall\{53F49750-6209-4FBF-9CA8-7A333C87D1ED}_is1\Inno Setup: Icon Group = "Telegram Desktop"	tsetup.tmp
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Uninstall\{53F49750-6209-4FBF-9CA8-7A333C87D1ED}_is1\Inno Setup: No Icons = "1"	tsetup.tmp
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Uninstall\{53F49750-6209-4FBF-9CA8-7A333C87D1ED}_is1\DisplayName = "Telegram Desktop"	tsetup.tmp

Modifies registry class 22 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\D79DD49E5C47660498C5E1D7A560895F	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D79DD49E5C47660498C5E1D7A560895F\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D79DD49E5C47660498C5E1D7A560895F\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D79DD49E5C47660498C5E1D7A560895F\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D79DD49E5C47660498C5E1D7A560895F\SourceList\Media	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D79DD49E5C47660498C5E1D7A560895F\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\D79DD49E5C47660498C5E1D7A560895F\ProductFeature	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D79DD49E5C47660498C5E1D7A560895F\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D79DD49E5C47660498C5E1D7A560895F\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D79DD49E5C47660498C5E1D7A560895F\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D79DD49E5C47660498C5E1D7A560895F\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D79DD49E5C47660498C5E1D7A560895F\SourceList\PackageName = "92553e176daf1cc411113c65eeec0fb2327100fc43356352787844ae85b78fdf.msi"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D79DD49E5C47660498C5E1D7A560895F\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\0D716B2B7A13A72439FD62E0DFA6E582	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D79DD49E5C47660498C5E1D7A560895F	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D79DD49E5C47660498C5E1D7A560895F\ProductName = "SustainSleekTutor"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D79DD49E5C47660498C5E1D7A560895F\PackageCode = "422D740D8F2748241AF491420E7509A6"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D79DD49E5C47660498C5E1D7A560895F\Version = "100794368"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D79DD49E5C47660498C5E1D7A560895F\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D79DD49E5C47660498C5E1D7A560895F\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\0D716B2B7A13A72439FD62E0DFA6E582\D79DD49E5C47660498C5E1D7A560895F	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D79DD49E5C47660498C5E1D7A560895F\SourceList\Media\1 = ";"	msiexec.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
876	PING.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
512	Telegram.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1104	msiexec.exe
1104	msiexec.exe
2172	powershell.exe
2172	powershell.exe
2172	powershell.exe
2556	bFchqPntlegL.exe
2556	bFchqPntlegL.exe
2556	bFchqPntlegL.exe
2556	bFchqPntlegL.exe
2556	bFchqPntlegL.exe
2556	bFchqPntlegL.exe
2556	bFchqPntlegL.exe
2556	bFchqPntlegL.exe
2556	bFchqPntlegL.exe
2556	bFchqPntlegL.exe
2556	bFchqPntlegL.exe
2556	bFchqPntlegL.exe
2556	bFchqPntlegL.exe
2556	bFchqPntlegL.exe
2556	bFchqPntlegL.exe
2556	bFchqPntlegL.exe
2556	bFchqPntlegL.exe
2556	bFchqPntlegL.exe
2556	bFchqPntlegL.exe
2556	bFchqPntlegL.exe
2556	bFchqPntlegL.exe
2556	bFchqPntlegL.exe
2556	bFchqPntlegL.exe
2556	bFchqPntlegL.exe
2556	bFchqPntlegL.exe
2556	bFchqPntlegL.exe
2556	bFchqPntlegL.exe
2556	bFchqPntlegL.exe
2556	bFchqPntlegL.exe
2556	bFchqPntlegL.exe
2556	bFchqPntlegL.exe
2556	bFchqPntlegL.exe
2556	bFchqPntlegL.exe
2556	bFchqPntlegL.exe
2556	bFchqPntlegL.exe
2556	bFchqPntlegL.exe
2556	bFchqPntlegL.exe
2556	bFchqPntlegL.exe
