a86ec9765cbafd0c799874ff87a57e27513b3163562f523377f47f3284a2ad7d

Analysis

max time kernel
91s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
29/10/2022, 14:26

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a86ec9765cbafd0c799874ff87a57e27513b3163562f523377f47f3284a2ad7d.exe
Size

1.3MB
MD5

f1e9a877303afbec6c317a32f981b339
SHA1

f62540b839006e032818d06d81e22657438b383d
SHA256

a86ec9765cbafd0c799874ff87a57e27513b3163562f523377f47f3284a2ad7d
SHA512

b961e9b4a94ed66c7d9bb7df1a6eb55c065c0dfad66592b33b257ea93ccc3e4a025b76a5f809d0aba1078d5ba7b7bfd944e0ea32351d82708f76c0a46a4e3fb8
SSDEEP

24576:8JeyIwgF4TuBFGF9KGexdWbYBR0ia6NtF4elptFCFA1jlEwziNY7:6dIwgFbvGFaLWbPiheel9maewAe

Score

8^/10

persistence spyware stealer

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
3556	a86ec9765cbafd0c799874ff87a57e27513b3163562f523377f47f3284a2ad7d.hwd
4992	SERVICEMGR.EXE
5012	TeamViewer_.exe
4648	TeamViewer.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	a86ec9765cbafd0c799874ff87a57e27513b3163562f523377f47f3284a2ad7d.hwd
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	TeamViewer_.exe

Loads dropped DLL 8 IoCs

pid	Process
5012	TeamViewer_.exe
5012	TeamViewer_.exe
5012	TeamViewer_.exe
5012	TeamViewer_.exe
5012	TeamViewer_.exe
5012	TeamViewer_.exe
5012	TeamViewer_.exe
4648	TeamViewer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Service Manager = "C:\\Windows\\system32\\SERVICEMGR.EXE"	SERVICEMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Service Manager = "C:\\Windows\\system32\\SERVICEMGR.EXE"	a86ec9765cbafd0c799874ff87a57e27513b3163562f523377f47f3284a2ad7d.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\SERVICEMGR.EXE	a86ec9765cbafd0c799874ff87a57e27513b3163562f523377f47f3284a2ad7d.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\QS\SAS.exe	TeamViewer.exe
File opened for modification	C:\Program Files (x86)\QS\SAS.exe	TeamViewer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 8 IoCs

installer

resource	yara_rule
behavioral2/files/0x0007000000022f65-135.dat	nsis_installer_1
behavioral2/files/0x0007000000022f65-135.dat	nsis_installer_2
behavioral2/files/0x0007000000022f65-136.dat	nsis_installer_1
behavioral2/files/0x0007000000022f65-136.dat	nsis_installer_2
behavioral2/files/0x0006000000022f68-143.dat	nsis_installer_1
behavioral2/files/0x0006000000022f68-143.dat	nsis_installer_2
behavioral2/files/0x0006000000022f68-144.dat	nsis_installer_1
behavioral2/files/0x0006000000022f68-144.dat	nsis_installer_2

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2892	a86ec9765cbafd0c799874ff87a57e27513b3163562f523377f47f3284a2ad7d.exe
4992	SERVICEMGR.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2892 wrote to memory of 3556	2892	a86ec9765cbafd0c799874ff87a57e27513b3163562f523377f47f3284a2ad7d.exe	81
PID 2892 wrote to memory of 3556	2892	a86ec9765cbafd0c799874ff87a57e27513b3163562f523377f47f3284a2ad7d.exe	81
PID 2892 wrote to memory of 3556	2892	a86ec9765cbafd0c799874ff87a57e27513b3163562f523377f47f3284a2ad7d.exe	81
PID 2892 wrote to memory of 4992	2892	a86ec9765cbafd0c799874ff87a57e27513b3163562f523377f47f3284a2ad7d.exe	82
PID 2892 wrote to memory of 4992	2892	a86ec9765cbafd0c799874ff87a57e27513b3163562f523377f47f3284a2ad7d.exe	82
PID 2892 wrote to memory of 4992	2892	a86ec9765cbafd0c799874ff87a57e27513b3163562f523377f47f3284a2ad7d.exe	82
PID 3556 wrote to memory of 5012	3556	a86ec9765cbafd0c799874ff87a57e27513b3163562f523377f47f3284a2ad7d.hwd	83
PID 3556 wrote to memory of 5012	3556	a86ec9765cbafd0c799874ff87a57e27513b3163562f523377f47f3284a2ad7d.hwd	83
PID 3556 wrote to memory of 5012	3556	a86ec9765cbafd0c799874ff87a57e27513b3163562f523377f47f3284a2ad7d.hwd	83
PID 5012 wrote to memory of 4648	5012	TeamViewer_.exe	84
PID 5012 wrote to memory of 4648	5012	TeamViewer_.exe	84
PID 5012 wrote to memory of 4648	5012	TeamViewer_.exe	84

