Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Aug. 5, 2024, 9:26 a.m.	Aug. 5, 2024, 9:29 a.m.

Size	3.5MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed, Nullsoft Installer self-extracting archive
MD5	`80686d8a775b129d069d232978b94248`
SHA256	`1a87e111bfd5d1b730faa9f7f77f3e0d85eb9c3c8679d7f90c7160d1c989cb3d`
CRC32	`17FC74C0`
ssdeep	`98304:QMhCAKEwXPrQquKa0ce0ol1z1XMGgVOWTyGYKHiehURADe:Q7WKaHe0ol19Zede`
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description) UPX_Zero - UPX packed file

qs.exe "C:\Users\test22\AppData\Local\Temp\qs.exe"
2564
- TeamViewer.exe "C:\Users\test22\AppData\Local\Temp\TeamViewer\Version6\TeamViewer.exe"
  2688

Name	Response	Post-Analysis Lookup
ping3.dyngate.com
master16.teamviewer.com	A 185.188.32.26	185.188.32.26

IP Address	Status	Action
164.124.101.2	Active	Moloch
185.188.32.26	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49177 -> 185.188.32.26:80	2009475	ET POLICY TeamViewer Dyngate User-Agent	Potential Corporate Privacy Violation

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Aug. 5, 2024, 9:26 a.m.	computer_name: TEST22-PC	1	1	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 5, 2024, 9:26 a.m.		1	1	0

The executable uses a known packer (1 event)

packer

UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser

Starts servers listening (6 events)

Time & API	Arguments	Status	Return
bind Aug. 5, 2024, 9:26 a.m.	ip_address: 127.0.0.1 socket: 868 port: 0	1	0
listen Aug. 5, 2024, 9:26 a.m.	socket: 868 backlog: 2147483647	1	0
accept Aug. 5, 2024, 9:26 a.m.	ip_address: socket: 868 port: 0	1	884
bind Aug. 5, 2024, 9:26 a.m.	ip_address: 127.0.0.1 socket: 6108 port: 6039	1	0
listen Aug. 5, 2024, 9:26 a.m.	socket: 6108 backlog: 2147483647	1	0
bind Aug. 5, 2024, 9:26 a.m.	ip_address: 0.0.0.0 socket: 7064 port: 0	1	0

Performs some HTTP requests (3 events)

request	GET http://master16.teamviewer.com/din.aspx?s=00000000&id=0&client=DynGate&rnd=142693444&p=10000001
request	GET http://master16.teamviewer.com/dout.aspx?s=59766239&p=10000001&client=DynGate&data=FyQSkwCjHqkys5MkoZ6bHJmbmxubnJMkoh6YEyY3s7O0tzOemJMmoKGemDwcmjIymRucMZmZG5ovmLGwmBoZmLMyHDCxGLIxr5kYHBsbG5qbGRyTJqSiHpg8HJoyMpkbnDGZmRuaL5ixsJgaGZizMhwwsRiyMa+ZGBwbGxuamxkckyepnqu0txuTKx6bFxgXHJyaG5AoqaE=
request	GET http://master16.teamviewer.com/din.aspx?s=59766239&id=0&client=DynGate&p=10000002

Allocates read-write-execute memory (usually to unpack itself) (4 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Aug. 5, 2024, 9:26 a.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10004000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 5, 2024, 9:26 a.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10004000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 5, 2024, 9:26 a.m.	process_identifier: 2688 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x035a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 5, 2024, 9:26 a.m.	process_identifier: 2688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x734c2000 process_handle: 0xffffffff	1

Steals private information from local Internet browsers (1 event)

file	C:\Users\test22\AppData\Roaming\Opera\Opera\operaprefs.ini

Creates executable files on the filesystem (30 events)

file	C:\Users\test22\AppData\Local\Temp\TeamViewer\Version6\TeamViewer_Resource_es.dll
file	C:\Users\test22\AppData\Local\Temp\TeamViewer\Version6\TeamViewer_Resource_sv.dll
file	C:\Users\test22\AppData\Local\Temp\TeamViewer\Version6\TeamViewer_Resource_pt.dll
file	C:\Users\test22\AppData\Local\Temp\TeamViewer\Version6\tv_x64.exe
file	C:\Users\test22\AppData\Local\Temp\TeamViewer\Version6\TeamViewer_Resource_it.dll
file	C:\Users\test22\AppData\Local\Temp\TeamViewer\Version6\tv_w32.exe
file	C:\Users\test22\AppData\Local\Temp\TeamViewer\Version6\tv_x64.dll
file	C:\Users\test22\AppData\Local\Temp\TeamViewer\Version6\TeamViewer_Resource_ar.dll
file	C:\Users\test22\AppData\Local\Temp\TeamViewer\Version6\TeamViewer_Resource_tr.dll
file	C:\Users\test22\AppData\Local\Temp\TeamViewer\Version6\TeamViewer_Desktop.exe
file	C:\Users\test22\AppData\Local\Temp\TeamViewer\Version6\TeamViewer_Resource_da.dll
file	C:\Users\test22\AppData\Local\Temp\TeamViewer\Version6\tv_w32.dll
file	C:\Users\test22\AppData\Local\Temp\nsxEF63.tmp\TvGetVersion.dll
file	C:\Users\test22\AppData\Local\Temp\TeamViewer\Version6\TeamViewer_Resource_fr.dll
file	C:\Users\test22\AppData\Local\Temp\TeamViewer\Version6\TeamViewer_Resource_de.dll
file	C:\Users\test22\AppData\Local\Temp\nsxEF63.tmp\System.dll
file	C:\Users\test22\AppData\Local\Temp\TeamViewer\Version6\TeamViewer_Resource_ko.dll
file	C:\Users\test22\AppData\Local\Temp\TeamViewer\Version6\TeamViewer_Resource_cs.dll
file	C:\Users\test22\AppData\Local\Temp\nsxEF63.tmp\nsis7z.dll
file	C:\Users\test22\AppData\Local\Temp\TeamViewer\Version6\TeamViewer_Resource_en.dll
file	C:\Users\test22\AppData\Local\Temp\TeamViewer\Version6\TeamViewer_Resource_ru.dll
file	C:\Users\test22\AppData\Local\Temp\TeamViewer\Version6\TeamViewer_Service.exe
file	C:\Users\test22\AppData\Local\Temp\TeamViewer\Version6\TeamViewer_Resource_fi.dll
file	C:\Users\test22\AppData\Local\Temp\TeamViewer\Version6\TeamViewer_Resource_pl.dll
file	C:\Users\test22\AppData\Local\Temp\TeamViewer\Version6\TeamViewer_Resource_ja.dll
file	C:\Users\test22\AppData\Local\Temp\nsxEF63.tmp\ReadCustomerData.dll
file	C:\Users\test22\AppData\Local\Temp\TeamViewer\Version6\TeamViewer_Resource_no.dll
file	C:\Users\test22\AppData\Local\Temp\TeamViewer\Version6\TeamViewer_Resource_zh.dll
file	C:\Users\test22\AppData\Local\Temp\TeamViewer\Version6\TeamViewer.exe
file	C:\Users\test22\AppData\Local\Temp\TeamViewer\Version6\TeamViewer_Resource_nl.dll

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\TeamViewer\Version6\TeamViewer.exe

