Analysis

  • max time kernel
    149s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    21-11-2024 08:37

General

  • Target

    044c5577aaaea092dd5a213de19138675e8182588709cda7ccb94ebaaf8a3df3.exe

  • Size

    18.2MB

  • MD5

    1fe6953cfe807f836f5d651562a8a780

  • SHA1

    54b01acdcc8f1bb05ce8eb055d6d92d52e681ee8

  • SHA256

    044c5577aaaea092dd5a213de19138675e8182588709cda7ccb94ebaaf8a3df3

  • SHA512

    f7d2c44f9d53abe6071edfcd0b66f81e9b4ee763709aaa1f36dbc96b7d7b74bef1ed3c98d1fb6980f02791433a4fbbe88374b7a18024d6796600127ec1a0b406

  • SSDEEP

    393216:4vIDnftIjroMG8hgpZ/fxTAcn3rzhOj9XQFsE:4vIDlSUMG3zxZ3rNOxgt

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 24 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies system certificate store 2 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\044c5577aaaea092dd5a213de19138675e8182588709cda7ccb94ebaaf8a3df3.exe
    "C:\Users\Admin\AppData\Local\Temp\044c5577aaaea092dd5a213de19138675e8182588709cda7ccb94ebaaf8a3df3.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2916
    • C:\Users\Admin\AppData\Local\Temp\TeamViewer\TeamViewer.exe
      "C:\Users\Admin\AppData\Local\Temp\TeamViewer\TeamViewer.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:1712
      • C:\Users\Admin\AppData\Local\Temp\TeamViewer\tv_w32.exe
        "C:\Users\Admin\AppData\Local\Temp\TeamViewer\tv_w32.exe" --action hooks --log C:\Users\Admin\AppData\Roaming\TeamViewer\TeamViewer15_Logfile.log
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Modifies data under HKEY_USERS
        PID:892
      • C:\Users\Admin\AppData\Local\Temp\TeamViewer\tv_x64.exe
        "C:\Users\Admin\AppData\Local\Temp\TeamViewer\tv_x64.exe" --action hooks --log C:\Users\Admin\AppData\Roaming\TeamViewer\TeamViewer15_Logfile.log
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Modifies data under HKEY_USERS
        PID:1396

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Cab1086.tmp

    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\Local\Temp\TeamViewer\TV_w32.dll

    Filesize

    414KB

    MD5

    e0df893281227746a41ebaced6967a3c

    SHA1

    9e5a819290b88e5384949ddca7fe24888c994842

    SHA256

    321a0640c0a25d26497aa632af8420e164fcdcaea00c5f07e8b8a7ddc9a466b8

    SHA512

    a9c8efec5754b050419327eae6af6db6d48acc1189176cc4ade4516a181af86c4809e937c92a2d4f93340dc8262ab2d8a631fc39bd7f739138a490d34f552669

  • C:\Users\Admin\AppData\Local\Temp\TeamViewer\TV_w32.exe

    Filesize

    337KB

    MD5

    eb84e8c922f79023b0b4fb5e5ef02648

    SHA1

    f6c3a35fb741eee701e900a8ba6c29072622dfc9

    SHA256

    455c4734a7496a3936651de9c1ca25e9d39246e1a5c040db6fe68646f94664b1

    SHA512

    722254048f6e2b01c51172bec8fc9a70bcc8543d5cc3db93d90d9c2865515926a744aaaf578d71676658339937abadd1b17f2bbc8d1cf82d4583085ca6b01f85

  • C:\Users\Admin\AppData\Local\Temp\TeamViewer\TV_x64.dll

    Filesize

    527KB

    MD5

    82ba1cf2601d4354c1a240dc34aa61ce

    SHA1

    92cbb732030ac7f3691110ab72d7dc602d90f559

    SHA256

    780743609d97c03f9a584a424f772d537c132b4d542b1d256b485505d8151519

    SHA512

    913b698e3efb096f1317b82c8e11dcbf2afc830ad62995b1eef9a9d2c775bc5aee1997a51b1715f947f578f98166b0c880a0fd5db152738fb19ec644bb74a8cf

  • C:\Users\Admin\AppData\Local\Temp\TeamViewer\TV_x64.exe

    Filesize

    403KB

    MD5

    6b4b69f8a5b48b893bee59fb5910e9a9

    SHA1

    bcf7efd86ec6f1adc29344852251d7247dffb49f

    SHA256

    a0710f17f651dc5439d0412fbd634f9743a7a997c883d9a5d798891b37e8adb0

    SHA512

    c62da0bdee4fe11eb2ccc2ae6338d879d6720f090f814b728cb0f74375c7172c4b1ed164b3664e4221bfd925a2287ae5eda37f9de24233a098289b4bc3b25ec7

  • C:\Users\Admin\AppData\Local\Temp\TeamViewer\TeamViewer_StaticRes.dll

    Filesize

    6.5MB

    MD5

    ef12cf1f76438c0bb0c578c139ef6dea

    SHA1

    d4abc9931c8e81898d063cd5b79e0d12e5532732

    SHA256

    03be082eb66a3083d8f22a534ff1307d2e642646887565f9c0cd2db48ce45a2b

    SHA512

    294a1cf7567e5902382842e8b56d9c42c67f86642f98d0c08bd9fd51c8c9eec674ea02b8a1802148d83cf9d1e028cecea66fa68f9397e421059151a46651db2d

  • C:\Users\Admin\AppData\Local\Temp\TeamViewer\tvinfo.ini

    Filesize

    94B

    MD5

    7505588f0ac71f1e313828c932128514

    SHA1

    2978f9a5ad376040ca0ada0f44755b81c3a225a7

    SHA256

    1d9cd38aa5a5d75dfd93df596cad8af0b01d72d776ddffd6ebc3d3825a764281

    SHA512

    6f1e3555fc6e7c570fb80dff8ddf50ae67d08f327712d339477de912329a55f2e019c2912fb142becc20a091eaf8c6d9e202d59b135aa16b3e75c26d38f84b19

  • C:\Users\Admin\AppData\Local\Temp\nsyC5E0.tmp\TvGetVersion.dll

    Filesize

    224KB

    MD5

    6ea2ec55f6f06468ee2c42a91bdd2e53

    SHA1

    f78eee0d1fa4f3995d6fc103089ba5561b9028b5

    SHA256

    9675e04270294129d6d199ebb06f62b10abc08a0742bd7e5b776187252b02a39

    SHA512

    ff2d9eefda7e069e4f9fca75cf1841dab81efd17d87ce326a7c05b7818743f398c4ee3159adf2bd8f5ac9a3ba9dfd902263dba4fd68a12a68ce78fd3493f1463

  • C:\Users\Admin\AppData\Roaming\TeamViewer\TeamViewer15_Logfile.log

    Filesize

    7KB

    MD5

    cd1c403f3bca42f66756aa4ca45dad59

    SHA1

    781e59d58b601f105f836b8d063d7271828cad29

    SHA256

    c895cc4f46f338f2ed90cf6e7b58770c3c80fe9524105e93885052de799ec6a4

    SHA512

    1e31c50f63cb2d20920041d6b6c662c75e51a90bb769404e9f35cdf449409ede224952eaf78f81376cdae54ccd74bd8eec6b972c4dab6242eba6131e67218e63

  • C:\Users\Admin\AppData\Roaming\TeamViewer\TeamViewer15_Logfile.log

    Filesize

    8KB

    MD5

    9c7c507f5d7549401da1a724468afd94

    SHA1

    f55061535dcb087d521bb51dbf69d8bdbbbea968

    SHA256

    d4a731f8b2f645d08284c010f94cf160c228f80797e8dce161e2b9079fae3ff7

    SHA512

    b4e8f15340b830971022c899f686a0100afc494fef994e13e74e1a136229624ad06df0d5e1ca1f9cbbbb59b5efc791009a2001486e8a9075562bb1c51d4c5689

  • \Users\Admin\AppData\Local\Temp\TeamViewer\TeamViewer.exe

    Filesize

    35.4MB

    MD5

    da10b2ff635ce44295c8c02cb6873a90

    SHA1

    9d8fa5e6f0e1625ec6cbc9f70b71e3373c800924

    SHA256

    e8d07ac7f56642bfbfaffb80960557eae51c0116358ac100d8a6a64b9c1d0dfb

    SHA512

    fbe71897fc26d15fb8593cf68d48e3c29c0432004611624247ecc0bd97287816642eb32fd3a4e9724b747c38f1d9d4f9e4113cb9782808d7b1ed56fb40ee30e7

  • \Users\Admin\AppData\Local\Temp\TeamViewer\TeamViewer_Resource_de.dll

    Filesize

    400KB

    MD5

    449c267416e617379ec332ee304f50b5

    SHA1

    db49249b7679fd8025639c0f2b4aaa6f5e97caa2

    SHA256

    bc1b81a0363608c50db2a6e31541024dc03273ef147be0abd1c41bd429871534

    SHA512

    ef3394484de8f855425c1ce4d73d4f28c31f3aaa661120b39363637b8e7ec5a9601bfa5ef4d5836c8fc1b31a5b86e94da73c2de35ad49f8f381ce49ff140da21

  • \Users\Admin\AppData\Local\Temp\TeamViewer\TeamViewer_Resource_en.dll

    Filesize

    349KB

    MD5

    a3d439ecc28616d1ddf6997877832c0a

    SHA1

    7214c73359edd90fe5b591e00da812811bc3850c

    SHA256

    5d7dad1d8aba2e521b597a0ccfe90848e15871dd979fda5358e3f2156a83e260

    SHA512

    70f183dcd8d3b8fa6fc2d96d5034faa77bbe1a9c4e37af656e2cf9e9ae2445960949151a3862fed86606fa3a147700be414fe5b57fc1677cfef9ad1057e48d5e

  • \Users\Admin\AppData\Local\Temp\nsyC5E0.tmp\System.dll

    Filesize

    11KB

    MD5

    0ff2d70cfdc8095ea99ca2dabbec3cd7

    SHA1

    10c51496d37cecd0e8a503a5a9bb2329d9b38116

    SHA256

    982c5fb7ada7d8c9bc3e419d1c35da6f05bc5dd845940c179af3a33d00a36a8b

    SHA512

    cb5fc0b3194f469b833c2c9abf493fcec5251e8609881b7f5e095b9bd09ed468168e95dda0ba415a7d8d6b7f0dee735467c0ed8e52b223eb5359986891ba6e2e

  • \Users\Admin\AppData\Local\Temp\nsyC5E0.tmp\nsDialogs.dll

    Filesize

    9KB

    MD5

    d6c3dd680c6467d07d730255d0ee5d87

    SHA1

    57e7a1d142032652256291b8ed2703b3dc1dfa9b

    SHA256

    aedb5122c12037bcf5c79c2197d1474e759cf47c67c37cdb21cf27428854a55b

    SHA512

    c28613d6d91c1f1f7951116f114da1c49e5f4994c855e522930bb4a8bdd73f12cadf1c6dcb84fc8d9f983ec60a40ac39522d3f86695e17ec88da4bd91c7b6a51

  • \Users\Admin\AppData\Local\Temp\nsyC5E0.tmp\nsis7z.dll

    Filesize

    175KB

    MD5

    87853c0f20f065793bdc707ece66190b

    SHA1

    738e11a9a565923ec75400a0cd4bce4db257b21d

    SHA256

    66b2f36274ddfeef35b1d6ae6e5755f834446e5d78a719063347543793987161

    SHA512

    febfcd11795f4ef0ff3d25cbf1856be01e7f6423a9f16028c927988c04ab21de5f0b076d7f4ce9294aa7603c0db61ea5ffb888af2e9f7c6a6a11bcabfe9795a2

  • memory/1712-228-0x0000000004F70000-0x0000000004F7A000-memory.dmp

    Filesize

    40KB

  • memory/1712-227-0x0000000004F70000-0x0000000004F7A000-memory.dmp

    Filesize

    40KB

  • memory/1712-229-0x0000000004F70000-0x0000000004F7A000-memory.dmp

    Filesize

    40KB

  • memory/2916-23-0x00000000003E4000-0x00000000003E5000-memory.dmp

    Filesize

    4KB

  • memory/2916-22-0x00000000003F0000-0x00000000003F1000-memory.dmp

    Filesize

    4KB

  • memory/2916-25-0x00000000003E4000-0x00000000003E5000-memory.dmp

    Filesize

    4KB

  • memory/2916-36-0x00000000004D0000-0x0000000000502000-memory.dmp

    Filesize

    200KB