2556	bFchqPntlegL.exe
2556	bFchqPntlegL.exe
2556	bFchqPntlegL.exe
2556	bFchqPntlegL.exe
2556	bFchqPntlegL.exe
2556	bFchqPntlegL.exe
2556	bFchqPntlegL.exe
2556	bFchqPntlegL.exe
2556	bFchqPntlegL.exe
2556	bFchqPntlegL.exe
2556	bFchqPntlegL.exe
2556	bFchqPntlegL.exe
2556	bFchqPntlegL.exe
2556	bFchqPntlegL.exe
2556	bFchqPntlegL.exe
2556	bFchqPntlegL.exe
2556	bFchqPntlegL.exe
2556	bFchqPntlegL.exe
2556	bFchqPntlegL.exe
2556	bFchqPntlegL.exe
2556	bFchqPntlegL.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1052	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1052	msiexec.exe
Token: SeSecurityPrivilege	1104	msiexec.exe
Token: SeCreateTokenPrivilege	1052	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1052	msiexec.exe
Token: SeLockMemoryPrivilege	1052	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1052	msiexec.exe
Token: SeMachineAccountPrivilege	1052	msiexec.exe
Token: SeTcbPrivilege	1052	msiexec.exe
Token: SeSecurityPrivilege	1052	msiexec.exe
Token: SeTakeOwnershipPrivilege	1052	msiexec.exe
Token: SeLoadDriverPrivilege	1052	msiexec.exe
Token: SeSystemProfilePrivilege	1052	msiexec.exe
Token: SeSystemtimePrivilege	1052	msiexec.exe
Token: SeProfSingleProcessPrivilege	1052	msiexec.exe
Token: SeIncBasePriorityPrivilege	1052	msiexec.exe
Token: SeCreatePagefilePrivilege	1052	msiexec.exe
Token: SeCreatePermanentPrivilege	1052	msiexec.exe
Token: SeBackupPrivilege	1052	msiexec.exe
Token: SeRestorePrivilege	1052	msiexec.exe
Token: SeShutdownPrivilege	1052	msiexec.exe
Token: SeDebugPrivilege	1052	msiexec.exe
Token: SeAuditPrivilege	1052	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1052	msiexec.exe
Token: SeChangeNotifyPrivilege	1052	msiexec.exe
Token: SeRemoteShutdownPrivilege	1052	msiexec.exe
Token: SeUndockPrivilege	1052	msiexec.exe
Token: SeSyncAgentPrivilege	1052	msiexec.exe
Token: SeEnableDelegationPrivilege	1052	msiexec.exe
Token: SeManageVolumePrivilege	1052	msiexec.exe
Token: SeImpersonatePrivilege	1052	msiexec.exe
Token: SeCreateGlobalPrivilege	1052	msiexec.exe
Token: SeBackupPrivilege	636	vssvc.exe
Token: SeRestorePrivilege	636	vssvc.exe
Token: SeAuditPrivilege	636	vssvc.exe
Token: SeBackupPrivilege	1104	msiexec.exe
Token: SeRestorePrivilege	1104	msiexec.exe
Token: SeRestorePrivilege	1104	msiexec.exe
Token: SeTakeOwnershipPrivilege	1104	msiexec.exe
Token: SeRestorePrivilege	1104	msiexec.exe
Token: SeTakeOwnershipPrivilege	1104	msiexec.exe
Token: SeDebugPrivilege	2172	powershell.exe
Token: SeBackupPrivilege	3972	srtasks.exe
Token: SeRestorePrivilege	3972	srtasks.exe
Token: SeSecurityPrivilege	3972	srtasks.exe
Token: SeTakeOwnershipPrivilege	3972	srtasks.exe
Token: SeBackupPrivilege	3972	srtasks.exe
Token: SeRestorePrivilege	3972	srtasks.exe
Token: SeSecurityPrivilege	3972	srtasks.exe
Token: SeTakeOwnershipPrivilege	3972	srtasks.exe
Token: SeRestorePrivilege	3160	xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe
Token: 35	3160	xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe
Token: SeSecurityPrivilege	3160	xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe
Token: SeSecurityPrivilege	3160	xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe
Token: SeRestorePrivilege	972	xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe
Token: 35	972	xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe
Token: SeSecurityPrivilege	972	xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe
Token: SeSecurityPrivilege	972	xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe
Token: SeRestorePrivilege	1104	msiexec.exe
Token: SeTakeOwnershipPrivilege	1104	msiexec.exe
Token: SeRestorePrivilege	1104	msiexec.exe
Token: SeTakeOwnershipPrivilege	1104	msiexec.exe
Token: SeRestorePrivilege	1104	msiexec.exe
Token: SeTakeOwnershipPrivilege	1104	msiexec.exe

