c8db62bed2305b35860ba601c926f664da5c49cb58db6e364f0ed2805af511f0

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
10/12/2024, 02:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MSTeamsSetup.exe
Size

1.4MB
MD5

7ee6219d0f497752aa7f1c129ca50bc1
SHA1

68bec1b6c594b6bdaf74b4062e4b3c477aa6a1ad
SHA256

c8db62bed2305b35860ba601c926f664da5c49cb58db6e364f0ed2805af511f0
SHA512

a91760aeb550d5683ce0222f40addb3507b79ccf10199c6c5a4773d3b3fc0bcf874360202bfcdca0871da5efe94b94b24fecb72dd5ebeca02939928c5a534094
SSDEEP

24576:E9Yu8GgnSf7uw7J8qyKD0OIqKT//pIgl6A5H2TuDWkd3WZZ7SuW42C7Z32o3:zGMo7NSK/Iqwp/6A5Wgz501SuWYZ3V

Score

4^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2084	Update.exe

Loads dropped DLL 1 IoCs

pid	Process
2340	MSTeamsSetup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSTeamsSetup.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2076	NOTEPAD.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2084	Update.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2340 wrote to memory of 2084	2340	MSTeamsSetup.exe	30
PID 2340 wrote to memory of 2084	2340	MSTeamsSetup.exe	30
PID 2340 wrote to memory of 2084	2340	MSTeamsSetup.exe	30
PID 2340 wrote to memory of 2084	2340	MSTeamsSetup.exe	30
PID 2340 wrote to memory of 2084	2340	MSTeamsSetup.exe	30
PID 2340 wrote to memory of 2084	2340	MSTeamsSetup.exe	30
PID 2340 wrote to memory of 2084	2340	MSTeamsSetup.exe	30
PID 2340 wrote to memory of 2076	2340	MSTeamsSetup.exe	32
PID 2340 wrote to memory of 2076	2340	MSTeamsSetup.exe	32
PID 2340 wrote to memory of 2076	2340	MSTeamsSetup.exe	32
PID 2340 wrote to memory of 2076	2340	MSTeamsSetup.exe	32

C:\Users\Admin\AppData\Local\Temp\MSTeamsSetup.exe
"C:\Users\Admin\AppData\Local\Temp\MSTeamsSetup.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2340
- C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
  "C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe" --install . --exeName=MSTeamsSetup.exe --bootstrapperMode
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2084
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\SquirrelTemp\SquirrelSetup.log
  2⤵
  - System Location Discovery: System Language Discovery
  - Opens file in notepad (likely ransom note)
  PID:2076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\SquirrelTemp\SquirrelSetup.log

Filesize
3KB

MD5
3ddbb9c0fd8318ae6ca8e64a1ba0a126

SHA1
81c94e72c849495d6a1ec2bde729df15ac124f18

SHA256
e78143f87f8bc5142aad0a8c4812675e9066a0508886a255883d11e27e1be7df

SHA512
a09ea6e4b267e7cc9063deb3253c8e48bccd8424ec6c9180fa2d9b9242c8286c5d82105ef9f09f7d91849971679c6775e4a57228911d25f34dc327b9e392bd83

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\endpoint.json

Filesize
610B

MD5
34b2a3afe7ae8ad113f54e64d2f62111

SHA1
c0afa4727bab161b777363fd49225d7ef084c16e

SHA256
1578d085af8165ef971cbb88d327e07c2b82c34eff379fcb2ab030a188b2981d

SHA512
d6a8a70603157f0cf4b4d2a2992b8082d30e35aab7e47f973e8bde5841dc5528f7a62a8d3889093343f0a806a1161965126140345ffcb4cb0dbd36e56f155720

Download Submit
\Users\Admin\AppData\Local\SquirrelTemp\Update.exe

Filesize
2.5MB

MD5
b690b2420b21107e633b4e325768c1d0

SHA1
8f3faaab9eb83af7eb1c9963230e5980642c1dfb

SHA256
1f2a34f84b7f4171bcd0d40c80acee8aef0d9dc3529deb3e372bae180f571c14

SHA512
64b900fb5cefb8dec747c768061ea95d4ae2202127ae41cad46a59ab5e5cdfaaa78743d6383241a124e3ee4e2015566eb8f05285e16c12669745e23d293c90f6

Download Submit
memory/2084-9-0x0000000073D8E000-0x0000000073D8F000-memory.dmp

Filesize
4KB

Download
memory/2084-10-0x0000000000DE0000-0x000000000105A000-memory.dmp

Filesize
2.5MB

Download
memory/2084-11-0x0000000000360000-0x000000000036A000-memory.dmp

Filesize
40KB

Download
memory/2084-12-0x0000000073D80000-0x000000007446E000-memory.dmp

Filesize
6.9MB

Download
memory/2084-19-0x0000000073D80000-0x000000007446E000-memory.dmp

Filesize
6.9MB

Download
memory/2340-20-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download