Resubmissions
14-06-2023 15:31
230614-sye5jsah4z 713-06-2023 03:59
230613-ekd4fafb7x 709-06-2023 03:51
230609-eevh8sbf3z 1009-06-2023 03:51
230609-eelw4abf3y 309-06-2023 03:33
230609-d4p5dabe9x 10Analysis
-
max time kernel
7s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system -
submitted
09-06-2023 03:51
Static task
static1
Behavioral task
behavioral1
Sample
Cyber Security Support.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
Cyber Security Support.exe
Resource
win10v2004-20230220-en
General
-
Target
Cyber Security Support.exe
-
Size
22.0MB
-
MD5
8452fe515826ab6f43eff16918a40e32
-
SHA1
64859677fd830793f787fa87c7b29f75883da5cd
-
SHA256
49d03705739faacb94c8025aaa432597d309fe96026c97ea4f0412bbf09f7a2e
-
SHA512
6429fa27c63290a777ab6836e7e97b552afdf396a505876fef068929af3da40be01eb505809e4e5bcbb8421ee401439e14a345854b6a17b8ffa8f43375728994
-
SSDEEP
393216:KOTMIRuiduUzRK3oMS6smRo6SxIM/L/JUH6eBkpH1ed/cViEZs1e4Vj5NnExjuwM:Fg1Oo4WsmRorIMbJUHmpVPiE29XnExjg
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 40 IoCs
Processes:
Cyber Security Support.exedescription pid process target process PID 2032 wrote to memory of 1436 2032 Cyber Security Support.exe reg.exe PID 2032 wrote to memory of 1436 2032 Cyber Security Support.exe reg.exe PID 2032 wrote to memory of 1436 2032 Cyber Security Support.exe reg.exe PID 2032 wrote to memory of 1436 2032 Cyber Security Support.exe reg.exe PID 2032 wrote to memory of 308 2032 Cyber Security Support.exe cmd.exe PID 2032 wrote to memory of 308 2032 Cyber Security Support.exe cmd.exe PID 2032 wrote to memory of 308 2032 Cyber Security Support.exe cmd.exe PID 2032 wrote to memory of 308 2032 Cyber Security Support.exe cmd.exe PID 2032 wrote to memory of 1548 2032 Cyber Security Support.exe cmd.exe PID 2032 wrote to memory of 1548 2032 Cyber Security Support.exe cmd.exe PID 2032 wrote to memory of 1548 2032 Cyber Security Support.exe cmd.exe PID 2032 wrote to memory of 1548 2032 Cyber Security Support.exe cmd.exe PID 2032 wrote to memory of 1516 2032 Cyber Security Support.exe cmd.exe PID 2032 wrote to memory of 1516 2032 Cyber Security Support.exe cmd.exe PID 2032 wrote to memory of 1516 2032 Cyber Security Support.exe cmd.exe PID 2032 wrote to memory of 1516 2032 Cyber Security Support.exe cmd.exe PID 2032 wrote to memory of 1108 2032 Cyber Security Support.exe cmd.exe PID 2032 wrote to memory of 1108 2032 Cyber Security Support.exe cmd.exe PID 2032 wrote to memory of 1108 2032 Cyber Security Support.exe cmd.exe PID 2032 wrote to memory of 1108 2032 Cyber Security Support.exe cmd.exe PID 2032 wrote to memory of 1176 2032 Cyber Security Support.exe cmd.exe PID 2032 wrote to memory of 1176 2032 Cyber Security Support.exe cmd.exe PID 2032 wrote to memory of 1176 2032 Cyber Security Support.exe cmd.exe PID 2032 wrote to memory of 1176 2032 Cyber Security Support.exe cmd.exe PID 2032 wrote to memory of 1096 2032 Cyber Security Support.exe cmd.exe PID 2032 wrote to memory of 1096 2032 Cyber Security Support.exe cmd.exe PID 2032 wrote to memory of 1096 2032 Cyber Security Support.exe cmd.exe PID 2032 wrote to memory of 1096 2032 Cyber Security Support.exe cmd.exe PID 2032 wrote to memory of 1652 2032 Cyber Security Support.exe cmd.exe PID 2032 wrote to memory of 1652 2032 Cyber Security Support.exe cmd.exe PID 2032 wrote to memory of 1652 2032 Cyber Security Support.exe cmd.exe PID 2032 wrote to memory of 1652 2032 Cyber Security Support.exe cmd.exe PID 2032 wrote to memory of 2024 2032 Cyber Security Support.exe cmd.exe PID 2032 wrote to memory of 2024 2032 Cyber Security Support.exe cmd.exe PID 2032 wrote to memory of 2024 2032 Cyber Security Support.exe cmd.exe PID 2032 wrote to memory of 2024 2032 Cyber Security Support.exe cmd.exe PID 2032 wrote to memory of 1152 2032 Cyber Security Support.exe cmd.exe PID 2032 wrote to memory of 1152 2032 Cyber Security Support.exe cmd.exe PID 2032 wrote to memory of 1152 2032 Cyber Security Support.exe cmd.exe PID 2032 wrote to memory of 1152 2032 Cyber Security Support.exe cmd.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Cyber Security Support.exe"C:\Users\Admin\AppData\Local\Temp\Cyber Security Support.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" Add "HKCU\Software\TeamViewer" /v "TeamViewerTermsOfUseAcceptedQS" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c If Exist "C:\Users\Admin\AppData\Local\Temp\TeamViewer_Resource_ar.dll" xcopy /y "C:\Users\Admin\AppData\Local\Temp\TeamViewer_Resource_ar.dll"2⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c If Exist "C:\Users\Admin\AppData\Local\Temp\TeamViewer_Resource_bg.dll" xcopy /y "C:\Users\Admin\AppData\Local\Temp\TeamViewer_Resource_bg.dll"2⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c If Exist "C:\Users\Admin\AppData\Local\Temp\TeamViewer_Resource_cs.dll" xcopy /y "C:\Users\Admin\AppData\Local\Temp\TeamViewer_Resource_cs.dll"2⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c If Exist "C:\Users\Admin\AppData\Local\Temp\TeamViewer_Resource_da.dll" xcopy /y "C:\Users\Admin\AppData\Local\Temp\TeamViewer_Resource_da.dll"2⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c If Exist "C:\Users\Admin\AppData\Local\Temp\TeamViewer_Resource_de.dll" xcopy /y "C:\Users\Admin\AppData\Local\Temp\TeamViewer_Resource_de.dll"2⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c If Exist "C:\Users\Admin\AppData\Local\Temp\TeamViewer_Resource_el.dll" xcopy /y "C:\Users\Admin\AppData\Local\Temp\TeamViewer_Resource_el.dll"2⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c If Exist "C:\Users\Admin\AppData\Local\Temp\TeamViewer_Resource_en.dll" xcopy /y "C:\Users\Admin\AppData\Local\Temp\TeamViewer_Resource_en.dll"2⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c If Exist "C:\Users\Admin\AppData\Local\Temp\TeamViewer_Resource_es.dll" xcopy /y "C:\Users\Admin\AppData\Local\Temp\TeamViewer_Resource_es.dll"2⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c If Exist "C:\Users\Admin\AppData\Local\Temp\TeamViewer_Resource_fi.dll" xcopy /y "C:\Users\Admin\AppData\Local\Temp\TeamViewer_Resource_fi.dll"2⤵