Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240709-en
  • resource tags

    arch:x64, arch:x86, image:win11-20240709-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    25-07-2024 14:36

General

  • Target

    TeamViewerQS_x64.exe

  • Size

    31.0MB

  • MD5

    913740fa42ac5460adc40b51d50539b4

  • SHA1

    4c4dbf2e1b6b0c80e8e98af065e4724717dd304f

  • SHA256

    5b1fd3d03b05c0961381968f118131f14d2134ce03a40be7b704e514407a364c

  • SHA512

    47386438efe44e1d9d1a5ea8d7a8acb7ee806c27454b0fc50dbaeaeef03734968c073f5305fc257cc97914e5dd8f9e290adf1ea25b6a11d7c22856104ab7b4f2

  • SSDEEP

    786432:9vviy5auaza4cXWDTDNIOSKGlPxysiuA1gXRHQ2:plaOW7AzlJlDGY

Malware Config

Signatures

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 11 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies system certificate store 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\TeamViewerQS_x64.exe
    "C:\Users\Admin\AppData\Local\Temp\TeamViewerQS_x64.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3164
    • C:\Users\Admin\AppData\Local\Temp\TeamViewer\TeamViewer.exe
      "C:\Users\Admin\AppData\Local\Temp\TeamViewer\TeamViewer.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3812
      • C:\Users\Admin\AppData\Local\Temp\TeamViewer\tv_w32.exe
        "C:\Users\Admin\AppData\Local\Temp\TeamViewer\tv_w32.exe" --action hooks --log
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Modifies data under HKEY_USERS
        PID:4028
      • C:\Users\Admin\AppData\Local\Temp\TeamViewer\tv_x64.exe
        "C:\Users\Admin\AppData\Local\Temp\TeamViewer\tv_x64.exe" --action hooks --log
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Modifies data under HKEY_USERS
        PID:4184
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
    1⤵
    PID:4164

Network

MITRE ATT&CK Matrix ATT&CK v13

  • Defense Evasion
    • Subvert Trust Controls (T1553): 1
      • Install Root Certificate (T1553.004): 1
    • Modify Registry (T1112): 1
  • Credential Access
    • Unsecured Credentials (T1552): 1
      • Credentials In Files (T1552.001): 1
  • Discovery
    • System Information Discovery (T1082): 1
    • System Location Discovery (T1614): 1
      • System Language Discovery (T1614.001): 1
  • Collection
    • Data from Local System (T1005): 1

Downloads

    • C:\Users\Admin\AppData\Local\Temp\TeamViewer\TV_w32.dll
      Filesize

      468KB

    • C:\Users\Admin\AppData\Local\Temp\TeamViewer\TV_w32.exe
      Filesize

      353KB

    • C:\Users\Admin\AppData\Local\Temp\TeamViewer\TV_x64.dll
      Filesize

      597KB

    • C:\Users\Admin\AppData\Local\Temp\TeamViewer\TV_x64.exe
      Filesize

      419KB

    • C:\Users\Admin\AppData\Local\Temp\TeamViewer\TeamViewer_Resource_de.dll
      Filesize

      449KB

    • C:\Users\Admin\AppData\Local\Temp\TeamViewer\TeamViewer_Resource_en.dll
      Filesize

      393KB

    • C:\Users\Admin\AppData\Local\Temp\TeamViewer\TeamViewer_StaticRes.dll
      Filesize

      8.4MB

    • C:\Users\Admin\AppData\Local\Temp\TeamViewer\tvinfo.ini
      Filesize

      46B

    • C:\Users\Admin\AppData\Local\Temp\nspEBC9.tmp\System.dll
      Filesize

      23KB

    • C:\Users\Admin\AppData\Local\Temp\nspEBC9.tmp\TvGetVersion.dll
      Filesize

      696KB

    • C:\Users\Admin\AppData\Local\Temp\nspEBC9.tmp\nsis7z.dll
      Filesize

      187KB

    • memory/3164-23-0x0000000006C00000-0x0000000006C32000-memory.dmp
      Filesize

      200KB