139dfc982c364514d76ed2542923f646d95a5ef3fc11bafea76cd4baa645174c

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
20/07/2024, 00:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$_0_/TeamViewer_.exe
Size

2.7MB
MD5

49db2873ae4d4af304d412a8427058bb
SHA1

827a89c3e65c378bb763268533b65c4ecacd611f
SHA256

2b51b6d51577a89d12a5e173bfa00f1991c04e65c024d55f938287cb652d9244
SHA512

9961141385cf8f4800b1949bb231de229fd4f1ade868537aae0b4558c3f3cfeb429ddf02439eaad3778d75147aae264e0e1afff0d855fa9643e77ce12131ce06
SSDEEP

49152:/tA2eEwrpK5Kh7v9XFEYtVzAN+5jvURCndyWLhdndhDtr7It6FfTYi5iARVVpwR3:/tveFpvh7v9V/tVcN+5ZhVdhpr7LF7Ve

Score

7^/10

spyware stealer upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	TeamViewer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	TeamViewer_.exe

Executes dropped EXE 1 IoCs

pid	Process
3704	TeamViewer.exe

Loads dropped DLL 9 IoCs

pid	Process
4632	TeamViewer_.exe
4632	TeamViewer_.exe
4632	TeamViewer_.exe
4632	TeamViewer_.exe
3704	TeamViewer.exe
3704	TeamViewer.exe
3704	TeamViewer.exe
3704	TeamViewer.exe
3704	TeamViewer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral6/memory/4632-0-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral6/memory/4632-44-0x0000000000400000-0x000000000043B000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\742C3192E607E424EB4549542BE1BBC53E6174E2	TeamViewer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\742C3192E607E424EB4549542BE1BBC53E6174E2\Blob = 5c0000000100000004000000000400007e0000000100000008000000000010c51e92d201620000000100000020000000e7685634efacf69ace939a6b255b7b4fabef42935b50a265acb5cb6027e44e7009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030119000000010000001000000091161b894b117ecdc257628db460cc04030000000100000014000000742c3192e607e424eb4549542be1bbc53e6174e21d000000010000001000000027b3517667331ce2c1e74002b5ff2298140000000100000014000000e27f7bd877d5df9e0a3f9eb4cb0e2ea9efdb69770b000000010000004600000056006500720069005300690067006e00200043006c006100730073002000330020005000750062006c006900630020005000720069006d00610072007900200043004100000004000000010000001000000010fc635df6263e0df325be5f79cd67670f0000000100000010000000d7c63be0837dbabf881d4fbf5f986ad853000000010000002400000030223020060a2b0601040182375e010130123010060a2b0601040182373c0101030200c07a000000010000000e000000300c060a2b0601040182375e010268000000010000000800000000003db65bd9d5012000000001000000400200003082023c308201a5021070bae41d10d92934b638ca7b03ccbabf300d06092a864886f70d0101020500305f310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e31373035060355040b132e436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479301e170d3936303132393030303030305a170d3238303830313233353935395a305f310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e31373035060355040b132e436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f7269747930819f300d06092a864886f70d010101050003818d0030818902818100c95c599ef21b8a0114b410df0440dbe357af6a45408f840c0bd133d9d911cfee02581f25f72aa84405aaec031f787f9e93b99a00aa237dd6ac85a26345c77227ccf44cc67571d239ef4f42f075df0a90c68e206f980ff8ac235f702936a4c986e7b19a20cb53a585e73dbe7d9afe244533dc7615ed0fa271644c652e816845a70203010001300d06092a864886f70d010102050003818100bb4c122bcf2c26004f1413dda6fbfc0a11848cf3281c67922f7cb6c5fadff0e895bc1d8f6c2ca851cc73d8a4c053f04ed626c076015781925e21f1d1b1ffe7d02158cd6917e3441c9c194439895cdc9c000f568d0299eda290454ce4bb10a43df032030ef1cef8e8c9518ce6629fe69fc07db7729cc9363a6b9f4ea8ff640d64	TeamViewer.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3704	TeamViewer.exe
3704	TeamViewer.exe
3704	TeamViewer.exe
3704	TeamViewer.exe
3704	TeamViewer.exe
3704	TeamViewer.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3704	TeamViewer.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4632 wrote to memory of 3704	4632	TeamViewer_.exe	87
PID 4632 wrote to memory of 3704	4632	TeamViewer_.exe	87
PID 4632 wrote to memory of 3704	4632	TeamViewer_.exe	87

