Overview

overview

7

Static

static

1

TeamViewerQS_x64.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    130s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-07-2024 14:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    TeamViewerQS_x64.exe

  • Size

    31.0MB

  • MD5

    913740fa42ac5460adc40b51d50539b4

  • SHA1

    4c4dbf2e1b6b0c80e8e98af065e4724717dd304f

  • SHA256

    5b1fd3d03b05c0961381968f118131f14d2134ce03a40be7b704e514407a364c

  • SHA512

    47386438efe44e1d9d1a5ea8d7a8acb7ee806c27454b0fc50dbaeaeef03734968c073f5305fc257cc97914e5dd8f9e290adf1ea25b6a11d7c22856104ab7b4f2

  • SSDEEP

    786432:9vviy5auaza4cXWDTDNIOSKGlPxysiuA1gXRHQ2:plaOW7AzlJlDGY

Score
7/10
discoveryspywarestealer

Malware Config

Signatures

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 11 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies system certificate store 2 TTPs 3 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\TeamViewerQS_x64.exe
    "C:\Users\Admin\AppData\Local\Temp\TeamViewerQS_x64.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2652
    • C:\Users\Admin\AppData\Local\Temp\TeamViewer\TeamViewer.exe
      "C:\Users\Admin\AppData\Local\Temp\TeamViewer\TeamViewer.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1648
      • C:\Users\Admin\AppData\Local\Temp\TeamViewer\tv_w32.exe
        "C:\Users\Admin\AppData\Local\Temp\TeamViewer\tv_w32.exe" --action hooks --log
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Modifies data under HKEY_USERS
        PID:4368
      • C:\Users\Admin\AppData\Local\Temp\TeamViewer\tv_x64.exe
        "C:\Users\Admin\AppData\Local\Temp\TeamViewer\tv_x64.exe" --action hooks --log
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Modifies data under HKEY_USERS
        PID:4524

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

1
T1553

Install Root Certificate

1
T1553.004

Modify Registry

1
T1112

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\TeamViewer\TV_w32.dll
    Filesize

    468KB

    MD5

    062449fa5e124eea0ec23eb8d4d927c1

    SHA1

    65b124b4be55e5d5d0733d7c46d9e4a26d71a095

    SHA256

    472e7f785ad890e55422d91f3ec1fdfe229e4a7c0cbc04bedb1e6665c9ab3982

    SHA512

    0fd278c964955efbec5c9a3d2d7d582c29742f8ae6e3e72fc14f9a2525b210748ab50271bce025fa7cfe15757ccc6eda0aa7a5e63e56117aeba61669f7f6c2f2

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\TeamViewer\TV_w32.exe
    Filesize

    353KB

    MD5

    87cf3aff3fc3599564b447a9d81b74a9

    SHA1

    2c5e961c31ff1e509ce239a5e7a2ed582e8707e3

    SHA256

    7229ee56d8be2dacfdc267012538d211e6a2cbcddeaa7c9657dd35d74a449b1d

    SHA512

    63a95ab310848b4e6271b9c94d05d617a2b3b54ae1fb5c51d4ff4b0c8421b88958f1cb636b2adb3e8beeae787f145ca6d6e9217f6c5a836dc84349983c8067bc

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\TeamViewer\TV_x64.dll
    Filesize

    597KB

    MD5

    41f78919283ef4b692d167dde7dfc073

    SHA1

    254228d2560525e5b2801af28b8b729162fbd529

    SHA256

    3254a684a77c3a10540fabd1109065b61c4ff42cb9d9704f11fe8f173aede74a

    SHA512

    f05b8285e70f950d1a5b531d5bd51b7544c0ebc4e3922d7be4e6c5286bff3d42c7ec70b22293e9224924a1652c9b2281f172095cebd953307fed7654c8024e29

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\TeamViewer\TV_x64.exe
    Filesize

    419KB

    MD5

    ae23d69f901a7a6a49170ca6adc716ca

    SHA1

    b2ae2e2b6227a84ca315a05495ac3941530ad5a9

    SHA256

    c707ca54c0772f2eaac10ee55f593e05cd7052e74f60e042b0f462be6a149f9c

    SHA512

    02fbdb3a07fc9680d54a3cbaacb399c6c6097e265a48925369f0cd1cd11efaae063b702db4650caa07d0c2d1c070230e23f99c0ad9062ae3fd47efebe035f3ed

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\TeamViewer\TeamViewer_Resource_de.dll
    Filesize

    449KB

    MD5

    a8dacb654be0a945a7cab48595a058a9

    SHA1

    a47de44b1a15457088757cd8788576468bda0061

    SHA256

    40050f931b678865504eb04a635ff06b7497aa7abac9bad9143599845df068a3

    SHA512

    d10c9bae0a84d4c792b5d87a04f068963e67c9dbf71784f0d32511813abb92d44c53534b8d969dd25f8fd8ad7c4877bb8136d12eaa38554028d31f613d13517b

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\TeamViewer\TeamViewer_Resource_en.dll
    Filesize

    393KB

    MD5

    9dd84cf56d6e873debf915a4cd73f49a

    SHA1

    1ccc5c697ea60cdeea765d88b973ea717a34aef5

    SHA256

    b72e5c3b0e83ae0f84fb4538764714e724ac4d6f8a5aaa0d75d39de017b1d1ee

    SHA512

    594ccfd9429efbcf0638e27b02dc4f91e50ca5b007c3684a9ec3309d8fc1157dfb90ff746de25f2e358668005423b59bd115e3157e6b313509c48c811a223371

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\TeamViewer\TeamViewer_StaticRes.dll
    Filesize

    8.4MB

    MD5

    d0b7f02e128d6488d1bb2dd8ce7e56d1

    SHA1

    339360c4d5ea378d4d67d23673087048467dd651

    SHA256

    97175b8f06020aeb9e474487fb0ca702074c0349ef670b2a9160170742e5c31b

    SHA512

    d500c276522aeaefd28fb73b56063d90c1b43888171f45d3db14e9a6ac7964f1b0150bc745f897d108632d0bbcc7c1bf560bb15a481fe4350b4bb1db54e7aa96

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\TeamViewer\tvinfo.ini
    Filesize

    46B

    MD5

    0391cd89e17bf7b81e4a637a98ad6cf0

    SHA1

    2b56c9cde5fda0b73bcccbe5ea5b903c82361f4d

    SHA256

    54a256126db2625dbb3a4183cc0102a4463c0471f97c42b7b3b2b52c5575d6ae

    SHA512

    2ec450ff936f847bd9bf3a9ddc66c77762a978c08fcee60955bea9fb1055ba3b769a8f81bbecf88999a77594e48f4ccc0c68702dc73ff7b2d092cafe73bc62b5

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\nss803E.tmp\System.dll
    Filesize

    23KB

    MD5

    938c37b523d7fc08166e7a5810dd0f8e

    SHA1

    47b9663e5873669211655e0010e322f71b5a94be

    SHA256

    a91aa7c0ead677fc01b1c864e43e0cace110afb072b76ad47f4b3d1563f4dc20

    SHA512

    77afe83fb4e80a775dae0a54a2f0ff9710c135f9f1cf77396bc08a7fe46b016a8c079b4fa612e764eea5d258703f860688e38b443e33b1f980e04831739517c1

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\nss803E.tmp\TvGetVersion.dll
    Filesize

    696KB

    MD5

    41c3a6594060581d3bf1a16ed4ae6a72

    SHA1

    62bdf8c2a3fa5f70e8b25e83c946debf80c8fd47

    SHA256

    e35396c7d7e32a8fe771895ed9ea16bd85c8544410bf4dc70a42ccd2884cfd83

    SHA512

    3fee7ea74b4173b2815d631c8e69f5a21f2a170a46ce60424f9b9fb03cf7a35eab6933210497f851816a1a85eb3fdb682781ccb5e2607b7ade6dbc7a098368bd

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\nss803E.tmp\nsis7z.dll
    Filesize

    187KB

    MD5

    7fe20cee9277556f4ef137e61d29d9f5

    SHA1

    d53c37dbf548914ed20c8ebb21186a95beef1ee3

    SHA256

    5d71aaeefbc81732017e9040c8087e6686a16dd54e6d9bcd5ba7a47af68cc925

    SHA512

    a90250214c6c5048b098e031fca5a8097854a8667330551d7694740e3bc83f7d77791d314e3ac75617ef1834b75c41e3e3d3c74da9794a207894c13fb2d4bef7

    Download Submit
  • memory/2652-23-0x0000000006A00000-0x0000000006A32000-memory.dmp
    Filesize

    200KB

    Download