Suspicious use of FindShellTrayWindow 7 IoCs

pid	Process
1052	msiexec.exe
1052	msiexec.exe
2052	tsetup.tmp
512	Telegram.exe
512	Telegram.exe
512	Telegram.exe
512	Telegram.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
512	Telegram.exe
512	Telegram.exe
512	Telegram.exe
512	Telegram.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
512	Telegram.exe
512	Telegram.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 1104 wrote to memory of 3972	1104	msiexec.exe	103
PID 1104 wrote to memory of 3972	1104	msiexec.exe	103
PID 1104 wrote to memory of 4328	1104	msiexec.exe	105
PID 1104 wrote to memory of 4328	1104	msiexec.exe	105
PID 4328 wrote to memory of 2172	4328	MsiExec.exe	106
PID 4328 wrote to memory of 2172	4328	MsiExec.exe	106
PID 4328 wrote to memory of 1560	4328	MsiExec.exe	110
PID 4328 wrote to memory of 1560	4328	MsiExec.exe	110
PID 1560 wrote to memory of 3160	1560	cmd.exe	112
PID 1560 wrote to memory of 3160	1560	cmd.exe	112
PID 1560 wrote to memory of 3160	1560	cmd.exe	112
PID 1560 wrote to memory of 876	1560	cmd.exe	113
PID 1560 wrote to memory of 876	1560	cmd.exe	113
PID 1560 wrote to memory of 972	1560	cmd.exe	115
PID 1560 wrote to memory of 972	1560	cmd.exe	115
PID 1560 wrote to memory of 972	1560	cmd.exe	115
PID 4328 wrote to memory of 2556	4328	MsiExec.exe	117
PID 4328 wrote to memory of 2556	4328	MsiExec.exe	117
PID 4328 wrote to memory of 2556	4328	MsiExec.exe	117
PID 4328 wrote to memory of 1440	4328	MsiExec.exe	119
PID 4328 wrote to memory of 1440	4328	MsiExec.exe	119
PID 4328 wrote to memory of 1440	4328	MsiExec.exe	119
PID 1440 wrote to memory of 2052	1440	tsetup.exe	121
PID 1440 wrote to memory of 2052	1440	tsetup.exe	121
PID 1440 wrote to memory of 2052	1440	tsetup.exe	121
PID 3896 wrote to memory of 3868	3896	UhHKDmESOIjj.exe	130
PID 3896 wrote to memory of 3868	3896	UhHKDmESOIjj.exe	130
PID 3896 wrote to memory of 3868	3896	UhHKDmESOIjj.exe	130
PID 3868 wrote to memory of 3492	3868	bFchqPntlegL.exe	133
PID 3868 wrote to memory of 3492	3868	bFchqPntlegL.exe	133
PID 3868 wrote to memory of 3492	3868	bFchqPntlegL.exe	133
PID 2052 wrote to memory of 512	2052	tsetup.tmp	138
PID 2052 wrote to memory of 512	2052	tsetup.tmp	138

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\92553e176daf1cc411113c65eeec0fb2327100fc43356352787844ae85b78fdf.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1052

