Analysis
max time kernel: 149s
max time network: 126s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 21-11-2024 08:37
Static task static1
Behavioral task behavioral1: 044c5577aaaea092dd5a213de19138675e8182588709cda7ccb94ebaaf8a3df3.exe (resource: win7-20240903-en)
Behavioral task behavioral2: 044c5577aaaea092dd5a213de19138675e8182588709cda7ccb94ebaaf8a3df3.exe (resource: win10v2004-20241007-en)
Behavioral task behavioral3: $PLUGINSDIR/InstallOptions.dll (resource: win7-20240903-en)
Behavioral task behavioral4: $PLUGINSDIR/InstallOptions.dll (resource: win10v2004-20241007-en)
Behavioral task behavioral5: $PLUGINSDIR/LangDLL.dll (resource: win7-20240903-en)
Behavioral task behavioral6: $PLUGINSDIR/LangDLL.dll (resource: win10v2004-20241007-en)
Behavioral task behavioral7: $PLUGINSDIR/System.dll (resource: win7-20240708-en)
Behavioral task behavioral8: $PLUGINSDIR/System.dll (resource: win10v2004-20241007-en)
Behavioral task behavioral9: $PLUGINSDIR/TeamViewer_EULA.rtf (resource: win7-20240903-en)
Behavioral task behavioral10: $PLUGINSDIR/TeamViewer_EULA.rtf (resource: win10v2004-20241007-en)
Behavioral task behavioral11: $PLUGINSDIR/TvGetVersion.dll (resource: win7-20240903-en)
Behavioral task behavioral12: $PLUGINSDIR/TvGetVersion.dll (resource: win10v2004-20241007-en)
Behavioral task behavioral13: $PLUGINSDIR/nsDialogs.dll (resource: win7-20241023-en)
Behavioral task behavioral14: $PLUGINSDIR/nsDialogs.dll (resource: win10v2004-20241007-en)
General
Target: 044c5577aaaea092dd5a213de19138675e8182588709cda7ccb94ebaaf8a3df3.exe
Size: 18.2MB
MD5: 1fe6953cfe807f836f5d651562a8a780
SHA1: 54b01acdcc8f1bb05ce8eb055d6d92d52e681ee8
SHA256: 044c5577aaaea092dd5a213de19138675e8182588709cda7ccb94ebaaf8a3df3
SHA512: f7d2c44f9d53abe6071edfcd0b66f81e9b4ee763709aaa1f36dbc96b7d7b74bef1ed3c98d1fb6980f02791433a4fbbe88374b7a18024d6796600127ec1a0b406
SSDEEP: 393216:4vIDnftIjroMG8hgpZ/fxTAcn3rzhOj9XQFsE:4vIDlSUMG3zxZ3rNOxgt
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes: TeamViewer.exe
Key value queried: \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\International\Geo\Nation (TeamViewer.exe)
Executes dropped EXE (3 IoCs)
Processes: TeamViewer.exe, tv_w32.exe, tv_x64.exe
PID 1712 TeamViewer.exe
PID 892 tv_w32.exe
PID 1396 tv_x64.exe
Loads dropped DLL (24 IoCs)
Processes: 044c5577aaaea092dd5a213de19138675e8182588709cda7ccb94ebaaf8a3df3.exe, TeamViewer.exe, tv_w32.exe, tv_x64.exe
PID 2916 044c5577aaaea092dd5a213de19138675e8182588709cda7ccb94ebaaf8a3df3.exe (8 entries)
PID 1712 TeamViewer.exe (13 entries)
PID 844 (process name not recorded in the report) (1 entry)
PID 892 tv_w32.exe (1 entry)
PID 1396 tv_x64.exe (1 entry)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: 044c5577aaaea092dd5a213de19138675e8182588709cda7ccb94ebaaf8a3df3.exe, TeamViewer.exe, tv_w32.exe
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (044c5577aaaea092dd5a213de19138675e8182588709cda7ccb94ebaaf8a3df3.exe)
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (TeamViewer.exe)
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (tv_w32.exe)
Modifies data under HKEY_USERS 64 IoCs
Processes: tv_x64.exe, tv_w32.exe
Modifies system certificate store
Processes: TeamViewer.exe
Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = <certificate blob omitted> (TeamViewer.exe)
Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = <certificate blob omitted> (TeamViewer.exe)
Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = <certificate blob omitted> (TeamViewer.exe)
Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 (TeamViewer.exe)
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: TeamViewer.exe
PID 1712 TeamViewer.exe (2 entries)
Suspicious use of FindShellTrayWindow (1 IoC)
Processes: TeamViewer.exe
PID 1712 TeamViewer.exe
Suspicious use of SendNotifyMessage (1 IoC)
Processes: TeamViewer.exe
PID 1712 TeamViewer.exe
Suspicious use of SetWindowsHookEx (1 IoC)
Processes: TeamViewer.exe
PID 1712 TeamViewer.exe
Suspicious use of WriteProcessMemory (4 IoCs)
Processes: 044c5577aaaea092dd5a213de19138675e8182588709cda7ccb94ebaaf8a3df3.exe
PID 2916 (044c5577aaaea092dd5a213de19138675e8182588709cda7ccb94ebaaf8a3df3.exe) wrote to memory of PID 1712 (TeamViewer.exe), 4 entries
Processes
- C:\Users\Admin\AppData\Local\Temp\044c5577aaaea092dd5a213de19138675e8182588709cda7ccb94ebaaf8a3df3.exe (PID 2916)
  Command line: "C:\Users\Admin\AppData\Local\Temp\044c5577aaaea092dd5a213de19138675e8182588709cda7ccb94ebaaf8a3df3.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\TeamViewer\TeamViewer.exe (PID 1712)
    Command line: "C:\Users\Admin\AppData\Local\Temp\TeamViewer\TeamViewer.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - C:\Users\Admin\AppData\Local\Temp\TeamViewer\tv_w32.exe (PID 892)
      Command line: "C:\Users\Admin\AppData\Local\Temp\TeamViewer\tv_w32.exe" --action hooks --log C:\Users\Admin\AppData\Roaming\TeamViewer\TeamViewer15_Logfile.log
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Modifies data under HKEY_USERS
    - C:\Users\Admin\AppData\Local\Temp\TeamViewer\tv_x64.exe (PID 1396)
      Command line: "C:\Users\Admin\AppData\Local\Temp\TeamViewer\tv_x64.exe" --action hooks --log C:\Users\Admin\AppData\Roaming\TeamViewer\TeamViewer15_Logfile.log
      - Executes dropped EXE
      - Loads dropped DLL
      - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
- Modify Registry (1)
- Subvert Trust Controls (1)
- Install Root Certificate (1)
Credential Access
- Credentials from Password Stores (1)
- Credentials from Web Browsers (1)
- Unsecured Credentials (1)
- Credentials In Files (1)
Downloads