808b319d355192973423e7cc8627da66f4da8cc3425fc6c944cfd33fac14f440

Analysis

max time kernel
129s
max time network
126s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
12/10/2023, 04:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TeamsSetup_c_w_.exe
Size

1.4MB
MD5

1d1958ef6d1ae9a3d1f805ab29b44ae7
SHA1

3ac34d8071efd38a665147cf9ebac513f05c8576
SHA256

808b319d355192973423e7cc8627da66f4da8cc3425fc6c944cfd33fac14f440
SHA512

e8ff4eab25dcbcaa227b84f8e227c9ae5b3115f1d4f979091b5f61ac18cd6f2021ec318d5f382193d3bebe6977c2b23e5c009ba7e0fcf3ad289b61b92ab9bcb6
SSDEEP

24576:P9Yu8GgnSf7uw7w8q4Lgqc25Ztn064avviB1f42xVP3aIAU9W4iza7OHd7Z3mfqm:OGMo7N/8P253nTfvvIfvtqDU9vUa7UdA

Score

4^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1448	Update.exe

Loads dropped DLL 1 IoCs

pid	Process
2460	TeamsSetup_c_w_.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2460	TeamsSetup_c_w_.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1448	Update.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2460 wrote to memory of 1448	2460	TeamsSetup_c_w_.exe	28
PID 2460 wrote to memory of 1448	2460	TeamsSetup_c_w_.exe	28
PID 2460 wrote to memory of 1448	2460	TeamsSetup_c_w_.exe	28
PID 2460 wrote to memory of 1448	2460	TeamsSetup_c_w_.exe	28
PID 2460 wrote to memory of 1448	2460	TeamsSetup_c_w_.exe	28
PID 2460 wrote to memory of 1448	2460	TeamsSetup_c_w_.exe	28
PID 2460 wrote to memory of 1448	2460	TeamsSetup_c_w_.exe	28

C:\Users\Admin\AppData\Local\Temp\TeamsSetup_c_w_.exe
"C:\Users\Admin\AppData\Local\Temp\TeamsSetup_c_w_.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2460
- C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
  "C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe" --install . --exeName=TeamsSetup_c_w_.exe --bootstrapperMode
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1448

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d036c90c280e752348effeb1b5fbc772

SHA1
dc689e68d1a0ac009b1ed3d733e550ed63331595

SHA256
6e75c83826cfde6d643e7b73ea3c39e19a38e56ffad5e037c3c2960d7bf0eec2

SHA512
88d4c0f73b46484d6b971faf19137687d14f89c76379e4ec44f88fe962eea4ca4e93943e13f26512fe0e16de2a1b2805443be5c7da05ce51fb2eac510f11088f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
06aab763f0866c190245133df0ec4a6b

SHA1
6128f8566f275fb8fe4cb1c3d44842392d2de0c6

SHA256
b9ea95169522ee9bd0bc14be5d2274c0f0bf3567faf167472a8cfb6aff6a1ecb

SHA512
3bc78bbfe7f4029007c8ec59b24c91fa4d316777cae70925639cc94505559d837f3a173ec11780096ab9999263d0520f3bcc6723916db456e8002422264ac6c3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d39a4b4cd7b8463f8beb479283a3d379

SHA1
d3e0bdd0ca96a05152b8290c155a91d47b7ba31a

SHA256
f7603d58d9848649b02dedaadc400b5784be22c0f8e070bac8f7118a29311067

SHA512
1bea65270a9d86cd160b90b54e8678edb85983b90f920cc521f978146f405c86ac7b65f923dfeb318fdc13bb26171775e91b8ddfbff4217a0b6a5bdf9d6aa6e9

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe

Filesize
2.5MB

MD5
08a68041ab1f0499cad86b91ded91a99

SHA1
2b177b9ab61874657dab5edc36b52febda8ceab6

SHA256
d90cf72ef827d746dbc0037ff5bc7ecdb44b55c8bc65f4bb28495ca77c09d921

SHA512
f3315324aad32c51c1dc8e5b9ceaf3ddfc8157cafc41d4af12873783e8c3598d65b84cd2149fbf9b494c0047a4ca795f09010067dfe4bc8542ed6d4710f1506c

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe

Filesize
2.5MB

MD5
08a68041ab1f0499cad86b91ded91a99

SHA1
2b177b9ab61874657dab5edc36b52febda8ceab6

SHA256
d90cf72ef827d746dbc0037ff5bc7ecdb44b55c8bc65f4bb28495ca77c09d921

SHA512
f3315324aad32c51c1dc8e5b9ceaf3ddfc8157cafc41d4af12873783e8c3598d65b84cd2149fbf9b494c0047a4ca795f09010067dfe4bc8542ed6d4710f1506c

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\endpoint.json

Filesize
80B

MD5
1afcc3a53b2154f10e73bb2e766f4e05

SHA1
feede5eb677d8659ef7824c3d78e32c1c3cdb9c7

SHA256
00d7742ca8257126b875ed941a04fd500111ec0ad557984d825619f09e93972e

SHA512
846ccad1e382f163af2aacfa7f428bc5c0e794bba734207a0875fdd94c3f383c0f7eb6093eeb289f251b84d35bfd0efb1819b9d61b0d1f34daf5b3911748787c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab5E0A.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar5E4B.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
\Users\Admin\AppData\Local\SquirrelTemp\Update.exe

Filesize
2.5MB

MD5
08a68041ab1f0499cad86b91ded91a99

SHA1
2b177b9ab61874657dab5edc36b52febda8ceab6

SHA256
d90cf72ef827d746dbc0037ff5bc7ecdb44b55c8bc65f4bb28495ca77c09d921

SHA512
f3315324aad32c51c1dc8e5b9ceaf3ddfc8157cafc41d4af12873783e8c3598d65b84cd2149fbf9b494c0047a4ca795f09010067dfe4bc8542ed6d4710f1506c

Download Submit
memory/1448-12-0x0000000000420000-0x000000000042A000-memory.dmp

Filesize
40KB

Download
memory/1448-120-0x0000000074390000-0x0000000074A7E000-memory.dmp

Filesize
6.9MB

Download
memory/1448-121-0x0000000004AC0000-0x0000000004B00000-memory.dmp

Filesize
256KB

Download
memory/1448-11-0x0000000004AC0000-0x0000000004B00000-memory.dmp

Filesize
256KB

Download
memory/1448-10-0x0000000001070000-0x00000000012E6000-memory.dmp

Filesize
2.5MB

Download
memory/1448-9-0x0000000074390000-0x0000000074A7E000-memory.dmp

Filesize
6.9MB

Download
memory/1448-555-0x0000000074390000-0x0000000074A7E000-memory.dmp

Filesize
6.9MB

Download
memory/2460-556-0x0000000000400000-0x0000000000401000-memory.dmp

Filesize
4KB

Download
memory/2460-557-0x0000000000400000-0x0000000000401000-memory.dmp

Filesize
4KB

Download