Windows Analysis Report TV.bin

Overview

General Information

Sample Name: TV.bin (renamed file extension from bin to dll)
Analysis ID: 483792
MD5: a44f2649c82b35d42e6036d1c75e48c4
SHA1: ee3b00701c97ed107b78ecbdf9d962f1508edc8e
SHA256: 760945429f7ea52c40c75a0fa0424d943e317ec48575c812545cc2c4be5b0510
Tags: dll, HartexLLC, signed, soldewornek
Detection

Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Uses 32bit PE files
Contains functionality to query locales information (e.g. system language)
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to call native functions
Contains functionality to record screenshots
Contains functionality to delete services
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Program does not show much activity (idle)
Creates a process in suspended mode (likely to inject code)

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 6240 cmdline: loaddll32.exe 'C:\Users\user\Desktop\TV.dll' MD5: 542795ADF7CC08EFCF675D65310596E8)
    • cmd.exe (PID: 6276 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\TV.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 6324 cmdline: rundll32.exe 'C:\Users\user\Desktop\TV.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6308 cmdline: rundll32.exe C:\Users\user\Desktop\TV.dll,SvcEntry MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6476 cmdline: rundll32.exe 'C:\Users\user\Desktop\TV.dll',SvcEntry MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: TV.dll Virustotal: Detection: 32%
Source: TV.dll ReversingLabs: Detection: 26%
Source: TV.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: TV.dll Static PE information: certificate valid
Source: TV.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: c:\TeamViewer5_Release\TeamViewer\qs_release\TV.pdb source: rundll32.exe, 00000003.00000002.250046290.000000006ECAD000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.255852074.000000006ECAD000.00000002.00020000.sdmp, TV.dll
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6ECA28B0 RtlZeroMemory,RtlZeroMemory,IsWindowEnabled,wsprintfA,IsWindowEnabled,wsprintfA,wsprintfA,FindFirstFileA,lstrcmpA,lstrcmpA,lstrcmpA,lstrcatA,DeleteFileA,FindNextFileA,FindClose,3_2_6ECA28B0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6ECA2DF0 wsprintfA,wsprintfA,RtlZeroMemory,FindFirstFileA,wsprintfA,DeleteFileA,MoveFileExA,FindNextFileA,FindClose,3_2_6ECA2DF0
Source: TV.dll String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: TV.dll String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: TV.dll String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: TV.dll String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: TV.dll String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: TV.dll String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: TV.dll String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: TV.dll String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: TV.dll String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: TV.dll String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: TV.dll String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
Source: TV.dll String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: TV.dll String found in binary or memory: http://ocsp.comodoca.com0
Source: TV.dll String found in binary or memory: http://ocsp.digicert.com0C
Source: TV.dll String found in binary or memory: http://ocsp.digicert.com0O
Source: TV.dll String found in binary or memory: http://ocsp.sectigo.com0
Source: TV.dll String found in binary or memory: http://www.digicert.com/CPS0
Source: TV.dll String found in binary or memory: https://sectigo.com/CPS0
Source: TV.dll String found in binary or memory: https://www.digicert.com/CPS0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6ECA5A00 InternetOpenA,InternetOpenUrlA,CreateFileA,InternetReadFile,WriteFile,InternetReadFile,WriteFile,CloseHandle,InternetCloseHandle,InternetCloseHandle,3_2_6ECA5A00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6ECA66E0 GetDesktopWindow,GetDC,CreateCompatibleDC,RtlZeroMemory,GetWindowRect,CreateCompatibleBitmap,SelectObject,BitBlt,RtlZeroMemory,GetCursorInfo,RtlZeroMemory,GetIconInfo,RtlZeroMemory,GetObjectA,DrawIconEx,SHCreateMemStream,RtlZeroMemory,VirtualAlloc,RtlZeroMemory,VirtualFree,DeleteObject,DeleteDC,ReleaseDC,3_2_6ECA66E0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6ECA9BD0 GetCurrentThreadId,GetThreadDesktop,CreateDesktopA,CreateThread,WaitForSingleObject,CloseHandle,Sleep,CloseDesktop,3_2_6ECA9BD0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6ECA5B40 GetProcessHeap,HeapFree,CharLowerA,GetProcessHeap,HeapAlloc,lstrlenA,RtlComputeCrc32,Sleep,Sleep,GetDlgItem,PostMessageA,PostMessageA,PostMessageA,Sleep,Sleep,PostMessageA,Sleep,GetTickCount,RtlRandom,IsWindowEnabled,IsWindowEnabled,wsprintfA,IsWindowEnabled,IsWindowEnabled,wsprintfA,GetFileAttributesA,IsWindowEnabled,IsWindowEnabled,DeleteFileA,IsWindowEnabled,IsWindowEnabled,wsprintfA,ExpandEnvironmentStringsA,PathIsRelativeA,IsWindowEnabled,IsWindowEnabled,wsprintfA,StrRChrA,SHCreateDirectoryExA,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,IsWindowEnabled,IsWindowEnabled,wsprintfA,IsWindowEnabled,IsWindowEnabled,IsWindowEnabled,IsWindowEnabled,wsprintfA,DeleteFileA,GetTickCount,RtlRandom,wsprintfA,WritePrivateProfileStringA,wsprintfA,wsprintfA,GetProcessHeap,HeapFree,LocalFree,HeapFree,GetProcessHeap,WaitForSingleObject,CloseHandle,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,3_2_6ECA5B40
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6ECA3610 GetProcessHeap,CreateEnvironmentBlock,RtlZeroMemory,RtlZeroMemory,CreateProcessAsUserW,CreateProcessAsUserW,Sleep,CloseHandle,CloseHandle,CloseHandle,CloseHandle,DestroyEnvironmentBlock,CloseHandle,3_2_6ECA3610
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6ECA8510 DisableThreadLibraryCalls,GetModuleHandleA,GetProcessHeap,GetProcessHeap,HeapAlloc,HeapAlloc,GetSystemDirectoryA,ExitProcess,PathAddBackslashA,PathAddBackslashA,GetProcessHeap,HeapAlloc,GetModuleFileNameA,GetProcessHeap,HeapAlloc,IsWindowEnabled,IsWindowEnabled,RtlMoveMemory,IsWindowEnabled,IsWindowEnabled,PathRemoveFileSpecA,IsWindowEnabled,IsWindowEnabled,PathAddBackslashA,IsWindowEnabled,IsWindowEnabled,SetCurrentDirectoryA,IsWindowEnabled,IsWindowEnabled,SHGetSpecialFolderPathA,PathAddBackslashA,wsprintfA,GetFileAttributesA,GetFileAttributesA,ExitProcess,wsprintfA,GetFileAttributesA,wsprintfA,GetFileAttributesA,wsprintfA,GetFileAttributesA,ExitProcess,GetProcessHeap,HeapAlloc,GetModuleFileNameA,PathFindFileNameA,RtlZeroMemory,RtlGetVersion,WTSGetActiveConsoleSessionId,GetProcessHeap,HeapAlloc,GetUserNameW,GetProcessHeap,HeapAlloc,GetComputerNameExW,GetProcessHeap,HeapAlloc,IsWindowEnabled,IsWindowEnabled,wsprintfA,lstrlenA,GetCommandLineA,CharLowerA,StrToIntA,LocalFree,RtlZeroMemory,IsWindowEnabled,IsWindowEnabled,GetPrivateProfileIntA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,wsprintfA,GetProcessHeap,HeapFree,ExitProcess,RtlZeroMemory,NtQuerySystemInformation,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,GetProcessHeap,HeapFree,wsprintfA,ExitProcess,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,IsWindowEnabled,IsWindowEnabled,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,LocalFree,CloseHandle,CloseHandle,NtTerminateThread,CloseHandle,3_2_6ECA8510
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6ECAB2D0 RtlMoveMemory,NtFlushInstructionCache,3_2_6ECAB2D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6ECA2ED0 CreatePipe,RtlZeroMemory,RtlZeroMemory,CreateProcessA,CloseHandle,CloseHandle,GetProcessHeap,HeapAlloc,GetTickCount,ReadFile,MultiByteToWideChar,GetProcessHeap,HeapAlloc,MultiByteToWideChar,WideCharToMultiByte,GetProcessHeap,HeapAlloc,WideCharToMultiByte,GetProcessHeap,HeapFree,GetTickCount,ReadFile,GetProcessHeap,HeapReAlloc,GetProcessHeap,HeapFree,NtTerminateProcess,GetProcessHeap,HeapFree,CloseHandle,CloseHandle,CloseHandle,CloseHandle,3_2_6ECA2ED0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6ECA18D0 NtProtectVirtualMemory,3_2_6ECA18D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6ECA14E0 NtAllocateVirtualMemory,NtAllocateVirtualMemory,3_2_6ECA14E0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6ECA4EF0 RtlZeroMemory,RtlZeroMemory,CreateProcessA,WaitForSingleObject,GetExitCodeProcess,NtTerminateProcess,CloseHandle,CloseHandle,CloseHandle,3_2_6ECA4EF0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6ECAB0A0 NtQuerySystemInformation,VirtualAlloc,NtQuerySystemInformation,GetCurrentProcessId,GetCurrentThreadId,HeapAlloc,HeapReAlloc,VirtualFree,3_2_6ECAB0A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6ECA2640 RtlZeroMemory,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,RtlMoveMemory,NtUnmapViewOfSection,NtUnmapViewOfSection,NtClose,3_2_6ECA2640
