Analysis
max time kernel: 142s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20231023-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-11-2023 22:51

Static task: static1
1 signature

Behavioral task: behavioral1
Sample: TeamViewerscreen.exe
Resource: win7-20231020-en (windows7-x64)
3 signatures, 150 seconds

Behavioral task: behavioral2
Sample: TeamViewerscreen.exe
Resource: win10v2004-20231023-en (windows10-2004-x64)
3 signatures, 150 seconds
General
Target: TeamViewerscreen.exe
Size: 2.8MB
MD5: 18ff7f8dee99d242971dcad182e64f9e
SHA1: ab3a2dd1a44e8be77652f4e476c2bd1e70c8d7e5
SHA256: 606d6e9e34c9c82b4d2019ae6426316eadf3353f821cb7ec06a6b592f1ab7830
SHA512: e70e036664d1e602084066500999d69d9b9b8361d9b4491ed7ab3aea382e7a1ce1ac96bd9003277a5c38ec322a7df16615d9652cb8917ffd762ae1e5e1a55ff4
SSDEEP: 49152:Sa+ndxQDnQwl921sZl38q1K/8OKZLQ3ygxTBsF0:Sa+kDQwU3KRQZzs
Score: 1/10
Malware Config
Signatures
-
- Kills process with taskkill (1 IoC)
  pid   Process
  4136  taskkill.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description                           pid   Process
  Token: SeIncreaseQuotaPrivilege       3268  WMIC.exe
  Token: SeSecurityPrivilege            3268  WMIC.exe
  Token: SeTakeOwnershipPrivilege       3268  WMIC.exe
  Token: SeLoadDriverPrivilege          3268  WMIC.exe
  Token: SeSystemProfilePrivilege       3268  WMIC.exe
  Token: SeSystemtimePrivilege          3268  WMIC.exe
  Token: SeProfSingleProcessPrivilege   3268  WMIC.exe
  Token: SeIncBasePriorityPrivilege     3268  WMIC.exe
  Token: SeCreatePagefilePrivilege      3268  WMIC.exe
  Token: SeBackupPrivilege              3268  WMIC.exe
  Token: SeRestorePrivilege             3268  WMIC.exe
  Token: SeShutdownPrivilege            3268  WMIC.exe
  Token: SeDebugPrivilege               3268  WMIC.exe
  Token: SeSystemEnvironmentPrivilege   3268  WMIC.exe
  Token: SeRemoteShutdownPrivilege      3268  WMIC.exe
  Token: SeUndockPrivilege              3268  WMIC.exe
  Token: SeManageVolumePrivilege        3268  WMIC.exe
  Token: 33                             3268  WMIC.exe
  Token: 34                             3268  WMIC.exe
  Token: 35                             3268  WMIC.exe
  Token: 36                             3268  WMIC.exe
  Token: SeIncreaseQuotaPrivilege       3268  WMIC.exe
  Token: SeSecurityPrivilege            3268  WMIC.exe
  Token: SeTakeOwnershipPrivilege       3268  WMIC.exe
  Token: SeLoadDriverPrivilege          3268  WMIC.exe
  Token: SeSystemProfilePrivilege       3268  WMIC.exe
  Token: SeSystemtimePrivilege          3268  WMIC.exe
  Token: SeProfSingleProcessPrivilege   3268  WMIC.exe
  Token: SeIncBasePriorityPrivilege     3268  WMIC.exe
  Token: SeCreatePagefilePrivilege      3268  WMIC.exe
  Token: SeBackupPrivilege              3268  WMIC.exe
  Token: SeRestorePrivilege             3268  WMIC.exe
  Token: SeShutdownPrivilege            3268  WMIC.exe
  Token: SeDebugPrivilege               3268  WMIC.exe
  Token: SeSystemEnvironmentPrivilege   3268  WMIC.exe
  Token: SeRemoteShutdownPrivilege      3268  WMIC.exe
  Token: SeUndockPrivilege              3268  WMIC.exe
  Token: SeManageVolumePrivilege        3268  WMIC.exe
  Token: 33                             3268  WMIC.exe
  Token: 34                             3268  WMIC.exe
  Token: 35                             3268  WMIC.exe
  Token: 36                             3268  WMIC.exe
  Token: SeIncreaseQuotaPrivilege       2804  WMIC.exe
  Token: SeSecurityPrivilege            2804  WMIC.exe
  Token: SeTakeOwnershipPrivilege       2804  WMIC.exe
  Token: SeLoadDriverPrivilege          2804  WMIC.exe
  Token: SeSystemProfilePrivilege       2804  WMIC.exe
  Token: SeSystemtimePrivilege          2804  WMIC.exe
  Token: SeProfSingleProcessPrivilege   2804  WMIC.exe
  Token: SeIncBasePriorityPrivilege     2804  WMIC.exe
  Token: SeCreatePagefilePrivilege      2804  WMIC.exe
  Token: SeBackupPrivilege              2804  WMIC.exe
  Token: SeRestorePrivilege             2804  WMIC.exe
  Token: SeShutdownPrivilege            2804  WMIC.exe
  Token: SeDebugPrivilege               2804  WMIC.exe
  Token: SeSystemEnvironmentPrivilege   2804  WMIC.exe
  Token: SeRemoteShutdownPrivilege      2804  WMIC.exe
  Token: SeUndockPrivilege              2804  WMIC.exe
  Token: SeManageVolumePrivilege        2804  WMIC.exe
  Token: 33                             2804  WMIC.exe
  Token: 34                             2804  WMIC.exe
  Token: 35                             2804  WMIC.exe
  Token: 36                             2804  WMIC.exe
  Token: SeDebugPrivilege               4136  taskkill.exe
- Suspicious use of WriteProcessMemory (18 IoCs)
  description                        pid   Process               procid_target
  PID 5084 wrote to memory of 2024   5084  TeamViewerscreen.exe  85
  PID 5084 wrote to memory of 2024   5084  TeamViewerscreen.exe  85
  PID 5084 wrote to memory of 2024   5084  TeamViewerscreen.exe  85
  PID 2024 wrote to memory of 3268   2024  cmd.exe               87
  PID 2024 wrote to memory of 3268   2024  cmd.exe               87
  PID 2024 wrote to memory of 3268   2024  cmd.exe               87
  PID 2024 wrote to memory of 2284   2024  cmd.exe               88
  PID 2024 wrote to memory of 2284   2024  cmd.exe               88
  PID 2024 wrote to memory of 2284   2024  cmd.exe               88
  PID 5084 wrote to memory of 4136   5084  TeamViewerscreen.exe  91
  PID 5084 wrote to memory of 4136   5084  TeamViewerscreen.exe  91
  PID 5084 wrote to memory of 4136   5084  TeamViewerscreen.exe  91
  PID 5084 wrote to memory of 2348   5084  TeamViewerscreen.exe  92
  PID 5084 wrote to memory of 2348   5084  TeamViewerscreen.exe  92
  PID 5084 wrote to memory of 2348   5084  TeamViewerscreen.exe  92
  PID 2348 wrote to memory of 2804   2348  cmd.exe               93
  PID 2348 wrote to memory of 2804   2348  cmd.exe               93
  PID 2348 wrote to memory of 2804   2348  cmd.exe               93
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\TeamViewerscreen.exe
      "C:\Users\Admin\AppData\Local\Temp\TeamViewerscreen.exe"
      PID: 5084
      - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\cmd.exe
        cmd /C "wmic process get executablepath | findstr TeamViewer.exe"
        PID: 2024
        - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\Wbem\WMIC.exe
          wmic process get executablepath
          PID: 3268
          - Suspicious use of AdjustPrivilegeToken
    - [3] C:\Windows\SysWOW64\findstr.exe
          findstr TeamViewer.exe
          PID: 2284
  - [2] C:\Windows\SysWOW64\taskkill.exe
        taskkill.exe /f /im TeamViewer.exe
        PID: 4136
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\SysWOW64\cmd.exe
        cmd /C "wmic process call create \"\""
        PID: 2348
        - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\Wbem\WMIC.exe
          wmic process call create \"\"
          PID: 2804
          - Suspicious use of AdjustPrivilegeToken
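The process tree above reads as one procedure: look up TeamViewer.exe's path through wmic piped to findstr, force-kill the running TeamViewer.exe, then relaunch it with `wmic process call create`. The create call carries an empty argument, which is consistent with the lookup having returned nothing on a sandbox that has no TeamViewer installed; the 1/10 score therefore only covers the branch that actually ran. The script below is an added example, not part of the sandbox report and not its rule engine: the EVENTS list is constructed by hand from the Processes section (pid, parent pid, image, command line), and the rule names and the lookup-then-kill chain check are this example's own. It re-derives the "Kills process with taskkill" finding from the command lines, flags the WMI process creation and its empty argument, and links the findstr lookup to the taskkill of the same image under one root process.

```python
"""Re-derive the report's signatures from its process tree (added example, not the sandbox's code)."""
import re
from collections import defaultdict

# Constructed from the report's process tree: (pid, ppid, image path, command line).
# The sample's own parent is not in the report, so ppid 0 marks the root.
EVENTS = [
    (5084, 0, r"C:\Users\Admin\AppData\Local\Temp\TeamViewerscreen.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\TeamViewerscreen.exe"'),
    (2024, 5084, r"C:\Windows\SysWOW64\cmd.exe",
     'cmd /C "wmic process get executablepath | findstr TeamViewer.exe"'),
    (3268, 2024, r"C:\Windows\SysWOW64\Wbem\WMIC.exe", "wmic process get executablepath"),
    (2284, 2024, r"C:\Windows\SysWOW64\findstr.exe", "findstr TeamViewer.exe"),
    (4136, 5084, r"C:\Windows\SysWOW64\taskkill.exe", "taskkill.exe /f /im TeamViewer.exe"),
    (2348, 5084, r"C:\Windows\SysWOW64\cmd.exe", 'cmd /C "wmic process call create \\"\\""'),
    (2804, 2348, r"C:\Windows\SysWOW64\Wbem\WMIC.exe", 'wmic process call create \\"\\"'),
]


def image_name(path):
    """Basename of a Windows image path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def taskkill_target(cmdline):
    """Image name that `taskkill /f /im <image>` terminates; None unless it is a forced kill by image."""
    lowered = [t.lower() for t in cmdline.split()]
    if "/f" not in lowered[1:]:
        return None
    for i, tok in enumerate(lowered):
        if tok == "/im" and i + 1 < len(lowered):
            return lowered[i + 1]
    return None


_WMIC_CREATE = re.compile(r"^wmic\s+process\s+call\s+create\s*(.*)$", re.IGNORECASE)


def wmic_create_cmd(cmdline):
    """Command handed to `wmic process call create`, shell quoting removed; None if not that call.

    An empty string means the call had nothing to launch, as in this report's WMIC.exe (pid 2804)."""
    m = _WMIC_CREATE.match(cmdline.strip())
    if not m:
        return None
    return m.group(1).replace('\\"', "").replace('"', "").strip()


def root_of(pid, parent, known):
    """Follow ppid links up to the topmost process the event list knows about."""
    while parent.get(pid) in known:
        pid = parent[pid]
    return pid


def analyse(events):
    """Return (rule, pid, detail) tuples; pid is the acting process, or the chain root for the chain rule."""
    known = {pid for pid, _, _, _ in events}
    parent = {pid: ppid for pid, ppid, _, _ in events}
    looked_up = defaultdict(set)  # chain root -> image names searched for with findstr
    killed = defaultdict(set)     # chain root -> image names force-killed with taskkill
    findings = []
    for pid, _, image, cmdline in events:
        name = image_name(image)
        root = root_of(pid, parent, known)
        if name == "taskkill.exe":
            target = taskkill_target(cmdline)
            if target:
                findings.append(("kill_process_with_taskkill", pid, target))
                killed[root].add(target)
        elif name == "wmic.exe":
            create = wmic_create_cmd(cmdline)
            if create is not None:
                findings.append(("wmi_process_create", pid, create))
                if create == "":
                    findings.append(("wmi_process_create_empty_command", pid, create))
        elif name == "findstr.exe":
            toks = cmdline.split()
            if len(toks) >= 2:
                looked_up[root].add(toks[-1].lower())
    # The same root both looked a process up by name and force-killed it: the kill-and-relaunch pattern.
    for root, targets in killed.items():
        for target in sorted(targets & looked_up[root]):
            findings.append(("lookup_then_force_kill", root, target))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in analyse(EVENTS):
        print(f"{rule:34} pid={pid:<5} {detail!r}")
```

Run against the constructed events this yields four findings: the forced kill of teamviewer.exe by pid 4136, the WMI process creation by pid 2804, its empty command, and the lookup-then-kill chain rooted at pid 5084. Feeding it real process-creation telemetry (Sysmon event 1 or a second sandbox run with TeamViewer present) is how you would check whether the relaunch branch ever receives a non-empty command.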