58cc13489685181fbf21fd9ab5eda377d3b4b7f17434928c5bd65cc48e0cb9ec

Analysis

max time kernel
43s
max time network
46s
platform
windows7_x64
resource
win7-20220812-es
resource tags

arch:x64arch:x86image:win7-20220812-eslocale:es-esos:windows7-x64systemwindows
submitted
03-02-2023 18:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TeamsSetup_c_w_.exe
Size

1.4MB
MD5

54cff67f28596b80ad0167724918bd98
SHA1

cd2d1469482f5e421b1bf08a4b0e0a2081fd6078
SHA256

58cc13489685181fbf21fd9ab5eda377d3b4b7f17434928c5bd65cc48e0cb9ec
SHA512

0a21d26ccfe81f2dfd3793341297fd3521b8fa4f60bcce2d51b4857445cb6b6492b9cdab3d19b4b4e9cfebc42b121ac6b506e0ff2ca2688c5e8ff73eef1abb47
SSDEEP

24576:hNYuPOTryV7OXRnwa4bo5cOHxTrckA+K+K6zR6ZIV5jqzZVyHRe4Li7Z3ibs:TOX674wM5HHx8WKF6zR7YZoHRe4LWZ3J

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1984	Update.exe

Loads dropped DLL 1 IoCs

pid	Process
1036	TeamsSetup_c_w_.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1984	Update.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1036 wrote to memory of 1984	1036	TeamsSetup_c_w_.exe	28
PID 1036 wrote to memory of 1984	1036	TeamsSetup_c_w_.exe	28
PID 1036 wrote to memory of 1984	1036	TeamsSetup_c_w_.exe	28
PID 1036 wrote to memory of 1984	1036	TeamsSetup_c_w_.exe	28
PID 1036 wrote to memory of 1984	1036	TeamsSetup_c_w_.exe	28
PID 1036 wrote to memory of 1984	1036	TeamsSetup_c_w_.exe	28
PID 1036 wrote to memory of 1984	1036	TeamsSetup_c_w_.exe	28

C:\Users\Admin\AppData\Local\Temp\TeamsSetup_c_w_.exe
"C:\Users\Admin\AppData\Local\Temp\TeamsSetup_c_w_.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1036
- C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
  "C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe" --install . --exeName=TeamsSetup_c_w_.exe --bootstrapperMode
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1984

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe

Filesize
2.5MB

MD5
51df27f1e4386ade475e958dd8f6b955

SHA1
25045c75fecdce5348da601b43e05eaad4de19f9

SHA256
a212f8d6e2b6d7fb4991c35b5458d4be251ffa1467bb3355055324da948cf4f1

SHA512
219192ebbc64ae5b2c6d78774ecbba7e3f6c503dd70a4bf61b261094b2e1a4b6efba004e9ae52f60615fa4f073d7717186c2b0ba5fac389aae485f1c9063ecbe

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe

Filesize
2.5MB

MD5
51df27f1e4386ade475e958dd8f6b955

SHA1
25045c75fecdce5348da601b43e05eaad4de19f9

SHA256
a212f8d6e2b6d7fb4991c35b5458d4be251ffa1467bb3355055324da948cf4f1

SHA512
219192ebbc64ae5b2c6d78774ecbba7e3f6c503dd70a4bf61b261094b2e1a4b6efba004e9ae52f60615fa4f073d7717186c2b0ba5fac389aae485f1c9063ecbe

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\endpoint.json

Filesize
80B

MD5
1afcc3a53b2154f10e73bb2e766f4e05

SHA1
feede5eb677d8659ef7824c3d78e32c1c3cdb9c7

SHA256
00d7742ca8257126b875ed941a04fd500111ec0ad557984d825619f09e93972e

SHA512
846ccad1e382f163af2aacfa7f428bc5c0e794bba734207a0875fdd94c3f383c0f7eb6093eeb289f251b84d35bfd0efb1819b9d61b0d1f34daf5b3911748787c

Download Submit
\Users\Admin\AppData\Local\SquirrelTemp\Update.exe

Filesize
2.5MB

MD5
51df27f1e4386ade475e958dd8f6b955

SHA1
25045c75fecdce5348da601b43e05eaad4de19f9

SHA256
a212f8d6e2b6d7fb4991c35b5458d4be251ffa1467bb3355055324da948cf4f1

SHA512
219192ebbc64ae5b2c6d78774ecbba7e3f6c503dd70a4bf61b261094b2e1a4b6efba004e9ae52f60615fa4f073d7717186c2b0ba5fac389aae485f1c9063ecbe

Download Submit
memory/1036-54-0x0000000075E01000-0x0000000075E03000-memory.dmp

Filesize
8KB

Download
memory/1984-59-0x0000000000E50000-0x00000000010C6000-memory.dmp

Filesize
2.5MB

Download
memory/1984-61-0x00000000004D0000-0x00000000004DA000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads