eefe1cc1b637e823908ad21afc46a2ca593d506eb0f136503884cf373b88c7f5

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
14/06/2023, 03:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ee9657b36541a633ad8a1018bcd71013.exe
Size

5.6MB
MD5

ee9657b36541a633ad8a1018bcd71013
SHA1

41347d07644f7af6f88203a31f415ce6606d9503
SHA256

eefe1cc1b637e823908ad21afc46a2ca593d506eb0f136503884cf373b88c7f5
SHA512

457ed06148641408a67f10c92d8b0e3ffa4613eacaded70ee7b6b832a97bc736bf255eeef004670f1b7ea2035b0e107d01b890f36e7eb1128a61514081464011
SSDEEP

98304:IFpxx/qkSQhrS8W2siTwbv8F7nDaCFuw2vawTMzM:I7tsCmv8F52v5AzM

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	ee9657b36541a633ad8a1018bcd71013.exe

Executes dropped EXE 1 IoCs

pid	Process
4236	TeamViewer_.exe

Loads dropped DLL 8 IoCs

pid	Process
2092	ee9657b36541a633ad8a1018bcd71013.exe
4236	TeamViewer_.exe
4236	TeamViewer_.exe
4236	TeamViewer_.exe
4236	TeamViewer_.exe
4236	TeamViewer_.exe
4236	TeamViewer_.exe
4236	TeamViewer_.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2092 wrote to memory of 4236	2092	ee9657b36541a633ad8a1018bcd71013.exe	84
PID 2092 wrote to memory of 4236	2092	ee9657b36541a633ad8a1018bcd71013.exe	84
PID 2092 wrote to memory of 4236	2092	ee9657b36541a633ad8a1018bcd71013.exe	84

C:\Users\Admin\AppData\Local\Temp\ee9657b36541a633ad8a1018bcd71013.exe
"C:\Users\Admin\AppData\Local\Temp\ee9657b36541a633ad8a1018bcd71013.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2092
- C:\Users\Admin\AppData\Local\Temp\TeamViewer\Version8\TeamViewer_.exe
  "C:\Users\Admin\AppData\Local\Temp\TeamViewer\Version8\TeamViewer_.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4236

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TeamViewer\Version8\TeamViewer_.exe

Filesize
5.4MB

MD5
751dfbc3b17e13a94c5d715c648a15a8

SHA1
8dc2369cbcd0b52f27ebca8781193e0eb94929b6

SHA256
3a1548b20ddf473cdecf17b810441799a15ed9ead2388d2a574ef5392d2db7bb

SHA512
72e624df66a7615998089d178117a1e8b7055372b8c2631cf12402a9ee96a1b99f6ffd615545d535864e472c09dfb72a7fc7b9136b9a19b5a98d2a200c73f78a

Download Submit
C:\Users\Admin\AppData\Local\Temp\TeamViewer\Version8\TeamViewer_.exe

Filesize
5.4MB

MD5
751dfbc3b17e13a94c5d715c648a15a8

SHA1
8dc2369cbcd0b52f27ebca8781193e0eb94929b6

SHA256
3a1548b20ddf473cdecf17b810441799a15ed9ead2388d2a574ef5392d2db7bb

SHA512
72e624df66a7615998089d178117a1e8b7055372b8c2631cf12402a9ee96a1b99f6ffd615545d535864e472c09dfb72a7fc7b9136b9a19b5a98d2a200c73f78a

Download Submit
C:\Users\Admin\AppData\Local\Temp\TeamViewer\Version8\TeamViewer_.exe

Filesize
5.4MB

MD5
751dfbc3b17e13a94c5d715c648a15a8

SHA1
8dc2369cbcd0b52f27ebca8781193e0eb94929b6

SHA256
3a1548b20ddf473cdecf17b810441799a15ed9ead2388d2a574ef5392d2db7bb

SHA512
72e624df66a7615998089d178117a1e8b7055372b8c2631cf12402a9ee96a1b99f6ffd615545d535864e472c09dfb72a7fc7b9136b9a19b5a98d2a200c73f78a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsgB184.tmp\InstallOptions.dll

