netsupport | 0bb16506d1f5c422644435a7dafd379c96f136f4e68703a45266066694ede59e

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	Update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	Teams.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	Teams.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 10 IoCs

pid	Process
3252	client32.exe
3292	MSTeamsSetup_c_l_.exe
4292	Update.exe
1096	Squirrel.exe
4988	Teams.exe
228	Teams.exe
3036	Teams.exe
3992	Teams.exe
6104	Teams.exe
1628	Teams.exe

Loads dropped DLL 34 IoCs

pid	Process
3252	client32.exe
3252	client32.exe
3252	client32.exe
3252	client32.exe
3252	client32.exe
4988	Teams.exe
4988	Teams.exe
4988	Teams.exe
4988	Teams.exe
228	Teams.exe
228	Teams.exe
228	Teams.exe
228	Teams.exe
228	Teams.exe
3036	Teams.exe
3992	Teams.exe
5724	regsvr32.exe
3992	Teams.exe
5768	regsvr32.exe
5768	regsvr32.exe
5768	regsvr32.exe
5768	regsvr32.exe
5768	regsvr32.exe
3992	Teams.exe
3992	Teams.exe
5804	regsvr32.exe
5804	regsvr32.exe
5804	regsvr32.exe
6104	Teams.exe
6104	Teams.exe
6104	Teams.exe
6104	Teams.exe
6104	Teams.exe
1628	Teams.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks system information in the registry 2 TTPs 4 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	Teams.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	Teams.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	Teams.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	Teams.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 14 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	Teams.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Teams.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Teams.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Teams.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Teams.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	Teams.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	Teams.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	Teams.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	Teams.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	Teams.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Teams.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Teams.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	Teams.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	Teams.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\WOW6432Node\Interface\{F7EE956B-A713-48D3-AFEF-0A28F37740B3}	Update.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\WOW6432Node\Interface\{E0E8B413-BB57-4B58-B1FB-288F3A269E35}\TypeLib	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Interface\{3C8210C8-8578-47C6-87A9-FA1AD2BA9873}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Interface\{CE16D540-B9E8-4742-8659-9A7A318AFB92}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	Update.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\WOW6432Node\Interface\{420A24E2-5C31-4262-9BD5-058682300ED6}\TypeLib	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Interface\{C22CE6BF-3A47-46B7-8544-44305BADFEF9}\ = "_IConferenceSchedulerCallback"	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\WOW6432Node\Interface\{4EE0CE21-96D6-461F-8D44-EAC961468E50}\TypeLib\ = "{B9AA1F11-F480-4054-A84E-B5D9277E40A8}"	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\WOW6432Node\Interface\{AA186C92-181E-417F-B150-FCA0F367E0FC}\TypeLib\Version = "1.0"	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\WOW6432Node\Interface\{F4BEB62B-8A4E-4212-9030-B1B115E4C2F1}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\WOW6432Node\Interface\{65B71572-5338-43C8-9E4C-F1DFC6711AD1}\TypeLib\Version = "1.0"	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Interface\{DAA5FDE3-A81C-4F23-80B6-C47B52C649BF}\TypeLib\Version = "1.0"	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Interface\{87665417-C861-4E1D-ACE8-3F566EE986A2}\TypeLib\ = "{B9AA1F11-F480-4054-A84E-B5D9277E40A8}"	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Interface\{4875C050-BA9C-4A05-891E-E7B0A9463664}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\WOW6432Node\Interface\{BE026CD2-7E82-4F7C-8762-F6B02F496174}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Interface\{9244D573-914F-4C1F-93F6-31609A95CBED}\TypeLib\Version = "1.0"	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Interface\{84340964-7820-4EBC-BCD3-702926DE23E8}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\WOW6432Node\Interface\{DBA05C15-1C07-4A76-8248-08D8416A24E3}\TypeLib\Version = "1.0"	Update.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\WOW6432Node\Interface\{92D7E7A8-48D8-4166-8911-630AE02B2B93}\TypeLib	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\WOW6432Node\Interface\{4BACB4B8-1236-42B8-BDA1-D1533148780D}\ = "_IPreviousConversationsManagerCallback"	Update.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\WOW6432Node\Interface\{744BAB86-B15F-4BD5-B7DD-476B0CE0162A}\TypeLib	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Interface\{A58F54D2-9786-4309-964D-96549AEC7611}\TypeLib\Version = "1.0"	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\WOW6432Node\Interface\{984BA6A3-6931-4AD1-9F62-31C18EECC02E}\TypeLib\ = "{C0529B10-073A-4754-9BB0-72325D80D122}"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Interface\{0BDB9057-28AE-4BF0-AFF0-12A148E51637}\TypeLib	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\WOW6432Node\Interface\{6A7FF112-42CE-4D03-8922-D02AC6C5759F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\WOW6432Node\Interface\{3CD1DB65-D85B-4912-8536-6BD8E19F1738}\TypeLib\Version = "1.0"	Update.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\WOW6432Node\Interface\{6B551C9E-DE81-41DF-A0AE-39F0AF11D508}	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\WOW6432Node\Interface\{9B3A702D-5BE1-4FCE-ADB3-EBBD23E078C3}\TypeLib\Version = "1.0"	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\WOW6432Node\Interface\{AA186C92-181E-417F-B150-FCA0F367E0FC}\ = "_IFrequentContactsEvents"	Update.