Analysis
- max time kernel: 16s
- max time network: 113s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 13-01-2021 17:38

Static task: static1
Behavioral task: behavioral1
- Sample: remote (2).exe
- Resource: win7v20201028
- Platform: windows7_x64
- 0 signatures
- 0 seconds
General
- Target: remote (2).exe
- Size: 7.1MB
- MD5: 29019ced86eb160aa754828649703769
- SHA1: b1689f923228f42da1f9eff5709d797153fb81c1
- SHA256: 575cd45bc66b57679f2b565270c84c957bf68a8ab84833845a038aad87b7bfb0
- SHA512: 8dcff0d47180c38a0781d7fd8a01073bcaad3edf2c69654a15e9c8a8d2873071ae5bea5261e58ca2650f775243978f01e2a8d62e84319f2f88422de7d033a247
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: remote (2).exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Control Panel\International\Geo\Nation | remote (2).exe
- Checks whether UAC is enabled
  Processes: remote (2).exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | remote (2).exe
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  10 | ipinfo.io
- Suspicious use of AdjustPrivilegeToken (42 IoCs)
  Processes: remote (2).exe
  description | pid | process
  Token: SeIncreaseQuotaPrivilege | 640 | remote (2).exe
  Token: SeSecurityPrivilege | 640 | remote (2).exe
  Token: SeTakeOwnershipPrivilege | 640 | remote (2).exe
  Token: SeLoadDriverPrivilege | 640 | remote (2).exe
  Token: SeSystemProfilePrivilege | 640 | remote (2).exe
  Token: SeSystemtimePrivilege | 640 | remote (2).exe
  Token: SeProfSingleProcessPrivilege | 640 | remote (2).exe
  Token: SeIncBasePriorityPrivilege | 640 | remote (2).exe
  Token: SeCreatePagefilePrivilege | 640 | remote (2).exe
  Token: SeBackupPrivilege | 640 | remote (2).exe
  Token: SeRestorePrivilege | 640 | remote (2).exe
  Token: SeShutdownPrivilege | 640 | remote (2).exe
  Token: SeDebugPrivilege | 640 | remote (2).exe
  Token: SeSystemEnvironmentPrivilege | 640 | remote (2).exe
  Token: SeRemoteShutdownPrivilege | 640 | remote (2).exe
  Token: SeUndockPrivilege | 640 | remote (2).exe
  Token: SeManageVolumePrivilege | 640 | remote (2).exe
  Token: 33 | 640 | remote (2).exe
  Token: 34 | 640 | remote (2).exe
  Token: 35 | 640 | remote (2).exe
  Token: 36 | 640 | remote (2).exe
  Token: SeIncreaseQuotaPrivilege | 640 | remote (2).exe
  Token: SeSecurityPrivilege | 640 | remote (2).exe
  Token: SeTakeOwnershipPrivilege | 640 | remote (2).exe
  Token: SeLoadDriverPrivilege | 640 | remote (2).exe
  Token: SeSystemProfilePrivilege | 640 | remote (2).exe
  Token: SeSystemtimePrivilege | 640 | remote (2).exe
  Token: SeProfSingleProcessPrivilege | 640 | remote (2).exe
  Token: SeIncBasePriorityPrivilege | 640 | remote (2).exe
  Token: SeCreatePagefilePrivilege | 640 | remote (2).exe
  Token: SeBackupPrivilege | 640 | remote (2).exe
  Token: SeRestorePrivilege | 640 | remote (2).exe
  Token: SeShutdownPrivilege | 640 | remote (2).exe
  Token: SeDebugPrivilege | 640 | remote (2).exe
  Token: SeSystemEnvironmentPrivilege | 640 | remote (2).exe
  Token: SeRemoteShutdownPrivilege | 640 | remote (2).exe
  Token: SeUndockPrivilege | 640 | remote (2).exe
  Token: SeManageVolumePrivilege | 640 | remote (2).exe
  Token: 33 | 640 | remote (2).exe
  Token: 34 | 640 | remote (2).exe
  Token: 35 | 640 | remote (2).exe
  Token: 36 | 640 | remote (2).exe
- Suspicious use of FindShellTrayWindow (5 IoCs)
  Processes: remote (2).exe
  pid | process
  640 | remote (2).exe
  640 | remote (2).exe
  640 | remote (2).exe
  640 | remote (2).exe
  640 | remote (2).exe
- Suspicious use of SendNotifyMessage (5 IoCs)
  Processes: remote (2).exe
  pid | process
  640 | remote (2).exe
  640 | remote (2).exe
  640 | remote (2).exe
  640 | remote (2).exe
  640 | remote (2).exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes: remote (2).exe
  pid | process
  640 | remote (2).exe
Processes
- 1. C:\Users\Admin\AppData\Local\Temp\remote (2).exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\remote (2).exe"
  - Checks computer location settings
  - Checks whether UAC is enabled
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx