193c2a6d5fbc1912506f34c2e9e3c4f771fb37bd706489a89596b3e624bc8351

Analysis

max time kernel
134s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
15/06/2023, 15:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TeamViewer_Setup11.exe
Size

11.8MB
MD5

57ff9213c14a4b1d8cfa975f433f57b6
SHA1

265c90b7a5554e1705ecfe923b59f9757c7d92c3
SHA256

193c2a6d5fbc1912506f34c2e9e3c4f771fb37bd706489a89596b3e624bc8351
SHA512

1353f4036eeb2bca497605a3a2e8887b420651266ba1409690f03a370a76fe4325bd2fb6d324769da5da1ca0f5a420a98ccf6d2e0aa4840978bc993605e85a5a
SSDEEP

196608:2IwvMeH/E2bl55YZD1QPqglp2nnSAL2XlhZyojiadVTje4yWwYSaMtCfNftZG05F:qvdf95QDOPRWnS62VhHeaLjbviaZk0Cc

Score

4^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
556	TeamViewer_.exe

Loads dropped DLL 15 IoCs

pid	Process
788	TeamViewer_Setup11.exe
788	TeamViewer_Setup11.exe
556	TeamViewer_.exe
556	TeamViewer_.exe
556	TeamViewer_.exe
556	TeamViewer_.exe
556	TeamViewer_.exe
556	TeamViewer_.exe
556	TeamViewer_.exe
556	TeamViewer_.exe
556	TeamViewer_.exe
556	TeamViewer_.exe
556	TeamViewer_.exe
556	TeamViewer_.exe
556	TeamViewer_.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
556	TeamViewer_.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 788 wrote to memory of 556	788	TeamViewer_Setup11.exe	27
PID 788 wrote to memory of 556	788	TeamViewer_Setup11.exe	27
PID 788 wrote to memory of 556	788	TeamViewer_Setup11.exe	27
PID 788 wrote to memory of 556	788	TeamViewer_Setup11.exe	27
PID 788 wrote to memory of 556	788	TeamViewer_Setup11.exe	27
PID 788 wrote to memory of 556	788	TeamViewer_Setup11.exe	27
PID 788 wrote to memory of 556	788	TeamViewer_Setup11.exe	27

C:\Users\Admin\AppData\Local\Temp\TeamViewer_Setup11.exe
"C:\Users\Admin\AppData\Local\Temp\TeamViewer_Setup11.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:788
- C:\Users\Admin\AppData\Local\Temp\TeamViewer\TeamViewer_.exe
  "C:\Users\Admin\AppData\Local\Temp\TeamViewer\TeamViewer_.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  PID:556

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TeamViewer\TeamViewer_.exe

Filesize
11.5MB

MD5
e485ef3f8cf434518e1e13616b5d8d2f

SHA1
7fedef81e8441863638dd907e2c0a9d9daa240f9

SHA256
7859d89989373b1ca83cab5a063c1b1e472e79c7c1cc971cd80f419e2ef9a006

SHA512
43a59e72f6f35d8ae8b7a50f0c6215f3a1676170dc0935b369d6ce76a85df1810510e174c31b78f81ee8fe3340be995ff6b1e67cbeb9e14e9c4b328f55760bc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\TeamViewer\TeamViewer_.exe

Filesize
11.5MB

MD5
e485ef3f8cf434518e1e13616b5d8d2f

SHA1
7fedef81e8441863638dd907e2c0a9d9daa240f9

SHA256
7859d89989373b1ca83cab5a063c1b1e472e79c7c1cc971cd80f419e2ef9a006

SHA512
43a59e72f6f35d8ae8b7a50f0c6215f3a1676170dc0935b369d6ce76a85df1810510e174c31b78f81ee8fe3340be995ff6b1e67cbeb9e14e9c4b328f55760bc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\TeamViewer\tvinfo.ini

Filesize
48B

MD5
3a8072bd36137a3e9b42b6d644cfe3dc

SHA1
bf6dc15cc09239121e81624abf95cd28839e772b

SHA256
88b96fc51d19efe47706eac926729c829e52b5bdab18899cfc3f8fcbceebaa4f

SHA512
f309725eb2d7000ab72c2722f90f4dcc9c88e9a43889eb262f3475f25ea45f30d61d94bfd64019190132c2736a9a227d03f3961fec6fb5e7189ecaca778b1892