Filesize
15KB

MD5
89351a0a6a89519c86c5531e20dab9ea

SHA1
9e801aaaae9e70d8f7fc52f6f12cedc55e4c8a00

SHA256
f530069ef87a1c163c4fd63a3d5b053420ce3d7a98739c70211b4a99f90d6277

SHA512
13168fa828b581383e5f64d3b54be357e98d2eb9362b45685e7426ffc2f0696ab432cc8a3f374ce8abd03c096f1662d954877afa886fc4aa74709e6044b75c08

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsgB184.tmp\System.dll

Filesize
11KB

MD5
bf712f32249029466fa86756f5546950

SHA1
75ac4dc4808ac148ddd78f6b89a51afbd4091c2e

SHA256
7851cb12fa4131f1fee5de390d650ef65cac561279f1cfe70ad16cc9780210af

SHA512
13f69959b28416e0b8811c962a49309dca3f048a165457051a28a3eb51377dcaf99a15e86d7eee8f867a9e25ecf8c44da370ac8f530eeae7b5252eaba64b96f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsgB184.tmp\TvGetVersion.dll

Filesize
143KB

MD5
5c8d6dd6c3e9ea71c6147d271e9ae71b

SHA1
34e835fbb7764fc8d227ddb8895f31c7fdc33981

SHA256
8aff7b00a163885a8b0b92ca4c01ee442f5c14fbdb2f0d65787622301a913031

SHA512
16e4868a4ef2f08c3368e8f2ca2996fccabcd1150b9f2800fc1393ba9da5c7d046db63560367911c808d433c6e408fc2aab7c1e81f3cda89e75a8017970d03fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsgB184.tmp\TvGetVersion.dll

Filesize
143KB

MD5
5c8d6dd6c3e9ea71c6147d271e9ae71b

SHA1
34e835fbb7764fc8d227ddb8895f31c7fdc33981

SHA256
8aff7b00a163885a8b0b92ca4c01ee442f5c14fbdb2f0d65787622301a913031

SHA512
16e4868a4ef2f08c3368e8f2ca2996fccabcd1150b9f2800fc1393ba9da5c7d046db63560367911c808d433c6e408fc2aab7c1e81f3cda89e75a8017970d03fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsgB184.tmp\TvGetVersion.dll

Filesize
143KB

MD5
5c8d6dd6c3e9ea71c6147d271e9ae71b

SHA1
34e835fbb7764fc8d227ddb8895f31c7fdc33981

SHA256
8aff7b00a163885a8b0b92ca4c01ee442f5c14fbdb2f0d65787622301a913031

SHA512
16e4868a4ef2f08c3368e8f2ca2996fccabcd1150b9f2800fc1393ba9da5c7d046db63560367911c808d433c6e408fc2aab7c1e81f3cda89e75a8017970d03fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsgB184.tmp\TvGetVersion.dll

Filesize
143KB

MD5
5c8d6dd6c3e9ea71c6147d271e9ae71b

SHA1
34e835fbb7764fc8d227ddb8895f31c7fdc33981

SHA256
8aff7b00a163885a8b0b92ca4c01ee442f5c14fbdb2f0d65787622301a913031

SHA512
16e4868a4ef2f08c3368e8f2ca2996fccabcd1150b9f2800fc1393ba9da5c7d046db63560367911c808d433c6e408fc2aab7c1e81f3cda89e75a8017970d03fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsgB184.tmp\UserInfo.dll

Filesize
4KB

MD5
c7ce0e47c83525983fd2c4c9566b4aad

SHA1
38b7ad7bb32ffae35540fce373b8a671878dc54e

SHA256
6293408a5fa6d0f55f0a4d01528eb5b807ee9447a75a28b5986267475ebcd3ae

SHA512
ee9f23ea5210f418d4c559628bbfb3a0f892440bcd5dc4c1901cb8e510078e4481ea8353b262795076a19055e70b88e08fee5fb7e8f35a6f49022096408df20e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsgB184.tmp\environment_unicode.ini