C:\Users\Admin\AppData\Local\Temp\$_0_\TeamViewer_.exe
"C:\Users\Admin\AppData\Local\Temp\$_0_\TeamViewer_.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4632
- C:\Users\Admin\AppData\Local\Temp\$_0_\TeamViewer.exe
  "C:\Users\Admin\AppData\Local\Temp\$_0_\TeamViewer.exe" --qsc --pw ""
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\$_0_\TeamViewer.exe

Filesize
5.6MB

MD5
aed1f11d28b3a147e3b4ebaa6d283fe4

SHA1
02034b927d9cb87f477e5c156e229a68f63b11ee

SHA256
19c65c053b87ff64d18668485cd3352fa418f027d6c93e06b8881daefd8e26c8

SHA512
585598992848161b041d4bdb5bedc263bbdfed61a1e4331f0934dfdf5a03deb55264a4128291301eb3adf302f69fc7cea869e06bb7e061af07a007e8026c2bbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\$_0_\TeamViewer.ini

Filesize
508B

MD5
89a5c8338a9ad1358ef3c539e600bfd0

SHA1
e24c6d744996492debac707e76881352c4533c6e

SHA256
692b9b188d84018ee4064419af532231902e3575fb1933b1e05b86dbef4ba8eb

SHA512
421d6d75a83ef405bd0d49638bf8b08c216f312908218c7fd8cf4cbdbdecac7b9da9fd05455327c02bbcc8aa55d53fba07a1d5b7c67f23cfc5c01f2a8bef1d11

Download Submit
C:\Users\Admin\AppData\Local\Temp\$_0_\TeamViewer_Resource_en.dll

Filesize
597KB

MD5
42541dce7ce993b804380b2662817d90

SHA1
efaa8ec539173fc9dc6a2aa07503b89cac8999de

SHA256
2a63bec3c347b854e105eaa43e2da440e0c3976c123522090bbcfdc38947ed1b

SHA512
85b8199ce01202b8dd58d36725f1398c03f8a54e17dd0b9c2e70eb0b02b6f03837bd8041a5890f47e2fb501e70a90ea078d36bb351c2f1984256ef41a0046f5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\$_0_\logo.bmp

Filesize
55KB

MD5
a20d31c11ffb94e3af213388311b30b0

SHA1
511d3688442db675a37d949666b88a81758dde8f

SHA256
d069d95c23aa3e8793d2f8352844aba8dee6ac851d37ba82f8b164f7e66d2eb1

SHA512
8ce273c50e9281fd57bd7be32e2e32c475a03dc7134c258289dd68255fb4893bc4fd25fbcacdb07f6810ce0d125375aeca4e73d5b425ad2ee39d29d4f896231f

Download Submit
C:\Users\Admin\AppData\Local\Temp\$_0_\tv.dll

Filesize
117KB

MD5
d48725f2cf6ddd7143cd2831640c8ec2

SHA1
1d2d4cfe979fca32722ed9e4f71fc07a5c344236

SHA256
03e3c1c00715a0efcef26c036bcf230dfe5ebf29aad72912fd150b2e66e5c274

SHA512
7621d3d72121c80edb0719f1dd67e0efe6c86f65c1405ee40220fcc48efe32e4b9270860e49ab84d75734061d23ad9ae8e607be09659461ca8f3647b68e4a2e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsgD498.tmp\Base64.dll

Filesize
456KB

MD5
9459a28dbb2752d59eaa8fbb5cf8c982

SHA1
4ad7eb230cf6d05df967037225fa19dd385bf7cb

SHA256
4688dcd01db816485a770cb8fc047fef9a408f3dbec5a2c83752fee115ce6963

SHA512
7dff6414f4215aa4c7a168158b4ac5dd422c7dd35c6af58bce658c6bf9bf5a3545a5ee0db5f5d47a17c7ae53cb54551b98b492137e36c73e684b2041d775cd97

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsgD498.tmp\System.dll

Filesize
11KB

MD5
00a0194c20ee912257df53bfe258ee4a

SHA1
d7b4e319bc5119024690dc8230b9cc919b1b86b2

SHA256
dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3

SHA512
3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667

Download Submit
memory/3704-48-0x0000000002870000-0x0000000002871000-memory.dmp

Filesize
4KB

Download
memory/3704-55-0x0000000002870000-0x0000000002871000-memory.dmp

Filesize
4KB

Download
memory/4632-22-0x0000000006880000-0x0000000006920000-memory.dmp

Filesize
640KB

Download
memory/4632-27-0x0000000006880000-0x0000000006920000-memory.dmp

Filesize
640KB

Download
memory/4632-26-0x0000000006880000-0x0000000006920000-memory.dmp

Filesize
640KB

Download
memory/4632-44-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4632-0-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download