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Interface\{32430741-330B-48DF-96F6-0CFE00484D40}\TypeLib	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Interface\{08DDF5C4-FA12-4978-B26E-C6D23C453413}\ = "_IDeviceManagerCallback"	Update.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Interface\{628D7BDD-45AB-404D-8505-B3ADC15F454D}\TypeLib	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Interface\{1566FA3C-FD24-41DB-A2B8-6232F89783DE}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Interface\{B28F2007-3926-49CF-9101-4CCB9574049B}\ = "IPreferredCapabilitiesChangedEventData"	Update.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Interface\{C12F0DE5-9A7D-425C-B391-8BE004EAA2F6}	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Interface\{EF5C00E4-75E2-4D39-B358-0ED9CB14F3CB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	Update.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\WOW6432Node\Interface\{DD181E97-EEE0-4D65-BAD1-16866D0C7953}\ProxyStubClsid32	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Interface\{C22CE6BF-3A47-46B7-8544-44305BADFEF9}\TypeLib\Version = "1.0"	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Interface\{F719ED75-B7BD-45D3-9097-254509226F20}\TypeLib\ = "{B9AA1F11-F480-4054-A84E-B5D9277E40A8}"	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\WOW6432Node\Interface\{C79E4169-535F-4A41-8DE2-C65A90D9503D}\ = "IModalityStateChangePropertyDictionary"	Update.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\WOW6432Node\Interface\{BE026CD2-7E82-4F7C-8762-F6B02F496174}\TypeLib	Update.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Interface\{081793DA-7221-45C3-8AFA-3A2E6E464670}	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\WOW6432Node\Interface\{D46E9D77-3356-4823-8072-9595D54D335C}\TypeLib\Version = "1.0"	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Interface\{12480BD4-072F-4763-B9FB-41B2CA54F9CD}\TypeLib\Version = "1.0"	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Interface\{3690D374-3779-4EFC-B8E8-20642C01529A}\ = "ISharingResource"	Update.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Interface\{8684D3AD-7061-4056-A894-EBF1270ADB9B}	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Interface\{1F8EBE6F-7993-42CE-980A-A2F03793BE71}\TypeLib\Version = "1.0"	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Interface\{25A47938-5C31-4F43-9108-DA01EE5869C0}\TypeLib\ = "{B9AA1F11-F480-4054-A84E-B5D9277E40A8}"	Update.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Interface\{DF414A68-5051-4465-AAE2-4F301315734E}\TypeLib	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\WOW6432Node\Interface\{0678C83E-F580-4D99-902F-930699B28BE8}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	Update.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\WOW6432Node\Interface\{61CE9972-C619-4A88-A5D1-D2DFBCD4D2A1}\TypeLib	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\WOW6432Node\Interface\{50D86EE2-288F-44F5-8144-69F6E3B24B90}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Interface\{70DCCE38-90BF-4428-A34F-3A6082F29E50}\TypeLib\Version = "1.0"	Update.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\WOW6432Node\Interface\{BC9F5F40-D315-40C1-B1C6-CEA0646E18E2}\TypeLib	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Interface\{55A21CF3-A2B3-484E-BE2A-14280F501289}\ = "IVideoView"	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\WOW6432Node\Interface\{18BA13C7-A64E-4301-BA51-D1BFB3C1C9D5}\TypeLib\Version = "1.0"	Update.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Interface\{4E8DC7E0-04B8-470B-BDFA-F520099B975F}\ProxyStubClsid32	Update.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Interface\{DC4BC923-6A52-4F02-9F8A-547B606955E7}\TypeLib	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Interface\{9274DBDC-43CE-45AA-A817-414A4494AD28}\TypeLib\Version = "1.0"	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Interface\{4B3A2412-C149-4E52-A713-6CEBCF47503E}\TypeLib\Version = "1.0"	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Interface\{8AFFB8CE-5404-4280-BCA3-E2E4388E6D73}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Interface\{8AFFB8CE-5404-4280-BCA3-E2E4388E6D73}\TypeLib\Version = "1.0"	Update.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Interface\{AB2D1A67-2B3D-4E25-B21C-03F4BFC4C2BE}\TypeLib	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Interface\{7BF20B14-58D1-494B-B301-9B16BACC9610}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	Update.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Interface\{1B889699-5867-4D32-9C9C-5B7AE21B9838}	Update.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	Teams.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b9992367f000000010000000c000000300a06082b060105050703097a000000010000000c000000300a06082b060105050703097e00000001000000080000000000042beb77d501030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	Teams.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 5c000000010000000400000000080000190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c7e00000001000000080000000000042beb77d5017a000000010000000c000000300a06082b060105050703097f000000010000000c000000300a06082b060105050703091d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c990b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b060105050703080f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d0400000001000000100000003e455215095192e1b75d379fb187298a200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	Teams.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
4484	schtasks.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeSecurityPrivilege	3252	client32.exe
Token: SeDebugPrivilege	4292	Update.exe
Token: SeShutdownPrivilege	4988	Teams.exe
Token: SeCreatePagefilePrivilege	4988	Teams.exe
Token: SeShutdownPrivilege	4988	Teams.exe
Token: SeCreatePagefilePrivilege	4988	Teams.exe
Token: SeShutdownPrivilege	4988	Teams.exe