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1104
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3972
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 2BD1613784EED8CBD3268DBA80EEF8FC E Global\MSI0000
  2⤵
  - Drops file in Program Files directory
  - Modifies data under HKEY_USERS
  - Suspicious use of WriteProcessMemory
  PID:4328
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\SustainSleekTutor','C:\Program Files','C:\Program Files'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2172
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c start /min "" "C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe" x "C:\Program Files\SustainSleekTutor\lBktGjuuaOaTazRwJvXXhRyefRHhOg" -o"C:\Program Files\SustainSleekTutor\" -p"10551gtm0S(>Gf#qrEw>" -y & ping 127.0.0.1 -n 2 & start /min "" "C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe" x "C:\Program Files\SustainSleekTutor\NMnDkvvmlBOPWlKYckpqMpfXmIsbMf" -x!1_bFchqPntlegL.exe -x!sss -x!1_ZyhMwXBzCIJsXiZOsvVNAbbXEpqwBz.exe -x!1_ -x!1_ -x!sa -o"C:\Program Files\SustainSleekTutor\" -p"98858uC(.?=^~2>PRa?!" -y
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    PID:1560
  - - C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe
      "C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe" x "C:\Program Files\SustainSleekTutor\lBktGjuuaOaTazRwJvXXhRyefRHhOg" -o"C:\Program Files\SustainSleekTutor\" -p"10551gtm0S(>Gf#qrEw>" -y
      4⤵
      Drops file in Program Files directory
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3160
  - - C:\Windows\system32\PING.EXE
      ping 127.0.0.1 -n 2
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:876
  - - C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe
      "C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe" x "C:\Program Files\SustainSleekTutor\NMnDkvvmlBOPWlKYckpqMpfXmIsbMf" -x!1_bFchqPntlegL.exe -x!sss -x!1_ZyhMwXBzCIJsXiZOsvVNAbbXEpqwBz.exe -x!1_ -x!1_ -x!sa -o"C:\Program Files\SustainSleekTutor\" -p"98858uC(.?=^~2>PRa?!" -y
      4⤵
      Drops file in Program Files directory
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:972
- - C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe
    "C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe" -number 127 -file file3 -mode mode3
    3⤵
    - Drops file in Program Files directory
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2556
- - C:\Program Files\SustainSleekTutor\tsetup.exe
    "C:\Program Files\SustainSleekTutor\tsetup.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1440
  - - C:\Users\Admin\AppData\Local\Temp\is-Q4NJ6.tmp\tsetup.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-Q4NJ6.tmp\tsetup.tmp" /SL5="$90066,44246395,814592,C:\Program Files\SustainSleekTutor\tsetup.exe"
      4⤵
      Drops file in System32 directory
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies data under HKEY_USERS
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:2052
    - - C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe
        
        "C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Enumerates system info in registry
        Modifies data under HKEY_USERS
        Suspicious behavior: AddClipboardFormatListener
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:512

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:636

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\Program Files\SustainSleekTutor\bFchqPntlegL.vbs"
1⤵
- Modifies data under HKEY_USERS
PID:3412

C:\Program Files\SustainSleekTutor\UhHKDmESOIjj.exe
"C:\Program Files\SustainSleekTutor\UhHKDmESOIjj.exe" install
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Executes dropped EXE
PID:4060

C:\Program Files\SustainSleekTutor\UhHKDmESOIjj.exe
"C:\Program Files\SustainSleekTutor\UhHKDmESOIjj.exe" start
1⤵
- Drops file in Program Files directory
- Executes dropped EXE
PID:2216

C:\Program Files\SustainSleekTutor\UhHKDmESOIjj.exe
"C:\Program Files\SustainSleekTutor\UhHKDmESOIjj.exe"
1⤵
- Drops file in Program Files directory
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3896
- C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe
  "C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe" -number 291 -file file3 -mode mode3
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3868
- - C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe
    "C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe" -number 62 -file file3 -mode mode3
    3⤵
    - Enumerates connected drives
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    PID:3492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57b806.rbs

Filesize
7KB

MD5
6f1d258ed53343d54331cf70ff3ed7a9

SHA1
9475f6a4c5106b539108727be0732961ed112583

SHA256
5fc9dddaa2f55e79886a7a3e856aecba74e31f5a36e354adef118f4ad325ed0d

SHA512
6c227d6af836c57ee5e3bd64524f5faf1e56983062f705123201ba83bc261aca3883f41fb650813454aca243d641a25799a0e867c9ee5649bf59bda7a31a5ad0

Download Submit
C:\Program Files\SustainSleekTutor\2_bFchqPntlegL.exe

Filesize
2.1MB

MD5
90134a5b913cd5d9d993f6f58601740e

SHA1
c6fc923eae06097227dab095633a0c47beba327a

SHA256
8462d6b3f1a8037f6f60412d3f4e0ecad89aaed3c10915ffa1e602c5ae8b0942

SHA512
7385ebcce7e33efb3a9b26d9690d8a2a221bc05071bc499f313de2de8d31935dd0cdd366ac7baccd4004d9e1eb27a0471328785ad1acf325054fd036d4b9dd61

