b2ab87d5408a19b0d65d49b74c0f3d879ac55c3e57117e4117ff500394e2ad17

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	TeamViewer.exe

Executes dropped EXE 1 IoCs

pid	Process
1512	TeamViewer.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	TeamViewer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	TeamViewer.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Control Panel\International\Geo\Nation	TeamViewer.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GatewayLayer 1.3957.lnk	b2ab87d5408a19b0d65d49b74c0f3d879ac55c3e57117e4117ff500394e2ad17.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Wine	TeamViewer.exe

Loads dropped DLL 13 IoCs

pid	Process
1688	b2ab87d5408a19b0d65d49b74c0f3d879ac55c3e57117e4117ff500394e2ad17.exe
1688	b2ab87d5408a19b0d65d49b74c0f3d879ac55c3e57117e4117ff500394e2ad17.exe
1688	b2ab87d5408a19b0d65d49b74c0f3d879ac55c3e57117e4117ff500394e2ad17.exe
1688	b2ab87d5408a19b0d65d49b74c0f3d879ac55c3e57117e4117ff500394e2ad17.exe
1688	b2ab87d5408a19b0d65d49b74c0f3d879ac55c3e57117e4117ff500394e2ad17.exe
1688	b2ab87d5408a19b0d65d49b74c0f3d879ac55c3e57117e4117ff500394e2ad17.exe
1512	TeamViewer.exe
1512	TeamViewer.exe
1512	TeamViewer.exe
1512	TeamViewer.exe
1512	TeamViewer.exe
1512	TeamViewer.exe
1512	TeamViewer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1512	TeamViewer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	TeamViewer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	TeamViewer.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1512	TeamViewer.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1688 wrote to memory of 1512	1688	b2ab87d5408a19b0d65d49b74c0f3d879ac55c3e57117e4117ff500394e2ad17.exe	27
PID 1688 wrote to memory of 1512	1688	b2ab87d5408a19b0d65d49b74c0f3d879ac55c3e57117e4117ff500394e2ad17.exe	27
PID 1688 wrote to memory of 1512	1688	b2ab87d5408a19b0d65d49b74c0f3d879ac55c3e57117e4117ff500394e2ad17.exe	27
PID 1688 wrote to memory of 1512	1688	b2ab87d5408a19b0d65d49b74c0f3d879ac55c3e57117e4117ff500394e2ad17.exe	27

C:\Users\Admin\AppData\Local\Temp\b2ab87d5408a19b0d65d49b74c0f3d879ac55c3e57117e4117ff500394e2ad17.exe
"C:\Users\Admin\AppData\Local\Temp\b2ab87d5408a19b0d65d49b74c0f3d879ac55c3e57117e4117ff500394e2ad17.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1688
- C:\Users\Admin\AppData\Local\Temp\PmIgYzA\TeamViewer.exe
  "C:\Users\Admin\AppData\Local\Temp\PmIgYzA\TeamViewer.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks computer location settings
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:1512

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x564
1⤵
PID:1532

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion