Malware Analysis Report

2024-10-23 20:55

Sample ID 230717-m2tjfsbd28
Target TeamViewer_Setup.exe
SHA256 203b9d7b8796ea071beb263723991d57a40b25b77d0cbd2e4bd8dff62601331e
Tags rat vanillarat persistence
Score 10/10

Analysis Overview

Score 10/10

SHA256 203b9d7b8796ea071beb263723991d57a40b25b77d0cbd2e4bd8dff62601331e

Threat Level: Known bad

The file TeamViewer_Setup.exe was found to be: Known bad.

Malicious Activity Summary

rat vanillarat persistence

Vanilla Rat payload

VanillaRat

Vanillarat family

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Legitimate hosting services abused for malware hosting/C2

Drops file in System32 directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Modifies registry key

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-07-17 10:58

Signatures

Vanilla Rat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Vanillarat family

vanillarat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-07-17 10:58

Reported

2023-07-17 11:00

Platform

win7-20230712-en

Max time kernel

149s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\TeamViewer_Setup.exe"

Signatures

VanillaRat

rat vanillarat

Vanilla Rat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\dllhоst.exe N/A
N/A N/A C:\Windows\SysWOW64\сsrss.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\TeamViewer_Setup.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhоst.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ChromeUpdate = "C:\\Windows\\SysWOW64\\dllhоst.exe" C:\Windows\SysWOW64\reg.exe N/A

Legitimate hosting services abused for malware hosting/C2

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\dllhоst.exe C:\Users\Admin\AppData\Local\Temp\TeamViewer_Setup.exe N/A
File created C:\Windows\SysWOW64\сsrss.exe C:\Windows\SysWOW64\dllhоst.exe N/A

Enumerates physical storage devices

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\dllhоst.exe N/A
N/A N/A C:\Windows\SysWOW64\сsrss.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\TeamViewer_Setup.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\dllhоst.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\сsrss.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\TeamViewer_Setup.exe

"C:\Users\Admin\AppData\Local\Temp\TeamViewer_Setup.exe"

C:\Windows\SysWOW64\dllhоst.exe

"C:\Windows\System32\dllhоst.exe"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v ChromeUpdate /t REG_SZ /d C:\Windows\SysWOW64\dllhоst.exe /f

C:\Windows\SysWOW64\сsrss.exe

"C:\Windows\SysWOW64\сsrss.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 7.tcp.eu.ngrok.io udp
DE 3.67.15.169:13001 7.tcp.eu.ngrok.io tcp
DE 3.125.188.168:13001 7.tcp.eu.ngrok.io tcp
DE 3.125.188.168:13001 tcp

Files

memory/2324-54-0x0000000001230000-0x0000000001262000-memory.dmp

memory/2324-55-0x0000000074750000-0x0000000074E3E000-memory.dmp

\Windows\SysWOW64\dllhоst.exe

MD5 2bdc96dbce5e135529f676c6b88764c7
SHA1 580f2ab7c6f326c623bbd7ae4868f42daa0571e4
SHA256 a0ad6a336ea6eb88b3ee5c053ad14c6407de5baa3220bc66059d093e0d9d9ceb
SHA512 5682b35829f564ee41f8474288fd55e892373686c17084b10ee739e2dd0fa4d63a147a795f7f27ae32da599686d9458091b8a716272d5ad8d7fbe56b7c0cb453

C:\Windows\SysWOW64\dllhоst.exe

MD5 2bdc96dbce5e135529f676c6b88764c7
SHA1 580f2ab7c6f326c623bbd7ae4868f42daa0571e4
SHA256 a0ad6a336ea6eb88b3ee5c053ad14c6407de5baa3220bc66059d093e0d9d9ceb
SHA512 5682b35829f564ee41f8474288fd55e892373686c17084b10ee739e2dd0fa4d63a147a795f7f27ae32da599686d9458091b8a716272d5ad8d7fbe56b7c0cb453

memory/1356-64-0x00000000001C0000-0x00000000001E8000-memory.dmp

memory/1356-63-0x0000000074750000-0x0000000074E3E000-memory.dmp

memory/2324-65-0x0000000074750000-0x0000000074E3E000-memory.dmp

memory/1356-66-0x0000000004CA0000-0x0000000004CE0000-memory.dmp

\Windows\SysWOW64\сsrss.exe

MD5 baf28af74bec2fee218fc030c48ff403
SHA1 904379111848e20d2910e7122ea0713dc7dd76f4
SHA256 60ee28f72aad91470ce00cb75c029b0b2fbf440d734bdec00bd5bf8a6adfca5c
SHA512 6fcc43d6898a7e60a8c9ebdac31a4fc074ad0c20cbe4297b8d632ab653a01450a6b57cd43ae5126ff542517f1b6d43c56d62d23c863aa2e70650a9d265e6d081

C:\Windows\SysWOW64\сsrss.exe

MD5 baf28af74bec2fee218fc030c48ff403
SHA1 904379111848e20d2910e7122ea0713dc7dd76f4
SHA256 60ee28f72aad91470ce00cb75c029b0b2fbf440d734bdec00bd5bf8a6adfca5c
SHA512 6fcc43d6898a7e60a8c9ebdac31a4fc074ad0c20cbe4297b8d632ab653a01450a6b57cd43ae5126ff542517f1b6d43c56d62d23c863aa2e70650a9d265e6d081

memory/3036-74-0x0000000000080000-0x00000000000A2000-memory.dmp

memory/3036-75-0x0000000074750000-0x0000000074E3E000-memory.dmp

memory/3036-76-0x0000000004C40000-0x0000000004C80000-memory.dmp

memory/1356-77-0x0000000074750000-0x0000000074E3E000-memory.dmp

memory/1356-78-0x0000000004CA0000-0x0000000004CE0000-memory.dmp

memory/3036-79-0x0000000074750000-0x0000000074E3E000-memory.dmp

memory/3036-80-0x0000000004C40000-0x0000000004C80000-memory.dmp

memory/3036-81-0x0000000004C40000-0x0000000004C80000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-07-17 10:58

Reported

2023-07-17 11:00

Platform

win10v2004-20230703-en

Max time kernel

150s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\TeamViewer_Setup.exe"

Signatures

VanillaRat

rat vanillarat

Vanilla Rat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\TeamViewer_Setup.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\dllhоst.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\dllhоst.exe N/A
N/A N/A C:\Windows\SysWOW64\сsrss.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ChromeUpdate = "C:\\Windows\\SysWOW64\\dllhоst.exe" C:\Windows\SysWOW64\reg.exe N/A

Legitimate hosting services abused for malware hosting/C2

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\dllhоst.exe C:\Users\Admin\AppData\Local\Temp\TeamViewer_Setup.exe N/A
File created C:\Windows\SysWOW64\сsrss.exe C:\Windows\SysWOW64\dllhоst.exe N/A

Enumerates physical storage devices

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\dllhоst.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\TeamViewer_Setup.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\dllhоst.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\TeamViewer_Setup.exe

"C:\Users\Admin\AppData\Local\Temp\TeamViewer_Setup.exe"

C:\Windows\SysWOW64\dllhоst.exe

"C:\Windows\System32\dllhоst.exe"

C:\Windows\SysWOW64\reg.exe

reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v ChromeUpdate /t REG_SZ /d C:\Windows\SysWOW64\dllhоst.exe /f

C:\Windows\SysWOW64\сsrss.exe

"C:\Windows\SysWOW64\сsrss.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 254.3.248.8.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 7.tcp.eu.ngrok.io udp
DE 3.68.56.232:13001 7.tcp.eu.ngrok.io tcp
US 8.8.8.8:53 232.56.68.3.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 126.178.238.8.in-addr.arpa udp
DE 3.125.188.168:13001 7.tcp.eu.ngrok.io tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 168.188.125.3.in-addr.arpa udp
US 8.8.8.8:53 1.77.109.52.in-addr.arpa udp
US 8.8.8.8:53 216.74.101.95.in-addr.arpa udp
US 8.8.8.8:53 137.71.105.51.in-addr.arpa udp

Files

memory/2868-133-0x0000000000940000-0x0000000000972000-memory.dmp

memory/2868-134-0x0000000074B80000-0x0000000075330000-memory.dmp

C:\Windows\SysWOW64\dllhоst.exe

MD5 2bdc96dbce5e135529f676c6b88764c7
SHA1 580f2ab7c6f326c623bbd7ae4868f42daa0571e4
SHA256 a0ad6a336ea6eb88b3ee5c053ad14c6407de5baa3220bc66059d093e0d9d9ceb
SHA512 5682b35829f564ee41f8474288fd55e892373686c17084b10ee739e2dd0fa4d63a147a795f7f27ae32da599686d9458091b8a716272d5ad8d7fbe56b7c0cb453

memory/2016-149-0x0000000000630000-0x0000000000658000-memory.dmp

memory/2016-148-0x0000000074B80000-0x0000000075330000-memory.dmp

memory/2868-147-0x0000000074B80000-0x0000000075330000-memory.dmp

memory/2016-150-0x0000000004F20000-0x0000000004FBC000-memory.dmp

memory/2016-151-0x0000000005570000-0x0000000005B14000-memory.dmp

memory/2016-152-0x0000000004FC0000-0x0000000005052000-memory.dmp

memory/2016-153-0x0000000005230000-0x0000000005240000-memory.dmp

memory/2016-154-0x0000000004F10000-0x0000000004F1A000-memory.dmp

memory/2016-155-0x00000000051B0000-0x0000000005206000-memory.dmp

C:\Windows\SysWOW64\сsrss.exe

MD5 baf28af74bec2fee218fc030c48ff403
SHA1 904379111848e20d2910e7122ea0713dc7dd76f4
SHA256 60ee28f72aad91470ce00cb75c029b0b2fbf440d734bdec00bd5bf8a6adfca5c
SHA512 6fcc43d6898a7e60a8c9ebdac31a4fc074ad0c20cbe4297b8d632ab653a01450a6b57cd43ae5126ff542517f1b6d43c56d62d23c863aa2e70650a9d265e6d081

memory/1320-167-0x0000000000110000-0x0000000000132000-memory.dmp

memory/1320-168-0x0000000074B80000-0x0000000075330000-memory.dmp

memory/1320-169-0x0000000004C40000-0x0000000004C50000-memory.dmp

memory/1320-170-0x0000000008FE0000-0x0000000009046000-memory.dmp

memory/2016-171-0x0000000074B80000-0x0000000075330000-memory.dmp

memory/2016-172-0x0000000005230000-0x0000000005240000-memory.dmp

memory/1320-173-0x0000000074B80000-0x0000000075330000-memory.dmp

memory/1320-174-0x0000000004C40000-0x0000000004C50000-memory.dmp