Analysis

  • max time kernel
    112s
  • max time network
    113s
  • platform
    windows10_x64
  • resource
    win10
  • submitted
    07/07/2020, 09:35

General

  • Target

    Teams_windows_x64_s_8D81D942A50991F-7-0_.exe

  • Size

    93.7MB

  • MD5

    dd8216c8debaf1a9bfe3a96d450158d4

  • SHA1

    0315df25ffe96681cf594a6a358d28e9610640b5

  • SHA256

    ac8f18a6311375f33748c435ddd77051d7a5f207fd0832415fe2684375e317a5

  • SHA512

    857803a93627bed65ea8335ea426288c4408930423531957d5b3d68815339f1673da1d39d5f8278f701763aaab6355aebf3441604ad761614be7c6bb36077b6b

Score
8/10

Malware Config

Signatures

  • Modifies registry class 4314 IoCs
  • Registers COM server for autorun 1 TTPs 12 IoCs
  • Suspicious use of WriteProcessMemory 35 IoCs
  • Executes dropped EXE 12 IoCs
  • Loads dropped DLL 44 IoCs
  • Adds Run entry to start application 2 TTPs 2 IoCs
  • Enumerates system info in registry 2 TTPs 11 IoCs
  • Checks processor information in registry 2 TTPs 14 IoCs

    Processor information is often read in order to detect sandboxing environments. It is also read by ordinary software; in this tree the check is raised only by Teams.exe (PIDs 2252, 1228 and 1484), so weigh it together with the rest of the signatures rather than on its own.

  • Suspicious use of FindShellTrayWindow 15 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SendNotifyMessage 10 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Teams_windows_x64_s_8D81D942A50991F-7-0_.exe
    "C:\Users\Admin\AppData\Local\Temp\Teams_windows_x64_s_8D81D942A50991F-7-0_.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3104
    • C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
      "C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe" --install . --exeName=Teams_windows_x64_s_8D81D942A50991F-7-0_.exe
      2⤵
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      • Executes dropped EXE
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of AdjustPrivilegeToken
      PID:964
      • C:\Users\Admin\AppData\Local\Microsoft\Teams\current\Squirrel.exe
        "C:\Users\Admin\AppData\Local\Microsoft\Teams\current\Squirrel.exe" --updateSelf=C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
        3⤵
        • Executes dropped EXE
        PID:3020
      • C:\Users\Admin\AppData\Local\Microsoft\Teams\current\Teams.exe
        "C:\Users\Admin\AppData\Local\Microsoft\Teams\current\Teams.exe" --squirrel-install 1.3.00.13565
        3⤵
        • Suspicious use of WriteProcessMemory
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks processor information in registry
        PID:2252
        • C:\Users\Admin\AppData\Local\Microsoft\Teams\Update.exe
          C:\Users\Admin\AppData\Local\Microsoft\Teams\Update.exe --createShortcut=Teams.exe -l=StartMenu,Desktop
          4⤵
          • Executes dropped EXE
          PID:3100
      • C:\Users\Admin\AppData\Local\Microsoft\Teams\current\Teams.exe
        "C:\Users\Admin\AppData\Local\Microsoft\Teams\current\Teams.exe" --squirrel-firstrun
        3⤵
        • Suspicious use of WriteProcessMemory
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run entry to start application
        • Checks processor information in registry
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        PID:1228
        • C:\Users\Admin\AppData\Local\Microsoft\Teams\current\Teams.exe
          "C:\Users\Admin\AppData\Local\Microsoft\Teams\current\Teams.exe" --type=gpu-process --enable-features=SharedArrayBuffer --disable-features=SpareRendererForSitePerProcess --no-sandbox --gpu-preferences=KAAAAAAAAACAAwBAAQAAAAAAAAAAAGAAAAAAAAAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAKAAAAEAAAAAAAAAAAAAAACwAAABAAAAAAAAAAAQAAAAoAAAAQAAAAAAAAAAEAAAALAAAA --service-request-channel-token=9399103021371117882 --mojo-platform-channel-handle=1504 /prefetch:2
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          PID:3588
        • C:\Users\Admin\AppData\Local\Microsoft\Teams\current\Teams.exe
          "C:\Users\Admin\AppData\Local\Microsoft\Teams\current\Teams.exe" --type=renderer --no-sandbox --autoplay-policy=no-user-gesture-required --enable-features=SharedArrayBuffer --disable-features=SpareRendererForSitePerProcess --service-pipe-token=633072931484152081 --lang=en-US --app-user-model-id=com.squirrel.Teams.Teams --app-path="C:\Users\Admin\AppData\Local\Microsoft\Teams\current\resources\app.asar" --user-agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Teams/1.3.00.13565 Chrome/69.0.3497.128 Electron/4.2.12 Safari/537.36" --node-integration=false --webview-tag=false --no-sandbox --preload="C:\Users\Admin\AppData\Local\Microsoft\Teams\current\resources\app.asar\lib\renderer\preload_default.js" --disable-remote-module --background-color=#FFFFFFFF --electron-shared-settings=eyJjci5jb21wYW55IjoiRWxlY3Ryb24iLCJjci5kdW1wcyI6IiIsImNyLmVuYWJsZWQiOmZhbHNlLCJjci5wcm9kdWN0IjoiRWxlY3Ryb24iLCJjci5zZXNzaW9uIjoiIiwiY3IudXJsIjoiIiwiY3IudmVyc2lvbiI6InY0LjIuMTIifQ== --device-scale-factor=1 --num-raster-threads=1 --service-request-channel-token=633072931484152081 --renderer-client-id=5 --mojo-platform-channel-handle=1956 /prefetch:1 --msteams-process-type=loadingWindow
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          PID:2628
        • C:\Users\Admin\AppData\Local\Microsoft\Teams\current\Teams.exe
          "C:\Users\Admin\AppData\Local\Microsoft\Teams\current\Teams.exe" --type=renderer --no-sandbox --autoplay-policy=no-user-gesture-required --enable-features=SharedArrayBuffer --disable-features=SpareRendererForSitePerProcess --service-pipe-token=2850804229984444432 --lang=en-US --app-user-model-id=com.squirrel.Teams.Teams --app-path="C:\Users\Admin\AppData\Local\Microsoft\Teams\current\resources\app.asar" --user-agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Teams/1.3.00.13565 Chrome/69.0.3497.128 Electron/4.2.12 Safari/537.36" --node-integration=false --webview-tag=false --no-sandbox --preload="C:\Users\Admin\AppData\Local\Microsoft\Teams\current\resources\app.asar\lib\renderer\notifications\preload_notifications.js" --disable-remote-module --background-color=#fff --electron-shared-settings=eyJjci5jb21wYW55IjoiRWxlY3Ryb24iLCJjci5kdW1wcyI6IiIsImNyLmVuYWJsZWQiOmZhbHNlLCJjci5wcm9kdWN0IjoiRWxlY3Ryb24iLCJjci5zZXNzaW9uIjoiIiwiY3IudXJsIjoiIiwiY3IudmVyc2lvbiI6InY0LjIuMTIifQ== --device-scale-factor=1 --num-raster-threads=1 --service-request-channel-token=2850804229984444432 --renderer-client-id=8 --mojo-platform-channel-handle=2492 /prefetch:1 --msteams-process-type=notificationsManager
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          PID:3776
        • C:\Users\Admin\AppData\Local\Microsoft\Teams\current\Teams.exe
          "C:\Users\Admin\AppData\Local\Microsoft\Teams\current\Teams.exe" --type=gpu-process --enable-features=SharedArrayBuffer --disable-features=SpareRendererForSitePerProcess --no-sandbox --gpu-preferences=KAAAAAAAAACAAwBAAQAAAAAAAAAAAGAAAAAAAAAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAKAAAAEAAAAAAAAAAAAAAACwAAABAAAAAAAAAAAQAAAAoAAAAQAAAAAAAAAAEAAAALAAAA --use-gl=swiftshader-webgl --service-request-channel-token=13902738071755860509 --mojo-platform-channel-handle=3228 /prefetch:2
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          PID:3952
        • C:\Users\Admin\AppData\Local\Microsoft\Teams\current\Teams.exe
          "C:\Users\Admin\AppData\Local\Microsoft\Teams\current\Teams.exe" --type=renderer --no-sandbox --autoplay-policy=no-user-gesture-required --enable-features=SharedArrayBuffer --disable-features=SpareRendererForSitePerProcess --disable-gpu-compositing --service-pipe-token=5894388966006831914 --lang=en-US --app-user-model-id=com.squirrel.Teams.Teams --app-path="C:\Users\Admin\AppData\Local\Microsoft\Teams\current\resources\app.asar" --user-agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Teams/1.3.00.13565 Chrome/69.0.3497.128 Electron/4.2.12 Safari/537.36" --node-integration=false --webview-tag=true --no-sandbox --preload="C:\Users\Admin\AppData\Local\Microsoft\Teams\current\resources\app.asar\lib\renderer\preload.js" --disable-remote-module --background-color=#fff --electron-shared-settings=eyJjci5jb21wYW55IjoiRWxlY3Ryb24iLCJjci5kdW1wcyI6IiIsImNyLmVuYWJsZWQiOmZhbHNlLCJjci5wcm9kdWN0IjoiRWxlY3Ryb24iLCJjci5zZXNzaW9uIjoiIiwiY3IudXJsIjoiIiwiY3IudmVyc2lvbiI6InY0LjIuMTIifQ== --device-scale-factor=1 --num-raster-threads=1 --service-request-channel-token=5894388966006831914 --renderer-client-id=10 --mojo-platform-channel-handle=1996 /prefetch:1 --msteams-process-type=mainWindow
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Enumerates system info in registry
          • Checks processor information in registry
          PID:1484
        • C:\Users\Admin\AppData\Local\Microsoft\Teams\current\Teams.exe
          "C:\Users\Admin\AppData\Local\Microsoft\Teams\current\Teams.exe" --type=renderer --no-sandbox --autoplay-policy=no-user-gesture-required --enable-features=SharedArrayBuffer --disable-features=SpareRendererForSitePerProcess --disable-gpu-compositing --service-pipe-token=7411781660432013596 --lang=en-US --app-user-model-id=com.squirrel.Teams.Teams --app-path="C:\Users\Admin\AppData\Local\Microsoft\Teams\current\resources\app.asar" --user-agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Teams/1.3.00.13565 Chrome/69.0.3497.128 Electron/4.2.12 Safari/537.36" --node-integration=false --webview-tag=false --no-sandbox --preload="C:\Users\Admin\AppData\Local\Microsoft\Teams\current\resources\app.asar\node_modules\@juturu\electron-remote\lib\renderer-require-preload.js" --background-color=#fff --electron-shared-settings=eyJjci5jb21wYW55IjoiRWxlY3Ryb24iLCJjci5kdW1wcyI6IiIsImNyLmVuYWJsZWQiOmZhbHNlLCJjci5wcm9kdWN0IjoiRWxlY3Ryb24iLCJjci5zZXNzaW9uIjoiIiwiY3IudXJsIjoiIiwiY3IudmVyc2lvbiI6InY0LjIuMTIifQ== --device-scale-factor=1 --num-raster-threads=1 --service-request-channel-token=7411781660432013596 --renderer-client-id=12 --mojo-platform-channel-handle=1948 /prefetch:1
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          PID:2024
        • C:\Users\Admin\AppData\Local\Microsoft\Teams\current\Teams.exe
          "C:\Users\Admin\AppData\Local\Microsoft\Teams\current\Teams.exe" --type=utility --enable-features=SharedArrayBuffer --disable-features=SpareRendererForSitePerProcess --lang=en-US --no-sandbox --no-sandbox --service-request-channel-token=1644021458151591455 --mojo-platform-channel-handle=3652 /prefetch:8
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          PID:3572
      • C:\Windows\SysWOW64\regsvr32.exe
        "C:\Windows\system32\regsvr32.exe" /s /n /i:user "C:\Users\Admin\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.20091.2\x64\Microsoft.Teams.AddinLoader.dll"
        3⤵
        • Suspicious use of WriteProcessMemory
        • Loads dropped DLL
        PID:1636
        • C:\Windows\system32\regsvr32.exe
          /s /n /i:user "C:\Users\Admin\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.20091.2\x64\Microsoft.Teams.AddinLoader.dll"
          4⤵
          • Modifies registry class
          • Registers COM server for autorun
          • Loads dropped DLL
          PID:1856
      • C:\Windows\SysWOW64\regsvr32.exe
        "C:\Windows\SysWOW64\regsvr32.exe" /s /n /i:user "C:\Users\Admin\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.20091.2\x86\Microsoft.Teams.AddinLoader.dll"
        3⤵
        • Registers COM server for autorun
        • Loads dropped DLL
        PID:3776
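The process tree is the part of this report a responder actually reads: a 32-bit Squirrel Update.exe asks for C:\Windows\system32\regsvr32.exe and gets C:\Windows\SysWOW64\regsvr32.exe (WoW64 file-system redirection), the 32-bit regsvr32 then hands the x64 add-in DLL to the 64-bit regsvr32, `/s /n /i:user` means silent, skip DllRegisterServer and call DllInstall with the string "user" (per-user registration, hence "Registers COM server for autorun"), and every Electron child runs with `--no-sandbox`. The following added example (not part of the sandbox report, and not Microsoft's or the sandbox vendor's code) parses a tree in this report's layout into parent/child records and applies exactly those checks: image path differing from the requested path, regsvr32 DllInstall of a DLL under a user-writable AppData path, `--no-sandbox` children, and the persistence signatures. The sample input is a constructed excerpt of the tree above with the long Electron command lines shortened; the `Proc`, `parse_tree`, `first_token` and `triage` names are this example's own.

```python
import re
from dataclasses import dataclass, field
# Constructed excerpt of the process tree above in the report's own layout (image
# path, quoted command line, "<depth>⤵", signature bullets, PID line). Electron
# command lines are shortened; paths, flags and PIDs are as reported.
SAMPLE = r"""
  • C:\Users\Admin\AppData\Local\Temp\Teams_windows_x64_s_8D81D942A50991F-7-0_.exe
    "C:\Users\Admin\AppData\Local\Temp\Teams_windows_x64_s_8D81D942A50991F-7-0_.exe"
    1⤵
    PID:3104
    • C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
      "C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe" --install . --exeName=Teams_windows_x64_s_8D81D942A50991F-7-0_.exe
      2⤵
      PID:964
      • C:\Users\Admin\AppData\Local\Microsoft\Teams\current\Teams.exe
        "C:\Users\Admin\AppData\Local\Microsoft\Teams\current\Teams.exe" --squirrel-firstrun
        3⤵
        • Adds Run entry to start application
        PID:1228
        • C:\Users\Admin\AppData\Local\Microsoft\Teams\current\Teams.exe
          "C:\Users\Admin\AppData\Local\Microsoft\Teams\current\Teams.exe" --type=renderer --no-sandbox --msteams-process-type=mainWindow
          4⤵
          PID:1484
      • C:\Windows\SysWOW64\regsvr32.exe
        "C:\Windows\system32\regsvr32.exe" /s /n /i:user "C:\Users\Admin\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.20091.2\x64\Microsoft.Teams.AddinLoader.dll"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1636
        • C:\Windows\system32\regsvr32.exe
          /s /n /i:user "C:\Users\Admin\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.20091.2\x64\Microsoft.Teams.AddinLoader.dll"
          4⤵
          • Registers COM server for autorun
          PID:1856
"""
PATH_RE = re.compile(r"^[A-Za-z]:\\")      # a drive path opens a new process record
DEPTH_RE = re.compile(r"^(\d+)⤵$")         # tree depth marker used by the report
PID_RE = re.compile(r"^PID:(\d+)$")

@dataclass
class Proc:
    image: str                    # process image path as the sandbox recorded it
    cmdline: str = ""             # recorded command line (may be arguments only)
    depth: int = 0
    pid: int = 0
    parent: "int | None" = None   # PID of the record one level up the tree
    signatures: list = field(default_factory=list)

def parse_tree(text: str) -> list:
    """A process's PID line precedes its children, so the latest record at depth-1 is the parent."""
    procs, last_at_depth, cur = [], {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("• "):
            body = line[2:]
            if PATH_RE.match(body):               # new process record
                cur = Proc(image=body)
                procs.append(cur)
            elif cur is not None:                 # otherwise a signature bullet
                cur.signatures.append(body)
        elif not line or cur is None:
            continue
        elif DEPTH_RE.match(line):
            cur.depth = int(DEPTH_RE.match(line).group(1))
            parent = last_at_depth.get(cur.depth - 1)
            cur.parent = parent.pid if parent else None
            last_at_depth[cur.depth] = cur
        elif PID_RE.match(line):
            cur.pid = int(PID_RE.match(line).group(1))
        else:
            cur.cmdline = line                    # the recorded command line
    return procs

def first_token(cmdline: str) -> str:
    # Program path as written on the command line; '' when it is arguments only.
    if cmdline.startswith('"'):
        return cmdline[1:cmdline.find('"', 1)]
    tok = cmdline.split(" ", 1)[0]
    return tok if PATH_RE.match(tok) else ""

def triage(procs: list) -> dict:
    # Checks a responder would run over this tree; returns pid -> list of notes.
    findings = {}
    for p in procs:
        notes = []
        exe = first_token(p.cmdline)
        if exe and exe.lower() != p.image.lower():
            # system32\regsvr32.exe requested, SysWOW64\regsvr32.exe ran: WoW64 redirection
            notes.append(f"image differs from command line (WoW64 redirection): {exe}")
        if p.image.lower().endswith("\\regsvr32.exe") and "/i:" in p.cmdline:
            dlls = re.findall(r'"([^"]+\.dll)"', p.cmdline, flags=re.I)
            if any("\\appdata\\" in d.lower() for d in dlls):
                notes.append("regsvr32 DllInstall of a DLL under a user-writable path")
        if "--no-sandbox" in p.cmdline.split():
            notes.append("Chromium child launched with --no-sandbox")
        for s in p.signatures:
            if s.startswith(("Adds Run entry", "Registers COM server")):
                notes.append("persistence signature: " + s)
        if notes:
            findings[p.pid] = notes
    return findings
```

Running `triage(parse_tree(SAMPLE))` flags 1636 (redirected image plus DllInstall from AppData), 1856 (DllInstall plus the COM autorun signature), 1484 (`--no-sandbox`) and 1228 (Run entry), and leaves 3104 and 964 unflagged. The parent links are what make the regsvr32 pair readable: 1856 is a child of 1636, which is a child of Update.exe (964), so the DLL registration is attributable to the installer rather than to an unrelated process.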

Network

MITRE ATT&CK Enterprise v6