C:\Users\Admin\AppData\Local\Temp\a86ec9765cbafd0c799874ff87a57e27513b3163562f523377f47f3284a2ad7d.exe
"C:\Users\Admin\AppData\Local\Temp\a86ec9765cbafd0c799874ff87a57e27513b3163562f523377f47f3284a2ad7d.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2892
- C:\Users\Admin\AppData\Local\Temp\a86ec9765cbafd0c799874ff87a57e27513b3163562f523377f47f3284a2ad7d.hwd
  C:\Users\Admin\AppData\Local\Temp\a86ec9765cbafd0c799874ff87a57e27513b3163562f523377f47f3284a2ad7d.hwd
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:3556
- - C:\Users\Admin\temp\TeamViewer3\TeamViewer_.exe
    "C:\Users\Admin\temp\TeamViewer3\TeamViewer_.exe"
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:5012
  - - C:\Users\Admin\temp\TeamViewer3\TeamViewer.exe
      "C:\Users\Admin\temp\TeamViewer3\TeamViewer.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      PID:4648
- C:\Windows\SysWOW64\SERVICEMGR.EXE
  C:\Windows\system32\SERVICEMGR.EXE
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetWindowsHookEx
  PID:4992

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\a86ec9765cbafd0c799874ff87a57e27513b3163562f523377f47f3284a2ad7d.hwd

Filesize
1.2MB

MD5
0fbf9ce79e1cb0b6f70d7c5fa8019a3f

SHA1
5551f9432b76b106cbd5c8af6b84a1f233df5054

SHA256
9a4e9d094607863b3ea8a611aa8614d1ea6626363228a2dc35982ca2e537e5a0

SHA512
5761b7a6d5e45123312be9865ecb94c6c001acac09e0dea6b555460435ceaef734dd67fe17a8048c8fd13c0256d620d349619da726dec7cedcb3f315ebbef293

Download Submit
C:\Users\Admin\AppData\Local\Temp\a86ec9765cbafd0c799874ff87a57e27513b3163562f523377f47f3284a2ad7d.hwd

Filesize
1.2MB

MD5
0fbf9ce79e1cb0b6f70d7c5fa8019a3f

SHA1
5551f9432b76b106cbd5c8af6b84a1f233df5054

SHA256
9a4e9d094607863b3ea8a611aa8614d1ea6626363228a2dc35982ca2e537e5a0

SHA512
5761b7a6d5e45123312be9865ecb94c6c001acac09e0dea6b555460435ceaef734dd67fe17a8048c8fd13c0256d620d349619da726dec7cedcb3f315ebbef293

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc1955.tmp\Base64.dll

Filesize
3KB

MD5
5cd56a89f090c3dd0b4d98dfeb3b648d

SHA1
7c1a2a72cdd2f13bd095a4d2eda6b3a9806e7334

SHA256
71d1f1bdaaf23618aa36f6e648b35aada1dc6f1ad0eaf8570cdab5f26d8601a9

SHA512
e69a2eb5e8d21da58478fe99ee86341a735bdc3ee05caeb05ae388e9f82f4f577cb687381dc64060cffc6fe5b835a6c104b06b8d6dcc19337cdc48f1a69927ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc1955.tmp\Base64.dll

