Malware Analysis Report

2024-10-23 20:55

Sample ID: 230718-l423yaac6t
Target: TeamViewer_Setup.exe
SHA256: 4c477e0e78863415e64ce9656ef2d1db0e45e60d02ccd21ad52ae51f637815f1
Tags: rat vanillarat evasion persistence trojan
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: 4c477e0e78863415e64ce9656ef2d1db0e45e60d02ccd21ad52ae51f637815f1

Threat Level: Known bad

The file TeamViewer_Setup.exe was found to be: Known bad.

Malicious Activity Summary

rat vanillarat evasion persistence trojan

Vanilla Rat payload

Vanillarat family

UAC bypass

VanillaRat

Vanilla Rat payload

Adds Run key to start application

Drops file in System32 directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Modifies registry key

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-07-18 10:06

Signatures

Vanilla Rat payload

rat
Description | Indicator | Process | Target
----------- | --------- | ------- | ------
N/A | N/A | N/A | N/A

Vanillarat family

vanillarat

Unsigned PE

Description | Indicator | Process | Target
----------- | --------- | ------- | ------
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-07-18 10:06
Reported: 2023-07-18 10:06
Platform: win10-20230703-en
Max time kernel: 8s
Max time network: 13s

Command Line

"C:\Users\Admin\AppData\Local\Temp\TeamViewer_Setup.exe"

Signatures

UAC bypass

evasion trojan
Description | Indicator | Process | Target
----------- | --------- | ------- | ------
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A

VanillaRat

rat vanillarat

Vanilla Rat payload

rat
Description | Indicator | Process | Target
----------- | --------- | ------- | ------
N/A | N/A | N/A | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
----------- | --------- | ------- | ------
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\EsetNOD32 = "C:\\Windows\\System32\\dllhоst.exe" | C:\Windows\SysWOW64\reg.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
----------- | --------- | ------- | ------
File created | C:\Windows\SysWOW64\dllhоst.exe | C:\Users\Admin\AppData\Local\Temp\TeamViewer_Setup.exe | N/A
File created | C:\Windows\SysWOW64\install.cmd | C:\Users\Admin\AppData\Local\Temp\TeamViewer_Setup.exe | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
----------- | --------- | ------- | ------
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | C:\Windows\system32\LogonUI.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | C:\Windows\system32\LogonUI.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | C:\Windows\system32\LogonUI.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | C:\Windows\system32\LogonUI.exe | N/A

Modifies registry key

Description | Indicator | Process | Target
----------- | --------- | ------- | ------
N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
----------- | --------- | ------- | ------
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\TeamViewer_Setup.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\shutdown.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\shutdown.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
----------- | --------- | ------- | ------
N/A | N/A | C:\Windows\system32\LogonUI.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
----------- | --------- | ------- | ------
PID 1016 wrote to memory of 3764 | N/A | C:\Users\Admin\AppData\Local\Temp\TeamViewer_Setup.exe | C:\Windows\SysWOW64\cmd.exe
PID 1016 wrote to memory of 3764 | N/A | C:\Users\Admin\AppData\Local\Temp\TeamViewer_Setup.exe | C:\Windows\SysWOW64\cmd.exe
PID 1016 wrote to memory of 3764 | N/A | C:\Users\Admin\AppData\Local\Temp\TeamViewer_Setup.exe | C:\Windows\SysWOW64\cmd.exe
PID 1016 wrote to memory of 1440 | N/A | C:\Users\Admin\AppData\Local\Temp\TeamViewer_Setup.exe | C:\Windows\SysWOW64\cmd.exe
PID 1016 wrote to memory of 1440 | N/A | C:\Users\Admin\AppData\Local\Temp\TeamViewer_Setup.exe | C:\Windows\SysWOW64\cmd.exe
PID 1016 wrote to memory of 1440 | N/A | C:\Users\Admin\AppData\Local\Temp\TeamViewer_Setup.exe | C:\Windows\SysWOW64\cmd.exe
PID 3764 wrote to memory of 3100 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 3764 wrote to memory of 3100 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 3764 wrote to memory of 3100 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 1440 wrote to memory of 4552 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 1440 wrote to memory of 4552 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 1440 wrote to memory of 4552 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 1440 wrote to memory of 1912 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\shutdown.exe
PID 1440 wrote to memory of 1912 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\shutdown.exe
PID 1440 wrote to memory of 1912 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\shutdown.exe

Processes

C:\Users\Admin\AppData\Local\Temp\TeamViewer_Setup.exe

"C:\Users\Admin\AppData\Local\Temp\TeamViewer_Setup.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v EsetNOD32 /t REG_SZ /d C:\Windows\System32\dllhоst.exe /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Windows\System32\install.cmd

C:\Windows\SysWOW64\reg.exe

reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v EsetNOD32 /t REG_SZ /d C:\Windows\System32\dllhоst.exe /f

C:\Windows\SysWOW64\reg.exe

reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\shutdown.exe

shutdown -r -t 1

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x0 /state0:0xa3aeb855 /state1:0x41c64e6d

Network

Country | Destination | Domain | Proto
------- | ----------- | ------ | -----
US | 8.8.8.8:53 | 9.173.189.20.in-addr.arpa | udp

Files

memory/1016-120-0x0000000000DC0000-0x0000000000E3E000-memory.dmp

memory/1016-121-0x00000000057F0000-0x000000000588C000-memory.dmp

memory/1016-122-0x0000000073DC0000-0x00000000744AE000-memory.dmp

memory/1016-128-0x0000000073DC0000-0x00000000744AE000-memory.dmp

C:\Windows\SysWOW64\install.cmd

MD5: 6bb1de604664795e452c73659ff8ced7
SHA1: 93587cb366f8f46ad592f4eb9850837e1cafef73
SHA256: 69e87d18a60bc161d236af5471c6598b6897e297d2b26f0b3e9a63bd4475501f
SHA512: e71dda2217b6bf338e8ade43249d7a726ee93d504760c11694232b1d4b15d41557d8f61f451f6c8b67f86b9acc16e214d2dc479fed24c4e67bd1169dff553bcd