Drops an executable to the user AppData folder (28 events)

file	C:\Users\test22\AppData\Local\Temp\nsxEF63.tmp\nsis7z.dll
file	C:\Users\test22\AppData\Local\Temp\TeamViewer\Version6\TeamViewer_Resource_ko.dll
file	C:\Users\test22\AppData\Local\Temp\TeamViewer\Version6\TeamViewer_Resource_ar.dll
file	C:\Users\test22\AppData\Local\Temp\TeamViewer\Version6\TeamViewer_Resource_nl.dll
file	C:\Users\test22\AppData\Local\Temp\TeamViewer\Version6\TeamViewer_Resource_pl.dll
file	C:\Users\test22\AppData\Local\Temp\TeamViewer\Version6\TeamViewer.exe
file	C:\Users\test22\AppData\Local\Temp\TeamViewer\Version6\TeamViewer_Resource_zh.dll
file	C:\Users\test22\AppData\Local\Temp\nsxEF63.tmp\System.dll
file	C:\Users\test22\AppData\Local\Temp\TeamViewer\Version6\TeamViewer_Resource_fi.dll
file	C:\Users\test22\AppData\Local\Temp\TeamViewer\Version6\TeamViewer_Resource_fr.dll
file	C:\Users\test22\AppData\Local\Temp\TeamViewer\Version6\TeamViewer_Resource_tr.dll
file	C:\Users\test22\AppData\Local\Temp\nsxEF63.tmp\ReadCustomerData.dll
file	C:\Users\test22\AppData\Local\Temp\nsxEF63.tmp\TvGetVersion.dll
file	C:\Users\test22\AppData\Local\Temp\TeamViewer\Version6\TeamViewer_Resource_ru.dll
file	C:\Users\test22\AppData\Local\Temp\TeamViewer\Version6\TeamViewer_Resource_de.dll
file	C:\Users\test22\AppData\Local\Temp\TeamViewer\Version6\TeamViewer_Resource_sv.dll
file	C:\Users\test22\AppData\Local\Temp\TeamViewer\Version6\TeamViewer_Resource_cs.dll
file	C:\Users\test22\AppData\Local\Temp\TeamViewer\Version6\TeamViewer_Resource_da.dll
file	C:\Users\test22\AppData\Local\Temp\TeamViewer\Version6\TeamViewer_Resource_en.dll
file	C:\Users\test22\AppData\Local\Temp\TeamViewer\Version6\tv_w32.exe
file	C:\Users\test22\AppData\Local\Temp\TeamViewer\Version6\TeamViewer_Desktop.exe
file	C:\Users\test22\AppData\Local\Temp\TeamViewer\Version6\TeamViewer_Resource_ja.dll
file	C:\Users\test22\AppData\Local\Temp\TeamViewer\Version6\TeamViewer_Resource_it.dll
file	C:\Users\test22\AppData\Local\Temp\TeamViewer\Version6\TeamViewer_Resource_no.dll
file	C:\Users\test22\AppData\Local\Temp\TeamViewer\Version6\TeamViewer_Resource_pt.dll
file	C:\Users\test22\AppData\Local\Temp\TeamViewer\Version6\tv_w32.dll
file	C:\Users\test22\AppData\Local\Temp\TeamViewer\Version6\TeamViewer_Resource_es.dll
file	C:\Users\test22\AppData\Local\Temp\TeamViewer\Version6\TeamViewer_Service.exe

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Aug. 5, 2024, 9:26 a.m.	flags: 15 family: 0	1	0	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00004600', u'virtual_address': u'0x00031000', u'entropy': 7.838627115962658, u'name': u'UPX1', u'virtual_size': u'0x00005000'}

entropy

7.83862711596

description

A section with a high entropy has been found

entropy

0.421686746988

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Aug. 5, 2024, 9:26 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

The executable is compressed using UPX (2 events)

section	UPX0				description	Section name indicates UPX
section	UPX1				description	Section name indicates UPX

Creates known TeamViewer mutexes and/or registry changes. (3 events)

mutex	TeamViewer_Win32_Instance_Mutex
regkey	HKEY_LOCAL_MACHINE\Software\TeamViewer\Version6\DefaultSettings\
regkey	HKEY_LOCAL_MACHINE\SOFTWARE\TeamViewer3

qs.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All