Analysis

  • max time kernel
    129s
  • max time network
    133s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    22-05-2024 01:40

General

  • Target

    $TEMP/TeamViewer/Version4/TeamViewer_.exe

  • Size

    1.4MB

  • MD5

    fef783b93197986c60cd34c9b385bb91

  • SHA1

    9784dabbbb4b2e0b25a00c2ffbdc6bc348813a25

  • SHA256

    1db4fdc98e47ff1e9c2d242d010760425b9997ab75b6fa32848c388f8d41e29a

  • SHA512

    e048882c97f87a10c302ba74d42d8a9e3830d333b95033fca748c0ad93b5c0def54104b986388301a60f44018bdeb1eae4ff0d8415028e4159401a0168e4a72a

  • SSDEEP

    24576:uaTstd4Y2e+WA6KOGGeRY2lrWE/eNZ+8+THJr+PD7RhgqkvjE1zabQgNMlIOtuoZ:VTWQ3OGGeN/KPdhzabQgNMlDtuF52B

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 9 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\$TEMP\TeamViewer\Version4\TeamViewer_.exe
    "C:\Users\Admin\AppData\Local\Temp\$TEMP\TeamViewer\Version4\TeamViewer_.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2240
    • C:\Users\Admin\temp\TeamViewer\Version4\TeamViewer.exe
      "C:\Users\Admin\temp\TeamViewer\Version4\TeamViewer.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Program Files directory
      • Suspicious behavior: GetForegroundWindowSpam
      PID:2772

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\nst7DD8.tmp\Base64.dll

    Filesize

    456KB

    MD5

    9459a28dbb2752d59eaa8fbb5cf8c982

    SHA1

    4ad7eb230cf6d05df967037225fa19dd385bf7cb

    SHA256

    4688dcd01db816485a770cb8fc047fef9a408f3dbec5a2c83752fee115ce6963

    SHA512

    7dff6414f4215aa4c7a168158b4ac5dd422c7dd35c6af58bce658c6bf9bf5a3545a5ee0db5f5d47a17c7ae53cb54551b98b492137e36c73e684b2041d775cd97

  • C:\Users\Admin\temp\TeamViewer\Version4\SAS.exe

    Filesize

    53KB

    MD5

    bf3bcd752bdabfa1f1e84b7462738103

    SHA1

    34cb8ea7d47467cace271e03b7869f37b0ecb30a

    SHA256

    90fe790e189c384f2ab82958057f91fdf40888c2ed3c0471bd7b85d5b36c7810

    SHA512

    6d5362c4d354319845f4522e0d1132c32a6779efc4c013c8c7bd489fddf39cbb5dfb72b135487b660d156d7774e5be4acc03c3fcecdb6dabcfad12630a3f5955

  • \Users\Admin\AppData\Local\Temp\nst7DD8.tmp\GetVersion.dll

    Filesize

    5KB

    MD5

    c6910d6e78c2e5f9d57d0bc6d8f6b736

    SHA1

    a395099062298b3f3c015359b227ca02a72c6e2c

    SHA256

    b2c32af2b0d75dfd08ae4e1ad7c5897957240b32bf7a16855d6a46512d272b9b

    SHA512

    4cd45b887ce5b7fecfd863cae83817465d7378cc9f5b50f5762d5f209c55a37257d94e91dea4c91c66f2c5bf22cdc1f5545eeef52a090f05cceeedf59bbd2a10

  • \Users\Admin\AppData\Local\Temp\nst7DD8.tmp\System.dll

    Filesize

    10KB

    MD5

    0b96e50e5fd9b241435cfec46600b5a7

    SHA1

    1f79688c6bdd78b4e1812b110fd16d27c59b32d5

    SHA256

    10841d8d0a0fa457a62be63af7e30e72ffaec265470dbe16c0d61cc5b111d1e6

    SHA512

    01a5884ce81a622f81da23c4075aef4cbe68d18471908bb6082ad98bfd002c8a6c2b8069d250df0320cde22ad76eedc14a5d9369b370c2012d58575720da48b7

  • \Users\Admin\temp\TeamViewer\Version4\TV.dll

    Filesize

    64KB

    MD5

    4b030749eef3498b8efbaf2877a59fb5

    SHA1

    70d65a57582fa7145bcf7198e0751e5a3bfffcc5

    SHA256

    ee4f367a4074fa13d15eb17ae9e140d38b249959a29d6e4146c0577df2fed01b

    SHA512

    9a265c06a377bbcaba9b6b0e2752657701fd1fb82613d7ba520e4739108951d0059e1c8d7533a3e94928e5971a9d2fc575d3adc67f4ac768f844c63a5e11e8c7

  • \Users\Admin\temp\TeamViewer\Version4\TeamViewer.exe

    Filesize

    3.4MB

    MD5

    84a8afd4d54164c1e6e9cdf0dcd28eaa

    SHA1

    3943120c742d3adc2060e5d4479ebafd0102cee5

    SHA256

    9ade5287b8a8b0910a01235f8c5be41bf3d19b89e92ca6416bf7827c0dadbd30

    SHA512

    0e0783974c031d5098141a4d5cabf9f74ba60cf73e2e7e8ad8141488700df87538af5a89d6ee30152d04ed04dde0146d290bf87fd4e268f3fa82ee7dfbd035f1

  • memory/2240-0-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/2240-33-0x0000000010000000-0x00000000100A0000-memory.dmp

    Filesize

    640KB

  • memory/2240-50-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB