Resubmissions

08-06-2022 15:25

220608-stk51addcl 9

30-09-2021 16:56

210930-vfx9hsabf8 10

30-09-2021 16:48

210930-va6cyaacek 9

30-09-2021 16:42

210930-t7xavsacdn 9

30-09-2021 16:10

210930-tmhxqsaba6 9

30-09-2021 12:18

210930-pgqceahfd7 10

29-09-2021 20:47

210929-zla4dsfhfq 10

General

  • Target

    TeamViewer_Setup_x64.exe

  • Size

    33.0MB

  • Sample

    210929-zla4dsfhfq

  • MD5

    4a8e5e6ca45331d7e08c2c44364231fe

  • SHA1

    c3c908aaa09783b9b638dfbb1770efd9e77ae5bb

  • SHA256

    187ed0e2c02f10ee82731490d0cd9928590d428c80d7c7382ba471df2cb8b9b8

  • SHA512

    e33a8406ed003bef4a341b757390f57e753ebd2d73d36b6970de2dafecc9d0092760156bf6bd42b21cd9a78a7abd7cb1b2a5c593d5172b337999800246a2ca1f

Malware Config

Targets

    • Target

      TeamViewer_Setup_x64.exe

    • Size

      33.0MB

    • MD5

      4a8e5e6ca45331d7e08c2c44364231fe

    • SHA1

      c3c908aaa09783b9b638dfbb1770efd9e77ae5bb

    • SHA256

      187ed0e2c02f10ee82731490d0cd9928590d428c80d7c7382ba471df2cb8b9b8

    • SHA512

      e33a8406ed003bef4a341b757390f57e753ebd2d73d36b6970de2dafecc9d0092760156bf6bd42b21cd9a78a7abd7cb1b2a5c593d5172b337999800246a2ca1f

    • Registers COM server for autorun

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • ACProtect 1.3x - 1.4x DLL software

      Detects file using ACProtect software.

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Installs/modifies Browser Helper Object

      BHOs are DLL modules which act as plugins for Internet Explorer.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

MITRE ATT&CK Matrix ATT&CK v6

Execution

Scheduled Task

1
T1053

Persistence

Registry Run Keys / Startup Folder

2
T1060

Browser Extensions

1
T1176

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Modify Registry

5
T1112

Install Root Certificate

1
T1130

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

5
T1012

Peripheral Device Discovery

2
T1120

System Information Discovery

5
T1082

Collection

Data from Local System

1
T1005

Tasks