Download Submit
C:\Program Files\SustainSleekTutor\NMnDkvvmlBOPWlKYckpqMpfXmIsbMf

Filesize
1.5MB

MD5
17f3ece27717fa4a5ad13f06e6c2846e

SHA1
47b8230c0f0dd0b8a451bd378203a0ec0aaa13f6

SHA256
f0217b72add9c431299fda7983e8a7c592f6b4cd5a1df5118208c19dc7251c86

SHA512
998dcba619566edba18b2dcaefd8e86d1d6c09340c8004cf487d6944bb2a90b75231f2d3140162bcf0a161321d5febccf7d947d4752451424082f3cd06de9b7b

Download Submit
C:\Program Files\SustainSleekTutor\UhHKDmESOIjj.exe

Filesize
832KB

MD5
d305d506c0095df8af223ac7d91ca327

SHA1
679cb4c763c84e75ccb0fa3475bd6b7a36e81c4a

SHA256
923111c7142b3dc783a3c722b19b8a21bcb78222d7a136ac33f0ca8a29f4cb66

SHA512
94d369a4db88bff9556a1d7a7fb0188ed935c3592bae09335542c5502ec878e839177be63ac3ab4af75d4dc38a3a4f5d0fd423115ac72cf5dd710c59604db796

Download Submit
C:\Program Files\SustainSleekTutor\UhHKDmESOIjj.wrapper.log

Filesize
787B

MD5
a8a628af93c38728740972e112c50971

SHA1
519706dcfe4462e3a70ff8fb9ad983cfded94e78

SHA256
441c3e40d60b2e7785c935b75657b55cc289cfab8c6cf1cc032202108e0ba30c

SHA512
0e3ba923a4e8d4d34fbae9c80a4311f1ca4fb9432865e33ffc349f5b91f4051c588514233ac69e02ce0aefdd763baf6d0827f5eb25376383056299192b6a43cf

Download Submit
C:\Program Files\SustainSleekTutor\UhHKDmESOIjj.wrapper.log

Filesize
272B

MD5
4e14ff5f867de1777b6aae7a48fe1c3f

SHA1
17d8f1b5b4bc4c9517e9c1e412c7f4e488e7be1e

SHA256
ac2082ba3c3e67110f6bc8744b93b1990c0b5514122b2c64fe99e3fa18432f74

SHA512
7f013d0ec64f226896177a455d7951358f2bb99c51ebd5be7e9e7dffaa048294b384cde65b609eaa09adb3c4372aead5edb623c89a37de5275d213ac852c4038

Download Submit
C:\Program Files\SustainSleekTutor\UhHKDmESOIjj.wrapper.log

Filesize
431B

MD5
7f378affecbfdafd347579ead10eb494

SHA1
9c8c93a6198d044716bc7fed12ca0728bd4e7f4e

SHA256
7788cb38dd7f69889108d8043a0a642b87a20bd6a6cc215e8ef753e39906a7ab

SHA512
2ce6a99b54dcb6179e23e44a1fbd765326ad5891e859d1493647a2dc9bb5103ca5a595458e5ad31f6f25a1426c096df48e0b430e4daf8dd854928ff066310258

Download Submit
C:\Program Files\SustainSleekTutor\UhHKDmESOIjj.wrapper.log

Filesize
600B

MD5
c01617b7e98a81d6b5d97283db538ee8

SHA1
f4b9e42359f7c6a19bd8cd73fad8ad20151c5d90

SHA256
935799d2ea92630d9dd31ff897df8ed66f5703830ddd4fe6797f739dbc0e2249

SHA512
af39c698b9197d9081f163f523b6079b48a4f852d5a7fb45a445d6d7b6c3a6cc031fbbadd0ea1cd865bd0a39bc78f0e0692c09b1a952ff2fb350293b3ba494fe

