Malware Analysis Report

2024-10-23 20:55

Sample ID 230718-mbc4sahe42
Target TeamViewer_Setup.exe
SHA256 4c477e0e78863415e64ce9656ef2d1db0e45e60d02ccd21ad52ae51f637815f1
Tags rat vanillarat evasion persistence trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 4c477e0e78863415e64ce9656ef2d1db0e45e60d02ccd21ad52ae51f637815f1

Threat Level: Known bad

The file TeamViewer_Setup.exe was found to be: Known bad.

Malicious Activity Summary

rat vanillarat evasion persistence trojan

VanillaRat

UAC bypass

Vanilla Rat payload

Vanillarat family

Adds Run key to start application

Drops file in System32 directory

Unsigned PE

Modifies registry key

Suspicious use of SetWindowsHookEx

Modifies data under HKEY_USERS

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-07-18 10:17

Signatures

Vanilla Rat payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Vanillarat family

vanillarat

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-07-18 10:17

Reported

2023-07-18 10:17

Platform

win7-20230712-en

Max time kernel

7s

Max time network

12s

Command Line

"C:\Users\Admin\AppData\Local\Temp\TeamViewer_Setup.exe"

Signatures

UAC bypass

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A

VanillaRat

rat vanillarat

Vanilla Rat payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\EsetNOD32 = "C:\\Windows\\System32\\dllhоst.exe" | C:\Windows\SysWOW64\reg.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\dllhоst.exe | C:\Users\Admin\AppData\Local\Temp\TeamViewer_Setup.exe | N/A
File created | C:\Windows\SysWOW64\install.cmd | C:\Users\Admin\AppData\Local\Temp\TeamViewer_Setup.exe | N/A

Modifies registry key

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\TeamViewer_Setup.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\shutdown.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\shutdown.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2892 wrote to memory of 2844 | N/A | C:\Users\Admin\AppData\Local\Temp\TeamViewer_Setup.exe | C:\Windows\SysWOW64\cmd.exe
PID 2892 wrote to memory of 2844 | N/A | C:\Users\Admin\AppData\Local\Temp\TeamViewer_Setup.exe | C:\Windows\SysWOW64\cmd.exe
PID 2892 wrote to memory of 2844 | N/A | C:\Users\Admin\AppData\Local\Temp\TeamViewer_Setup.exe | C:\Windows\SysWOW64\cmd.exe
PID 2892 wrote to memory of 2844 | N/A | C:\Users\Admin\AppData\Local\Temp\TeamViewer_Setup.exe | C:\Windows\SysWOW64\cmd.exe
PID 2892 wrote to memory of 2104 | N/A | C:\Users\Admin\AppData\Local\Temp\TeamViewer_Setup.exe | C:\Windows\SysWOW64\cmd.exe
PID 2892 wrote to memory of 2104 | N/A | C:\Users\Admin\AppData\Local\Temp\TeamViewer_Setup.exe | C:\Windows\SysWOW64\cmd.exe
PID 2892 wrote to memory of 2104 | N/A | C:\Users\Admin\AppData\Local\Temp\TeamViewer_Setup.exe | C:\Windows\SysWOW64\cmd.exe
PID 2892 wrote to memory of 2104 | N/A | C:\Users\Admin\AppData\Local\Temp\TeamViewer_Setup.exe | C:\Windows\SysWOW64\cmd.exe
PID 2892 wrote to memory of 2104 | N/A | C:\Users\Admin\AppData\Local\Temp\TeamViewer_Setup.exe | C:\Windows\SysWOW64\cmd.exe
PID 2892 wrote to memory of 2104 | N/A | C:\Users\Admin\AppData\Local\Temp\TeamViewer_Setup.exe | C:\Windows\SysWOW64\cmd.exe
PID 2892 wrote to memory of 2104 | N/A | C:\Users\Admin\AppData\Local\Temp\TeamViewer_Setup.exe | C:\Windows\SysWOW64\cmd.exe
PID 2844 wrote to memory of 2860 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2844 wrote to memory of 2860 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2844 wrote to memory of 2860 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2844 wrote to memory of 2860 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2104 wrote to memory of 2108 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2104 wrote to memory of 2108 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2104 wrote to memory of 2108 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2104 wrote to memory of 2108 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2104 wrote to memory of 2392 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\shutdown.exe
PID 2104 wrote to memory of 2392 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\shutdown.exe
PID 2104 wrote to memory of 2392 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\shutdown.exe
PID 2104 wrote to memory of 2392 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\shutdown.exe

Processes

C:\Users\Admin\AppData\Local\Temp\TeamViewer_Setup.exe

"C:\Users\Admin\AppData\Local\Temp\TeamViewer_Setup.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v EsetNOD32 /t REG_SZ /d C:\Windows\System32\dllhоst.exe /f

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Windows\System32\install.cmd

C:\Windows\SysWOW64\reg.exe

reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v EsetNOD32 /t REG_SZ /d C:\Windows\System32\dllhоst.exe /f

