ced3a5d2fe45bdf9ee7a95ad64ca5034e5a23bbca315889c7f2041c4e0a973fc

Analysis

max time kernel
134s
max time network
133s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
26-07-2024 02:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$TEMP/TeamViewer/Version4/TeamViewer_.exe
Size

1.4MB
MD5

76d48872ed7b15e077120498d3ac3f07
SHA1

523a7528e1e2e58cc224aa974456969f8f91a820
SHA256

5cd3660829c4b3d8f7fafdb93c8b82c11198f6910662c09c92f65ac6035df7d1
SHA512

c3365c86aa5f5a171f2289eb3ee1f00368451553ccda9052e229cff35c94859c5dacd5d88a36d994c52c4b73502d7654b5dc0994c75437b1569d472fb229b8b3
SSDEEP

24576:eiT9MV7CCLSvhWZtGRbCr7EpmACmacCZ0ClEtgcR6i1G3SZrbAQ39xKRsyVDgNMy:7T9MvOvQO+r7nAGZ0iYX6nSVFXByVgN1

Score

7^/10

discovery spyware stealer upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	TeamViewer_.exe

Executes dropped EXE 1 IoCs

pid	Process
2744	TeamViewer.exe

Loads dropped DLL 7 IoCs

pid	Process
860	TeamViewer_.exe
860	TeamViewer_.exe
860	TeamViewer_.exe
860	TeamViewer_.exe
860	TeamViewer_.exe
860	TeamViewer_.exe
2744	TeamViewer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral4/memory/860-0-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral4/memory/860-50-0x0000000000400000-0x0000000000433000-memory.dmp	upx

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\QS\SAS.exe	TeamViewer.exe
File opened for modification	C:\Program Files (x86)\QS\SAS.exe	TeamViewer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TeamViewer_.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TeamViewer.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2744	TeamViewer.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2744	TeamViewer.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 860 wrote to memory of 2744	860	TeamViewer_.exe	87
PID 860 wrote to memory of 2744	860	TeamViewer_.exe	87
PID 860 wrote to memory of 2744	860	TeamViewer_.exe	87

C:\Users\Admin\AppData\Local\Temp\$TEMP\TeamViewer\Version4\TeamViewer_.exe
"C:\Users\Admin\AppData\Local\Temp\$TEMP\TeamViewer\Version4\TeamViewer_.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:860
- C:\Users\Admin\temp\TeamViewer\Version4\TeamViewer.exe
  "C:\Users\Admin\temp\TeamViewer\Version4\TeamViewer.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsc6591.tmp\Base64.dll

Filesize
456KB

MD5
9459a28dbb2752d59eaa8fbb5cf8c982

SHA1
4ad7eb230cf6d05df967037225fa19dd385bf7cb

SHA256
4688dcd01db816485a770cb8fc047fef9a408f3dbec5a2c83752fee115ce6963

SHA512
7dff6414f4215aa4c7a168158b4ac5dd422c7dd35c6af58bce658c6bf9bf5a3545a5ee0db5f5d47a17c7ae53cb54551b98b492137e36c73e684b2041d775cd97

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc6591.tmp\GetVersion.dll

Filesize
5KB

MD5
c6910d6e78c2e5f9d57d0bc6d8f6b736

SHA1
a395099062298b3f3c015359b227ca02a72c6e2c

SHA256
b2c32af2b0d75dfd08ae4e1ad7c5897957240b32bf7a16855d6a46512d272b9b

SHA512
4cd45b887ce5b7fecfd863cae83817465d7378cc9f5b50f5762d5f209c55a37257d94e91dea4c91c66f2c5bf22cdc1f5545eeef52a090f05cceeedf59bbd2a10

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc6591.tmp\System.dll

Filesize
10KB

MD5
0b96e50e5fd9b241435cfec46600b5a7

SHA1
1f79688c6bdd78b4e1812b110fd16d27c59b32d5

SHA256
10841d8d0a0fa457a62be63af7e30e72ffaec265470dbe16c0d61cc5b111d1e6

SHA512
01a5884ce81a622f81da23c4075aef4cbe68d18471908bb6082ad98bfd002c8a6c2b8069d250df0320cde22ad76eedc14a5d9369b370c2012d58575720da48b7

Download Submit
C:\Users\Admin\temp\TeamViewer\Version4\SAS.exe

Filesize
53KB

MD5
bf3bcd752bdabfa1f1e84b7462738103

SHA1
34cb8ea7d47467cace271e03b7869f37b0ecb30a

SHA256
90fe790e189c384f2ab82958057f91fdf40888c2ed3c0471bd7b85d5b36c7810

SHA512
6d5362c4d354319845f4522e0d1132c32a6779efc4c013c8c7bd489fddf39cbb5dfb72b135487b660d156d7774e5be4acc03c3fcecdb6dabcfad12630a3f5955

Download Submit
C:\Users\Admin\temp\TeamViewer\Version4\TeamViewer.exe

Filesize
3.4MB

MD5
0337483f5fd42db82837d6927eb522e9

SHA1
9011557916c89e5a0571a95646a9374ad7c174fc

SHA256
5ea676632a55b195ad1a6a84cd6af24404482ef6357f73d77c76eb43f57e3845

SHA512
3477299ddf80b0a81d6236e4f111c236ee4c6fee4c9982d534be716d4794d86287582b12393ba9de0a67730642190706ee0f96cf11a67efedd88b7b4991d12be

Download Submit
C:\Users\Admin\temp\TeamViewer\Version4\tv.dll

Filesize
64KB

MD5
4b030749eef3498b8efbaf2877a59fb5

SHA1
70d65a57582fa7145bcf7198e0751e5a3bfffcc5

SHA256
ee4f367a4074fa13d15eb17ae9e140d38b249959a29d6e4146c0577df2fed01b

SHA512
9a265c06a377bbcaba9b6b0e2752657701fd1fb82613d7ba520e4739108951d0059e1c8d7533a3e94928e5971a9d2fc575d3adc67f4ac768f844c63a5e11e8c7

Download Submit
memory/860-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/860-33-0x0000000010000000-0x00000000100A0000-memory.dmp

Filesize
640KB

Download
memory/860-50-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2744-55-0x00000000032C0000-0x00000000032C1000-memory.dmp

Filesize
4KB

Download
memory/2744-56-0x00000000032C0000-0x00000000032C1000-memory.dmp

Filesize
4KB

Download