Download Submit
C:\Program Files\SustainSleekTutor\UhHKDmESOIjj.xml

Filesize
426B

MD5
a64dd3b12bb2c5bc00fb61a6c9ddcc8d

SHA1
27b65d6e3c47cefd0d21e9412185601d03a2756f

SHA256
73c03e24b2378cd1a660ac8127f44edae43ee31a73092afb88bd617b9638db9f

SHA512
8824bb6e846c9ee4e5ef3bf0373dcd0b513aa5f91d3858a5e34868b1f72f7052dc55776d0cd40154fe4f1dc160ea7d7324872e6e7e8a265db294e53f36878e39

Download Submit
C:\Program Files\SustainSleekTutor\bFchqPntlegL.vbs

Filesize
2KB

MD5
615235ef40ac677be4c414e7dfb9ff53

SHA1
ef7cea67851aed94a5e14e9b907f366d1185e172

SHA256
1a7dd87bb537e41f7742da7cbb9839523d905747aad4522f4a39932ba626a132

SHA512
c694a4cf03ce5587e164b4f31b141951b949281f8ba08a69178f56c290afbbbe139651a849f3436976ee7c29b6aa0408b60c7e529a44c8c4bc52aff0498ae89b

Download Submit
C:\Program Files\SustainSleekTutor\lBktGjuuaOaTazRwJvXXhRyefRHhOg

Filesize
1.5MB

MD5
86e0062ac9e3c38a69470a57bb619533

SHA1
7d04a283f51e145724e20a5925ee811a4645e5d9

SHA256
42a64f04499a0836946073eb7bfc1cb67a98faa58d65eeb09fb6ac8fccc7f547

SHA512
aefc23fcf566748b60de0e95268f834cef3e4cfb1754b18e9ea2e1a867a764d027d43c68aad2b7c3f4520b3232fd50430c2b7fb4494dee223ac340a8c1e67794

Download Submit
C:\Program Files\SustainSleekTutor\tsetup.exe

Filesize
43.1MB

MD5
8a53cf72375f6899082463c36422d411

SHA1
161d9d3b21bf0d9a9790b92013ec76c6d839af06

SHA256
1b31e3758c4b158143dc41c7c4617984d958760d8d7718e1e38492c67f6bbf65

SHA512
daadba04fb90002a2cb8e44c1b98d6bf702b9cfe33d3b6dc981c877e0a77c620f2538a2748f2fb4e88493e326cc45764c54dad659d8d2d018b74b24fd727a190

Download Submit
C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe

Filesize
577KB

MD5
c31c4b04558396c6fabab64dcf366534

SHA1
fa836d92edc577d6a17ded47641ba1938589b09a

SHA256
9d182f421381429fd77598feb609fefb54dcaef722ddbf5aa611b68a706c10d3

SHA512
814dcbc1d43bc037dadc2f3f67856dd790b15fc1b0c50fa74a169c8cc02cdc79d44f1f10e200ef662eee20cd6b5ca646ec4e77673e3fe3cb7dfb7649243f6e99

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_afikessb.5p4.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-Q4NJ6.tmp\tsetup.tmp

Filesize
3.0MB

MD5
d90927477dbf0725af0a10e151c184c4

SHA1
4cd69b23ee9c1efe9bd539f0fef841a09a4a773e

SHA256
43182a0ae7e22cc7f9b8028dc71e82826c80e9ac265f8d2dfa08876bb41b7029

SHA512
bfbd62482e99127c1bf621a135b464b5f96b86adfcb9064660c0dc1052099643ea9485e1358a758ab466f19c97042dafccb781e157203ea51e43956e4b6f4f98

Download Submit
C:\Users\Admin\AppData\Roaming\Telegram Desktop\modules\x64\d3d\d3dcompiler_47.dll

Filesize
4.7MB

MD5
a7349236212b0e5cec2978f2cfa49a1a

SHA1
5abb08949162fd1985b89ffad40aaf5fc769017e

SHA256
a05d04a270f68c8c6d6ea2d23bebf8cd1d5453b26b5442fa54965f90f1c62082

SHA512
c7ff4f9146fefedc199360aa04236294349c881b3865ebc58c5646ad6b3f83fca309de1173f5ebf823a14ba65e5ada77b46f20286d1ea62c37e17adbc9a82d02