C:\Windows\SysWOW64\reg.exe

reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\shutdown.exe

shutdown -r -t 1

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x0

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x1

Network

N/A

Files

memory/2892-54-0x0000000000D00000-0x0000000000D7E000-memory.dmp

memory/2892-55-0x0000000074AB0000-0x000000007519E000-memory.dmp

C:\Windows\SysWOW64\install.cmd

MD5 6bb1de604664795e452c73659ff8ced7
SHA1 93587cb366f8f46ad592f4eb9850837e1cafef73
SHA256 69e87d18a60bc161d236af5471c6598b6897e297d2b26f0b3e9a63bd4475501f
SHA512 e71dda2217b6bf338e8ade43249d7a726ee93d504760c11694232b1d4b15d41557d8f61f451f6c8b67f86b9acc16e214d2dc479fed24c4e67bd1169dff553bcd

memory/2892-65-0x0000000074AB0000-0x000000007519E000-memory.dmp

memory/2876-66-0x00000000029C0000-0x00000000029C1000-memory.dmp

memory/1900-67-0x00000000026E0000-0x00000000026E1000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-07-18 10:17

Reported

2023-07-18 10:17

Platform

win10v2004-20230703-en

Max time kernel

20s

Max time network

26s

Command Line

"C:\Users\Admin\AppData\Local\Temp\TeamViewer_Setup.exe"

Signatures

UAC bypass

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A

VanillaRat

rat vanillarat

Vanilla Rat payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\EsetNOD32 = "C:\\Windows\\System32\\dllhоst.exe" | C:\Windows\SysWOW64\reg.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\install.cmd | C:\Users\Admin\AppData\Local\Temp\TeamViewer_Setup.exe | N/A
File created | C:\Windows\SysWOW64\dllhоst.exe | C:\Users\Admin\AppData\Local\Temp\TeamViewer_Setup.exe | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "243" | C:\Windows\system32\LogonUI.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | C:\Windows\system32\LogonUI.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | C:\Windows\system32\LogonUI.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | C:\Windows\system32\LogonUI.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A

Modifies registry key

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\TeamViewer_Setup.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\shutdown.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\shutdown.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\LogonUI.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 944 wrote to memory of 2112 | N/A | C:\Users\Admin\AppData\Local\Temp\TeamViewer_Setup.exe | C:\Windows\SysWOW64\cmd.exe
PID 944 wrote to memory of 2112 | N/A | C:\Users\Admin\AppData\Local\Temp\TeamViewer_Setup.exe | C:\Windows\SysWOW64\cmd.exe
PID 944 wrote to memory of 2112 | N/A | C:\Users\Admin\AppData\Local\Temp\TeamViewer_Setup.exe | C:\Windows\SysWOW64\cmd.exe
PID 944 wrote to memory of 1496 | N/A | C:\Users\Admin\AppData\Local\Temp\TeamViewer_Setup.exe | C:\Windows\SysWOW64\cmd.exe
PID 944 wrote to memory of 1496 | N/A | C:\Users\Admin\AppData\Local\Temp\TeamViewer_Setup.exe | C:\Windows\SysWOW64\cmd.exe
PID 944 wrote to memory of 1496 | N/A | C:\Users\Admin\AppData\Local\Temp\TeamViewer_Setup.exe | C:\Windows\SysWOW64\cmd.exe
PID 2112 wrote to memory of 1928 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2112 wrote to memory of 1928 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 2112 wrote to memory of 1928 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 1496 wrote to memory of 4320 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 1496 wrote to memory of 4320 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 1496 wrote to memory of 4320 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 1496 wrote to memory of 952 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\shutdown.exe
PID 1496 wrote to memory of 952 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\shutdown.exe
PID 1496 wrote to memory of 952 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\shutdown.exe

Processes

C:\Users\Admin\AppData\Local\Temp\TeamViewer_Setup.exe

"C:\Users\Admin\AppData\Local\Temp\TeamViewer_Setup.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v EsetNOD32 /t REG_SZ /d C:\Windows\System32\dllhоst.exe /f

C:\Windows\SysWOW64\reg.exe

reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v EsetNOD32 /t REG_SZ /d C:\Windows\System32\dllhоst.exe /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Windows\System32\install.cmd

C:\Windows\SysWOW64\reg.exe

reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\shutdown.exe

shutdown -r -t 1

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x4 /state0:0xa398a055 /state1:0x41c64e6d

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 122.10.44.20.in-addr.arpa | udp

Files

memory/944-134-0x0000000074DC0000-0x0000000075570000-memory.dmp

memory/944-133-0x0000000000130000-0x00000000001AE000-memory.dmp

memory/944-135-0x0000000004BA0000-0x0000000004C3C000-memory.dmp

memory/944-140-0x0000000074DC0000-0x0000000075570000-memory.dmp

C:\Windows\SysWOW64\install.cmd

MD5 6bb1de604664795e452c73659ff8ced7
SHA1 93587cb366f8f46ad592f4eb9850837e1cafef73
SHA256 69e87d18a60bc161d236af5471c6598b6897e297d2b26f0b3e9a63bd4475501f
SHA512 e71dda2217b6bf338e8ade43249d7a726ee93d504760c11694232b1d4b15d41557d8f61f451f6c8b67f86b9acc16e214d2dc479fed24c4e67bd1169dff553bcd