2ff2ba5b37acf3f129832c9f1ceacc6c6148ed71726bc4e262d829ee80430192

Analysis

max time kernel
117s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
10-03-2024 20:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2ff2ba5b37acf3f129832c9f1ceacc6c6148ed71726bc4e262d829ee80430192.exe
Size

37.2MB
MD5

433c402f3e69138156c2414e5bce8e7e
SHA1

2ebed0a3c1ca7e3b2afa8d4237c9fbdab7932317
SHA256

2ff2ba5b37acf3f129832c9f1ceacc6c6148ed71726bc4e262d829ee80430192
SHA512

0d7fd487d2ad6ce6276116ebba0aff2c8d0d5e48508bfe498b0ca05bf75db055e71365b044538eac986a7135c141a16928b16bf17348b4bfc05435d4df4afcd0
SSDEEP

393216:/h2pRAr7xamF+OBSUephoHbgdNUvjlXNh4uXzv0mCL/HLCNhlvvy3FLs4XisisYq:kK7Ygsh2bVvjb7vq+NC3FLDiixD

Score

4^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2324	TeamViewer_.exe

Loads dropped DLL 16 IoCs

pid	Process
2340	2ff2ba5b37acf3f129832c9f1ceacc6c6148ed71726bc4e262d829ee80430192.exe
2340	2ff2ba5b37acf3f129832c9f1ceacc6c6148ed71726bc4e262d829ee80430192.exe
2324	TeamViewer_.exe
2324	TeamViewer_.exe
2324	TeamViewer_.exe
2324	TeamViewer_.exe
2324	TeamViewer_.exe
2324	TeamViewer_.exe
2324	TeamViewer_.exe
2324	TeamViewer_.exe
2324	TeamViewer_.exe
2324	TeamViewer_.exe
2324	TeamViewer_.exe
2324	TeamViewer_.exe
2324	TeamViewer_.exe
2324	TeamViewer_.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2324	TeamViewer_.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2340 wrote to memory of 2324	2340	2ff2ba5b37acf3f129832c9f1ceacc6c6148ed71726bc4e262d829ee80430192.exe	28
PID 2340 wrote to memory of 2324	2340	2ff2ba5b37acf3f129832c9f1ceacc6c6148ed71726bc4e262d829ee80430192.exe	28
PID 2340 wrote to memory of 2324	2340	2ff2ba5b37acf3f129832c9f1ceacc6c6148ed71726bc4e262d829ee80430192.exe	28
PID 2340 wrote to memory of 2324	2340	2ff2ba5b37acf3f129832c9f1ceacc6c6148ed71726bc4e262d829ee80430192.exe	28
PID 2340 wrote to memory of 2324	2340	2ff2ba5b37acf3f129832c9f1ceacc6c6148ed71726bc4e262d829ee80430192.exe	28
PID 2340 wrote to memory of 2324	2340	2ff2ba5b37acf3f129832c9f1ceacc6c6148ed71726bc4e262d829ee80430192.exe	28
PID 2340 wrote to memory of 2324	2340	2ff2ba5b37acf3f129832c9f1ceacc6c6148ed71726bc4e262d829ee80430192.exe	28

C:\Users\Admin\AppData\Local\Temp\2ff2ba5b37acf3f129832c9f1ceacc6c6148ed71726bc4e262d829ee80430192.exe
"C:\Users\Admin\AppData\Local\Temp\2ff2ba5b37acf3f129832c9f1ceacc6c6148ed71726bc4e262d829ee80430192.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2340
- C:\Users\Admin\AppData\Local\Temp\TeamViewer\TeamViewer_.exe
  "C:\Users\Admin\AppData\Local\Temp\TeamViewer\TeamViewer_.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TeamViewer\TeamViewer_.exe