Token: SeCreatePagefilePrivilege	4988	Teams.exe
Token: SeShutdownPrivilege	4988	Teams.exe
Token: SeCreatePagefilePrivilege	4988	Teams.exe
Token: SeShutdownPrivilege	4988	Teams.exe
Token: SeCreatePagefilePrivilege	4988	Teams.exe
Token: SeShutdownPrivilege	4988	Teams.exe
Token: SeCreatePagefilePrivilege	4988	Teams.exe
Token: SeShutdownPrivilege	4988	Teams.exe
Token: SeCreatePagefilePrivilege	4988	Teams.exe
Token: SeShutdownPrivilege	4988	Teams.exe
Token: SeCreatePagefilePrivilege	4988	Teams.exe
Token: SeShutdownPrivilege	4988	Teams.exe
Token: SeCreatePagefilePrivilege	4988	Teams.exe
Token: SeShutdownPrivilege	4988	Teams.exe
Token: SeCreatePagefilePrivilege	4988	Teams.exe
Token: SeShutdownPrivilege	4988	Teams.exe
Token: SeCreatePagefilePrivilege	4988	Teams.exe
Token: SeShutdownPrivilege	4988	Teams.exe
Token: SeCreatePagefilePrivilege	4988	Teams.exe
Token: SeShutdownPrivilege	4988	Teams.exe
Token: SeCreatePagefilePrivilege	4988	Teams.exe
Token: SeShutdownPrivilege	3992	Teams.exe
Token: SeCreatePagefilePrivilege	3992	Teams.exe
Token: SeShutdownPrivilege	3992	Teams.exe
Token: SeCreatePagefilePrivilege	3992	Teams.exe
Token: SeShutdownPrivilege	3992	Teams.exe
Token: SeCreatePagefilePrivilege	3992	Teams.exe
Token: SeShutdownPrivilege	3992	Teams.exe
Token: SeCreatePagefilePrivilege	3992	Teams.exe
Token: SeShutdownPrivilege	3992	Teams.exe
Token: SeCreatePagefilePrivilege	3992	Teams.exe
Token: SeShutdownPrivilege	3992	Teams.exe
Token: SeCreatePagefilePrivilege	3992	Teams.exe
Token: SeShutdownPrivilege	3992	Teams.exe
Token: SeCreatePagefilePrivilege	3992	Teams.exe
Token: SeShutdownPrivilege	3992	Teams.exe
Token: SeCreatePagefilePrivilege	3992	Teams.exe
Token: SeShutdownPrivilege	3992	Teams.exe
Token: SeCreatePagefilePrivilege	3992	Teams.exe
Token: SeShutdownPrivilege	3992	Teams.exe
Token: SeCreatePagefilePrivilege	3992	Teams.exe
Token: SeShutdownPrivilege	3992	Teams.exe
Token: SeCreatePagefilePrivilege	3992	Teams.exe
Token: SeShutdownPrivilege	3992	Teams.exe
Token: SeCreatePagefilePrivilege	3992	Teams.exe
Token: SeShutdownPrivilege	3992	Teams.exe
Token: SeCreatePagefilePrivilege	3992	Teams.exe
Token: SeShutdownPrivilege	3992	Teams.exe
Token: SeCreatePagefilePrivilege	3992	Teams.exe
Token: SeShutdownPrivilege	3992	Teams.exe
Token: SeCreatePagefilePrivilege	3992	Teams.exe
Token: SeShutdownPrivilege	3992	Teams.exe
Token: SeCreatePagefilePrivilege	3992	Teams.exe
Token: SeShutdownPrivilege	3992	Teams.exe
Token: SeCreatePagefilePrivilege	3992	Teams.exe
Token: SeShutdownPrivilege	3992	Teams.exe
Token: SeCreatePagefilePrivilege	3992	Teams.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3252	client32.exe
4292	Update.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2456 wrote to memory of 4484	2456	Setup.exe	81
PID 2456 wrote to memory of 4484	2456	Setup.exe	81
PID 2456 wrote to memory of 4484	2456	Setup.exe	81
PID 2456 wrote to memory of 3252	2456	Setup.exe	82
PID 2456 wrote to memory of 3252	2456	Setup.exe	82
PID 2456 wrote to memory of 3252	2456	Setup.exe	82
PID 2456 wrote to memory of 3292	2456	Setup.exe	87
PID 2456 wrote to memory of 3292	2456	Setup.exe	87
PID 2456 wrote to memory of 3292	2456	Setup.exe	87
PID 3292 wrote to memory of 4292	3292	MSTeamsSetup_c_l_.exe	88
PID 3292 wrote to memory of 4292	3292	MSTeamsSetup_c_l_.exe	88
PID 3292 wrote to memory of 4292	3292	MSTeamsSetup_c_l_.exe	88
PID 4292 wrote to memory of 1096	4292	Update.exe	93
PID 4292 wrote to memory of 1096	4292	Update.exe	93
PID 4292 wrote to memory of 1096	4292	Update.exe	93
PID 4292 wrote to memory of 4988	4292	Update.exe	94
PID 4292 wrote to memory of 4988	4292	Update.exe	94
PID 4988 wrote to memory of 228	4988	Teams.exe	95
PID 4988 wrote to memory of 228	4988	Teams.exe	95
PID 4988 wrote to memory of 228	4988	Teams.exe	95
PID 4988 wrote to memory of 228	4988	Teams.exe	95
PID 4988 wrote to memory of 228	4988	Teams.exe	95
PID 4988 wrote to memory of 228	4988	Teams.exe	95
PID 4988 wrote to memory of 228	4988	Teams.exe	95
PID 4988 wrote to memory of 228	4988	Teams.exe	95
PID 4988 wrote to memory of 228	4988	Teams.exe	95
PID 4988 wrote to memory of 228	4988	Teams.exe	95
PID 4988 wrote to memory of 228	4988	Teams.exe	95
PID 4988 wrote to memory of 228	4988	Teams.exe	95
PID 4988 wrote to memory of 228	4988	Teams.exe	95
PID 4988 wrote to memory of 228	4988	Teams.exe	95
PID 4988 wrote to memory of 228	4988	Teams.exe	95
PID 4988 wrote to memory of 228	4988	Teams.exe	95
PID 4988 wrote to memory of 228	4988	Teams.exe	95
PID 4988 wrote to memory of 228	4988	Teams.exe	95
PID 4988 wrote to memory of 228	4988	Teams.exe	95
PID 4988 wrote to memory of 228	4988	Teams.exe	95
PID 4988 wrote to memory of 228	4988	Teams.exe	95
PID 4988 wrote to memory of 228	4988	Teams.exe	95
PID 4988 wrote to memory of 228	4988	Teams.exe	95
PID 4988 wrote to memory of 228	4988	Teams.exe	95
PID 4988 wrote to memory of 228	4988	Teams.exe	95
PID 4988 wrote to memory of 228	4988	Teams.exe	95
PID 4988 wrote to memory of 228	4988	Teams.exe	95
PID 4988 wrote to memory of 228	4988	Teams.exe	95
PID 4988 wrote to memory of 228	4988	Teams.exe	95
PID 4988 wrote to memory of 228	4988	Teams.exe	95
PID 4988 wrote to memory of 228	4988	Teams.exe	95
PID 4988 wrote to memory of 228	4988	Teams.exe	95
PID 4988 wrote to memory of 228	4988	Teams.exe	95
PID 4988 wrote to memory of 228	4988	Teams.exe	95
PID 4988 wrote to memory of 228	4988	Teams.exe	95
PID 4988 wrote to memory of 228	4988	Teams.exe	95
PID 4988 wrote to memory of 228	4988	Teams.exe	95
PID 4988 wrote to memory of 228	4988	Teams.exe	95
PID 4988 wrote to memory of 228	4988	Teams.exe	95
PID 4988 wrote to memory of 228	4988	Teams.exe	95
PID 4988 wrote to memory of 228	4988	Teams.exe	95
PID 4988 wrote to memory of 228	4988	Teams.exe	95
PID 4988 wrote to memory of 3036	4988	Teams.exe	97
PID 4988 wrote to memory of 3036	4988	Teams.exe	97
PID 4292 wrote to memory of 3992	4292	Update.exe	99
PID 4292 wrote to memory of 3992	4292	Update.exe	99
PID 4292 wrote to memory of 5724	4292	Update.exe	100