Download Submit
C:\Windows\Installer\e57b805.msi

Filesize
44.6MB

MD5
7ba3fd79c3ccfdb9f1a311a3f05a7d94

SHA1
c4115a8d08ce102bcb14ed00dad86e52e163c81c

SHA256
92553e176daf1cc411113c65eeec0fb2327100fc43356352787844ae85b78fdf

SHA512
f491a16cc375d6756e2debed08e76f01c090ae52b16e7b3eeed2930e0eb8e47e56aada96b54a6dfaa212354d66ca92955a4fc39434a378429f54416f5043048c

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\UhHKDmESOIjj.exe.log

Filesize
1KB

MD5
122cf3c4f3452a55a92edee78316e071

SHA1
f2caa36d483076c92d17224cf92e260516b3cbbf

SHA256
42f5774d1ee4cae5d7a4e83970da42bb17e61ae93c312247211b5ee3535662e0

SHA512
c98666fb86aaff6471c0a96f12f037b9a607579c5891c9d7ba8cd4e90506ca7aa5b5f6264081d25f703c88fb69d8e2cd87809d508e771770550d0c5d4d17d91c

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
24.1MB

MD5
0fbe39f8a2b6bd7ed669d351140493df

SHA1
b861a2f9153be144bd3ec8d97fa298727cc6b817

SHA256
0f04578df48d9bfaccd14d60dcb6e9d749f67e0d61ce669f8ca1cba185e53533

SHA512
166b2c04e1e11aad5ee9ba5207183c3f4a73991ea53545bbeb569ea28fe8bd8784df93b83f279d8f33391dfcd69c5a69dd6fb3454626d513a0a70f7356c3da3b

Download Submit
\??\Volume{0576a638-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{b3375395-ff67-42fa-8ddf-eeb043c5d8de}_OnDiskSnapshotProp

Filesize
6KB

MD5
a78282738825f10d999ee4fc570ef470

SHA1
f5fe745cd21569af7c4c0e4152b1fe43f5d1cbc6

SHA256
182eaf80a73bd48865f404ec41b3a0ce76eed0c5b80adcfdcdaccbe5d37e31de

SHA512
1cdc7afd52e5c952f14c32df9ef9c87d1392dfcfcc8d117208e99f37262030fd0b63a8f703690158b77dc8606c1a51d35d5333659224e215ceb270a1d786af6b

Download Submit
memory/1440-59-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/1440-159-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/1440-112-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/2052-124-0x0000000000400000-0x0000000000710000-memory.dmp

Filesize
3.1MB

Download
memory/2052-158-0x0000000000400000-0x0000000000710000-memory.dmp

Filesize
3.1MB

Download
memory/2052-113-0x0000000000400000-0x0000000000710000-memory.dmp

Filesize
3.1MB

Download
memory/2052-133-0x0000000000400000-0x0000000000710000-memory.dmp

Filesize
3.1MB

Download
memory/2172-18-0x000002A7D4620000-0x000002A7D4642000-memory.dmp

Filesize
136KB

Download
memory/2556-56-0x0000000029A90000-0x0000000029ABF000-memory.dmp

Filesize
188KB

Download
memory/3492-118-0x000000002BEC0000-0x000000002C07C000-memory.dmp

Filesize
1.7MB

Download
memory/3492-121-0x000000002BEC0000-0x000000002C07C000-memory.dmp

Filesize
1.7MB

Download
memory/3492-116-0x000000002BEC0000-0x000000002C07C000-memory.dmp

Filesize
1.7MB

Download
memory/3492-125-0x000000002BEC0000-0x000000002C07C000-memory.dmp

Filesize
1.7MB

Download
memory/3492-117-0x000000002BEC0000-0x000000002C07C000-memory.dmp

Filesize
1.7MB

Download
memory/3492-114-0x000000002BEC0000-0x000000002C07C000-memory.dmp

Filesize
1.7MB

Download
memory/3492-111-0x000000002A290000-0x000000002A2DD000-memory.dmp

Filesize
308KB

Download
memory/4060-80-0x0000000000760000-0x0000000000836000-memory.dmp

Filesize
856KB

Download