Windows
Analysis Report
Teams.exe
Overview
General Information
Detection
NetSupport RAT
Score: 51 (range 0 - 100)
Whitelisted: false
Confidence: 100%
Compliance
Score: 33 (range 0 - 100)
Signatures
Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Contains functionality to detect virtual machines
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Abnormally high CPU usage
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains functionality to read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to download and execute PE files
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to launch a process as a different user
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops files with a non-matching file extension (content does not match file extension)
EXE planting / hijacking vulnerabilities found
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
PE file does not import any functions
Potential key logger detected (key state polling based)
Queries information about the installed CPU (vendor, model number, etc.)
Queries keyboard layouts
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number, etc.) of a device
Registers a DLL
Sample execution stops while process was sleeping (likely an evasion)
Sample file name is different from the original file name gathered from version info
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found; this is very uncommon (may be encrypted or packed)
Yara detected Keylogger Generic
Yara detected NetSupport remote tool
Classification
- System is w10x64
- Teams.exe (PID: 6036, cmdline: "C:\Users\user\Desktop\Teams.exe", MD5: BC40D343632F54712A794D8B699925A9)
- schtasks.exe (PID: 5296, cmdline: "C:\Windows\system32\schtasks.exe" /create /sc ONLOGON /tn "CSCOClient" /tr "C:\Users\user\AppData\Roaming\CSCOClient\client32.exe" /RL HIGHEST, MD5: 48C2FE20575769DE916F48EF0676A965)
- conhost.exe (PID: 7128, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- client32.exe (PID: 5244, cmdline: C:\Users\user\AppData\Roaming\CSCOClient\client32.exe, MD5: 9497AECE91E1CCC495CA26AE284600B9)
- MSTeamsSetup_c_l_.exe (PID: 5232, cmdline: C:\ProgramData\MSTeamsSetup_c_l_.exe, MD5: CF0E0F57B68A11D099EC944200A6069D)
- MSTeamsSetup_c_l_.exe (PID: 2820, cmdline: "C:\ProgramData\MSTeamsSetup_c_l_.exe" --rerunningWithoutUAC, MD5: CF0E0F57B68A11D099EC944200A6069D)
- Update.exe (PID: 3620, cmdline: "C:\Users\user\AppData\Local\SquirrelTemp\Update.exe" --install . --rerunningWithoutUAC --exeName=MSTeamsSetup_c_l_.exe --bootstrapperMode, MD5: 8F0E958D7EF57D727ADCDA1C67C24C2B)
- Squirrel.exe (PID: 6688, cmdline: "C:\Users\user\AppData\Local\Microsoft\Teams\current\Squirrel.exe" --updateSelf=C:\Users\user\AppData\Local\SquirrelTemp\Update.exe, MD5: 17927E3240D3B0212A4B93C1D45F92B0)
- Teams.exe (PID: 4444, cmdline: "C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exe" --squirrel-install 1.7.00.15969, MD5: E20A8E5630CFCAD496816E211D212EAC)
- Teams.exe (PID: 3812, cmdline: "C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exe" --squirrel-firstrun, MD5: E20A8E5630CFCAD496816E211D212EAC)
- Teams.exe (PID: 2316, cmdline: "C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exe" --type=gpu-process --user-data-dir="C:\Users\user\AppData\Roaming\Microsoft\Teams" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1724 --field-trial-handle=1880,i,2722608120260481919,6726150612852570996,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2, MD5: E20A8E5630CFCAD496816E211D212EAC)
- Teams.exe (PID: 5136, cmdline: "C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --user-data-dir="C:\Users\user\AppData\Roaming\Microsoft\Teams" --mojo-platform-channel-handle=2144 --field-trial-handle=1880,i,2722608120260481919,6726150612852570996,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8, MD5: E20A8E5630CFCAD496816E211D212EAC)
- regsvr32.exe (PID: 5248, cmdline: "C:\Windows\system32\regsvr32.exe" /s /n /i:user "C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x64\Microsoft.Teams.AddinLoader.dll", MD5: 878E47C8656E53AE8A8A21E927C6F7E0)
- regsvr32.exe (PID: 6388, cmdline: /s /n /i:user "C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x64\Microsoft.Teams.AddinLoader.dll", MD5: B0C2FA35D14A9FAD919E99D9D75E1B9E)
- regsvr32.exe (PID: 5456, cmdline: "C:\Windows\SysWOW64\regsvr32.exe" /s /n /i:user "C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x86\Microsoft.Teams.AddinLoader.dll", MD5: 878E47C8656E53AE8A8A21E927C6F7E0)
- client32.exe (PID: 1272, cmdline: C:\Users\user\AppData\Roaming\CSCOClient\client32.exe, MD5: 9497AECE91E1CCC495CA26AE284600B9)
- cleanup
No configs have been found.
Source | Rule | Description | Author | Strings
---|---|---|---|---
 | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security |
 | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security |
 | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |
 | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |
 | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |

Source | Rule | Description | Author | Strings
---|---|---|---|---
 | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |
 | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security |
 | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security |
 | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security |
 | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security |

Source | Rule | Description | Author | Strings
---|---|---|---|---
 | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security |
 | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security |
 | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security |
 | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security |
 | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |
Source: | Author: Florian Roth (Nextron Systems) |
No Snort rule has matched.
AV Detection |
---|
Source: | Avira URL Cloud: |
Source: | ReversingLabs: |
Source: | EXE: |
Source: | EXE: |
Source: | EXE: |
Source: | EXE: |
Source: | EXE: |
Source: | EXE: |
Source: | EXE: |
Compliance |
---|
Source: | EXE: |
Source: | EXE: |
Source: | EXE: |
Source: | EXE: |
Source: | EXE: |
Source: | EXE: |
Source: | EXE: |
Source: | Static PE information: |
Source: | File created: |
Source: | File created: |
Source: | Static PE information: |
Source: | File opened: |
Source: | Binary string: |
Source: | Binary string: |
Source: | Binary string: |
Source: | Binary string: |
Source: | Binary string: |
Source: | Binary string: |
Source: | Binary string: |
Source: | Binary string: |
Source: | Binary string: |
Source: | Binary string: |
Source: | Binary string: |
Source: | Binary string: |
Source: | Binary string: |
Source: | Binary string: |
Source: | Binary string: |
Source: | Binary string: |
Source: | Binary string: |
Source: | Binary string: |
Source: | Code function: | 5_2_0007C0A5 |
Source: | Code function: | 5_2_00056982 |
Source: | Code function: | 7_2_1110C060 |
Source: | Code function: | 7_2_1102D212 |
Source: | Code function: | 7_2_1102D516 |
Source: | Code function: | 7_2_11123B60 |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Source: | File opened: |
Networking |
---|
Source: | File source: |
Source: | File source: |
Source: | File source: |
Source: | File source: |
Source: | File source: |
Source: | Code function: | 5_2_0005136F |
Source: | IP Address: |
Source: | IP Address: |
Source: | IP Address: |
Source: | IP Address: |
Source: | IP Address: |
Source: | Code function: | 5_2_0005136F |
Source: | String found in binary or memory: |
Source: | String found in binary or memory: |