Filesize
4.2MB

MD5
a12ac68e0a3568ce1b5cabd378a12ad5

SHA1
641c0fa55901db477df1bc1786367061683ec5db

SHA256
85234090c7e4a462b75b2b857dc0f0b06177e1a077ce4bc1ba9eed300402a5ba

SHA512
4663c3f90f89f2f285bdec812cb65a37ea3823012c5b28bd3544142e32ca99fe42ed22a96ee9a18fee721c25b738497fd13770ab57212746c8006e2715b92cc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\TeamViewer\TeamViewer_.exe

Filesize
4.6MB

MD5
7053ef96b89c6fee222e0f5680c2896b

SHA1
62645264359579d00d2bed1a01384c1dd7cfe876

SHA256
c2c645b61e72a3a0a1d0f2af40a09c3ccecaa7b676e69df838050170f97f5362

SHA512
5e55740405fbd8527a7fa17db0beddb08fb582166bbc97bfe9677659614e3a4fc020d75f15ee8b9ee8c05a6ec40fab349a62e2370c81437df737e16c91798632

Download Submit
C:\Users\Admin\AppData\Local\Temp\TeamViewer\tvinfo.ini

Filesize
94B

MD5
873736e6563df85079ed1b7377b7d73a

SHA1
e16ce2efe3f0ad453171953ffbe73923b431dc92

SHA256
9e80ddeebaa4d040b91d6a2799852bdd0efb8310e1f2170f0797a873f506c4ed

SHA512
147a213283919f1c48c6be564b583fad976eef72adf2cffebfb5d147f5909bfee6a7836701b5e83351b618ca0c26312dcfe46309f428baf7a7495410d085bca2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd2B37.tmp\TvGetVersion.dll

Filesize
222KB

MD5
b9e0c430596b2435971079edd15d3f0c

SHA1
fc214c6757e3539729e42f754c6b9768fd44a942

SHA256
c1ec07d1faf59ecdc0c8c1cd258b2feb6d41321471a8c1b10b00100c7106bd7e

SHA512
93dc70fc6fcc4c0f4bc5fc5819446dc465360ef459a0be408bd07a78229f297da12d602b0667145d9716514e8f3da3582b1c4c0e3e9524e39c4a0c8fe7d4e25b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd2B37.tmp\advanced_unicode.ini

Filesize
1KB

MD5
f68824a4130ebaf6bc7ab0f62256d7d7

SHA1
40af19a0d92b3c9e1a8b1eaab7d12c69e5df436a

SHA256
cd8149a2e89373075ee6db800b7f2496bacbfe21b23e4a06a3453632503b3965

SHA512
6a173aaa183be0e5a516cad484802dae1fc53a414f870f93ea846a9ef9f9df35153766ef632eb5e8ced8f94c2ed09a9decdf3465d46b0dcc44a6918d88e242cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd2B37.tmp\start_unicode.ini

Filesize
2KB

MD5
40148a227f0d7e57dcee0a67527805a9

SHA1
d27cd4e278318bee8cf43ee7f0791d0a6406b721

SHA256
62c574dfcb2f04e86ac4d9432cc08fc925043f4ce1c77f6aa8b22a40a191a20a

SHA512
c0cc5fa79380904736cd44fb4b4e9de92d8b32372d622912d0e41a849f56b1578ca5760013296989a00d3bc3cfc9271d94b9f38f5e54d418900801af4230e725

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd2B37.tmp\start_unicode.ini

Filesize
2KB

MD5
c6c47f9975ca78fdead07b4ca268808f

SHA1
b6c37a88202b80cdb3b3f7aaa8f44d599f813449

SHA256
9d04596428c9db94c5a8d2fbdf4fc6711ca103d3240d56511da10977482774d0

SHA512
aeec4d3d1aee5f05018eef2cfd6ee76d99843906786ad8401850bc67d730b20eada43c995f91dc4b10822ee9c8d018b6dea7f62bc5926072358e1a539d8a0cce