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6ECAB270 NtResumeThread,NtClose,HeapFree,3_2_6ECAB270
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6ECA8400 NtQuerySystemInformation,RtlZeroMemory,NtQueryVirtualMemory,RtlCompareMemory,NtWriteVirtualMemory,NtFlushInstructionCache,3_2_6ECA8400
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6ECA1C00 FreeLibrary,FreeLibrary,GetProcessHeap,HeapFree,NtFreeVirtualMemory,3_2_6ECA1C00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6ECAAE20 NtOpenThread,3_2_6ECAAE20
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6ECAAFC0 NtGetContextThread,NtSetContextThread,3_2_6ECAAFC0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6ECAADE0 NtProtectVirtualMemory,3_2_6ECAADE0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6ECA19F0 FreeLibrary,FreeLibrary,GetProcessHeap,HeapFree,NtFreeVirtualMemory,GetProcessHeap,HeapFree,3_2_6ECA19F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6ECAB1F0 NtSuspendThread,NtClose,3_2_6ECAB1F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6ECA7790 PostThreadMessageA,WaitForSingleObject,NtTerminateThread,CloseHandle,PostQuitMessage,PostMessageA,CreateThread,CallWindowProcW,3_2_6ECA7790
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6ECA23B0 LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetCommandLineA,lstrcmpiA,lstrcmpiA,StrRChrA,wsprintfA,OpenEventA,CreateEventA,RtlZeroMemory,CreateThread,NtTerminateThread,CloseHandle,VirtualFree,CloseHandle,CloseHandle,LocalFree,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,ExitProcess,3_2_6ECA23B0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6ECA2750 GetFileAttributesA,GetProcessHeap,GetProcessHeap,HeapAlloc,wsprintfA,RtlZeroMemory,RtlZeroMemory,CreateProcessA,NtGetContextThread,NtSetContextThread,NtResumeThread,NtTerminateProcess,CloseHandle,CloseHandle,CloseHandle,GetProcessHeap,HeapFree,3_2_6ECA2750
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6ECA6D50 RtlZeroMemory,VirtualAlloc,RtlZeroMemory,GetLocaleInfoW,CharLowerW,RtlZeroMemory,RtlGetNtVersionNumbers,RtlZeroMemory,RtlMoveMemory,GetProcessHeap,HeapFree,RtlMoveMemory,GetProcessHeap,HeapFree,RtlMoveMemory,GetProcessHeap,HeapFree,SetTimer,GetMessageA,KillTimer,RtlZeroMemory,wsprintfW,GetPrivateProfileStringW,RtlMoveMemory,GetProcessHeap,HeapFree,GetForegroundWindow,GetWindowTextW,RtlMoveMemory,GetProcessHeap,HeapFree,GetWindowThreadProcessId,NtOpenProcess,GetModuleFileNameExW,RtlMoveMemory,GetProcessHeap,HeapFree,NtClose,Sleep,GetDlgItemTextA,StrTrimA,GetDlgItemTextA,VirtualFree,WritePrivateProfileStringA,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,CreateThread,CloseHandle,Sleep,GetProcessHeap,HeapFree,RtlZeroMemory,GetSystemTimeAsFileTime,RtlTimeToSecondsSince1970,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,SetEvent,SetTimer,DispatchMessageA,GetMessageA,KillTimer,VirtualFree,3_2_6ECA6D50
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6ECAA500 NtQueryVirtualMemory,3_2_6ECAA500
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6ECAAD39 NtProtectVirtualMemory,3_2_6ECAAD39
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6ECA3700 OpenSCManagerA,OpenSCManagerA,OpenSCManagerA,OpenServiceA,QueryServiceStatus,ControlService,Sleep,QueryServiceStatus,Sleep,DeleteService,CloseServiceHandle,CloseServiceHandle,3_2_6ECA3700
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6ECA96D0 SwitchDesktop,SetThreadDesktop,LoadLibraryA,GetProcessHeap,HeapAlloc,GetProcessHeap,RtlZeroMemory,GetSystemDirectoryA,PathAddBackslashA,lstrcatA,LoadLibraryExA,LoadStringW,LoadStringW,LoadStringW,LoadStringW,FormatMessageW,LoadStringW,wsprintfW,FormatMessageW,FreeLibrary,wsprintfW,GetLastError,GetProcessHeap,HeapAlloc,RtlZeroMemory,RtlZeroMemory,RtlZeroMemory,RtlZeroMemory,WritePrivateProfileStringW,CoTaskMemFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,FreeLibrary,Sleep,SwitchDesktop,SetThreadDesktop,Sleep,3_2_6ECA96D0
Source: TV.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6ECA3C60 OpenSCManagerA,OpenSCManagerA,OpenSCManagerA,OpenServiceA,wsprintfA,RegSetValueExA,wsprintfA,CreateServiceA,ChangeServiceConfig2A,wsprintfA,RegCreateKeyExA,lstrlenA,RegSetValueExA,RegCloseKey,wsprintfA,RegCreateKeyExA,RegSetValueExA,RegSetValueExA,RegCloseKey,wsprintfA,RegCreateKeyExA,RegSetValueExA,RegSetValueExA,lstrlenA,RegSetValueExA,RegSetValueExA,RegCloseKey,wsprintfA,RegCreateKeyExA,lstrlenA,RegSetValueExA,RegCloseKey,wsprintfA,RegCreateKeyExA,RtlZeroMemory,RegQueryValueExA,lstrcmpiA,RegSetValueExA,RegCloseKey,RtlZeroMemory,QueryServiceStatusEx,CloseServiceHandle,CloseServiceHandle,3_2_6ECA3C60
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\TV.dll,SvcEntry
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\TV.dll'
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\TV.dll',#1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\TV.dll',#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\TV.dll',SvcEntry
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6ECA4E50 FindResourceW,LoadResource,SizeofResource,LockResource,GetProcessHeap,HeapAlloc,RtlMoveMemory,FreeResource,3_2_6ECA4E50
Source: classification engine Classification label: mal48.winDLL@9/0@0/0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6ECA6480 CoInitializeEx,CoCreateInstance,RtlZeroMemory,VariantInit,CoUninitialize,3_2_6ECA6480
Source: TV.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6ECAC101 push ecx; ret 3_2_6ECAC114
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6ECA44D0 GetPrivateProfileIntA,GetProcessHeap,HeapAlloc,IsWindowEnabled,wsprintfA,IsWindowEnabled,wsprintfA,IsWindowEnabled,IsWindowEnabled,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,WritePrivateProfileStringA,RtlZeroMemory,SHFileOperationA,GetProcessHeap,HeapFree,3_2_6ECA44D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6ECA37D0 QueryServiceConfigA,QueryServiceConfigA,GetProcessHeap,HeapAlloc,QueryServiceConfigA,ChangeServiceConfigA,GetProcessHeap,HeapFree,QueryServiceStatus,StartServiceA,3_2_6ECA37D0
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 120000
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6ECA3B60 SvcEntry,IsWindowEnabled,SetCurrentDirectoryA,RegisterServiceCtrlHandlerExW,GetProcessHeap,HeapAlloc,CreateThread,CloseHandle,SetServiceStatus,SetServiceStatus,ExitProcess,3_2_6ECA3B60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6ECAC1E2 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,3_2_6ECAC1E2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6ECA5130 LogonUserW,GetLastError,CloseHandle,3_2_6ECA5130
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6ECA3220 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,3_2_6ECA3220

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts 2 | Service Execution 12 | Create Account 1 | Valid Accounts 2 | Valid Accounts 2 | OS Credential Dumping | System Time Discovery 1 | Remote Services | Screen Capture 1 | Exfiltration Over Other Network Medium | Ingress Tool Transfer 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | System Shutdown/Reboot 1
Default Accounts | Scheduled Task/Job | Valid Accounts 2 | Access Token Manipulation 21 | Virtualization/Sandbox Evasion 1 | LSASS Memory | Security Software Discovery 2 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Windows Service 12 | Windows Service 12 | Access Token Manipulation 21 | Security Account Manager | Virtualization/Sandbox Evasion 1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Process Injection 11 | Process Injection 11 | NTDS | Account Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Obfuscated Files or Information 1 | LSA Secrets | System Owner/User Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Rundll32 1 | Cached Domain Credentials | File and Directory Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | System Information Discovery 13 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact

Behavior Graph

Behavior Graph ID: 483792, Sample: TV.bin, Startdate: 15/09/2021, Architecture: WINDOWS, Score: 48. The graph attaches the signature "Multi AV Scanner detection for submitted file" to the start node; loaddll32.exe starts cmd.exe and two rundll32.exe processes, and cmd.exe starts a further rundll32.exe.
