Analysis
max time kernel: 118s
max time network: 95s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15/01/2025, 23:02
Behavioral task
behavioral1
Sample: d0b80b82653285a86d54ecbdbb3dfa5a4eedf580288cdcdc77717c1548c26f36.exe
Resource: win7-20240903-en
General
Target: d0b80b82653285a86d54ecbdbb3dfa5a4eedf580288cdcdc77717c1548c26f36.exe
Size: 1.5MB
MD5: 0afecbd0a3caa90bf507df6162b8b89e
SHA1: ef4b5c7acfd436259b158cd341ad82192218dfcd
SHA256: d0b80b82653285a86d54ecbdbb3dfa5a4eedf580288cdcdc77717c1548c26f36
SHA512: 9779c28888c00dc99707e7a40c0a16ff7560bc75ba817bb8273395fdcbd5410b0ce07e89f55b793141e0fb912ae0f05392305219810a49ff9d9619a02911e2ee
SSDEEP: 24576:+2njEFW/SL0drqNWhzImvifsfEjK7PKPP+EbHMHus3ufK7fura6tuo4x527g:JngrwdrqIhzImvi0sFPP+EB1jtuF52k
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
Key value queried: \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation (process: d0b80b82653285a86d54ecbdbb3dfa5a4eedf580288cdcdc77717c1548c26f36.exe)
Executes dropped EXE (1 IoC)
PID 1172: TeamViewer.exe
Loads dropped DLL (9 IoCs)
PID 3188 (d0b80b82653285a86d54ecbdbb3dfa5a4eedf580288cdcdc77717c1548c26f36.exe): 8 dropped-DLL loads
PID 1172 (TeamViewer.exe): 1 dropped-DLL load
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials and similar secrets.
YARA rule "upx" matched in memory (2 IoCs)
resource: behavioral2/memory/3188-0-0x0000000000400000-0x0000000000434000-memory.dmp (yara rule: upx)
resource: behavioral2/memory/3188-63-0x0000000000400000-0x0000000000434000-memory.dmp (yara rule: upx)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: d0b80b82653285a86d54ecbdbb3dfa5a4eedf580288cdcdc77717c1548c26f36.exe)
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: TeamViewer.exe)
Modifies system certificate store (2 IoCs)
Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\742C3192E607E424EB4549542BE1BBC53E6174E2 (process: TeamViewer.exe)
Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\742C3192E607E424EB4549542BE1BBC53E6174E2\Blob = (certificate blob data omitted) (process: TeamViewer.exe)
Caveat: AuthRoot is the store that Windows' automatic root update fills on demand when crypt32 builds a chain to a trusted root it has not yet cached, so a dropped TeamViewer.exe making a TLS connection can produce this write without the sample installing a rogue root. Compare the thumbprint against the Microsoft Trusted Root Program list before treating it as an attacker-planted certificate.
Suspicious behavior: EnumeratesProcesses (2 IoCs)
PID 1172: TeamViewer.exe (2 occurrences)
Suspicious use of WriteProcessMemory (3 IoCs)
PID 3188 (d0b80b82653285a86d54ecbdbb3dfa5a4eedf580288cdcdc77717c1548c26f36.exe) wrote to memory of PID 1172 (TeamViewer.exe), procid_target 82 (3 occurrences)
Processes
1. C:\Users\Admin\AppData\Local\Temp\d0b80b82653285a86d54ecbdbb3dfa5a4eedf580288cdcdc77717c1548c26f36.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\d0b80b82653285a86d54ecbdbb3dfa5a4eedf580288cdcdc77717c1548c26f36.exe"
   PID: 3188
   - Checks computer location settings
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\temp\TeamViewer\Version4\TeamViewer.exe (child of PID 3188)
      command line: "C:\Users\Admin\temp\TeamViewer\Version4\TeamViewer.exe" --qsc --pw ""
      PID: 1172
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Modifies system certificate store
      - Suspicious behavior: EnumeratesProcesses
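The process tree and registry IoCs above, turned into detection logic as an added example (this is not part of the sandbox report and not the sandbox's own signature code). It runs three checks over constructed Sysmon-style events that mirror what the report shows: TeamViewer.exe executed from a user-writable path with the `--qsc --pw ""` arguments, a binary in a user Temp directory spawning it, and a non-system process writing under `SystemCertificates\AuthRoot\Certificates`. Field names follow the Sysmon schema; the PIDs, the explorer.exe parent and the benign Program Files TeamViewer event are assumptions. The Geo\Nation and NLS\Language registry reads are not covered because Sysmon records registry writes, not reads.

```python
import re

# Identifiers taken from the report's process tree and registry IoCs.
AUTHROOT_THUMBPRINT = "742C3192E607E424EB4549542BE1BBC53E6174E2"
SAMPLE_EXE = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\d0b80b82653285a86d54ecbdbb3dfa5a4eedf580288cdcdc77717c1548c26f36.exe")
DROPPED_TV = r"C:\Users\Admin\temp\TeamViewer\Version4\TeamViewer.exe"

# Constructed Sysmon-style events (EventID 1 = process create, 12 = registry key
# create, 13 = registry value set) that mirror the report. Field names follow the
# Sysmon schema; PIDs and the explorer.exe parent are illustrative assumptions.
EVENTS = [
    {"EventID": 1, "ProcessId": 3188, "Image": SAMPLE_EXE, "CommandLine": f'"{SAMPLE_EXE}"',
     "ParentProcessId": 600, "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "ProcessId": 1172, "Image": DROPPED_TV,
     "CommandLine": f'"{DROPPED_TV}" --qsc --pw ""',
     "ParentProcessId": 3188, "ParentImage": SAMPLE_EXE},
    {"EventID": 12, "ProcessId": 1172, "Image": DROPPED_TV, "EventType": "CreateKey",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates"
                     + "\\" + AUTHROOT_THUMBPRINT},
    {"EventID": 13, "ProcessId": 1172, "Image": DROPPED_TV, "EventType": "SetValue",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates"
                     + "\\" + AUTHROOT_THUMBPRINT + r"\Blob"},
    # Benign noise (assumed): a TeamViewer installed under Program Files must not fire.
    {"EventID": 1, "ProcessId": 4000, "Image": r"C:\Program Files\TeamViewer\TeamViewer.exe",
     "CommandLine": r'"C:\Program Files\TeamViewer\TeamViewer.exe"',
     "ParentProcessId": 600, "ParentImage": r"C:\Windows\explorer.exe"},
]

USER_PROFILE = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\", re.IGNORECASE)
AUTHROOT_KEY = re.compile(
    r"\\SystemCertificates\\AuthRoot\\Certificates\\([0-9A-F]{40})(\\Blob)?$", re.IGNORECASE)
EMPTY_PW = re.compile(r'--pw\s+""(\s|$)')


def is_user_writable(path: str) -> bool:
    """True for images under C:\\Users\\<name>\\ (Temp, Downloads, ...), where a
    dropped binary lives; Program Files and Windows paths return False."""
    return bool(USER_PROFILE.match(path))


def detect(events):
    """Return de-duplicated (rule, pid, detail) tuples for events that match the
    three behaviours the report's process tree and registry IoCs show."""
    findings = []
    for e in events:
        if e["EventID"] == 1:
            img, cmd = e["Image"], e.get("CommandLine", "")
            parent = e.get("ParentImage", "")
            is_tv = img.lower().endswith("\\teamviewer.exe")
            # Rule 1: TeamViewer run from a user-writable path with --qsc and an empty --pw
            if is_tv and is_user_writable(img) and "--qsc" in cmd and EMPTY_PW.search(cmd):
                findings.append(("tv_qsc_empty_pw_from_user_path", e["ProcessId"], cmd))
            # Rule 2: a binary in a user Temp directory spawning TeamViewer (the report's tree)
            if is_tv and is_user_writable(parent) and "\\temp\\" in parent.lower():
                findings.append(("rat_spawned_from_temp", e["ProcessId"], parent))
        elif e["EventID"] in (12, 13):
            m = AUTHROOT_KEY.search(e.get("TargetObject", ""))
            # Rule 3: a process outside Program Files/Windows writing an AuthRoot certificate
            if m and is_user_writable(e["Image"]):
                findings.append(("authroot_cert_written", e["ProcessId"], m.group(1).upper()))
    # EventID 12 and 13 both hit the same key; keep one finding per (rule, pid, detail).
    return list(dict.fromkeys(findings))


if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print(f"{rule:32} pid={pid} {detail}")
```

Rule 3 deliberately keys on the writing process rather than the thumbprint: the same AuthRoot key can be populated by Windows' own root update during a legitimate chain build, so the process image path is what separates a dropped binary from crypt32 doing its job.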
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
- Modify Registry (1)
- Subvert Trust Controls (1)
  - Install Root Certificate (1)
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)
Downloads

Filesize: 456KB
MD5: 9459a28dbb2752d59eaa8fbb5cf8c982
SHA1: 4ad7eb230cf6d05df967037225fa19dd385bf7cb
SHA256: 4688dcd01db816485a770cb8fc047fef9a408f3dbec5a2c83752fee115ce6963
SHA512: 7dff6414f4215aa4c7a168158b4ac5dd422c7dd35c6af58bce658c6bf9bf5a3545a5ee0db5f5d47a17c7ae53cb54551b98b492137e36c73e684b2041d775cd97

Filesize: 10KB
MD5: cfbae93f361e2b430743e423709a483f
SHA1: 9d31546592a9e6817025cc5026fee769e9a6c015
SHA256: 0f4aac375087f0a5df393d7463bd462193008922136a2aba8619736223ba7add
SHA512: 485bc9c83087a1a6f48a5508ee390384c2db93b9d50c295280337dad78b47f65aaa0caea8d6d23ef25f86b73cd2e724cb88a738f6b53037e47225c6522f912b3

Filesize: 6KB
MD5: 409b195108f014b032eb5dd36ca17a12
SHA1: 4544950c7c081fb0aeba7971bcf46f2761430f4e
SHA256: 52b487ff38814953eae017f2751f8e2fed7284f6faa250266cbd8d749547695f
SHA512: fe981570f6642933c36bbd7b1fef0d7e469600d44ea9e3b94ad94e1b6bb81c98c74c0d1c8673385443daaa3750de4e7eedc49aaf38ccc56c09e2d141e27068db

Filesize: 3.7MB
MD5: e15725a55477504ac78a4760b86c7ea3
SHA1: 4ce4ff8d2417c10793c072b1534f4e4a42d10ba6
SHA256: 81f725fcf5faace66c3bc3ef72468bd80597b5f4474a4441bce4c665e4dac6d4
SHA512: 0ce320063a646e81e9750b92e21f91e6a74ab9b296a2163c2e51dbd432b0aac11859b63904dc22abe29572eafa9eac9c5f574de42f9206f577fc6a22b137013f

Filesize: 542B
MD5: 78a6846fe5b1a88197638158ff477b46
SHA1: 72d8fdd39917b2523a250da57b455eac83bc2574
SHA256: 5d73a02cce54639cb68303515b551e7203151fb3cb6db7eba6094a4a381a7534
SHA512: 1f0817267d3a077bba1e66da2658045f1f65e00ac0a6c8c6179a27dfc615d233c03bf6acc2c3cd87b78d4014e8a9af84bcbe9a2c88cd98ec7ab14909f42d93b3

Filesize: 39KB
MD5: 36b0c93bfad92bafa45960e6386b0cec
SHA1: ef6f2e3c3ab2038e16a000bcdb341a9e94e9cdb2
SHA256: 01742bf0894f1f86bcd4200d8d26b254248e99f9d656993b93bd3b5c553b0cc0
SHA512: 6ac361bc1b556156123d5d8720992a7522600ebf883c6747deb560f9ebfd4746640c6f8d104ffcf71f7c6bf5832145f6921ca38e8ed685d852bee9c10db9ebc6

Filesize: 96KB
MD5: 5a3ebc8826fb07feb11f48a86a1eaed1
SHA1: de801f5968c29a7078740e45aa340b862ec70c55
SHA256: 28f18a801edc53df266168bb47f8d9ff3b98cbb6e2c84fa042c7591213a6f3f1
SHA512: edab11c5740799d58fdd0799d0f86c50e0ad53d32904da5d86fc81a13da32a454085e2d5a05473b771580fd13ba1fb64cd0d6794244f3369a154ff5ed52d669b
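A host-side triage script, added here as an example and not part of the sandbox report, that checks a Windows machine for the artifacts this report lists: the sample's SHA256 and the seven dropped-file hashes above, the AuthRoot thumbprint from the certificate-store signature, the per-user `temp\TeamViewer\Version4\TeamViewer.exe` drop path, and a running TeamViewer.exe launched with `--qsc --pw ""`. It assumes it is run elevated; `$SearchRoots` (the directories to hash) is an assumption, since the report does not say where the dropped files were written.

```powershell
# Added triage script (not part of the sandbox report). Run elevated on the suspect host.
$SampleSha256 = 'd0b80b82653285a86d54ecbdbb3dfa5a4eedf580288cdcdc77717c1548c26f36'
$DroppedSha256 = @(
    '4688dcd01db816485a770cb8fc047fef9a408f3dbec5a2c83752fee115ce6963',
    '0f4aac375087f0a5df393d7463bd462193008922136a2aba8619736223ba7add',
    '52b487ff38814953eae017f2751f8e2fed7284f6faa250266cbd8d749547695f',
    '81f725fcf5faace66c3bc3ef72468bd80597b5f4474a4441bce4c665e4dac6d4',
    '5d73a02cce54639cb68303515b551e7203151fb3cb6db7eba6094a4a381a7534',
    '01742bf0894f1f86bcd4200d8d26b254248e99f9d656993b93bd3b5c553b0cc0',
    '28f18a801edc53df266168bb47f8d9ff3b98cbb6e2c84fa042c7591213a6f3f1'
)
$Thumbprint = '742C3192E607E424EB4549542BE1BBC53E6174E2'
$findings = @()

# 1. Certificate store: the dropped TeamViewer.exe wrote this AuthRoot entry in the sandbox.
#    Report both the raw registry key and what the cert provider resolves it to, so the
#    subject can be compared with the Microsoft Trusted Root Program list.
$certKey = "HKLM:\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\$Thumbprint"
if (Test-Path $certKey) { $findings += "AuthRoot registry entry present: $Thumbprint" }
$cert = Get-ChildItem Cert:\LocalMachine\AuthRoot | Where-Object { $_.Thumbprint -eq $Thumbprint }
if ($cert) { $findings += "AuthRoot certificate subject: $($cert.Subject)" }

# 2. Drop location from the process tree, checked under every user profile.
foreach ($userDir in Get-ChildItem 'C:\Users' -Directory) {
    $tv = Join-Path $userDir.FullName 'temp\TeamViewer\Version4\TeamViewer.exe'
    if (Test-Path $tv) { $findings += "Dropped TeamViewer found: $tv" }
}

# 3. Live process: TeamViewer.exe started with --qsc and an empty --pw, as in the report.
Get-CimInstance Win32_Process -Filter "Name='TeamViewer.exe'" | ForEach-Object {
    if ($_.CommandLine -match '--qsc' -and $_.CommandLine -match '--pw\s+""') {
        $findings += "Running TeamViewer.exe PID $($_.ProcessId): $($_.CommandLine)"
    }
}

# 4. Hash sweep for the sample and the seven dropped files. $SearchRoots is an assumption.
$SearchRoots = @("$env:LOCALAPPDATA\Temp", "$env:USERPROFILE\temp")
$known = [System.Collections.Generic.HashSet[string]]::new([string[]]($DroppedSha256 + $SampleSha256))
Get-ChildItem -Path $SearchRoots -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
    $h = (Get-FileHash -Algorithm SHA256 -Path $_.FullName -ErrorAction SilentlyContinue).Hash
    if ($h -and $known.Contains($h.ToLower())) { $findings += "Known hash $($h.ToLower()) at $($_.FullName)" }
}

if ($findings.Count -eq 0) { 'No artifacts from this report found.' } else { $findings }
```

A hit on check 1 alone is weak evidence, for the reason given under the certificate-store signature; a hit on checks 2, 3 or 4 is the actionable one. Widen `$SearchRoots` to the whole user profile if the first sweep comes back empty on a host you already suspect.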