Filesize
3KB

MD5
5cd56a89f090c3dd0b4d98dfeb3b648d

SHA1
7c1a2a72cdd2f13bd095a4d2eda6b3a9806e7334

SHA256
71d1f1bdaaf23618aa36f6e648b35aada1dc6f1ad0eaf8570cdab5f26d8601a9

SHA512
e69a2eb5e8d21da58478fe99ee86341a735bdc3ee05caeb05ae388e9f82f4f577cb687381dc64060cffc6fe5b835a6c104b06b8d6dcc19337cdc48f1a69927ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc1955.tmp\System.dll

Filesize
11KB

MD5
00a0194c20ee912257df53bfe258ee4a

SHA1
d7b4e319bc5119024690dc8230b9cc919b1b86b2

SHA256
dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3

SHA512
3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc1955.tmp\System.dll

Filesize
11KB

MD5
00a0194c20ee912257df53bfe258ee4a

SHA1
d7b4e319bc5119024690dc8230b9cc919b1b86b2

SHA256
dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3

SHA512
3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc1955.tmp\TvGetVersion.dll

Filesize
50KB

MD5
71169d851cbc95619f00bddcfc812580

SHA1
0307b4081385e8d8512d0f592559b64ecab72f89

SHA256
26931f6c02b2a06be06d2327233240df201032b432a0d3402fbb000391b62721

SHA512
0f35a8ca4917101756c096fda4a2278b585af914f716578f4ed36e21b4805168dd8648a9eaf4c7dc808a0e43c73281284c7067db521491d3a34d6ea9780bea09

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc1955.tmp\TvGetVersion.dll

Filesize
50KB

MD5
71169d851cbc95619f00bddcfc812580

SHA1
0307b4081385e8d8512d0f592559b64ecab72f89

SHA256
26931f6c02b2a06be06d2327233240df201032b432a0d3402fbb000391b62721

SHA512
0f35a8ca4917101756c096fda4a2278b585af914f716578f4ed36e21b4805168dd8648a9eaf4c7dc808a0e43c73281284c7067db521491d3a34d6ea9780bea09

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc1955.tmp\UAC.dll

Filesize
17KB

MD5
88ad3fd90fc52ac3ee0441a38400a384

SHA1
08bc9e1f5951b54126b5c3c769e3eaed42f3d10b

SHA256
e58884695378cf02715373928bb8ade270baf03144369463f505c3b3808cbc42

SHA512
359496f571e6fa2ec4c5ab5bd1d35d1330586f624228713ae55c65a69e07d8623022ef54337c22c3aab558a9b74d9977c8436f5fea4194899d9ef3ffd74e7dbb

Download Submit
C:\Users\Admin\temp\TeamViewer3\SAS.exe

Filesize
53KB

MD5
bf3bcd752bdabfa1f1e84b7462738103

SHA1
34cb8ea7d47467cace271e03b7869f37b0ecb30a

SHA256
90fe790e189c384f2ab82958057f91fdf40888c2ed3c0471bd7b85d5b36c7810

SHA512
6d5362c4d354319845f4522e0d1132c32a6779efc4c013c8c7bd489fddf39cbb5dfb72b135487b660d156d7774e5be4acc03c3fcecdb6dabcfad12630a3f5955

Download Submit
C:\Users\Admin\temp\TeamViewer3\TV.dll

Filesize
8KB

MD5
3ece427082f114c269627a0738596608

SHA1
f6af6a66352fc4ea9e0b12ec9a38e790518e7d8f

SHA256
486b0c2d0edc32b0cf4c83b6909b8af9726ef036089faee51104c9aede17225a

SHA512
f024c86be9a5de97459411e7bd4cac18228d0dd77a96aa5f25168c3d4ff657067cf66d326923c16ad38913dff5b6fb16868f4207fa1101218ef4ce1b2a04b0c5