C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2456
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\system32\schtasks.exe" /create /sc ONLOGON /tn "CSCOClient" /tr "C:\Users\Admin\AppData\Roaming\CSCOClient\client32.exe" /RL HIGHEST
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:4484
- C:\Users\Admin\AppData\Roaming\CSCOClient\client32.exe
  C:\Users\Admin\AppData\Roaming\CSCOClient\client32.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:3252
- C:\ProgramData\MSTeamsSetup_c_l_.exe
  C:\ProgramData\MSTeamsSetup_c_l_.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3292
- - C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
    "C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe" --install . --exeName=MSTeamsSetup_c_l_.exe --bootstrapperMode
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:4292
  - - C:\Users\Admin\AppData\Local\Microsoft\Teams\current\Squirrel.exe
      "C:\Users\Admin\AppData\Local\Microsoft\Teams\current\Squirrel.exe" --updateSelf=C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
      4⤵
      Executes dropped EXE
      PID:1096
  - - C:\Users\Admin\AppData\Local\Microsoft\Teams\current\Teams.exe
      "C:\Users\Admin\AppData\Local\Microsoft\Teams\current\Teams.exe" --squirrel-install 1.7.00.15969
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      Checks system information in the registry
      Checks processor information in registry
      Modifies system certificate store
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4988
    - - C:\Users\Admin\AppData\Local\Microsoft\Teams\current\Teams.exe
        
        "C:\Users\Admin\AppData\Local\Microsoft\Teams\current\Teams.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\Microsoft\Teams" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1720 --field-trial-handle=1956,i,7563865697644722354,2692050516479268284,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:228
    - - C:\Users\Admin\AppData\Local\Microsoft\Teams\current\Teams.exe
        
        "C:\Users\Admin\AppData\Local\Microsoft\Teams\current\Teams.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\Microsoft\Teams" --mojo-platform-channel-handle=2160 --field-trial-handle=1956,i,7563865697644722354,2692050516479268284,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3036
  - - C:\Users\Admin\AppData\Local\Microsoft\Teams\current\Teams.exe
      "C:\Users\Admin\AppData\Local\Microsoft\Teams\current\Teams.exe" --squirrel-firstrun
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      Checks system information in the registry
      Checks processor information in registry
      Suspicious use of AdjustPrivilegeToken
      PID:3992
    - - C:\Users\Admin\AppData\Local\Microsoft\Teams\current\Teams.exe
        
        "C:\Users\Admin\AppData\Local\Microsoft\Teams\current\Teams.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\Microsoft\Teams" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1768 --field-trial-handle=1928,i,5559427595209224744,10261431718816420082,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:6104
    - - C:\Users\Admin\AppData\Local\Microsoft\Teams\current\Teams.exe
        
        "C:\Users\Admin\AppData\Local\Microsoft\Teams\current\Teams.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\Microsoft\Teams" --mojo-platform-channel-handle=2124 --field-trial-handle=1928,i,5559427595209224744,10261431718816420082,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1628
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\system32\regsvr32.exe" /s /n /i:user "C:\Users\Admin\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x64\Microsoft.Teams.AddinLoader.dll"
      4⤵
      Loads dropped DLL
      PID:5724
    - - C:\Windows\system32\regsvr32.exe
        
        /s /n /i:user "C:\Users\Admin\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x64\Microsoft.Teams.AddinLoader.dll"
        5⤵
        Loads dropped DLL
        Modifies registry class
        
        PID:5768
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\SysWOW64\regsvr32.exe" /s /n /i:user "C:\Users\Admin\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x86\Microsoft.Teams.AddinLoader.dll"
      4⤵
      Loads dropped DLL
      PID:5804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

System Information Discovery