Malware Analysis Report

2024-10-19 08:13

Sample ID 230719-tw7mfsac8w
Target TeamViewer_Setup.exe
SHA256 7411a95cf987a085c9bb3990cab95b8479e752b1c4370c9c256c07dd64f6b7b9
Tags
rat vanillarat evasion persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7411a95cf987a085c9bb3990cab95b8479e752b1c4370c9c256c07dd64f6b7b9

Threat Level: Known bad

The file TeamViewer_Setup.exe was found to be: Known bad.

Malicious Activity Summary

rat vanillarat evasion persistence trojan

Vanillarat family

VanillaRat

UAC bypass

Vanilla Rat payload

Adds Run key to start application

Drops file in System32 directory

Unsigned PE

Modifies data under HKEY_USERS

Suspicious use of AdjustPrivilegeToken

Modifies registry key

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-07-19 16:25

Signatures

Vanilla Rat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Vanillarat family

vanillarat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-07-19 16:25

Reported

2023-07-19 16:26

Platform

win7-20230712-en

Max time kernel

9s

Max time network

13s

Command Line

"C:\Users\Admin\AppData\Local\Temp\TeamViewer_Setup.exe"

Signatures

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

VanillaRat

rat vanillarat

Vanilla Rat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\EsetNOD32 = "C:\\Windows\\System32\\dllhоst.exe" C:\Windows\SysWOW64\reg.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\dllhоst.exe C:\Users\Admin\AppData\Local\Temp\TeamViewer_Setup.exe N/A
File created C:\Windows\SysWOW64\install.cmd C:\Users\Admin\AppData\Local\Temp\TeamViewer_Setup.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\TeamViewer_Setup.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\shutdown.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\shutdown.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2236 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\TeamViewer_Setup.exe C:\Windows\SysWOW64\cmd.exe
PID 2236 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\TeamViewer_Setup.exe C:\Windows\SysWOW64\cmd.exe
PID 2236 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\TeamViewer_Setup.exe C:\Windows\SysWOW64\cmd.exe
PID 2236 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\TeamViewer_Setup.exe C:\Windows\SysWOW64\cmd.exe
PID 1636 wrote to memory of 2200 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1636 wrote to memory of 2200 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1636 wrote to memory of 2200 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1636 wrote to memory of 2200 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2236 wrote to memory of 1480 N/A C:\Users\Admin\AppData\Local\Temp\TeamViewer_Setup.exe C:\Windows\SysWOW64\cmd.exe
PID 2236 wrote to memory of 1480 N/A C:\Users\Admin\AppData\Local\Temp\TeamViewer_Setup.exe C:\Windows\SysWOW64\cmd.exe
PID 2236 wrote to memory of 1480 N/A C:\Users\Admin\AppData\Local\Temp\TeamViewer_Setup.exe C:\Windows\SysWOW64\cmd.exe
PID 2236 wrote to memory of 1480 N/A C:\Users\Admin\AppData\Local\Temp\TeamViewer_Setup.exe C:\Windows\SysWOW64\cmd.exe
PID 2236 wrote to memory of 1480 N/A C:\Users\Admin\AppData\Local\Temp\TeamViewer_Setup.exe C:\Windows\SysWOW64\cmd.exe
PID 2236 wrote to memory of 1480 N/A C:\Users\Admin\AppData\Local\Temp\TeamViewer_Setup.exe C:\Windows\SysWOW64\cmd.exe
PID 2236 wrote to memory of 1480 N/A C:\Users\Admin\AppData\Local\Temp\TeamViewer_Setup.exe C:\Windows\SysWOW64\cmd.exe
PID 1480 wrote to memory of 1172 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1480 wrote to memory of 1172 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1480 wrote to memory of 1172 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1480 wrote to memory of 1172 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1480 wrote to memory of 2224 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\shutdown.exe
PID 1480 wrote to memory of 2224 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\shutdown.exe
PID 1480 wrote to memory of 2224 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\shutdown.exe
PID 1480 wrote to memory of 2224 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\shutdown.exe

Processes

C:\Users\Admin\AppData\Local\Temp\TeamViewer_Setup.exe

"C:\Users\Admin\AppData\Local\Temp\TeamViewer_Setup.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v EsetNOD32 /t REG_SZ /d C:\Windows\System32\dllhоst.exe /f

C:\Windows\SysWOW64\reg.exe

reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v EsetNOD32 /t REG_SZ /d C:\Windows\System32\dllhоst.exe /f

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Windows\System32\install.cmd

C:\Windows\SysWOW64\reg.exe

reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\shutdown.exe

shutdown -r -t 1

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x0

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x1

Network

N/A

Files

memory/2236-54-0x0000000000C80000-0x0000000000CFE000-memory.dmp

memory/2236-55-0x0000000074C70000-0x000000007535E000-memory.dmp

C:\Windows\SysWOW64\install.cmd

MD5 6bb1de604664795e452c73659ff8ced7
SHA1 93587cb366f8f46ad592f4eb9850837e1cafef73
SHA256 69e87d18a60bc161d236af5471c6598b6897e297d2b26f0b3e9a63bd4475501f
SHA512 e71dda2217b6bf338e8ade43249d7a726ee93d504760c11694232b1d4b15d41557d8f61f451f6c8b67f86b9acc16e214d2dc479fed24c4e67bd1169dff553bcd

memory/2236-65-0x0000000074C70000-0x000000007535E000-memory.dmp

memory/552-66-0x00000000029C0000-0x00000000029C1000-memory.dmp

memory/3056-67-0x0000000002760000-0x0000000002761000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-07-19 16:25

Reported

2023-07-19 16:26

Platform

win10-20230703-en

Max time kernel

7s

Max time network

12s

Command Line

"C:\Users\Admin\AppData\Local\Temp\TeamViewer_Setup.exe"

Signatures

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

VanillaRat

rat vanillarat

Vanilla Rat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\EsetNOD32 = "C:\\Windows\\System32\\dllhоst.exe" C:\Windows\SysWOW64\reg.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\install.cmd C:\Users\Admin\AppData\Local\Temp\TeamViewer_Setup.exe N/A
File created C:\Windows\SysWOW64\dllhоst.exe C:\Users\Admin\AppData\Local\Temp\TeamViewer_Setup.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent C:\Windows\system32\LogonUI.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1" C:\Windows\system32\LogonUI.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\TeamViewer_Setup.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\shutdown.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\shutdown.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\LogonUI.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4968 wrote to memory of 3764 N/A C:\Users\Admin\AppData\Local\Temp\TeamViewer_Setup.exe C:\Windows\SysWOW64\cmd.exe
PID 4968 wrote to memory of 3764 N/A C:\Users\Admin\AppData\Local\Temp\TeamViewer_Setup.exe C:\Windows\SysWOW64\cmd.exe
PID 4968 wrote to memory of 3764 N/A C:\Users\Admin\AppData\Local\Temp\TeamViewer_Setup.exe C:\Windows\SysWOW64\cmd.exe
PID 4968 wrote to memory of 2268 N/A C:\Users\Admin\AppData\Local\Temp\TeamViewer_Setup.exe C:\Windows\SysWOW64\cmd.exe
PID 4968 wrote to memory of 2268 N/A C:\Users\Admin\AppData\Local\Temp\TeamViewer_Setup.exe C:\Windows\SysWOW64\cmd.exe
PID 4968 wrote to memory of 2268 N/A C:\Users\Admin\AppData\Local\Temp\TeamViewer_Setup.exe C:\Windows\SysWOW64\cmd.exe
PID 3764 wrote to memory of 2688 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3764 wrote to memory of 2688 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3764 wrote to memory of 2688 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2268 wrote to memory of 4960 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2268 wrote to memory of 4960 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2268 wrote to memory of 4960 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2268 wrote to memory of 1056 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\shutdown.exe
PID 2268 wrote to memory of 1056 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\shutdown.exe
PID 2268 wrote to memory of 1056 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\shutdown.exe

Processes

C:\Users\Admin\AppData\Local\Temp\TeamViewer_Setup.exe

"C:\Users\Admin\AppData\Local\Temp\TeamViewer_Setup.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v EsetNOD32 /t REG_SZ /d C:\Windows\System32\dllhоst.exe /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Windows\System32\install.cmd

C:\Windows\SysWOW64\reg.exe

reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v EsetNOD32 /t REG_SZ /d C:\Windows\System32\dllhоst.exe /f

C:\Windows\SysWOW64\reg.exe

reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\shutdown.exe

shutdown -r -t 1

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x0 /state0:0xa3ae5855 /state1:0x41c64e6d

Network

Country Destination Domain Proto
US 8.8.8.8:53 63.141.182.52.in-addr.arpa udp

Files

memory/4968-117-0x00000000002E0000-0x000000000035E000-memory.dmp

memory/4968-118-0x0000000073D20000-0x000000007440E000-memory.dmp

memory/4968-119-0x0000000004C80000-0x0000000004D1C000-memory.dmp

memory/4968-124-0x0000000073D20000-0x000000007440E000-memory.dmp

C:\Windows\SysWOW64\install.cmd

MD5 6bb1de604664795e452c73659ff8ced7
SHA1 93587cb366f8f46ad592f4eb9850837e1cafef73
SHA256 69e87d18a60bc161d236af5471c6598b6897e297d2b26f0b3e9a63bd4475501f
SHA512 e71dda2217b6bf338e8ade43249d7a726ee93d504760c11694232b1d4b15d41557d8f61f451f6c8b67f86b9acc16e214d2dc479fed24c4e67bd1169dff553bcd

Analysis: behavioral3

Detonation Overview

Submitted

2023-07-19 16:25

Reported

2023-07-19 16:26

Platform

win10v2004-20230703-en

Max time kernel

15s

Max time network

24s

Command Line

"C:\Users\Admin\AppData\Local\Temp\TeamViewer_Setup.exe"

Signatures

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

VanillaRat

rat vanillarat

Vanilla Rat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\EsetNOD32 = "C:\\Windows\\System32\\dllhоst.exe" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\reg.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\dllhоst.exe C:\Users\Admin\AppData\Local\Temp\TeamViewer_Setup.exe N/A
File created C:\Windows\SysWOW64\install.cmd C:\Users\Admin\AppData\Local\Temp\TeamViewer_Setup.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "243" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" C:\Windows\system32\LogonUI.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM C:\Windows\system32\LogonUI.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\TeamViewer_Setup.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\shutdown.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\shutdown.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\LogonUI.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4584 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\TeamViewer_Setup.exe C:\Windows\SysWOW64\cmd.exe
PID 4584 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\TeamViewer_Setup.exe C:\Windows\SysWOW64\cmd.exe
PID 4584 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\TeamViewer_Setup.exe C:\Windows\SysWOW64\cmd.exe
PID 4584 wrote to memory of 312 N/A C:\Users\Admin\AppData\Local\Temp\TeamViewer_Setup.exe C:\Windows\SysWOW64\cmd.exe
PID 4584 wrote to memory of 312 N/A C:\Users\Admin\AppData\Local\Temp\TeamViewer_Setup.exe C:\Windows\SysWOW64\cmd.exe
PID 4584 wrote to memory of 312 N/A C:\Users\Admin\AppData\Local\Temp\TeamViewer_Setup.exe C:\Windows\SysWOW64\cmd.exe
PID 2380 wrote to memory of 2924 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2380 wrote to memory of 2924 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2380 wrote to memory of 2924 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 312 wrote to memory of 1816 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 312 wrote to memory of 1816 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 312 wrote to memory of 1816 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 312 wrote to memory of 1004 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\shutdown.exe
PID 312 wrote to memory of 1004 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\shutdown.exe
PID 312 wrote to memory of 1004 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\shutdown.exe

Processes

C:\Users\Admin\AppData\Local\Temp\TeamViewer_Setup.exe

"C:\Users\Admin\AppData\Local\Temp\TeamViewer_Setup.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v EsetNOD32 /t REG_SZ /d C:\Windows\System32\dllhоst.exe /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Windows\System32\install.cmd

C:\Windows\SysWOW64\reg.exe

reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v EsetNOD32 /t REG_SZ /d C:\Windows\System32\dllhоst.exe /f

C:\Windows\SysWOW64\reg.exe

reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\shutdown.exe

shutdown -r -t 1

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x4 /state0:0xa3993855 /state1:0x41c64e6d

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 254.7.248.8.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp

Files

memory/4584-133-0x00000000005F0000-0x000000000066E000-memory.dmp

memory/4584-134-0x0000000074B00000-0x00000000752B0000-memory.dmp

memory/4584-135-0x0000000004FC0000-0x000000000505C000-memory.dmp

C:\Windows\SysWOW64\install.cmd

MD5 6bb1de604664795e452c73659ff8ced7
SHA1 93587cb366f8f46ad592f4eb9850837e1cafef73
SHA256 69e87d18a60bc161d236af5471c6598b6897e297d2b26f0b3e9a63bd4475501f
SHA512 e71dda2217b6bf338e8ade43249d7a726ee93d504760c11694232b1d4b15d41557d8f61f451f6c8b67f86b9acc16e214d2dc479fed24c4e67bd1169dff553bcd

memory/4584-141-0x0000000074B00000-0x00000000752B0000-memory.dmp