Download Submit
C:\Users\Admin\temp\TeamViewer3\TeamViewer.exe

Filesize
2.9MB

MD5
45959b3d2bde20435a9aeed861046506

SHA1
af9737ecd4988dd8d9af8231656779a471f072ea

SHA256
c75ab62eca1d523e9db23fb8d018fbc99f336a36f70f0cc39c941b992b69d443

SHA512
37b13465749b79b284d2d54b948c7602a7c2b19a08c03da40bd2fc665829246d95446c5f06380db3ba1995a18236cd1c1c0d046227cf41af8b2ff3793bfef40b

Download Submit
C:\Users\Admin\temp\TeamViewer3\TeamViewer.exe

Filesize
2.9MB

MD5
45959b3d2bde20435a9aeed861046506

SHA1
af9737ecd4988dd8d9af8231656779a471f072ea

SHA256
c75ab62eca1d523e9db23fb8d018fbc99f336a36f70f0cc39c941b992b69d443

SHA512
37b13465749b79b284d2d54b948c7602a7c2b19a08c03da40bd2fc665829246d95446c5f06380db3ba1995a18236cd1c1c0d046227cf41af8b2ff3793bfef40b

Download Submit
C:\Users\Admin\temp\TeamViewer3\TeamViewer_.exe

Filesize
1.2MB

MD5
90670935c60e18c1f92b28844f87ef6f

SHA1
bf92cb0b8599d5bb8f51519c90ca4202a362691d

SHA256
53f97106c73d141674f02d7583af055e421c83ec506bf08d1baf05a224ed893a

SHA512
e4ac59c96b84d2ebf6da5d13701b2a5bdd1840bf0529d49adeef3471f2cfb7e6f6b723df94c17e503ea4bdc5f45a39ce11cb748298401bc69b6fa9ce475e0644

Download Submit
C:\Users\Admin\temp\TeamViewer3\TeamViewer_.exe

Filesize
1.2MB

MD5
90670935c60e18c1f92b28844f87ef6f

SHA1
bf92cb0b8599d5bb8f51519c90ca4202a362691d

SHA256
53f97106c73d141674f02d7583af055e421c83ec506bf08d1baf05a224ed893a

SHA512
e4ac59c96b84d2ebf6da5d13701b2a5bdd1840bf0529d49adeef3471f2cfb7e6f6b723df94c17e503ea4bdc5f45a39ce11cb748298401bc69b6fa9ce475e0644

Download Submit
C:\Users\Admin\temp\TeamViewer3\tv.dll

Filesize
8KB

MD5
3ece427082f114c269627a0738596608

SHA1
f6af6a66352fc4ea9e0b12ec9a38e790518e7d8f

SHA256
486b0c2d0edc32b0cf4c83b6909b8af9726ef036089faee51104c9aede17225a

SHA512
f024c86be9a5de97459411e7bd4cac18228d0dd77a96aa5f25168c3d4ff657067cf66d326923c16ad38913dff5b6fb16868f4207fa1101218ef4ce1b2a04b0c5

Download Submit
C:\Windows\SysWOW64\SERVICEMGR.EXE

Filesize
76KB

MD5
f7e8cba3b1d36a6a7334960278e309ba

SHA1
c01f4e83952cd545170c16109b89bbb640a04b5b

SHA256
e3d20d6ad818a918b26405e206f58143578823560c15172ca729fb21b5030c48

SHA512
63a943ec57f2443d0fc13400f71c7007f0e68ae1adddd336bc229ec68a64b819de04ab22448d6a9f98344c4f601eece3eda70be8683095f81c9036de7091c173

Download Submit
C:\Windows\SysWOW64\SERVICEMGR.EXE

Filesize
76KB

MD5
f7e8cba3b1d36a6a7334960278e309ba

SHA1
c01f4e83952cd545170c16109b89bbb640a04b5b

SHA256
e3d20d6ad818a918b26405e206f58143578823560c15172ca729fb21b5030c48

SHA512
63a943ec57f2443d0fc13400f71c7007f0e68ae1adddd336bc229ec68a64b819de04ab22448d6a9f98344c4f601eece3eda70be8683095f81c9036de7091c173

Download Submit