Download Submit
\Users\Admin\AppData\Local\Temp\TeamViewer\TeamViewer_.exe

Filesize
4.2MB

MD5
aab95b306fb640addc2e9f3a5400769d

SHA1
5278db48517df35c4bdb65d71229812ce8ab536e

SHA256
d3345441eacb64dbaaf1782b48fff6b6cb525134ce7a4bffd558ae184b09fbc0

SHA512
65f51549304bbc32e18c5f3fd0516cb4ea145e3361a6078a96bc3e137655eb7d5820b19c533dc7d495bdcbcb597924ea965a4abefc8d891a166cb54cff973216

Download Submit
\Users\Admin\AppData\Local\Temp\nsd2914.tmp\TvGetVersion.dll

Filesize
203KB

MD5
465ad8b483c5e8bbfee17aa15ea3b488

SHA1
ad984431df286cd6c10796b49c248e6afb4d55bf

SHA256
943149b2cf028bbe593375e255ed834c129f97ed2dab9c3779d871446dc177df

SHA512
8c137cff4aeeee2556233a07d7df9c183c38a36c40d904a89f22d73cc13b3941d71708da89dfe908f335f6c39e4c70b376dd437924e15ac697876f612bdf01d6

Download Submit
\Users\Admin\AppData\Local\Temp\nsd2B37.tmp\InstallOptions.dll

Filesize
15KB

MD5
033ee34c40e8fa85bf2739bcb2f3e186

SHA1
2ca942f35f77f37df3fc6097acac34f2e77341b7

SHA256
c91c1796338a265b49039c0b2c7a312d764b99e5174fb2dae455ca54f8f41ec7

SHA512
2204e0b8721b8d85c51bd068b1695b16ee096bfc1d1cd5843f48fd04032aeee2b6a91ce82978a4b3414f3d966ec5b36fb337a4149dae3a1d0445935d964d247f

Download Submit
\Users\Admin\AppData\Local\Temp\nsd2B37.tmp\System.dll

Filesize
11KB

MD5
0ff2d70cfdc8095ea99ca2dabbec3cd7

SHA1
10c51496d37cecd0e8a503a5a9bb2329d9b38116

SHA256
982c5fb7ada7d8c9bc3e419d1c35da6f05bc5dd845940c179af3a33d00a36a8b

SHA512
cb5fc0b3194f469b833c2c9abf493fcec5251e8609881b7f5e095b9bd09ed468168e95dda0ba415a7d8d6b7f0dee735467c0ed8e52b223eb5359986891ba6e2e

Download Submit
\Users\Admin\AppData\Local\Temp\nsd2B37.tmp\UserInfo.dll

Filesize
4KB

MD5
9b0db6a6056e8e51ac35e602aeab769f

SHA1
b541c6d2635141cdc3a74f59d55db8df4a92e7ac

SHA256
925d80c31702a95d58ede91ee97fd842de78ca6dde69156a6c1a755fba93cd5c

SHA512
83fe9d346835940a37e0e0a18d041c9d13fc95a0e9ece3bc18e555cf0e8e7ddf7b42dba422b1e55ace31db3c9fc807e0b44e93b8f07f5acb943eaaf77b4f0ac6

Download Submit
\Users\Admin\AppData\Local\Temp\nsd2B37.tmp\linker.dll

Filesize
45KB

MD5
4ac3f0ab2e423515ed9c575333342054

SHA1
a3e4f2b2135157f964d471564044b023a64f2532

SHA256
f223d6c72f86544b358a6301daf60ccdd86198f32e3447a1860acf3f59f2dae9

SHA512
8fbd5b4989be51c27fa15af155d2921bea9aa5d0557a22d4224256e678dfe7dcaa5f80917a748c31dc9c9a91573e4618e2497ccfd47eefd7a0fa08c12366a1e5

Download Submit
memory/2324-270-0x0000000000600000-0x000000000060E000-memory.dmp

Filesize
56KB

Download