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd5E38.tmp\TvGetVersion.dll

Filesize
141KB

MD5
663fe1b2d25c55c3bde91052f178f6c2

SHA1
63e15d773eac5ed7307de6cf533d97d1f37fd65b

SHA256
eff5be397d881fa05640641a71eb43455d73fb6b70a1eb3b2f6efd9a59f01902

SHA512
97d5557e203802eb1708ac5414a177a2a6ea76e12c8e92e5af8c706396f201ed04f448002012e8186aecafed447ee7e962f29fb34992bcd9ab13c4250a924fbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst7043.tmp\InstallOptions.dll

Filesize
15KB

MD5
033ee34c40e8fa85bf2739bcb2f3e186

SHA1
2ca942f35f77f37df3fc6097acac34f2e77341b7

SHA256
c91c1796338a265b49039c0b2c7a312d764b99e5174fb2dae455ca54f8f41ec7

SHA512
2204e0b8721b8d85c51bd068b1695b16ee096bfc1d1cd5843f48fd04032aeee2b6a91ce82978a4b3414f3d966ec5b36fb337a4149dae3a1d0445935d964d247f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst7043.tmp\TvGetVersion.dll

Filesize
153KB

MD5
d2c761a29981f8469a4c3071db73cd02

SHA1
7e3fa24665b4ddd615dbc2e9b07dd73595836930

SHA256
01abf435f6dcc89560a068a9af0c2e6f067d7d4b1a6a0b848b40ecb907885d11

SHA512
420e33d24da8392037a3afd413df96cc650b5c5a25de1e10d0859cf926b149a77197bbcd59313b0a96e115add4c7ad7fe712a6d14bb072cb46eb6bd62a1d369c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst7043.tmp\UserInfo.dll

Filesize
4KB

MD5
9b0db6a6056e8e51ac35e602aeab769f

SHA1
b541c6d2635141cdc3a74f59d55db8df4a92e7ac

SHA256
925d80c31702a95d58ede91ee97fd842de78ca6dde69156a6c1a755fba93cd5c

SHA512
83fe9d346835940a37e0e0a18d041c9d13fc95a0e9ece3bc18e555cf0e8e7ddf7b42dba422b1e55ace31db3c9fc807e0b44e93b8f07f5acb943eaaf77b4f0ac6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst7043.tmp\start_unicode.ini

Filesize
2KB

MD5
2a8a139cdab38b5f4264ae82850cbd22

SHA1
816e8acb2adc36c7f138f963a9802622dfc9536a

SHA256
94bde605292510f8ae6df19083130770ae8c754906007ea93150cab63962190b

SHA512
d6f99e88e72cfb28afc4af0780d2ac380f00f9fe9265cbbb4b8e6390e9b6ee5870a723e1971288783fd919158659ff214bab383242fa22470d9f6f1a170e2cf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst7043.tmp\start_unicode.ini

Filesize
2KB

MD5
41f3b6044421251645f319b8aea27454

SHA1
df193487e1e2892d03d9f71f54979723308fee42

SHA256
82d0d23af27d2d577ffae3064ff66e34eb66deef5ec4cbd40e4eaa14a089e77b

SHA512
642e2b48bad77e4dab86a4979efbb23e909897cfd4ef4c55442254d39f694f18d2768662a285632bb744497df2b807b8e957a832953a3285782ec2ab31f74414

Download Submit
\Users\Admin\AppData\Local\Temp\TeamViewer\TeamViewer_.exe

Filesize
11.5MB

MD5
e485ef3f8cf434518e1e13616b5d8d2f

SHA1
7fedef81e8441863638dd907e2c0a9d9daa240f9

SHA256
7859d89989373b1ca83cab5a063c1b1e472e79c7c1cc971cd80f419e2ef9a006

SHA512
43a59e72f6f35d8ae8b7a50f0c6215f3a1676170dc0935b369d6ce76a85df1810510e174c31b78f81ee8fe3340be995ff6b1e67cbeb9e14e9c4b328f55760bc1

Download Submit
\Users\Admin\AppData\Local\Temp\nsd5E38.tmp\TvGetVersion.dll

Filesize
141KB

MD5
663fe1b2d25c55c3bde91052f178f6c2

SHA1
63e15d773eac5ed7307de6cf533d97d1f37fd65b

SHA256
eff5be397d881fa05640641a71eb43455d73fb6b70a1eb3b2f6efd9a59f01902

SHA512
97d5557e203802eb1708ac5414a177a2a6ea76e12c8e92e5af8c706396f201ed04f448002012e8186aecafed447ee7e962f29fb34992bcd9ab13c4250a924fbc

Download Submit
\Users\Admin\AppData\Local\Temp\nst7043.tmp\InstallOptions.dll

Filesize
15KB

MD5
033ee34c40e8fa85bf2739bcb2f3e186

SHA1
2ca942f35f77f37df3fc6097acac34f2e77341b7

SHA256
c91c1796338a265b49039c0b2c7a312d764b99e5174fb2dae455ca54f8f41ec7

SHA512
2204e0b8721b8d85c51bd068b1695b16ee096bfc1d1cd5843f48fd04032aeee2b6a91ce82978a4b3414f3d966ec5b36fb337a4149dae3a1d0445935d964d247f

Download Submit
\Users\Admin\AppData\Local\Temp\nst7043.tmp\InstallOptions.dll

Filesize
15KB

MD5
033ee34c40e8fa85bf2739bcb2f3e186

SHA1
2ca942f35f77f37df3fc6097acac34f2e77341b7

SHA256
c91c1796338a265b49039c0b2c7a312d764b99e5174fb2dae455ca54f8f41ec7

SHA512
2204e0b8721b8d85c51bd068b1695b16ee096bfc1d1cd5843f48fd04032aeee2b6a91ce82978a4b3414f3d966ec5b36fb337a4149dae3a1d0445935d964d247f

Download Submit
\Users\Admin\AppData\Local\Temp\nst7043.tmp\InstallOptions.dll

Filesize
15KB

MD5
033ee34c40e8fa85bf2739bcb2f3e186

SHA1
2ca942f35f77f37df3fc6097acac34f2e77341b7

SHA256
c91c1796338a265b49039c0b2c7a312d764b99e5174fb2dae455ca54f8f41ec7

SHA512
2204e0b8721b8d85c51bd068b1695b16ee096bfc1d1cd5843f48fd04032aeee2b6a91ce82978a4b3414f3d966ec5b36fb337a4149dae3a1d0445935d964d247f

Download Submit
\Users\Admin\AppData\Local\Temp\nst7043.tmp\InstallOptions.dll

Filesize
15KB

MD5
033ee34c40e8fa85bf2739bcb2f3e186

SHA1
2ca942f35f77f37df3fc6097acac34f2e77341b7

SHA256
c91c1796338a265b49039c0b2c7a312d764b99e5174fb2dae455ca54f8f41ec7

SHA512
2204e0b8721b8d85c51bd068b1695b16ee096bfc1d1cd5843f48fd04032aeee2b6a91ce82978a4b3414f3d966ec5b36fb337a4149dae3a1d0445935d964d247f

Download Submit
\Users\Admin\AppData\Local\Temp\nst7043.tmp\System.dll

Filesize
11KB

MD5
0ff2d70cfdc8095ea99ca2dabbec3cd7

SHA1
10c51496d37cecd0e8a503a5a9bb2329d9b38116

SHA256
982c5fb7ada7d8c9bc3e419d1c35da6f05bc5dd845940c179af3a33d00a36a8b

SHA512
cb5fc0b3194f469b833c2c9abf493fcec5251e8609881b7f5e095b9bd09ed468168e95dda0ba415a7d8d6b7f0dee735467c0ed8e52b223eb5359986891ba6e2e

Download Submit
\Users\Admin\AppData\Local\Temp\nst7043.tmp\TvGetVersion.dll

Filesize
153KB

MD5
d2c761a29981f8469a4c3071db73cd02

SHA1
7e3fa24665b4ddd615dbc2e9b07dd73595836930

SHA256
01abf435f6dcc89560a068a9af0c2e6f067d7d4b1a6a0b848b40ecb907885d11

SHA512
420e33d24da8392037a3afd413df96cc650b5c5a25de1e10d0859cf926b149a77197bbcd59313b0a96e115add4c7ad7fe712a6d14bb072cb46eb6bd62a1d369c

