156cafa6da98a57e481aab74ef748726bd4dce2912536fb59e65d9a57a3ae7a7

Analysis

max time kernel
37s
max time network
39s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
19/11/2024, 15:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

microsoft-teams.exe
Size

1.4MB
MD5

092bff0405ab418fe22c565e231be2ba
SHA1

8aef2b7d83b3d5ae55b24f25ab6621bb2dea9287
SHA256

156cafa6da98a57e481aab74ef748726bd4dce2912536fb59e65d9a57a3ae7a7
SHA512

ea88a6265562f56914c68deb0f86f115b170b36297afa45bb59c3777ec056d50598ee055d7a3c1e10a6a24f84e96ece69a594715e43c9aa28ab76e63fc8da5f0
SSDEEP

24576:4NYuPOTryV7OXRiYZgJw2K9KS74fVyhfP0dhyaz/PxSbQOUP8oSf37Z3/UyD:MOX6743ZvFKS74Nwfahyazx0LZ3jD

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2824	Update.exe

Loads dropped DLL 1 IoCs

pid	Process
2172	microsoft-teams.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	microsoft-teams.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2664	NOTEPAD.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2824	Update.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2172 wrote to memory of 2824	2172	microsoft-teams.exe	29
PID 2172 wrote to memory of 2824	2172	microsoft-teams.exe	29
PID 2172 wrote to memory of 2824	2172	microsoft-teams.exe	29
PID 2172 wrote to memory of 2824	2172	microsoft-teams.exe	29
PID 2172 wrote to memory of 2824	2172	microsoft-teams.exe	29
PID 2172 wrote to memory of 2824	2172	microsoft-teams.exe	29
PID 2172 wrote to memory of 2824	2172	microsoft-teams.exe	29
PID 2172 wrote to memory of 2664	2172	microsoft-teams.exe	31
PID 2172 wrote to memory of 2664	2172	microsoft-teams.exe	31
PID 2172 wrote to memory of 2664	2172	microsoft-teams.exe	31
PID 2172 wrote to memory of 2664	2172	microsoft-teams.exe	31

C:\Users\Admin\AppData\Local\Temp\microsoft-teams.exe
"C:\Users\Admin\AppData\Local\Temp\microsoft-teams.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
  "C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe" --install . --exeName=microsoft-teams.exe --bootstrapperMode
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2824
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\SquirrelTemp\SquirrelSetup.log
  2⤵
  - System Location Discovery: System Language Discovery
  - Opens file in notepad (likely ransom note)
  PID:2664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e8b1a9d809d46ea63b0b3383f86b4643

SHA1
7e595d62677e8c957a2a3a1ef3eedb1c24f9c552

SHA256
cdd8933563bf1504df8d304f1dbcb04dfd2e3173ab952de905031bc7e28bc39e

SHA512
cbe854e3c49267177ddd877f211a342c515d56978eb0ab6ac04aa1a1de6935e5bb3e9c0c2dc9033c902882b8df33add1523aca4e6d3ba838c33b47aa62daa107

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ea145406a0d7076591e5bfc624cc60ea

SHA1
5e6ff2a0b8dc7d34edd22fd194b6590390888789

SHA256
489fd0c0f9d1b5b3ad88a1f946d041d50168ec41a3d51f374db252bfe5cef334

SHA512
93df353f56ed235e7649004126c7e2f2f75c20003dac600eab3694f8a53bb7a76361affb0c89b67fb23ee5aeb10558d51cab611ada9bdd10ef3f6a0d57769816

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ca46720746112c35ab82883f0fa8c987

SHA1
7fdc060e346d61671be6c92336b8ad6968bf67d0

SHA256
d0aa374ad374637680e97bd62e2e90e9c4868f84083a7780af48d310f3be3f2e

SHA512
52d5c599e5293f4869935eea102f1a0a24668dc17e2b94429473b6a449c2105b554d9dcc63b9bb12d57c11938764109f6ad9a48bd264381f29187600b0b4ebf5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2bd50bcad3871606e8b4836ce9b035a7

SHA1
1bd1c294704a126702932886179c7748f5569ad2

SHA256
4c2c295c542d7485ad194744527aa8b1411b2b83f1631b63fd988c3f280bfaa9

SHA512
989b5cf55a67b24dcd47c6f9ad70868d8d7dfc7f9d3732177a7f7d1349ff010be2e254b6e900161901f86929c30ee4efbfc40f38e82768829135feae78d70d13

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5bd349c920c97d7709eae5807dc186f7

SHA1
de82e1cf910039bf963ad5b27e6eb8371f442296

SHA256
c042c9f8d0678117dcf69d85891a7d8606db4882b68444aab20b923c6108ffb9

SHA512
d2c777c9e67f44d6c6adfb2c283a3a398771c3772e40ae6b039bf65bfa7a06f4978c9b0f000a72acf73020541c0c5b9f7ef811c3f65fe8a71f106beb57198231

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\SquirrelSetup.log

Filesize
67KB

MD5
30799ac0211c096a5648bd55e8f00ffa

SHA1
1f06d5f140e7552c88befb73dad967d7b4209794

SHA256
605e1df75a6459ca19f39944d8f07107b8ac0989f7d10076fc2c971980009c1b

SHA512
c000c0d7b97e6d2281a9197885f6716bfa82f6ab8f94f0a141c47013b246205483075bb9e060c6acc1ccf4f68ee64a6c6b5b436aac7750307ad3ba56f01ba004

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\endpoint.json

Filesize
344B

MD5
677cab9a8b50ad026cfa7625a35dd2d7

SHA1
236780c5fbf2d5607f7cb165549584c9153112a2

SHA256
07890dda20815e1e57dca9553f5dfcff1b85f4a4369685d4991599e2618978f0

SHA512
d1863063926b405a6bade3327cfde25983d94e626d568abbdbdff9ae95e00061ed9ca80cc03a826c2144e4469a2734ea887a6c56ae0ed0caf70ce0077d219162

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3297.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar32F7.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Users\Admin\AppData\Local\SquirrelTemp\Update.exe

Filesize
2.4MB

MD5
55d2be3ea0dc1dcaeefddd7ed12c05e9

SHA1
f7be8b87f666f90b0e55c1d95bad9e048cde3b91

SHA256
5caccd37e4df62dcf709605de3f79664de7190534b56cd69bcc96bdf0f939437

SHA512
347588473c93dc0f830509eabb2e62927c8a48aec3e537c1d9af8e0826c5ed4fc321ab0ec4f1bd18cabd328e236118a3d7ba7f72c4343128daba59631d9f91ee

Download Submit
memory/2824-15-0x0000000074280000-0x000000007496E000-memory.dmp

Filesize
6.9MB

Download
memory/2824-14-0x000000007428E000-0x000000007428F000-memory.dmp

Filesize
4KB

Download
memory/2824-12-0x0000000074280000-0x000000007496E000-memory.dmp

Filesize
6.9MB

Download
memory/2824-11-0x0000000000410000-0x0000000000418000-memory.dmp

Filesize
32KB

Download
memory/2824-10-0x0000000000A80000-0x0000000000CE2000-memory.dmp

Filesize
2.4MB

Download
memory/2824-1041-0x0000000074280000-0x000000007496E000-memory.dmp

Filesize
6.9MB

Download
memory/2824-9-0x000000007428E000-0x000000007428F000-memory.dmp

Filesize
4KB

Download