Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows10-ltsc 2021_x64
- resource: win10ltsc2021-20241023-en
- resource tags: arch:x64, arch:x86, image:win10ltsc2021-20241023-en, locale:en-us, os:windows10-ltsc 2021-x64, system
- submitted: 05/01/2025, 12:30
Behavioral task: behavioral1
- Sample: TelegramRAT.exe
- Resource: win10ltsc2021-20241023-en

General
- Target: TelegramRAT.exe
- Size: 119KB
- MD5: 47436ad8508cbdbede6535db163766bc
- SHA1: c6c6f8eb7dac9f294da1547e30c320a7d316bf52
- SHA256: 43eca90ecc5958fd358a9240f31b1811ad2d01c6db10397cfd88e445ff8be5e0
- SHA512: 255a5618cf57a4930e08e02628bef7533289e2968fcf0d1db617447f7c04245978fc9d83c29247ffd9478a5428a3491a28458bcb2eb05efb0a4566ad43bf5a9c
- SSDEEP: 3072:gAWfRzlXCwwFwOwWAmm+G/bxqH8QW8zCrAZu/tM1:gAD1SWHe/bg/p
Malware Config
Extracted
toxiceye
https://api.telegram.org/bot7919388970:AAGC7fUBzVyMANzjN6bhRPjR0LNTw4C5Zlo/sendMessage?chat_id=8130842755
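The extracted C2 is a Telegram Bot API endpoint: the path carries the bot token (`bot<id>:<secret>`) and the query carries the operator's chat_id, so the whole channel is identifiable from one URL. Ordinary Telegram clients never request `/bot<token>/...` paths, which makes this shape a clean network indicator. The following is an added example, not part of the tria.ge report or the ToxicEye code: it parses Bot API URLs, pulls the token and chat_id out of constructed proxy log lines (the token and chat_id are the ones extracted above; the timestamps, client addresses, `getUpdates`/`sendDocument` calls and the non-bot lines are made up for the sample), and groups hits per bot so a single alert covers the channel rather than every message. Note that on an HTTPS path you only get this detail from TLS inspection or endpoint telemetry; with DNS/SNI alone you see `api.telegram.org` and nothing more.

```python
"""Spot Telegram Bot API command-and-control traffic in proxy-style logs.

Added example, not part of the tria.ge report. The bot token and chat_id are
the ones from the extracted config; the log lines themselves are constructed.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Bot API paths look like /bot<bot_id>:<35-char secret>/<method>. Normal Telegram
# clients never use this path form, so a hit means a bot, not a user chatting.
BOT_PATH_RE = re.compile(r"^/bot(\d+:[A-Za-z0-9_-]{35})/([A-Za-z]+)/?$")

# Constructed proxy log: "<timestamp> <client_ip> <http_method> <url>"
SAMPLE_PROXY_LOG = [
    "2025-01-05T12:31:02Z 10.0.0.15 GET https://api.telegram.org/bot7919388970:AAGC7fUBzVyMANzjN6bhRPjR0LNTw4C5Zlo/sendMessage?chat_id=8130842755&text=online",
    "2025-01-05T12:31:05Z 10.0.0.15 GET https://api.telegram.org/bot7919388970:AAGC7fUBzVyMANzjN6bhRPjR0LNTw4C5Zlo/getUpdates?offset=0",
    "2025-01-05T12:31:07Z 10.0.0.22 GET https://web.telegram.org/a/",
    "2025-01-05T12:31:09Z 10.0.0.15 POST https://api.telegram.org/bot7919388970:AAGC7fUBzVyMANzjN6bhRPjR0LNTw4C5Zlo/sendDocument",
    "2025-01-05T12:31:11Z 10.0.0.31 GET https://api.telegram.org/bot123:short/sendMessage",
]


def parse_bot_api_url(url):
    """Return {bot_id, token, method, chat_id} for a Telegram Bot API URL, else None."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or parts.hostname != "api.telegram.org":
        return None
    m = BOT_PATH_RE.match(parts.path)
    if not m:
        return None
    token, method = m.group(1), m.group(2)
    chat_id = parse_qs(parts.query).get("chat_id", [None])[0]
    return {
        "bot_id": token.split(":", 1)[0],
        "token": token,
        "method": method,
        "chat_id": chat_id,
    }


def scan_proxy_log(lines):
    """Return (client_ip, bot_id, method, chat_id) for every Bot API request in the log."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) != 4:
            continue
        info = parse_bot_api_url(fields[3])
        if info:
            hits.append((fields[1], info["bot_id"], info["method"], info["chat_id"]))
    return hits


def summarize(hits):
    """Group hits per bot so one alert covers the whole C2 channel, not each message."""
    summary = {}
    for client, bot_id, method, chat_id in hits:
        entry = summary.setdefault(bot_id, {"clients": set(), "methods": set(), "chat_ids": set()})
        entry["clients"].add(client)
        entry["methods"].add(method)
        if chat_id:
            entry["chat_ids"].add(chat_id)
    return summary


if __name__ == "__main__":
    for bot_id, entry in summarize(scan_proxy_log(SAMPLE_PROXY_LOG)).items():
        print(bot_id, sorted(entry["clients"]), sorted(entry["methods"]), sorted(entry["chat_ids"]))
```

The token is the bot's credential: anyone holding it can call `getUpdates` and read the operator's commands or `sendMessage` into the chat, so treat the extracted URL as a secret in your own tooling, and expect the operator to rotate it once the sample is public.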
Signatures
- Toxiceye family

- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation (TelegramRAT.exe)
  Key value queried: \REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation (rat.exe)

- Executes dropped EXE (1 IoC)
  PID 4996 rat.exe

- Enumerates processes with tasklist (1 TTP, 1 IoC)
  PID 2320 tasklist.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 (taskmgr.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A (taskmgr.exe)
  Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName (taskmgr.exe)
  All three accesses come from taskmgr.exe (PID 4368), which is a separate top-level process in the tree below, not the sample or its dropped copy; this signature should not be read as anti-sandbox behaviour of ToxicEye.

- Delays execution with timeout.exe (1 IoC)
  PID 2648 timeout.exe

- Scheduled Task/Job: Scheduled Task (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID 396 schtasks.exe
  PID 3788 schtasks.exe

- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  PID 4996 rat.exe

- Suspicious behavior: EnumeratesProcesses (64 IoCs, display capped at 64)
  Repeated entries for PID 4368 taskmgr.exe and PID 4996 rat.exe, interleaved.

- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 4368 taskmgr.exe

- Suspicious use of AdjustPrivilegeToken (7 IoCs)
  Token: SeDebugPrivilege, PID 916 TelegramRAT.exe
  Token: SeDebugPrivilege, PID 2320 tasklist.exe
  Token: SeDebugPrivilege, PID 4996 rat.exe
  Token: SeDebugPrivilege, PID 4368 taskmgr.exe
  Token: SeSystemProfilePrivilege, PID 4368 taskmgr.exe
  Token: SeCreateGlobalPrivilege, PID 4368 taskmgr.exe
  Token: SeDebugPrivilege, PID 4996 rat.exe

- Suspicious use of FindShellTrayWindow (64 IoCs, display capped at 64)
  Repeated entries, all PID 4368 taskmgr.exe.

- Suspicious use of SendNotifyMessage (64 IoCs, display capped at 64)
  Repeated entries, all PID 4368 taskmgr.exe.

- Suspicious use of SetWindowsHookEx (1 IoC)
  PID 4996 rat.exe

- Suspicious use of WriteProcessMemory (14 IoCs; each pair is listed twice in the report)
  PID 916 (TelegramRAT.exe) wrote to memory of 396, procid_target 83
  PID 916 (TelegramRAT.exe) wrote to memory of 2012, procid_target 85
  PID 2012 (cmd.exe) wrote to memory of 2320, procid_target 87
  PID 2012 (cmd.exe) wrote to memory of 3324, procid_target 88
  PID 2012 (cmd.exe) wrote to memory of 2648, procid_target 89
  PID 2012 (cmd.exe) wrote to memory of 4996, procid_target 90
  PID 4996 (rat.exe) wrote to memory of 3788, procid_target 95
  Every target is a direct child of the writing process in the tree below, so these are writes into freshly created children, consistent with ordinary process creation rather than injection into an unrelated process.

- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe, command line: "C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe" (PID 916)
  Checks computer location settings; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\System32\schtasks.exe, command line: "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe" (PID 396)
    Scheduled Task/Job: Scheduled Task
  - C:\Windows\System32\cmd.exe, command line: "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpC2A4.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpC2A4.tmp.bat (PID 2012)
    Suspicious use of WriteProcessMemory
    - C:\Windows\system32\tasklist.exe, command line: Tasklist /fi "PID eq 916" (PID 2320)
      Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\find.exe, command line: find ":" (PID 3324)
    - C:\Windows\system32\timeout.exe, command line: Timeout /T 1 /Nobreak (PID 2648)
      Delays execution with timeout.exe
    - C:\Users\ToxicEye\rat.exe, command line: "rat.exe" (PID 4996)
      Checks computer location settings; Executes dropped EXE; Suspicious behavior: AddClipboardFormatListener; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
      - C:\Windows\System32\schtasks.exe, command line: "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe" (PID 3788)
        Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\taskmgr.exe, command line: "C:\Windows\system32\taskmgr.exe" /4 (PID 4368)
  Checks SCSI registry key(s); Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
  This is a second top-level process, not a descendant of TelegramRAT.exe or rat.exe; the signatures attributed to PID 4368 are Task Manager activity in the sandbox, not sample behaviour.

The chain under cmd.exe is the usual self-removing dropper idiom: tasklist prints a line containing ":" only when no process matches its filter (its "INFO: No tasks are running ..." message), so filtering with find ":" tells the batch whether PID 916 has exited; timeout supplies the wait; rat.exe is then started from the copy at C:\Users\ToxicEye\, and the "& Del" on the cmd.exe command line removes the batch once it returns. The pipe between tasklist and find is inferred from the sibling processes, since the batch contents are not shown in the report. Both the original and the copy register the same ONLOGON task "Chrome Update" at highest run level, pointing at a path under C:\Users\ rather than a Chrome install location.
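The three behaviours in that tree worth alerting on independently of this family are the ONLOGON/highest-run-level task whose action lives under a user profile, the `cmd /C <file>.bat & Del <same file>` self-deleting launcher, and the `tasklist /fi "PID eq <grandparent>"` wait-for-parent loop. The following is an added example, not part of the tria.ge report or the ToxicEye code: it encodes those three checks over process-creation records. The records are constructed from the command lines above; the parent PID 4000 given to the two root processes is an assumption standing in for explorer.exe, and the rule names are made up.

```python
"""Heuristics for the dropper chain in the process tree above, run over
process-creation records. Added example, not part of the tria.ge report;
the records are constructed from the command lines shown (PID 4000 as the
parent of the two root processes is an assumption, standing in for explorer.exe).
"""
import re

# (pid, ppid, image, command line), modelled on the tree above
SAMPLE_EVENTS = [
    (916, 4000, r"C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe"'),
    (396, 916, r"C:\Windows\System32\schtasks.exe",
     r'"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"'),
    (2012, 916, r"C:\Windows\System32\cmd.exe",
     r'"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpC2A4.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpC2A4.tmp.bat'),
    (2320, 2012, r"C:\Windows\system32\tasklist.exe", 'Tasklist /fi "PID eq 916"'),
    (3324, 2012, r"C:\Windows\system32\find.exe", 'find ":"'),
    (2648, 2012, r"C:\Windows\system32\timeout.exe", "Timeout /T 1 /Nobreak"),
    (4996, 2012, r"C:\Users\ToxicEye\rat.exe", '"rat.exe"'),
    (3788, 4996, r"C:\Windows\System32\schtasks.exe",
     r'"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"'),
    (4368, 4000, r"C:\Windows\system32\taskmgr.exe", r'"C:\Windows\system32\taskmgr.exe" /4'),
]


def image_name(path):
    """Last path component, lower-cased, so System32/system32 compare equal."""
    return path.rsplit("\\", 1)[-1].lower()


def _arg(flag, cmdline):
    """Value following /flag, with or without surrounding quotes."""
    m = re.search(r"/%s\s+(?:\"([^\"]+)\"|(\S+))" % flag, cmdline, re.I)
    return (m.group(1) or m.group(2)) if m else None


def check_schtasks(cmdline):
    """Logon-time task whose action lives under a user profile (user-writable path)."""
    low = cmdline.lower()
    if "/create" not in low or not re.search(r"/sc\s+onlogon", low):
        return None
    action = _arg("tr", cmdline)
    if not action or not action.lower().startswith("c:\\users\\"):
        return None
    return {
        "task": _arg("tn", cmdline),
        "action": action,
        "highest": bool(re.search(r"/rl\s+highest", low)),
    }


def check_self_deleting_batch(cmdline):
    """cmd /C <x>.bat & Del <x>.bat: the launcher erases itself after running."""
    m = re.search(r'/c\s+"?([^"\s]+\.bat)"?\s*&\s*del\s+"?([^"\s]+)"?', cmdline, re.I)
    if m and m.group(1).lower() == m.group(2).lower():
        return {"batch": m.group(1)}
    return None


def check_parent_wait(event, by_pid):
    """tasklist filtering on the PID of its own grandparent: waiting for the dropper to exit."""
    pid, ppid, image, cmdline = event
    if image_name(image) != "tasklist.exe":
        return None
    m = re.search(r"pid\s+eq\s+(\d+)", cmdline, re.I)
    parent = by_pid.get(ppid)
    if not m or not parent:
        return None
    target = int(m.group(1))
    if parent[1] == target:
        return {"waits_for": target, "via": image_name(parent[2])}
    return None


def run(events):
    """Return (pid, rule, detail) for every record that trips one of the checks."""
    by_pid = {e[0]: e for e in events}
    findings = []
    for event in events:
        pid, _ppid, image, cmdline = event
        name = image_name(image)
        if name == "schtasks.exe":
            hit = check_schtasks(cmdline)
            rule = "persistence.schtasks_onlogon_userpath"
        elif name == "cmd.exe":
            hit = check_self_deleting_batch(cmdline)
            rule = "defense_evasion.self_deleting_batch"
        elif name == "tasklist.exe":
            hit = check_parent_wait(event, by_pid)
            rule = "execution.wait_for_parent_exit"
        else:
            hit = None
        if hit:
            findings.append((pid, rule, hit))
    return findings


if __name__ == "__main__":
    for pid, rule, detail in run(SAMPLE_EVENTS):
        print(pid, rule, detail)
```

On the sample records this flags both schtasks.exe instances, cmd.exe and tasklist.exe, and nothing for taskmgr.exe. The user-profile check is the part that keeps the schtasks rule quiet for legitimate ONLOGON tasks installed under Program Files; relax it to cover ProgramData or other user-writable trees only after measuring the false-positive rate in your own environment.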
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 187B
  MD5: 4cc20c94a3b63502ba2a0f0f7cf7ed2e
  SHA1: ca1a20b3d435a6b6d6e26e96395c2dd788196930
  SHA256: 1c80c95213bac0374458d85067072bf784feb545d0328ce8c5fc27f25a8db404
  SHA512: 0a59b253ab7b3eb2ea44414a08ea9c9a08bf72c9d217d7ea08ed9a09b1afa4d57ef3b29b2ca242de323d61ea876ce0bbeb2bd9cd0375985480f41da790b23261
- Filesize: 119KB
  MD5: 47436ad8508cbdbede6535db163766bc
  SHA1: c6c6f8eb7dac9f294da1547e30c320a7d316bf52
  SHA256: 43eca90ecc5958fd358a9240f31b1811ad2d01c6db10397cfd88e445ff8be5e0
  SHA512: 255a5618cf57a4930e08e02628bef7533289e2968fcf0d1db617447f7c04245978fc9d83c29247ffd9478a5428a3491a28458bcb2eb05efb0a4566ad43bf5a9c
  These hashes are identical to the submitted TelegramRAT.exe, so the file written during the run is a byte-for-byte copy of the sample, consistent with the C:\Users\ToxicEye\rat.exe copy launched in the process tree; the sample's own hashes therefore also match the persisted payload.