Download Submit
\Users\Admin\AppData\Local\Temp\nst7043.tmp\TvGetVersion.dll

Filesize
153KB

MD5
d2c761a29981f8469a4c3071db73cd02

SHA1
7e3fa24665b4ddd615dbc2e9b07dd73595836930

SHA256
01abf435f6dcc89560a068a9af0c2e6f067d7d4b1a6a0b848b40ecb907885d11

SHA512
420e33d24da8392037a3afd413df96cc650b5c5a25de1e10d0859cf926b149a77197bbcd59313b0a96e115add4c7ad7fe712a6d14bb072cb46eb6bd62a1d369c

Download Submit
\Users\Admin\AppData\Local\Temp\nst7043.tmp\TvGetVersion.dll

Filesize
153KB

MD5
d2c761a29981f8469a4c3071db73cd02

SHA1
7e3fa24665b4ddd615dbc2e9b07dd73595836930

SHA256
01abf435f6dcc89560a068a9af0c2e6f067d7d4b1a6a0b848b40ecb907885d11

SHA512
420e33d24da8392037a3afd413df96cc650b5c5a25de1e10d0859cf926b149a77197bbcd59313b0a96e115add4c7ad7fe712a6d14bb072cb46eb6bd62a1d369c

Download Submit
\Users\Admin\AppData\Local\Temp\nst7043.tmp\TvGetVersion.dll

Filesize
153KB

MD5
d2c761a29981f8469a4c3071db73cd02

SHA1
7e3fa24665b4ddd615dbc2e9b07dd73595836930

SHA256
01abf435f6dcc89560a068a9af0c2e6f067d7d4b1a6a0b848b40ecb907885d11

SHA512
420e33d24da8392037a3afd413df96cc650b5c5a25de1e10d0859cf926b149a77197bbcd59313b0a96e115add4c7ad7fe712a6d14bb072cb46eb6bd62a1d369c

Download Submit
\Users\Admin\AppData\Local\Temp\nst7043.tmp\TvGetVersion.dll

Filesize
153KB

MD5
d2c761a29981f8469a4c3071db73cd02

SHA1
7e3fa24665b4ddd615dbc2e9b07dd73595836930

SHA256
01abf435f6dcc89560a068a9af0c2e6f067d7d4b1a6a0b848b40ecb907885d11

SHA512
420e33d24da8392037a3afd413df96cc650b5c5a25de1e10d0859cf926b149a77197bbcd59313b0a96e115add4c7ad7fe712a6d14bb072cb46eb6bd62a1d369c

Download Submit
\Users\Admin\AppData\Local\Temp\nst7043.tmp\UserInfo.dll

Filesize
4KB

MD5
9b0db6a6056e8e51ac35e602aeab769f

SHA1
b541c6d2635141cdc3a74f59d55db8df4a92e7ac

SHA256
925d80c31702a95d58ede91ee97fd842de78ca6dde69156a6c1a755fba93cd5c

SHA512
83fe9d346835940a37e0e0a18d041c9d13fc95a0e9ece3bc18e555cf0e8e7ddf7b42dba422b1e55ace31db3c9fc807e0b44e93b8f07f5acb943eaaf77b4f0ac6

Download Submit
\Users\Admin\AppData\Local\Temp\nst7043.tmp\UserInfo.dll

Filesize
4KB

MD5
9b0db6a6056e8e51ac35e602aeab769f

SHA1
b541c6d2635141cdc3a74f59d55db8df4a92e7ac

SHA256
925d80c31702a95d58ede91ee97fd842de78ca6dde69156a6c1a755fba93cd5c

SHA512
83fe9d346835940a37e0e0a18d041c9d13fc95a0e9ece3bc18e555cf0e8e7ddf7b42dba422b1e55ace31db3c9fc807e0b44e93b8f07f5acb943eaaf77b4f0ac6

Download Submit
\Users\Admin\AppData\Local\Temp\nst7043.tmp\linker.dll

Filesize
45KB

MD5
4ac3f0ab2e423515ed9c575333342054

SHA1
a3e4f2b2135157f964d471564044b023a64f2532

SHA256
f223d6c72f86544b358a6301daf60ccdd86198f32e3447a1860acf3f59f2dae9

SHA512
8fbd5b4989be51c27fa15af155d2921bea9aa5d0557a22d4224256e678dfe7dcaa5f80917a748c31dc9c9a91573e4618e2497ccfd47eefd7a0fa08c12366a1e5

Download Submit
memory/556-314-0x0000000006790000-0x000000000679E000-memory.dmp

Filesize
56KB

Download