2ff2ba5b37acf3f129832c9f1ceacc6c6148ed71726bc4e262d829ee80430192

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10/03/2024, 20:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2ff2ba5b37acf3f129832c9f1ceacc6c6148ed71726bc4e262d829ee80430192.exe
Size

37.2MB
MD5

433c402f3e69138156c2414e5bce8e7e
SHA1

2ebed0a3c1ca7e3b2afa8d4237c9fbdab7932317
SHA256

2ff2ba5b37acf3f129832c9f1ceacc6c6148ed71726bc4e262d829ee80430192
SHA512

0d7fd487d2ad6ce6276116ebba0aff2c8d0d5e48508bfe498b0ca05bf75db055e71365b044538eac986a7135c141a16928b16bf17348b4bfc05435d4df4afcd0
SSDEEP

393216:/h2pRAr7xamF+OBSUephoHbgdNUvjlXNh4uXzv0mCL/HLCNhlvvy3FLs4XisisYq:kK7Ygsh2bVvjb7vq+NC3FLDiixD

Score

4^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3800	TeamViewer_.exe

Loads dropped DLL 23 IoCs

pid	Process
1720	2ff2ba5b37acf3f129832c9f1ceacc6c6148ed71726bc4e262d829ee80430192.exe
3800	TeamViewer_.exe
3800	TeamViewer_.exe
3800	TeamViewer_.exe
3800	TeamViewer_.exe
3800	TeamViewer_.exe
3800	TeamViewer_.exe
3800	TeamViewer_.exe
3800	TeamViewer_.exe
3800	TeamViewer_.exe
3800	TeamViewer_.exe
3800	TeamViewer_.exe
3800	TeamViewer_.exe
3800	TeamViewer_.exe
3800	TeamViewer_.exe
3800	TeamViewer_.exe
3800	TeamViewer_.exe
3800	TeamViewer_.exe
3800	TeamViewer_.exe
3800	TeamViewer_.exe
3800	TeamViewer_.exe
3800	TeamViewer_.exe
3800	TeamViewer_.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1720 wrote to memory of 3800	1720	2ff2ba5b37acf3f129832c9f1ceacc6c6148ed71726bc4e262d829ee80430192.exe	92
PID 1720 wrote to memory of 3800	1720	2ff2ba5b37acf3f129832c9f1ceacc6c6148ed71726bc4e262d829ee80430192.exe	92
PID 1720 wrote to memory of 3800	1720	2ff2ba5b37acf3f129832c9f1ceacc6c6148ed71726bc4e262d829ee80430192.exe	92

C:\Users\Admin\AppData\Local\Temp\2ff2ba5b37acf3f129832c9f1ceacc6c6148ed71726bc4e262d829ee80430192.exe
"C:\Users\Admin\AppData\Local\Temp\2ff2ba5b37acf3f129832c9f1ceacc6c6148ed71726bc4e262d829ee80430192.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1720
- C:\Users\Admin\AppData\Local\Temp\TeamViewer\TeamViewer_.exe
  "C:\Users\Admin\AppData\Local\Temp\TeamViewer\TeamViewer_.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:3800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TeamViewer\TeamViewer_.exe

Filesize
4.2MB

MD5
6c071821447d198efc42db922f0608ac

SHA1
f2c8ba56cf21a7dd94064df4faaf7aa589ec1f1b

SHA256
ea8aec91bf4ed0fb028767a00704561f8953985c357e832fdf83c94d11f8c67b

SHA512
a429c03a80a9e6a3574f0d074834c4635eb8260ccfeb611c9d8d9a4cbbfdd77dbcc756ff42c8b91e5ee90d1006d2061ac04ff45e3837ecc17ccabd8fa021edfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\TeamViewer\TeamViewer_.exe

Filesize
5.4MB

MD5
affbabf56d040ed9729a5d76a10d569d

SHA1
297e1f36d566d3800839959efd5bed630c95f15b

SHA256
ccd3f89a0620764a2c8caa1b56e07d488cc73d7473a70ac8314d037cca815692

SHA512
e45333041a525ee778d1ce9afd232a052cfd88b6254f44254e07df67c4084d78aa2452df4545bc86ddbbd446a46b17505e83b79a573f45fe2b3dc1b6ac457067

Download Submit
C:\Users\Admin\AppData\Local\Temp\TeamViewer\tvinfo.ini

Filesize
94B

MD5
873736e6563df85079ed1b7377b7d73a

SHA1
e16ce2efe3f0ad453171953ffbe73923b431dc92

SHA256
9e80ddeebaa4d040b91d6a2799852bdd0efb8310e1f2170f0797a873f506c4ed

SHA512
147a213283919f1c48c6be564b583fad976eef72adf2cffebfb5d147f5909bfee6a7836701b5e83351b618ca0c26312dcfe46309f428baf7a7495410d085bca2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso4315.tmp\TvGetVersion.dll

Filesize
203KB

MD5
465ad8b483c5e8bbfee17aa15ea3b488

SHA1
ad984431df286cd6c10796b49c248e6afb4d55bf

SHA256
943149b2cf028bbe593375e255ed834c129f97ed2dab9c3779d871446dc177df

SHA512
8c137cff4aeeee2556233a07d7df9c183c38a36c40d904a89f22d73cc13b3941d71708da89dfe908f335f6c39e4c70b376dd437924e15ac697876f612bdf01d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu4558.tmp\InstallOptions.dll

Filesize
15KB

MD5
033ee34c40e8fa85bf2739bcb2f3e186

SHA1
2ca942f35f77f37df3fc6097acac34f2e77341b7

SHA256
c91c1796338a265b49039c0b2c7a312d764b99e5174fb2dae455ca54f8f41ec7

SHA512
2204e0b8721b8d85c51bd068b1695b16ee096bfc1d1cd5843f48fd04032aeee2b6a91ce82978a4b3414f3d966ec5b36fb337a4149dae3a1d0445935d964d247f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu4558.tmp\System.dll

Filesize
11KB

MD5
0ff2d70cfdc8095ea99ca2dabbec3cd7

SHA1
10c51496d37cecd0e8a503a5a9bb2329d9b38116

SHA256
982c5fb7ada7d8c9bc3e419d1c35da6f05bc5dd845940c179af3a33d00a36a8b

SHA512
cb5fc0b3194f469b833c2c9abf493fcec5251e8609881b7f5e095b9bd09ed468168e95dda0ba415a7d8d6b7f0dee735467c0ed8e52b223eb5359986891ba6e2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu4558.tmp\TvGetVersion.dll

Filesize
222KB

MD5
b9e0c430596b2435971079edd15d3f0c

SHA1
fc214c6757e3539729e42f754c6b9768fd44a942

SHA256
c1ec07d1faf59ecdc0c8c1cd258b2feb6d41321471a8c1b10b00100c7106bd7e

SHA512
93dc70fc6fcc4c0f4bc5fc5819446dc465360ef459a0be408bd07a78229f297da12d602b0667145d9716514e8f3da3582b1c4c0e3e9524e39c4a0c8fe7d4e25b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu4558.tmp\UserInfo.dll

Filesize
4KB

MD5
9b0db6a6056e8e51ac35e602aeab769f

SHA1
b541c6d2635141cdc3a74f59d55db8df4a92e7ac

SHA256
925d80c31702a95d58ede91ee97fd842de78ca6dde69156a6c1a755fba93cd5c

SHA512
83fe9d346835940a37e0e0a18d041c9d13fc95a0e9ece3bc18e555cf0e8e7ddf7b42dba422b1e55ace31db3c9fc807e0b44e93b8f07f5acb943eaaf77b4f0ac6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu4558.tmp\linker.dll

Filesize
45KB

MD5
4ac3f0ab2e423515ed9c575333342054

SHA1
a3e4f2b2135157f964d471564044b023a64f2532

SHA256
f223d6c72f86544b358a6301daf60ccdd86198f32e3447a1860acf3f59f2dae9

SHA512
8fbd5b4989be51c27fa15af155d2921bea9aa5d0557a22d4224256e678dfe7dcaa5f80917a748c31dc9c9a91573e4618e2497ccfd47eefd7a0fa08c12366a1e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu4558.tmp\start_unicode.ini

Filesize
2KB

MD5
bddaa786ecd0be186e4648f26c78c1e3

SHA1
a08e22358079799845bd28e6e9d59364eec504af

SHA256
feb09fb9d581bca2713ff3fe098d3396c579d09e4234140ff852bdb482f73d97

SHA512
d66bc2f35846e2485d27bb1a2034a053826097105272b13670cdd0037dc44e6bf3787fcc023a2a2425f81c9330d4b892656c601552403ab5258778c4d824da25

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu4558.tmp\start_unicode.ini

Filesize
2KB

MD5
88daabd46b72ed63d05fe4b0669d6571

SHA1
20a3e6f652d515f1bc13bc8adba5790b0557d7e0

SHA256
2c8cb464a7f59ab93ac37b12aadcd38e7944274e6dcd02ad0d89d2368d220973

SHA512
8cc4df6c266759cc5e4bd3113884538e80220b8a3d64036202bfdc2330ac049ceb0b848d9c952de0936ffd60ea21cb5921c7bb1c07b8b8dbefbf5b6acbcc1176

Download Submit
memory/3800-268-0x0000000006E30000-0x0000000006E3E000-memory.dmp

Filesize
56KB

Download