Filesize
1KB

MD5
f4502cc87095880030c92b9470839cab

SHA1
093861d96fceb1bbc5e479439b60725c61692468

SHA256
9b738cc8eeed9dc2759e2ef7652a78940d62e71e4c31ac71ed1fd551c79a91b1

SHA512
c9cad13a453a671f15d18d29e4a047720f538b5cd3f76522c0af58763ed61ad3596c0bc1786e97b6e1f5f2bf5acce09d8271ee69b90ceba8b6fadc2f6d7bc9be

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsgB184.tmp\host_unicode.ini

Filesize
2KB

MD5
4c0121229ab96183e2d63ae9bf4f8538

SHA1
a1527d04f05f09160f22f2067f42fa297e43946e

SHA256
189c98328471e425bcbfacd2bd2c3cace41378a2e8a7e23b4f903ecde1728c72

SHA512
bd36f9d4a02a31de70044d0aa303d51362153d9af09ed35f3c3f96c89498e79c14b4d296d1f52b0cd1f827c7d316df4ede5ebb5c3b64e32056219d8d29cd2add

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsgB184.tmp\start_unicode.ini

Filesize
2KB

MD5
6ef26b17728dd1d92e71eb71bfda85ee

SHA1
fb619358be625e0cb61060e477dc2ae405b5586a

SHA256
78d582f290d461043fecf5f57289835843e7c9a11d9c15006d51332126dbf213

SHA512
efff42fb8afd1fc5dfa402aa5832ff06482f3007a3f256f4de7fc081eebd5a092a20c0aaa01cf2326ead7e0f8e0c8b3c831f914820978c40c2220255c6b2bdd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsgB184.tmp\start_unicode.ini

Filesize
2KB

MD5
8cc44acd93aee61ce5936dc04daadb9d

SHA1
97d31b16c002b9b22d95ced34831b454c442479e

SHA256
90fc5a507b9395f5ef7a2600d00b3c51a635fd24612e9af4f2ae175e1d840841

SHA512
81849945172c902cfbf857568bb6a21fb6e0abe10babe61a7ed9b28ee514311dabac8b9cd1629e1e5c2ecb1431abca179b81ea8da014fc6aa0f7430069f70331

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsgB184.tmp\vpn_unicode.ini

Filesize
1KB

MD5
ff6bfe683e5d20f5dc07b3e3cc95e43b

SHA1
72bcb461a2b7251713cd6969ab79ff6fd3f511de

SHA256
ae08ce2fa1e407ee4152d46b26e1e764e6848dc63374c0e2023c1e8537a39382

SHA512
b09887bb1863f0c508721e8fca4d8359b03de29915ed31d8eb53d9a9c2b359222308eb40b4704681cf6de6dd038e80a0e9053090d90bf0649eeb0c5b0a5b34e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjAAEC.tmp\TvGetVersion.dll

Filesize
143KB

MD5
5c8d6dd6c3e9ea71c6147d271e9ae71b

SHA1
34e835fbb7764fc8d227ddb8895f31c7fdc33981

SHA256
8aff7b00a163885a8b0b92ca4c01ee442f5c14fbdb2f0d65787622301a913031

SHA512
16e4868a4ef2f08c3368e8f2ca2996fccabcd1150b9f2800fc1393ba9da5c7d046db63560367911c808d433c6e408fc2aab7c1e81f3cda89e75a8017970d03fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjAAEC.tmp\TvGetVersion.dll

Filesize
143KB

MD5
5c8d6dd6c3e9ea71c6147d271e9ae71b

SHA1
34e835fbb7764fc8d227ddb8895f31c7fdc33981

SHA256
8aff7b00a163885a8b0b92ca4c01ee442f5c14fbdb2f0d65787622301a913031

SHA512
16e4868a4ef2f08c3368e8f2ca2996fccabcd1150b9f2800fc1393ba9da5c7d046db63560367911c808d433c6e408fc2aab7c1e81f3cda89e75a8017970d03fb

Download Submit