49d03705739faacb94c8025aaa432597d309fe96026c97ea4f0412bbf09f7a2e

Resubmissions

14-06-2023 15:31

230614-sye5jsah4z 7

13-06-2023 03:59

09-06-2023 03:51

09-06-2023 03:51

09-06-2023 03:33

Analysis

max time kernel
7s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
09-06-2023 03:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Cyber Security Support.exe
Size

22.0MB
MD5

8452fe515826ab6f43eff16918a40e32
SHA1

64859677fd830793f787fa87c7b29f75883da5cd
SHA256

49d03705739faacb94c8025aaa432597d309fe96026c97ea4f0412bbf09f7a2e
SHA512

6429fa27c63290a777ab6836e7e97b552afdf396a505876fef068929af3da40be01eb505809e4e5bcbb8421ee401439e14a345854b6a17b8ffa8f43375728994
SSDEEP

393216:KOTMIRuiduUzRK3oMS6smRo6SxIM/L/JUH6eBkpH1ed/cViEZs1e4Vj5NnExjuwM:Fg1Oo4WsmRorIMbJUHmpVPiE29XnExjg

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 40 IoCs

Processes:

Cyber Security Support.exe

description	pid	process	target process
PID 2032 wrote to memory of 1436	2032	Cyber Security Support.exe	reg.exe
PID 2032 wrote to memory of 1436	2032	Cyber Security Support.exe	reg.exe
PID 2032 wrote to memory of 1436	2032	Cyber Security Support.exe	reg.exe
PID 2032 wrote to memory of 1436	2032	Cyber Security Support.exe	reg.exe
PID 2032 wrote to memory of 308	2032	Cyber Security Support.exe	cmd.exe
PID 2032 wrote to memory of 308	2032	Cyber Security Support.exe	cmd.exe
PID 2032 wrote to memory of 308	2032	Cyber Security Support.exe	cmd.exe
PID 2032 wrote to memory of 308	2032	Cyber Security Support.exe	cmd.exe
PID 2032 wrote to memory of 1548	2032	Cyber Security Support.exe	cmd.exe
PID 2032 wrote to memory of 1548	2032	Cyber Security Support.exe	cmd.exe
PID 2032 wrote to memory of 1548	2032	Cyber Security Support.exe	cmd.exe
PID 2032 wrote to memory of 1548	2032	Cyber Security Support.exe	cmd.exe
PID 2032 wrote to memory of 1516	2032	Cyber Security Support.exe	cmd.exe
PID 2032 wrote to memory of 1516	2032	Cyber Security Support.exe	cmd.exe
PID 2032 wrote to memory of 1516	2032	Cyber Security Support.exe	cmd.exe
PID 2032 wrote to memory of 1516	2032	Cyber Security Support.exe	cmd.exe
PID 2032 wrote to memory of 1108	2032	Cyber Security Support.exe	cmd.exe
PID 2032 wrote to memory of 1108	2032	Cyber Security Support.exe	cmd.exe
PID 2032 wrote to memory of 1108	2032	Cyber Security Support.exe	cmd.exe
PID 2032 wrote to memory of 1108	2032	Cyber Security Support.exe	cmd.exe
PID 2032 wrote to memory of 1176	2032	Cyber Security Support.exe	cmd.exe
PID 2032 wrote to memory of 1176	2032	Cyber Security Support.exe	cmd.exe
PID 2032 wrote to memory of 1176	2032	Cyber Security Support.exe	cmd.exe
PID 2032 wrote to memory of 1176	2032	Cyber Security Support.exe	cmd.exe
PID 2032 wrote to memory of 1096	2032	Cyber Security Support.exe	cmd.exe
PID 2032 wrote to memory of 1096	2032	Cyber Security Support.exe	cmd.exe
PID 2032 wrote to memory of 1096	2032	Cyber Security Support.exe	cmd.exe
PID 2032 wrote to memory of 1096	2032	Cyber Security Support.exe	cmd.exe
PID 2032 wrote to memory of 1652	2032	Cyber Security Support.exe	cmd.exe
PID 2032 wrote to memory of 1652	2032	Cyber Security Support.exe	cmd.exe
PID 2032 wrote to memory of 1652	2032	Cyber Security Support.exe	cmd.exe
PID 2032 wrote to memory of 1652	2032	Cyber Security Support.exe	cmd.exe
PID 2032 wrote to memory of 2024	2032	Cyber Security Support.exe	cmd.exe
PID 2032 wrote to memory of 2024	2032	Cyber Security Support.exe	cmd.exe
PID 2032 wrote to memory of 2024	2032	Cyber Security Support.exe	cmd.exe
PID 2032 wrote to memory of 2024	2032	Cyber Security Support.exe	cmd.exe
PID 2032 wrote to memory of 1152	2032	Cyber Security Support.exe	cmd.exe
PID 2032 wrote to memory of 1152	2032	Cyber Security Support.exe	cmd.exe
PID 2032 wrote to memory of 1152	2032	Cyber Security Support.exe	cmd.exe
PID 2032 wrote to memory of 1152	2032	Cyber Security Support.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\Cyber Security Support.exe
"C:\Users\Admin\AppData\Local\Temp\Cyber Security Support.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2032

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" Add "HKCU\Software\TeamViewer" /v "TeamViewerTermsOfUseAcceptedQS" /t REG_DWORD /d "1" /f
2⤵
PID:1436

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c If Exist "C:\Users\Admin\AppData\Local\Temp\TeamViewer_Resource_ar.dll" xcopy /y "C:\Users\Admin\AppData\Local\Temp\TeamViewer_Resource_ar.dll"
2⤵
PID:308

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c If Exist "C:\Users\Admin\AppData\Local\Temp\TeamViewer_Resource_bg.dll" xcopy /y "C:\Users\Admin\AppData\Local\Temp\TeamViewer_Resource_bg.dll"
2⤵
PID:1548

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c If Exist "C:\Users\Admin\AppData\Local\Temp\TeamViewer_Resource_cs.dll" xcopy /y "C:\Users\Admin\AppData\Local\Temp\TeamViewer_Resource_cs.dll"
2⤵
PID:1516

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c If Exist "C:\Users\Admin\AppData\Local\Temp\TeamViewer_Resource_da.dll" xcopy /y "C:\Users\Admin\AppData\Local\Temp\TeamViewer_Resource_da.dll"
2⤵
PID:1108

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c If Exist "C:\Users\Admin\AppData\Local\Temp\TeamViewer_Resource_de.dll" xcopy /y "C:\Users\Admin\AppData\Local\Temp\TeamViewer_Resource_de.dll"
2⤵
PID:1176

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c If Exist "C:\Users\Admin\AppData\Local\Temp\TeamViewer_Resource_el.dll" xcopy /y "C:\Users\Admin\AppData\Local\Temp\TeamViewer_Resource_el.dll"
2⤵
PID:1096

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c If Exist "C:\Users\Admin\AppData\Local\Temp\TeamViewer_Resource_en.dll" xcopy /y "C:\Users\Admin\AppData\Local\Temp\TeamViewer_Resource_en.dll"
2⤵
PID:1652

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c If Exist "C:\Users\Admin\AppData\Local\Temp\TeamViewer_Resource_es.dll" xcopy /y "C:\Users\Admin\AppData\Local\Temp\TeamViewer_Resource_es.dll"
2⤵
PID:2024

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c If Exist "C:\Users\Admin\AppData\Local\Temp\TeamViewer_Resource_fi.dll" xcopy /y "C:\Users\Admin\AppData\Local\Temp\TeamViewer_Resource_fi.dll"
2⤵
PID:1152

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads