73d9a1fc91debec990ab05bb907ab57e52d5e6a7894ff80da75e1a6cc076c31e

General

Target

TeamsSetup_c_w_ (1).exe
Size

1.4MB
MD5

1db25ad763b0c754c7bc86e078d005d6
SHA1

9fa700fa5c4fdcb710164fa9f99cebab61f09faf
SHA256

73d9a1fc91debec990ab05bb907ab57e52d5e6a7894ff80da75e1a6cc076c31e
SHA512

fd2e8a5a4041fa0a0bad808c1e6886073a4ef8267666064b3c9021562ed9227f5bb1b7a5953b3c7018cd819c48e1fba45853ba01171514504b6f4eab3a6a6962
SSDEEP

24576:2NYuPOTryV7OXRnWl4bo5cOHxTrckA+K+K6zR6ZIV5jqzZVyHRe4L/7Z3mbK:uOX674Wb5HHx8WKF6zR7YZoHRe4LDZ3P

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1916	Update.exe

Loads dropped DLL 1 IoCs

pid	Process
2508	TeamsSetup_c_w_ (1).exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1916	Update.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2508 wrote to memory of 1916	2508	TeamsSetup_c_w_ (1).exe	28
PID 2508 wrote to memory of 1916	2508	TeamsSetup_c_w_ (1).exe	28
PID 2508 wrote to memory of 1916	2508	TeamsSetup_c_w_ (1).exe	28
PID 2508 wrote to memory of 1916	2508	TeamsSetup_c_w_ (1).exe	28
PID 2508 wrote to memory of 1916	2508	TeamsSetup_c_w_ (1).exe	28
PID 2508 wrote to memory of 1916	2508	TeamsSetup_c_w_ (1).exe	28
PID 2508 wrote to memory of 1916	2508	TeamsSetup_c_w_ (1).exe	28

C:\Users\Admin\AppData\Local\Temp\TeamsSetup_c_w_ (1).exe
"C:\Users\Admin\AppData\Local\Temp\TeamsSetup_c_w_ (1).exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2508
- C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
  "C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe" --install . --exeName=TeamsSetup_c_w_ (1).exe --bootstrapperMode
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1916

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
959846eab4185b8657364269229ef16b

SHA1
f22a2b3e81bfa12ebc120e7ba9c0eabd33842644

SHA256
ffe7e8f74c16866af922509914b05d1b7c166213f10d8c383051377b7cfdfcb3

SHA512
b5eb5d446c80d8e7495bdc4564375612c761f6296263f1cb75fec4a0bcc3b20d22abe6bb1f6a65caaef5475d4731a132d2b0333e374e97df817605602b490e9c

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe

Filesize
2.5MB

MD5
51df27f1e4386ade475e958dd8f6b955

SHA1
25045c75fecdce5348da601b43e05eaad4de19f9

SHA256
a212f8d6e2b6d7fb4991c35b5458d4be251ffa1467bb3355055324da948cf4f1

SHA512
219192ebbc64ae5b2c6d78774ecbba7e3f6c503dd70a4bf61b261094b2e1a4b6efba004e9ae52f60615fa4f073d7717186c2b0ba5fac389aae485f1c9063ecbe

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe

Filesize
2.5MB

MD5
51df27f1e4386ade475e958dd8f6b955

SHA1
25045c75fecdce5348da601b43e05eaad4de19f9

SHA256
a212f8d6e2b6d7fb4991c35b5458d4be251ffa1467bb3355055324da948cf4f1

SHA512
219192ebbc64ae5b2c6d78774ecbba7e3f6c503dd70a4bf61b261094b2e1a4b6efba004e9ae52f60615fa4f073d7717186c2b0ba5fac389aae485f1c9063ecbe

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\endpoint.json

Filesize
80B

MD5
1afcc3a53b2154f10e73bb2e766f4e05

SHA1
feede5eb677d8659ef7824c3d78e32c1c3cdb9c7

SHA256
00d7742ca8257126b875ed941a04fd500111ec0ad557984d825619f09e93972e

SHA512
846ccad1e382f163af2aacfa7f428bc5c0e794bba734207a0875fdd94c3f383c0f7eb6093eeb289f251b84d35bfd0efb1819b9d61b0d1f34daf5b3911748787c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab892F.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar899F.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
\Users\Admin\AppData\Local\SquirrelTemp\Update.exe

Filesize
2.5MB

MD5
51df27f1e4386ade475e958dd8f6b955

SHA1
25045c75fecdce5348da601b43e05eaad4de19f9

SHA256
a212f8d6e2b6d7fb4991c35b5458d4be251ffa1467bb3355055324da948cf4f1

SHA512
219192ebbc64ae5b2c6d78774ecbba7e3f6c503dd70a4bf61b261094b2e1a4b6efba004e9ae52f60615fa4f073d7717186c2b0ba5fac389aae485f1c9063ecbe

Download Submit
memory/1916-63-0x00000000001F0000-0x0000000000466000-memory.dmp

Filesize
2.5MB

Download
memory/1916-289-0x0000000004490000-0x00000000044D0000-memory.dmp

Filesize
256KB

Download
memory/1916-65-0x00000000005E0000-0x00000000005EA000-memory.dmp

Filesize
40KB

Download
memory/1916-64-0x0000000004490000-0x00000000044D0000-memory.dmp

Filesize
256KB

Download
memory/2508-571-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads