DefaultRemoteOffice_Agent.exe
This report is generated from a file or URL submitted to this webservice on October 27th 2022 22:40:13 (UTC)
Guest System: Windows 7 32 bit, Professional, 6.1 (build 7601), Service Pack 1
Report generated by Falcon Sandbox v9.4.1 © Hybrid Analysis

Incident Response

Risk Assessment
- Spyware
  - Found a string that may be used as part of an injection method
- Persistence
  - Writes data to a remote process
- Fingerprint
  - Contains ability to retrieve information about the current system
  - Queries kernel debugger information
  - Queries process information
  - Reads the active computer name
  - Reads the cryptographic machine GUID
- Evasive
  - Contains ability to adjust token privileges
  - Contains ability to check if a debugger is running
  - Contains ability to detect virtual environment (API)
  - Input file contains API references not part of its Import Address Table (IAT)
  - Marks file for deletion
  - Possibly tries to implement anti-virtualization techniques

MITRE ATT&CK™ Techniques Detection
Indicators
Malicious Indicators (4)

Installation/Persistence

Allocates virtual memory in a remote process
- details
  - "DefaultRemoteOffice_Agent.exe" allocated memory in "C:\DefaultRemoteOffice_Agent.exe"
- source: API Call
- relevance: 7/10
- ATT&CK ID: T1055.012

Writes data to a remote process
- details
  - "DefaultRemoteOffice_Agent.exe" wrote 1500 bytes to a remote process "%TEMP%\{300931DF-0621-4267-83D4-21548C1A237B}\DefaultRemoteOffice_Agent.exe" (Handle: 296)
  - "DefaultRemoteOffice_Agent.exe" wrote 4 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\Temp\{300931DF-0621-4267-83D4-21548C1A237B}\DefaultRemoteOffice_Agent.exe" (Handle: 296)
  - "DefaultRemoteOffice_Agent.exe" wrote 52 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\Temp\{300931DF-0621-4267-83D4-21548C1A237B}\DefaultRemoteOffice_Agent.exe" (Handle: 296)
  - "DefaultRemoteOffice_Agent.exe" wrote 32 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\Temp\{300931DF-0621-4267-83D4-21548C1A237B}\DefaultRemoteOffice_Agent.exe" (Handle: 296)
  - "cmd.exe" wrote 1500 bytes to a remote process "C:\Windows\Temp\agentInstallerComponent.exe" (Handle: 148)
  - "cmd.exe" wrote 4 bytes to a remote process "C:\Windows\Temp\agentInstallerComponent.exe" (Handle: 148)
  - "cmd.exe" wrote 32 bytes to a remote process "C:\Windows\Temp\agentInstallerComponent.exe" (Handle: 148)
  - "cmd.exe" wrote 52 bytes to a remote process "C:\Windows\Temp\agentInstallerComponent.exe" (Handle: 148)
- source: API Call
- relevance: 6/10
- ATT&CK ID: T1055

Spyware/Information Retrieval

Contains ability to capture the screen
- details
  - CreateCompatibleDC@GDI32.DLL from DefaultRemoteOffice_Agent.exe (PID: 2852)
  - CreateCompatibleDC@GDI32.DLL from DefaultRemoteOffice_Agent.exe (PID: 3160)
  - CreateCompatibleDC@GDI32.dll
- source: Hybrid Analysis Technology
- relevance: 3/10
- ATT&CK ID: T1113

Unusual Characteristics

Contains ability to reboot/shutdown the operating system
- details
  - ExitWindowsEx@USER32.DLL from DefaultRemoteOffice_Agent.exe (PID: 2852)
  - ExitWindowsEx@USER32.DLL from DefaultRemoteOffice_Agent.exe (PID: 3160)
- source: Hybrid Analysis Technology
- relevance: 5/10
- ATT&CK ID: T1529

Suspicious Indicators (47)

Anti-Reverse Engineering

PE file has unusual entropy sections
- details
  - .text with unusual entropy 7.98380314921
- source: Static Parser
- relevance: 10/10
- ATT&CK ID: T1027.002

Cryptographic Related

Found a cryptographic related string
- details
  - "DES" (Indicator: "des"; File: "00000000-00003924.00000002.73153.00AFD000.00000002.mdmp")
- source: File/Memory
- relevance: 10/10
- ATT&CK ID: T1486

Environment Awareness

Possibly tries to implement anti-virtualization techniques
- details
  - "_GetVirtualMachineType" (Indicator: "virtualmachine")
  - "_IsVirtualMachine" (Indicator: "virtualmachine")
- source: File/Memory
- relevance: 4/10
- ATT&CK ID: T1497

Reads the cryptographic machine GUID
- details
  - "DefaultRemoteOffice_Agent.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
- source: Registry Access
- relevance: 10/10
- ATT&CK ID: T1082

General

Contains ability to find and load resources of a specific module
- details
  - FindResourceExW@KERNEL32.DLL from DefaultRemoteOffice_Agent.exe (PID: 2852)
  - LoadResource@KERNEL32.DLL from DefaultRemoteOffice_Agent.exe (PID: 2852)
  - LoadResource@KERNEL32.DLL from DefaultRemoteOffice_Agent.exe (PID: 3160)
  - FindResourceExW@KERNEL32.DLL from DefaultRemoteOffice_Agent.exe (PID: 3160)
  - FindResourceW@KERNEL32.DLL from agentInstallerComponent.exe (PID: 3924)
  - LoadResource@KERNEL32.DLL from agentInstallerComponent.exe (PID: 3924)
  - FindResourceExW@KERNEL32.DLL from agentInstallerComponent.exe (PID: 3924)
  - LoadResource@KERNEL32.dll
- source: Hybrid Analysis Technology
- relevance: 1/10

Reads configuration files
- details
  - "DefaultRemoteOffice_Agent.exe" read file "%TEMP%\{300931DF-0621-4267-83D4-21548C1A237B}\Disk1\setup.ini"
  - "DefaultRemoteOffice_Agent.exe" read file "%TEMP%\{300931DF-0621-4267-83D4-21548C1A237B}\setup.ini"
  - "DefaultRemoteOffice_Agent.exe" read file "%TEMP%\{300931DF-0621-4267-83D4-21548C1A237B}\Disk1\0x0409.ini"
  - "DefaultRemoteOffice_Agent.exe" read file "%TEMP%\{300931DF-0621-4267-83D4-21548C1A237B}\0x0409.ini"
- source: API Call
- relevance: 4/10

Installation/Persistence

Drops executable files
- details
  - "AGENTINSTALLERCOMPONENT.EXE.635B09A7.bin" has type "PE32 executable (console) Intel 80386 for MS Windows"; targetUID: N/A
  - "DefaultRemoteOffice_Agent.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"; location: C:\DefaultRemoteOffice_Agent.exe; targetUID: 00000000-00003924
  - "setup.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"; location: %TEMP%\{300931DF-0621-4267-83D4-21548C1A237B}\Disk1\setup.exe; targetUID: 00000000-00002852
  - "ISSetup.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"; location: %TEMP%\{300931DF-0621-4267-83D4-21548C1A237B}\ISSetup.dll; targetUID: 00000000-00002852
  - "dot3456.tmp" has type "PE32 executable (console) Intel 80386 Mono/.Net assembly for MS Windows"; location: %TEMP%\{20DD34C3-D68E-4F9E-B9D5-C66A9DC5022C}\dot3456.tmp; targetUID: 00000000-00003160
  - "isr34B7.tmp" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows PECompact2 compressed"; location: %TEMP%\{20DD34C3-D68E-4F9E-B9D5-C66A9DC5022C}\{417FCDE2-BCB2-4A7C-BC24-F539CD19209A}\isr34B7.tmp; targetUID: 00000000-00003160
  - "_is3546.tmp" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"; location: %TEMP%\{20DD34C3-D68E-4F9E-B9D5-C66A9DC5022C}\{417FCDE2-BCB2-4A7C-BC24-F539CD19209A}\_is3546.tmp; targetUID: 00000000-00003160
  - "_is3631.tmp" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"; location: %TEMP%\{20DD34C3-D68E-4F9E-B9D5-C66A9DC5022C}\{417FCDE2-BCB2-4A7C-BC24-F539CD19209A}\_is3631.tmp; targetUID: 00000000-00003160
- source: Binary File
- relevance: 10/10

Writes a PE file header to disc
- details
  - "DefaultRemoteOffice_Agent.exe" wrote 23768 bytes starting with PE header signature to file "%TEMP%\{20DD34C3-D68E-4F9E-B9D5-C66A9DC5022C}\dot3456.tmp": 4d5aff000300000004000000ffff0000ff00000000000000400000000000000000000000000000000000000000000000000000000000000000000000ff0000000e1fff0e00ff09ff21ff014cff21546869732070726f6772616d2063616e6e6f742062652072756e20696e20444f53206d6f64652e0d0d0a2400000000000000 ...
  - "DefaultRemoteOffice_Agent.exe" wrote 32766 bytes starting with PE header signature to file "C:\Users\%USERNAME%\AppData\Local\Temp\{20DD34C3-D68E-4F9E-B9D5-C66A9DC5022C}\{417FCDE2-BCB2-4A7C-BC24-F539CD19209A}\isr34B7.tmp": 4d5aff000300000004000000ffff0000ff00000000000000400000000000000000000000000000000000000000000000000000000000000000000000180100000e1fff0e00ff09ff21ff014cff21546869732070726f6772616d2063616e6e6f742062652072756e20696e20444f53206d6f64652e0d0d0a2400000000000000 ...
  - "DefaultRemoteOffice_Agent.exe" wrote 32766 bytes starting with PE header signature to file "C:\Users\%USERNAME%\AppData\Local\Temp\{20DD34C3-D68E-4F9E-B9D5-C66A9DC5022C}\{417FCDE2-BCB2-4A7C-BC24-F539CD19209A}\_is3546.tmp": 4d5aff000300000004000000ffff0000ff00000000000000400000000000000000000000000000000000000000000000000000000000000000000000ff0000000e1fff0e00ff09ff21ff014cff21546869732070726f6772616d2063616e6e6f742062652072756e20696e20444f53206d6f64652e0d0d0a2400000000000000 ...
  - "DefaultRemoteOffice_Agent.exe" wrote 32766 bytes starting with PE header signature to file "C:\Users\%USERNAME%\AppData\Local\Temp\{20DD34C3-D68E-4F9E-B9D5-C66A9DC5022C}\{417FCDE2-BCB2-4A7C-BC24-F539CD19209A}\_is3631.tmp": 4d5aff000300000004000000ffff0000ff00000000000000400000000000000000000000000000000000000000000000000000000000000000000000ff0000000e1fff0e00ff09ff21ff014cff21546869732070726f6772616d2063616e6e6f742062652072756e20696e20444f53206d6f64652e0d0d0a2400000000000000 ...
- source: API Call
- relevance: 10/10

Ransomware/Banking

Contains ability to update the user profile
- details
  - SystemParametersInfoW@USER32.DLL from DefaultRemoteOffice_Agent.exe (PID: 2852)
  - SystemParametersInfoW@USER32.DLL from DefaultRemoteOffice_Agent.exe (PID: 3160)
  - SystemParametersInfoW@USER32.dll
- source: Hybrid Analysis Technology
- relevance: 5/10

Spyware/Information Retrieval

Calls an API typically used for keylogging
- details
  - "agentInstallerComponent.exe" called "GetKeyState"
- source: API Call
- relevance: 10/10
- ATT&CK ID: T1056.001

Calls an API typically used for taking a snapshot of the specified processes
- details
  - "cmd.exe" called "CreateToolhelp32Snapshot" (UID: 00000000-00003640)
  - "agentInstallerComponent.exe" called "CreateToolhelp32Snapshot" (UID: 00000000-00003924)
- source: API Call
- relevance: 5/10
- ATT&CK ID: T1057

Calls an API typically used to retrieve information about the current system
- details
  - "DefaultRemoteOffice_Agent.exe" called "GetNativeSystemInfo" (UID: 00000000-00002852)
  - "DefaultRemoteOffice_Agent.exe" called "GetNativeSystemInfo" (UID: 00000000-00003160)
- source: API Call
- relevance: 5/10
- ATT&CK ID: T1082

Calls APIs typically used for searching a directory for files
- details
  - "DefaultRemoteOffice_Agent.exe" called "FindFirstFileW" (UID: 00000000-00002852)
  - "DefaultRemoteOffice_Agent.exe" called "FindNextFileW" (UID: 00000000-00002852)
  - "DefaultRemoteOffice_Agent.exe" called "FindFirstFileW" (UID: 00000000-00003160)
  - "DefaultRemoteOffice_Agent.exe" called "FindNextFileW" (UID: 00000000-00003160)
- source: API Call
- relevance: 5/10
- ATT&CK ID: T1083

Contains ability to retrieve the command-line string for the current process
- details
  - GetCommandLineW@KERNEL32.DLL from DefaultRemoteOffice_Agent.exe (PID: 2852)
  - GetCommandLineW@KERNEL32.DLL from DefaultRemoteOffice_Agent.exe (PID: 3160)
  - GetCommandLineW@KERNEL32.DLL from agentInstallerComponent.exe (PID: 3924)
  - GetCommandLineW@KERNEL32.dll
- source: Hybrid Analysis Technology
- relevance: 3/10
- ATT&CK ID: T1106

Tries to access non-existent files
- details
  - "DefaultRemoteOffice_Agent.exe" trying to access non-existent file "C:\DefaultRemoteOffice_Agent.exe.Local\"
  - "DefaultRemoteOffice_Agent.exe" trying to access non-existent file "C:\FLTLIB.DLL"
  - "DefaultRemoteOffice_Agent.exe" trying to access non-existent file "C:\Windows\system32\api-ms-win-core-fibers-l1-1-1.DLL"
  - "DefaultRemoteOffice_Agent.exe" trying to access non-existent file "C:\Windows\system32\api-ms-win-core-localization-l1-2-1.DLL"
  - "DefaultRemoteOffice_Agent.exe" trying to access non-existent file "%TEMP%\{300931DF-0621-4267-83D4-21548C1A237B}\setup.ini"
  - "DefaultRemoteOffice_Agent.exe" trying to access non-existent file "C:\DEFAULTREMOTEOFFICE_AGENT.EXE.LOCAL"
  - "DefaultRemoteOffice_Agent.exe" trying to access non-existent file "C:\Windows\System32\API-MS-WIN-CORE-FIBERS-L1-1-1.DLL"
  - "DefaultRemoteOffice_Agent.exe" trying to access non-existent file "C:\Windows\System32\API-MS-WIN-CORE-LOCALIZATION-L1-2-1.DLL"
  - "DefaultRemoteOffice_Agent.exe" trying to access non-existent file "C:\Users\%USERNAME%\AppData\Local\Temp\{300931DF-0621-4267-83D4-21548C1A237B}\SETUP.INI"
  - "DefaultRemoteOffice_Agent.exe" trying to access non-existent file "C:\Users\%USERNAME%\AppData\Local\Temp\{300931DF-0621-4267-83D4-21548C1A237B}\Disk1\"
  - "DefaultRemoteOffice_Agent.exe" trying to access non-existent file "C:\Users\%USERNAME%\AppData\Local\Temp\{300931DF-0621-4267-83D4-21548C1A237B}\DefaultRemoteOffice_Agent.exe"
- source: API Call
- relevance: 7/10
- ATT&CK ID: T1083

System Destruction

Marks file for deletion
- details
  - "DefaultRemoteOffice_Agent.exe" marked "%TEMP%\328B.tmp" for deletion
  - "DefaultRemoteOffice_Agent.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\{20DD34C3-D68E-4F9E-B9D5-C66A9DC5022C}\{417FCDE2-BCB2-4A7C-BC24-F539CD19209A}\set3396.tmp" for deletion
  - "DefaultRemoteOffice_Agent.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\{20DD34C3-D68E-4F9E-B9D5-C66A9DC5022C}\{417FCDE2-BCB2-4A7C-BC24-F539CD19209A}\Ins33E5.tmp" for deletion
  - "DefaultRemoteOffice_Agent.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\{20DD34C3-D68E-4F9E-B9D5-C66A9DC5022C}\cor3436.tmp" for deletion
  - "DefaultRemoteOffice_Agent.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\{20DD34C3-D68E-4F9E-B9D5-C66A9DC5022C}\dot3477.tmp" for deletion
  - "DefaultRemoteOffice_Agent.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\{20DD34C3-D68E-4F9E-B9D5-C66A9DC5022C}\{417FCDE2-BCB2-4A7C-BC24-F539CD19209A}\Str3497.tmp" for deletion
  - "DefaultRemoteOffice_Agent.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\{20DD34C3-D68E-4F9E-B9D5-C66A9DC5022C}\{417FCDE2-BCB2-4A7C-BC24-F539CD19209A}\isr34B7.tmp" for deletion
  - "DefaultRemoteOffice_Agent.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\{20DD34C3-D68E-4F9E-B9D5-C66A9DC5022C}\{417FCDE2-BCB2-4A7C-BC24-F539CD19209A}\def3535.tmp" for deletion
  - "DefaultRemoteOffice_Agent.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\{20DD34C3-D68E-4F9E-B9D5-C66A9DC5022C}\{417FCDE2-BCB2-4A7C-BC24-F539CD19209A}\_is3546.tmp" for deletion
  - "DefaultRemoteOffice_Agent.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\{20DD34C3-D68E-4F9E-B9D5-C66A9DC5022C}\{417FCDE2-BCB2-4A7C-BC24-F539CD19209A}\_is3631.tmp" for deletion
  - "DefaultRemoteOffice_Agent.exe" marked "C:\Windows\Temp\age4AC4.tmp" for deletion
  - "DefaultRemoteOffice_Agent.exe" marked "C:\Windows\Temp\UEM7159.tmp" for deletion
  - "DefaultRemoteOffice_Agent.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\{20DD34C3-D68E-4F9E-B9D5-C66A9DC5022C}\dot3456.tmp" for deletion
- source: API Call
- relevance: 10/10
- ATT&CK ID: T1070.004

Opens file with deletion access rights
- details
  - "DefaultRemoteOffice_Agent.exe" opened "%TEMP%\{300931DF-0621-4267-83D4-21548C1A237B}\Disk1\setup.exe" with delete access
  - "DefaultRemoteOffice_Agent.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\{20DD34C3-D68E-4F9E-B9D5-C66A9DC5022C}\{417FCDE2-BCB2-4A7C-BC24-F539CD19209A}\Install.bat" with delete access
  - "DefaultRemoteOffice_Agent.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\{20DD34C3-D68E-4F9E-B9D5-C66A9DC5022C}\{417FCDE2-BCB2-4A7C-BC24-F539CD19209A}\FontData.ini" with delete access
  - "DefaultRemoteOffice_Agent.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\{20DD34C3-D68E-4F9E-B9D5-C66A9DC5022C}\corecomp.ini" with delete access
  - "DefaultRemoteOffice_Agent.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\{20DD34C3-D68E-4F9E-B9D5-C66A9DC5022C}\dotnetinstaller.exe" with delete access
  - "DefaultRemoteOffice_Agent.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\{20DD34C3-D68E-4F9E-B9D5-C66A9DC5022C}\dotnetinstaller.exe.config" with delete access
  - "DefaultRemoteOffice_Agent.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\{20DD34C3-D68E-4F9E-B9D5-C66A9DC5022C}\{417FCDE2-BCB2-4A7C-BC24-F539CD19209A}\StringTable_0x0409.ips" with delete access
  - "DefaultRemoteOffice_Agent.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\{20DD34C3-D68E-4F9E-B9D5-C66A9DC5022C}\{417FCDE2-BCB2-4A7C-BC24-F539CD19209A}\_isuser_0x0409.dll" with delete access
  - "DefaultRemoteOffice_Agent.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\{20DD34C3-D68E-4F9E-B9D5-C66A9DC5022C}\{417FCDE2-BCB2-4A7C-BC24-F539CD19209A}\_isres_0x0409.dll" with delete access
  - "DefaultRemoteOffice_Agent.exe" opened "C:\Windows\Temp\agentInstallerComponent.exe" with delete access
  - "DefaultRemoteOffice_Agent.exe" opened "C:\Windows\Temp\UEMSAgent.msi" with delete access
  - "DefaultRemoteOffice_Agent.exe" opened "C:\Windows\Temp\UEMSAgent.mst" with delete access
  - "DefaultRemoteOffice_Agent.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\328B.tmp" with delete access
  - "DefaultRemoteOffice_Agent.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\{20DD34C3-D68E-4F9E-B9D5-C66A9DC5022C}\{417FCDE2-BCB2-4A7C-BC24-F539CD19209A}\INSTALL.BAT" with delete access
  - "DefaultRemoteOffice_Agent.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\{20DD34C3-D68E-4F9E-B9D5-C66A9DC5022C}\{417FCDE2-BCB2-4A7C-BC24-F539CD19209A}\Fon3405.tmp" with delete access
  - "DefaultRemoteOffice_Agent.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\{20DD34C3-D68E-4F9E-B9D5-C66A9DC5022C}\{417FCDE2-BCB2-4A7C-BC24-F539CD19209A}\FONTDATA.INI" with delete access
  - "DefaultRemoteOffice_Agent.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\{20DD34C3-D68E-4F9E-B9D5-C66A9DC5022C}\CORECOMP.INI" with delete access
  - "DefaultRemoteOffice_Agent.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\{20DD34C3-D68E-4F9E-B9D5-C66A9DC5022C}\DOTNETINSTALLER.EXE" with delete access
  - "DefaultRemoteOffice_Agent.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\{20DD34C3-D68E-4F9E-B9D5-C66A9DC5022C}\DOTNETINSTALLER.EXE.CONFIG" with delete access
  - "DefaultRemoteOffice_Agent.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\{20DD34C3-D68E-4F9E-B9D5-C66A9DC5022C}\{417FCDE2-BCB2-4A7C-BC24-F539CD19209A}\def3535.tmp" with delete access
- source: API Call
- relevance: 7/10
- ATT&CK ID: T1070.004

System Security

Contains ability to adjust token privileges
- details
  - LookupPrivilegeValueW@ADVAPI32.DLL from DefaultRemoteOffice_Agent.exe (PID: 2852)
  - LookupPrivilegeValueW@ADVAPI32.DLL from DefaultRemoteOffice_Agent.exe (PID: 3160)
- source: Hybrid Analysis Technology
- relevance: 5/10
- ATT&CK ID: T1134.003

Contains ability to elevate privileges
- details
  - SetEntriesInAclW@ADVAPI32.DLL from DefaultRemoteOffice_Agent.exe (PID: 2852)
  - SetEntriesInAclW@ADVAPI32.DLL from DefaultRemoteOffice_Agent.exe (PID: 3160)
- source: Hybrid Analysis Technology
- relevance: 10/10

Contains ability to obtain specified information about the security of a file or directory
- details
  - SetSecurityDescriptorOwner@ADVAPI32.DLL from DefaultRemoteOffice_Agent.exe (PID: 2852)
  - InitializeSecurityDescriptor@ADVAPI32.DLL from DefaultRemoteOffice_Agent.exe (PID: 2852)
  - FreeSid@ADVAPI32.DLL from DefaultRemoteOffice_Agent.exe (PID: 2852)
  - FreeSid@ADVAPI32.DLL from DefaultRemoteOffice_Agent.exe (PID: 3160)
  - InitializeSecurityDescriptor@ADVAPI32.DLL from DefaultRemoteOffice_Agent.exe (PID: 3160)
  - SetSecurityDescriptorOwner@ADVAPI32.DLL from DefaultRemoteOffice_Agent.exe (PID: 3160)
- source: Hybrid Analysis Technology
- relevance: 3/10
- ATT&CK ID: T1134.001

Tries to obtain the highest possible privilege level without UAC dialog
- details
  - "<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
    <dependency>
    <dependentAssembly>
    <assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*" />
    </dependentAssembly>
    </dependency>
    <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
    <requestedPrivileges>
    <requestedExecutionLevel level="highestAvailable" uiAccess="false"/>
    </requestedPrivileges>
    </security>
    </trustInfo>
    <compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1">
    <application>
    <supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/>
    <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>
    <supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>
    <supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/>
    <supportedOS Id="{8e0f7a" (Indicator: "requestedExecutionLevel level="highestAvailable"")
  - "<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="highestAvailable" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo><application xmlns="urn:schemas-microsoft-com:asm.v3"><windowsSettings><dpiAware xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">true</dpiAware></windowsSettings></application></assembly>PPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADD" (Indicator: "requestedExecutionLevel level="highestAvailable"")
- source: File/Memory
- relevance: 7/10
- ATT&CK ID: T1548.002

Unusual Characteristics

CRC value set in PE header does not match actual value
- details
  - "DefaultRemoteOffice_Agent.exe" claimed CRC 0 while the actual is CRC 265223
  - "dot3456.tmp" claimed CRC 87293 while the actual is CRC 1676431
  - "isr34B7.tmp" claimed CRC 436069 while the actual is CRC 87293
  - "_is3631.tmp" claimed CRC 1865925 while the actual is CRC 1095947
- source: Static Parser
- relevance: 10/10

Entrypoint in PE header is within an uncommon section
- details
  - "isr34B7.tmp" has an entrypoint in section ".rsrc"
- source: Static Parser
- relevance: 10/10

Imports suspicious APIs
- details
  - GetModuleFileNameW
  - GetVersionExW
  - GetModuleFileNameA
  - GetSystemDirectoryA
  - LockResource
  - GetCommandLineW
  - UnhandledExceptionFilter
  - TerminateProcess
  - GetStartupInfoW
  - GetProcAddress
  - WriteFile
  - LoadLibraryW
  - FindResourceExW
  - GetModuleHandleW
  - IsDebuggerPresent
  - CreateProcessA
  - FindResourceW
  - CreateFileW
  - Sleep
  - GetTickCount
  - CreateFileA
  - RegCreateKeyExW
  - RegCloseKey
  - RegEnumKeyW
  - RegDeleteKeyW
  - SetSecurityDescriptorDacl
  - OpenProcessToken
  - RegOpenKeyExW
  - RegOpenKeyW
  - RegEnumKeyExW
  - RegDeleteValueW
  - GetFileAttributesW
  - GetThreadContext
  - CopyFileW
  - OutputDebugStringW
  - LoadLibraryExA
  - LoadLibraryExW
  - CreateThread
  - GetSystemDirectoryW
  - GetModuleHandleExW
  - LoadLibraryA
  - ExitThread
  - GetFileSize
  - WriteProcessMemory
  - OpenProcess
  - CreateDirectoryW
  - DeleteFileW
  - VirtualProtectEx
  - GetTempFileNameW
  - CreateFileMappingW
  - FindNextFileW
  - FindFirstFileW
  - GetSystemInfo
  - MapViewOfFile
  - GetTempPathW
  - CreateProcessW
  - ShellExecuteExW
  - FindWindowExW
  - WinExec
  - GetCommandLineA
  - VirtualAlloc
  - GetVersionExA
  - GetModuleHandleA
  - GetStartupInfoA
  - OutputDebugStringA
- source: Static Parser
- relevance: 1/10

Reads information about supported languages
- details
  - "DefaultRemoteOffice_Agent.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\EXTENDEDLOCALE"; Key: "EN-US")
  - "DefaultRemoteOffice_Agent.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\CUSTOMLOCALE"; Key: "EN-US")
  - "DefaultRemoteOffice_Agent.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
  - "DefaultRemoteOffice_Agent.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\EXTENDEDLOCALE"; Key: "ZH-CN")
  - "DefaultRemoteOffice_Agent.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\EXTENDEDLOCALE"; Key: "CS")
  - "DefaultRemoteOffice_Agent.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\CUSTOMLOCALE"; Key: "CS")
  - "DefaultRemoteOffice_Agent.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\EXTENDEDLOCALE"; Key: "CS-CZ")
  - "DefaultRemoteOffice_Agent.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\CUSTOMLOCALE"; Key: "DA")
  - "DefaultRemoteOffice_Agent.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\EXTENDEDLOCALE"; Key: "DA")
  - "DefaultRemoteOffice_Agent.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\EXTENDEDLOCALE"; Key: "DA-DK")
  - "DefaultRemoteOffice_Agent.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\CUSTOMLOCALE"; Key: "DE")
  - "DefaultRemoteOffice_Agent.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\EXTENDEDLOCALE"; Key: "DE")
  - "DefaultRemoteOffice_Agent.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\CUSTOMLOCALE"; Key: "DE-DE")
  - "DefaultRemoteOffice_Agent.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\EXTENDEDLOCALE"; Key: "DE-DE")
  - "DefaultRemoteOffice_Agent.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\CUSTOMLOCALE"; Key: "EN")
  - "DefaultRemoteOffice_Agent.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\EXTENDEDLOCALE"; Key: "EN")
  - "DefaultRemoteOffice_Agent.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\CUSTOMLOCALE"; Key: "ES")
  - "DefaultRemoteOffice_Agent.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\EXTENDEDLOCALE"; Key: "ES")
- source: Registry Access
- relevance: 3/10
- ATT&CK ID: T1012

Hiding 22 Suspicious Indicators
Informative (62)

Anti-Detection/Stealthyness

Calls an API typically used to remove a directory
- details
  - "DefaultRemoteOffice_Agent.exe" called "RemoveDirectoryW" with parameter %TEMP%\{0059A837-6F91-4D38-AE29-1439657DA5D5} (UID: 00000000-00003160)
  - "DefaultRemoteOffice_Agent.exe" called "RemoveDirectoryW" with parameter %TEMP%\{62038814-359B-494C-9DE1-23EA85750A4B} (UID: 00000000-00003160)
- source: API Call
- relevance: 3/10
- ATT&CK ID: T1070.004

Contains ability to write data into process memory (API string)
- details
  - Observed API string: "WriteProcessMemory" [Source: f83dd430efb098406365f4ff69cf8f9646e79e94597a36e3ebcbb38f1d0e8ec3.bin]
- source: File/Memory
- relevance: 1/10
- ATT&CK ID: T1055.012

Anti-Reverse Engineering

Contains ability to register a top-level exception handler (often used as anti-debugging trick)
- details
  - SetUnhandledExceptionFilter@KERNEL32.DLL from DefaultRemoteOffice_Agent.exe (PID: 2852)
  - SetUnhandledExceptionFilter@KERNEL32.DLL from DefaultRemoteOffice_Agent.exe (PID: 3160)
  - SetUnhandledExceptionFilter@KERNEL32.DLL from agentInstallerComponent.exe (PID: 3924)
  - SetUnhandledExceptionFilter@KERNEL32.dll
- source: Hybrid Analysis Technology
- relevance: 1/10

Environment Awareness

Contains ability to enumerate files inside a directory
- details
  - FindFirstFileW@KERNEL32.DLL from DefaultRemoteOffice_Agent.exe (PID: 2852)
  - FindFirstFileW@KERNEL32.DLL from DefaultRemoteOffice_Agent.exe (PID: 3160)
  - FindFirstFileW@KERNEL32.dll
- source: Hybrid Analysis Technology
- relevance: 3/10
- ATT&CK ID: T1083

Contains ability to query local/system time
- details
-
GetSystemTimeAsFileTime@KERNEL32.DLL from DefaultRemoteOffice_Agent.exe (PID: 2852) (×2)
FileTimeToLocalFileTime@KERNEL32.DLL from DefaultRemoteOffice_Agent.exe (PID: 2852)
GetSystemTimeAsFileTime@KERNEL32.DLL from DefaultRemoteOffice_Agent.exe (PID: 3160) (×2)
FileTimeToLocalFileTime@KERNEL32.DLL from DefaultRemoteOffice_Agent.exe (PID: 3160)
GetSystemTimeAsFileTime@KERNEL32.DLL from agentInstallerComponent.exe (PID: 3924) (×2)
FileTimeToLocalFileTime@KERNEL32.dll
- source
- Hybrid Analysis Technology
- relevance
- 1/10
- ATT&CK ID
- T1124 (System Time Discovery)
-
Contains ability to query machine time
- details
-
GetSystemTimeAsFileTime@KERNEL32.DLL from DefaultRemoteOffice_Agent.exe (PID: 2852) (×2)
GetLocalTime@KERNEL32.DLL from DefaultRemoteOffice_Agent.exe (PID: 2852)
GetSystemTimeAsFileTime@KERNEL32.DLL from DefaultRemoteOffice_Agent.exe (PID: 3160) (×2)
GetLocalTime@KERNEL32.DLL from DefaultRemoteOffice_Agent.exe (PID: 3160)
GetSystemTimeAsFileTime@KERNEL32.DLL from agentInstallerComponent.exe (PID: 3924) (×2)
- source
- Hybrid Analysis Technology
- relevance
- 1/10
- ATT&CK ID
- T1124 (System Time Discovery)
-
Contains ability to query the machine version
- details
-
GetVersion@KERNEL32.DLL from DefaultRemoteOffice_Agent.exe (PID: 2852) (×2)
GetVersionExW@KERNEL32.DLL from DefaultRemoteOffice_Agent.exe (PID: 2852) (×9)
GetVersionExW@KERNEL32.DLL from DefaultRemoteOffice_Agent.exe (PID: 3160) (×8)
GetVersion@KERNEL32.DLL from DefaultRemoteOffice_Agent.exe (PID: 3160)
- source
- Hybrid Analysis Technology
- relevance
- 1/10
- ATT&CK ID
- T1082 (System Information Discovery)
-
Contains ability to query the system locale
- details
-
GetLocaleInfoW@KERNEL32.DLL from DefaultRemoteOffice_Agent.exe (PID: 2852)
GetLocaleInfoW@KERNEL32.DLL from DefaultRemoteOffice_Agent.exe (PID: 3160)
GetLocaleInfoA@KERNEL32.DLL from agentInstallerComponent.exe (PID: 3924) (×2)
EnumSystemLocalesA@KERNEL32.DLL from agentInstallerComponent.exe (PID: 3924) (×3)
GetLocaleInfoW@KERNEL32.DLL from agentInstallerComponent.exe (PID: 3924) (×2)
GetLocaleInfoW@KERNEL32.dll (×2)
GetLocaleInfoA@KERNEL32.dll (×2)
- source
- Hybrid Analysis Technology
- relevance
- 1/10
- ATT&CK ID
- T1082 (System Information Discovery)
-
Contains ability to query volume size
- details
-
GetDiskFreeSpaceW@KERNEL32.DLL from DefaultRemoteOffice_Agent.exe (PID: 2852)
GetDiskFreeSpaceW@KERNEL32.DLL from DefaultRemoteOffice_Agent.exe (PID: 3160)
- source
- Hybrid Analysis Technology
- relevance
- 3/10
- ATT&CK ID
- T1083 (File and Directory Discovery)
-
Contains ability to read software policies
- details
-
"DefaultRemoteOffice_Agent.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\SAFER\CODEIDENTIFIERS"; Key: "TRANSPARENTENABLED")
"DefaultRemoteOffice_Agent.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\SAFER\CODEIDENTIFIERS"; Key: "AUTHENTICODEENABLED")
"cmd.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\SAFER\CODEIDENTIFIERS"; Key: "TRANSPARENTENABLED")
"cmd.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\SAFER\CODEIDENTIFIERS"; Key: "AUTHENTICODEENABLED")
"agentInstallerComponent.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\SAFER\CODEIDENTIFIERS"; Key: "TRANSPARENTENABLED")
- source
- Registry Access
- relevance
- 1/10
- ATT&CK ID
- T1082 (System Information Discovery)
-
Contains ability to retrieve system language
- details
-
GetSystemDefaultUILanguage@KERNEL32.DLL from DefaultRemoteOffice_Agent.exe (PID: 2852)
GetSystemDefaultUILanguage@KERNEL32.DLL from DefaultRemoteOffice_Agent.exe (PID: 3160)
- source
- Hybrid Analysis Technology
- relevance
- 3/10
- ATT&CK ID
- T1082 (System Information Discovery)
-
Makes a code branch decision directly after an API that is environment aware
- details
-
Found API call GetVersion@KERNEL32.DLL directly followed by "cmp ecx, eax" and "ret " from DefaultRemoteOffice_Agent.exe (PID: 2852)
Found API call GetDiskFreeSpaceExW@KERNEL32.DLL directly followed by "cmp word ptr [ebp-0000020Ch], di" and "push ecx" from DefaultRemoteOffice_Agent.exe (PID: 2852)
Found API call GetVersionExW@KERNEL32.DLL directly followed by "cmp dword ptr [ebp-00000108h], 01h" and "jne 00D854D5h" from DefaultRemoteOffice_Agent.exe (PID: 2852)
Found API call GetVersion@KERNEL32.DLL directly followed by "cmp eax, 80000000h" and "jbe 00D80F5Ah" from DefaultRemoteOffice_Agent.exe (PID: 2852)
Found API call GetVersionExW@KERNEL32.DLL directly followed by "cmp dword ptr [ebp-00000108h], 01h" and "jne 011854D5h" from DefaultRemoteOffice_Agent.exe (PID: 3160)
Found API call GetVersion@KERNEL32.DLL directly followed by "cmp ecx, eax" and "ret " from DefaultRemoteOffice_Agent.exe (PID: 3160)
Found API call GetDiskFreeSpaceExW@KERNEL32.DLL directly followed by "cmp word ptr [ebp-0000020Ch], di" and "push ecx" from DefaultRemoteOffice_Agent.exe (PID: 3160)
Found API call GetVersion@KERNEL32.DLL directly followed by "cmp eax, 80000000h" and "jbe 01180F5Ah" from DefaultRemoteOffice_Agent.exe (PID: 3160)
- source
- Hybrid Analysis Technology
- relevance
- 10/10
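The heuristic above fires whenever a compare immediately follows a call to an API that describes the host; the GetDiskFreeSpaceExW hit, where "push ecx" rather than a branch comes next, shows that the branch itself is not required. It is scored 10/10 here even though the GetVersion sequence "cmp eax, 80000000h / jbe" tests the high bit that GetVersion sets on Windows 9x, i.e. it is the platform check that runtime start-up code has always emitted. The script below is an added example written for this page, not code from Hybrid Analysis: it re-implements the heuristic over a plain-text disassembly listing, records whether a real conditional jump or ret follows the compare, and carries a small known-benign table so that the CRT pattern is labelled as such. The API list, the benign table and the listing itself (addresses taken from the PID 2852 entries, surrounding instructions invented) are the example's own assumptions.

```python
"""Re-implementation of the "code branch decision directly after an
environment-aware API" heuristic over a textual disassembly listing.

Editor's added example; not Hybrid Analysis code. The API list, the
known-benign table and the listing are this example's own assumptions."""
from __future__ import annotations

import re
from dataclasses import dataclass

# APIs whose return value describes the host (assumed list, modelled on the
# APIs named in the report; the sandbox's own list is not published).
ENV_AWARE_APIS = {
    "GetVersion", "GetVersionExA", "GetVersionExW",
    "GetDiskFreeSpaceW", "GetDiskFreeSpaceExW", "GetSystemTimeAsFileTime",
    "GetLocaleInfoW", "GetSystemDefaultUILanguage", "IsDebuggerPresent",
}

# (api, first instruction after the call) pairs that runtime start-up code
# emits on its own. GetVersion sets bit 31 on Win9x, so comparing the result
# against 80000000h is a platform check, not sandbox detection (assumption).
KNOWN_BENIGN = {("GetVersion", "cmp eax, 80000000h")}

LINE_RE = re.compile(r"^\s*(?P<addr>[0-9A-Fa-f]+)\s+(?P<mnem>[a-z]+)\s*(?P<ops>.*?)\s*$")
COND_JUMP_RE = re.compile(r"^j(?!mp$)[a-z]+$")   # jne, jbe, jl ... but not jmp

# Constructed listing shaped like the report's findings (addresses from the
# PID 2852 entries; the surrounding instructions are invented).
LISTING = """
00D80F40  call dword ptr [__imp__GetVersion@0]
00D80F46  cmp eax, 80000000h
00D80F4B  jbe 00D80F5Ah
00D80F4D  xor eax, eax
00D854C0  call dword ptr [__imp__GetVersionExW@4]
00D854C6  cmp dword ptr [ebp-00000108h], 01h
00D854CD  jne 00D854D5h
00D85500  call dword ptr [__imp__GetSystemTimeAsFileTime@4]
00D85506  mov eax, dword ptr [ebp-8]
00D85509  push eax
00D85600  call dword ptr [__imp__GetDiskFreeSpaceExW@16]
00D85606  cmp word ptr [ebp-0000020Ch], di
00D8560D  push ecx
"""


@dataclass
class Finding:
    address: str
    api: str
    following: list[str]   # the two instructions after the call
    branches: bool         # second instruction is a conditional jump or ret
    known_benign: bool


def parse_listing(text: str) -> list[tuple[str, str, str]]:
    """Split a listing into (address, mnemonic, operands) tuples."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rows.append((m["addr"].upper(), m["mnem"], m["ops"]))
    return rows


def called_api(operands: str) -> str | None:
    """Recover the import name from 'dword ptr [__imp__GetVersion@0]',
    '[GetVersion]' or a bare 'GetVersion'."""
    m = re.search(r"(?:__imp__)?([A-Za-z_][A-Za-z0-9_]*?)(?:@\d+)?\]?$", operands.strip())
    return m.group(1) if m else None


def branch_after_env_api(text: str) -> list[Finding]:
    """Flag every call to an environment-aware API whose next instruction is a
    compare (the sandbox fires on that alone; see the 'push ecx' case in the
    report) and record whether the instruction after it really branches."""
    rows = parse_listing(text)
    findings = []
    for i, (addr, mnem, ops) in enumerate(rows):
        if mnem != "call":
            continue
        api = called_api(ops)
        if api not in ENV_AWARE_APIS:
            continue
        tail = rows[i + 1:i + 3]
        if not tail or tail[0][1] not in ("cmp", "test"):
            continue
        following = [f"{mn} {op}".strip() for _, mn, op in tail]
        second = tail[1][1] if len(tail) > 1 else ""
        branches = second == "ret" or COND_JUMP_RE.match(second) is not None
        findings.append(Finding(addr, api, following, branches,
                                (api, following[0]) in KNOWN_BENIGN))
    return findings


if __name__ == "__main__":
    for f in branch_after_env_api(LISTING):
        tag = "benign-runtime-check" if f.known_benign else ("branch" if f.branches else "compare-only")
        print(f"{f.address} {f.api:<24} {tag:<22} {' ; '.join(f.following)}")
```

Run against a real listing (objdump, IDA or Ghidra text export, one instruction per line) the compare-only hits are the ones to discard first; a hit that branches on GetVersionExW's output or on a disk-size value is the one worth opening in the stream view, and even then the question is what the two branch targets do, not that the compare exists.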
-
Possibly tries to detect the presence of a debugger
- details
-
GetProcessHeap@KERNEL32.DLL from DefaultRemoteOffice_Agent.exe (PID: 2852) (×3)
GetProcessHeap@KERNEL32.DLL from DefaultRemoteOffice_Agent.exe (PID: 3160) (×3)
GetProcessHeap@KERNEL32.DLL from agentInstallerComponent.exe (PID: 3924) (×2)
GetProcessHeap@KERNEL32.dll
- source
- Hybrid Analysis Technology
- relevance
- 1/10
-
Reads the registry for installed applications
- details
-
"DefaultRemoteOffice_Agent.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\7-ZIP"; Key: "PRODUCTGUID")
"DefaultRemoteOffice_Agent.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\ADDRESSBOOK"; Key: "PRODUCTGUID")
"DefaultRemoteOffice_Agent.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\ADOBE AIR")
"DefaultRemoteOffice_Agent.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\ADOBE AIR"; Key: "PRODUCTGUID")
"DefaultRemoteOffice_Agent.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\ADOBE FLASH PLAYER ACTIVEX")
"DefaultRemoteOffice_Agent.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\ADOBE FLASH PLAYER ACTIVEX"; Key: "PRODUCTGUID")
"DefaultRemoteOffice_Agent.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\ADOBE SHOCKWAVE PLAYER"; Key: "PRODUCTGUID")
"DefaultRemoteOffice_Agent.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\AUTOITV3"; Key: "PRODUCTGUID")
"DefaultRemoteOffice_Agent.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\CONNECTION MANAGER"; Key: "PRODUCTGUID")
"DefaultRemoteOffice_Agent.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\DIRECTDRAWEX")
"DefaultRemoteOffice_Agent.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\DIRECTDRAWEX"; Key: "PRODUCTGUID")
"DefaultRemoteOffice_Agent.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\DXM_RUNTIME"; Key: "PRODUCTGUID")
"DefaultRemoteOffice_Agent.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\FONTCORE"; Key: "PRODUCTGUID")
"DefaultRemoteOffice_Agent.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\HAANSOFT HOFFICE 80 KOREAN"; Key: "PRODUCTGUID")
"DefaultRemoteOffice_Agent.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\IE40"; Key: "PRODUCTGUID")
"DefaultRemoteOffice_Agent.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\IE40")
"DefaultRemoteOffice_Agent.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\IE4DATA"; Key: "PRODUCTGUID")
"DefaultRemoteOffice_Agent.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\IE5BAKEX")
"DefaultRemoteOffice_Agent.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\IE5BAKEX"; Key: "PRODUCTGUID")
"DefaultRemoteOffice_Agent.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\IEDATA"; Key: "PRODUCTGUID")
- source
- Registry Access
- relevance
- 10/10
- ATT&CK ID
- T1518 (Software Discovery)
-
Tries to identify Internet Explorer version from registry
- details
- "DefaultRemoteOffice_Agent.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER"; Key: "VERSION"; Value: "")
- source
- Registry Access
- relevance
- 3/10
-
External Systems
-
Sample was identified as clean by Antivirus engines
- details
- 0/72 Antivirus vendors marked sample as malicious (0% detection rate)
- source
- External System
- relevance
- 10/10
-
General
-
Calls an API typically used to create a directory
- details
-
"DefaultRemoteOffice_Agent.exe" called "CreateDirectoryW" with parameter %TEMP%\{300931DF-0621-4267-83D4-21548C1A237B} (UID: 00000000-00002852)
"DefaultRemoteOffice_Agent.exe" called "CreateDirectoryW" with parameter C:\Users\%USERNAME%\ (UID: 00000000-00002852)
"DefaultRemoteOffice_Agent.exe" called "CreateDirectoryW" with parameter C:\Users\%USERNAME%\AppData\ (UID: 00000000-00002852)
"DefaultRemoteOffice_Agent.exe" called "CreateDirectoryW" with parameter C:\Users\%USERNAME%\AppData\Local\ (UID: 00000000-00002852)
"DefaultRemoteOffice_Agent.exe" called "CreateDirectoryW" with parameter C:\Users\%USERNAME%\AppData\Local\Temp\ (UID: 00000000-00002852)
"DefaultRemoteOffice_Agent.exe" called "CreateDirectoryW" with parameter C:\Users\%USERNAME%\AppData\Local\Temp\{300931DF-0621-4267-83D4-21548C1A237B}\ (UID: 00000000-00002852)
"DefaultRemoteOffice_Agent.exe" called "CreateDirectoryW" (UID: 00000000-00002852)
"DefaultRemoteOffice_Agent.exe" called "CreateDirectoryW" with parameter C:\Users\ (UID: 00000000-00002852)
- source
- API Call
- relevance
- 3/10
-
Calls an API typically used to create a process
- details
-
"DefaultRemoteOffice_Agent.exe" called "CreateProcessW" with parameter "%TEMP%\{300931DF-0621-4267-83D4-21548C1A237B}\DefaultRemoteOffice_Agent.exe -package:"C:\DefaultRemo" - (UID: 00000000-00002852)
"DefaultRemoteOffice_Agent.exe" called "CreateProcessA" with parameter "%WINDIR%\system32\cmd.exe /C %WINDIR%\Temp\agentInstallerComponent.exe "C:\DefaultRemoteOffice_Agent.exe" 3 > %WINDIR%\Temp\DesktopCentralAgent.txt 2>&1 " - (UID: 00000000-00003160)
- source
- API Call
- relevance
- 5/10
- ATT&CK ID
- T1106 (Native API)
-
Contains PDB pathways
- details
-
"C:\CodeBases\isdev\redist\Language Independent\i386\ISP\setup.pdb"
"d:\Webhost\03-10-2022\WindowsBuilds\DC_NATIVE\5484463\desktopcentral\CLOUD_PRODUCTION\SA_SRC\native\agent\Release\agentInstallerComponent.pdb"
- source
- File/Memory
- relevance
- 1/10
-
Contains ability to delay the execution of current thread
- details
-
Sleep@KERNEL32.DLL from DefaultRemoteOffice_Agent.exe (PID: 2852) (×10)
Sleep@KERNEL32.DLL from DefaultRemoteOffice_Agent.exe (PID: 3160) (×10)
- source
- Hybrid Analysis Technology
- relevance
- 3/10
- ATT&CK ID
- T1497 (Virtualization/Sandbox Evasion)
-
Contains ability to dynamically load libraries
- details
-
LoadLibraryExA@KERNEL32.DLL from DefaultRemoteOffice_Agent.exe (PID: 2852)
LoadLibraryW@KERNEL32.DLL from DefaultRemoteOffice_Agent.exe (PID: 2852) (×5)
LoadLibraryA@KERNEL32.DLL from DefaultRemoteOffice_Agent.exe (PID: 2852)
LoadLibraryExW@KERNEL32.DLL from DefaultRemoteOffice_Agent.exe (PID: 2852)
LoadLibraryW@KERNEL32.DLL from DefaultRemoteOffice_Agent.exe (PID: 3160) (×5)
LoadLibraryExW@KERNEL32.DLL from DefaultRemoteOffice_Agent.exe (PID: 3160)
LoadLibraryA@KERNEL32.DLL from DefaultRemoteOffice_Agent.exe (PID: 3160)
LoadLibraryExA@KERNEL32.DLL from DefaultRemoteOffice_Agent.exe (PID: 3160)
LoadLibraryW@KERNEL32.DLL from agentInstallerComponent.exe (PID: 3924)
LoadLibraryA@KERNEL32.dll
- source
- Hybrid Analysis Technology
- relevance
- 3/10
- ATT&CK ID
- T1106 (Native API)
-
Contains export functions
- details
-
"ISSetup.dll" contains export function called "DllCanUnloadNow" at ordinal 1
"ISSetup.dll" contains export function called "DllGetClassObject" at ordinal 2
"ISSetup.dll" contains export function called "DllRegisterServer" at ordinal 3
"ISSetup.dll" contains export function called "DllUnregisterServer" at ordinal 4
"ISSetup.dll" contains export function called "GetProductSKU" at ordinal 5
"ISSetup.dll" contains export function called "GetScriptEngine" at ordinal 6
"ISSetup.dll" contains export function called "InstallEngineTypelib" at ordinal 7
"ISSetup.dll" contains export function called "RemoveEngineTypelib" at ordinal 8
"ISSetup.dll" contains export function called "SuiteIsFeatureInstalled" at ordinal 9
"ISSetup.dll" contains export function called "SuiteStartupInstall" at ordinal 10
"isr34B7.tmp" contains export function called "AddIcon" at ordinal 108
"isr34B7.tmp" contains export function called "CallDLLFn" at ordinal 92
"isr34B7.tmp" contains export function called "ComponentViewCreateWindow" at ordinal 45
"isr34B7.tmp" contains export function called "ComponentViewDestroy" at ordinal 49
"isr34B7.tmp" contains export function called "ComponentViewRefresh" at ordinal 47
"isr34B7.tmp" contains export function called "ComponentViewSelectAll" at ordinal 48
"isr34B7.tmp" contains export function called "ComponentViewSetInfo" at ordinal 46
"isr34B7.tmp" contains export function called "ComponentViewSetInfoEx" at ordinal 147
"isr34B7.tmp" contains export function called "CreateFolder" at ordinal 109
"isr34B7.tmp" contains export function called "DeleteFolder" at ordinal 110
- source
- Static Parser
- relevance
- 1/10
-
Contains registry location strings
- details
-
"Software\Microsoft\Windows\CurrentVersion"
"Software\Microsoft\Windows\CurrentVersion\RunOnce"
"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\"
"Software\Microsoft\Windows\CurrentVersion\Uninstall"
"SOFTWARE\Microsoft\Windows\CurrentVersion"
"SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"
"SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx"
"SYSTEM\CurrentControlSet\Control\Session Manager\FileRenameOperations"
"SYSTEM\CurrentControlSet\Control\Session Manager"
"SYSTEM\CurrentControlSet\Control\Session Manager\Environment"
"Software\Microsoft\Internet Explorer"
"Software\Microsoft\Windows\CurrentVersion\Internet Settings"
"SOFTWARE\InstallShield\24.0\Professional"
- source
- File/Memory
- relevance
- 1/10
- ATT&CK ID
- T1012 (Query Registry)
-
Creates mutants
- details
-
"\Sessions\1\BaseNamedObjects\417FCDE2-BCB2-4A7C-BC24-F539CD19209A"
"417FCDE2-BCB2-4A7C-BC24-F539CD19209A"
- source
- Created Mutant
- relevance
- 3/10
-
Drops files marked as clean
- details
-
Antivirus vendors marked dropped file "AGENTINSTALLERCOMPONENT.EXE.635B09A7.bin" as clean (type is "PE32 executable (console) Intel 80386 for MS Windows")
Antivirus vendors marked dropped file "DefaultRemoteOffice_Agent.exe" as clean (type is "PE32 executable (GUI) Intel 80386 for MS Windows")
Antivirus vendors marked dropped file "setup.exe" as clean (type is "PE32 executable (GUI) Intel 80386 for MS Windows")
Antivirus vendors marked dropped file "ISSetup.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
Antivirus vendors marked dropped file "dot3456.tmp" as clean (type is "PE32 executable (console) Intel 80386 Mono/.Net assembly for MS Windows")
Antivirus vendors marked dropped file "isr34B7.tmp" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows PECompact2 compressed")
Antivirus vendors marked dropped file "_is3546.tmp" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
Antivirus vendors marked dropped file "_is3631.tmp" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
- source
- Binary File
- relevance
- 10/10
-
Found API related strings
- details
-
"GetSystemWindowsDirectoryW" (Indicator: "GetSystemWindowsDirectoryW")
"Wow64DisableWow64FsRedirection" (Indicator: "Wow64DisableWow64FsRedirection")
"Wow64RevertWow64FsRedirection" (Indicator: "Wow64RevertWow64FsRedirection")
"InitializeCriticalSectionEx" (Indicator: "InitializeCriticalSection")
"GetNativeSystemInfo" (Indicator: "GetNativeSystemInfo")
"IsWow64Process" (Indicator: "IsWow64Process")
"CreateToolhelp32Snapshot" (Indicator: "CreateToolhelp32Snapshot")
"Process32First" (Indicator: "Process32First")
"Process32Next" (Indicator: "Process32Next")
"FindFirstFileW" (Indicator: "FindFirstFileW")
"FindFirstFileA" (Indicator: "FindFirstFileA")
"GetFileAttributesW" (Indicator: "GetFileAttributesW")
"GetFileAttributesA" (Indicator: "GetFileAttributesA")
"DeleteFileW" (Indicator: "DeleteFileW")
"CreateDirectoryW" (Indicator: "CreateDirectoryW")
"CreateFileW" (Indicator: "CreateFileW")
"CreateFileA" (Indicator: "CreateFileA")
"too many files open" (Indicator: "open")
"connection_already_in_progress" (Indicator: "connect")
"connection_aborted" (Indicator: "connect")
- source
- File/Memory
- relevance
- 1/10
-
Loads rich edit control libraries
- details
-
"DefaultRemoteOffice_Agent.exe" loaded module "%WINDIR%\System32\riched32.dll" at 6DC30000
"DefaultRemoteOffice_Agent.exe" loaded module "%WINDIR%\System32\riched20.dll" at 6BE70000
- source
- Loaded Module
-
Overview of unique CLSIDs touched in registry
- details
-
"DefaultRemoteOffice_Agent.exe" touched "PSDispatch" (Path: "HKCU\CLSID\{00020420-0000-0000-C000-000000000046}\TREATAS")
"DefaultRemoteOffice_Agent.exe" touched "PSTypeInfo" (Path: "HKCU\CLSID\{00020422-0000-0000-C000-000000000046}\TREATAS")
"DefaultRemoteOffice_Agent.exe" touched "Task Bar Communication" (Path: "HKLM\SOFTWARE\CLASSES\CLSID\{56FDF344-FD6D-11D0-958A-006097C9A090}\TREATAS")
- source
- Registry Access
- relevance
- 3/10
-
PE file contains executable sections
- details
-
"AGENTINSTALLERCOMPONENT.EXE.635B09A7.bin" has an executable section named ".text"
"DefaultRemoteOffice_Agent.exe" has an executable section named ".text"
"ISSetup.dll" has an executable section named ".text"
"ISSetup.dll" has an executable section named ".orpc"
"dot3456.tmp" has an executable section named ".text"
"isr34B7.tmp" has an executable section named ".text"
"isr34B7.tmp" has an executable section named ".rsrc"
"_is3631.tmp" has an executable section named ".text"
- source
- Static Parser
- relevance
- 1/10
-
PE file contains writable sections
- details
-
"AGENTINSTALLERCOMPONENT.EXE.635B09A7.bin" has a writable section named ".data"
"DefaultRemoteOffice_Agent.exe" has a writable section named ".data"
"ISSetup.dll" has a writable section named ".data"
"isr34B7.tmp" has a writable section named ".text" (writable and executable at once, as the PECompact2 unpacker needs in order to decompress code in place)
"isr34B7.tmp" has a writable section named ".rsrc"
"isr34B7.tmp" has a writable section named ".reloc"
"_is3631.tmp" has a writable section named ".data"
"_is3631.tmp" has a writable section named ".idata"
- source
- Static Parser
- relevance
- 1/10
-
PE file entrypoint instructions
- details
-
"AGENTINSTALLERCOMPONENT.EXE.635B09A7.bin" entry point instructions: call 0x41f7fb; jmp 0x415537; call 0x41f8eb; test eax, eax; je 0x4156b3; push 0x16; call 0x41f8f8; pop ecx; test byte ptr [0x4354ec], 2; je 0x4156cd; push 1; push 0x40000015; push 3; call 0x419603; add esp, 0xc; push 3; call 0x41b3d7; int3; mov edi, edi; push ebp; mov ebp, esp; mov ecx, dword ptr [ebp + 0xc]; mov eax, dword ptr [0x4354ec]; mov edx, dword ptr [ebp + 8]; and edx, dword ptr [ebp + 0xc]; not ecx; and ecx, eax; or ecx, edx; mov dword ptr [0x4354ec], ecx; pop ebp; ret; int3 (×6)
"DefaultRemoteOffice_Agent.exe" entry point instructions: call 0x4486db; jmp 0x441ba0; push ebp; mov ebp, esp; xor edx, edx; mov eax, edx; cmp dword ptr [ebp + 0xc], eax; jbe 0x441d3e; mov ecx, dword ptr [ebp + 8]; cmp word ptr [ecx], dx; je 0x441d3e; inc eax; add ecx, 2; cmp eax, dword ptr [ebp + 0xc]; jb 0x441d30; pop ebp; ret; mov ecx, dword ptr [esp + 0xc]; push edi; test ecx, ecx; je 0x441ddf; push esi; push ebx; mov ebx, ecx; mov esi, dword ptr [esp + 0x14]; test esi, 3; mov edi, dword ptr [esp + 0x10]; jne 0x441d6c; shr ecx, 2; jne 0x441def; jmp 0x441d93; mov al, byte ptr [esi]; add esi, 1; mov byte ptr [edi], al; add edi, 1; sub ecx, 1; je 0x441da6
"ISSetup.dll" entry point instructions: push ebp; mov ebp, esp; cmp dword ptr [ebp + 0xc], 1; jne 0x100aa3d8; call 0x100b23da; push dword ptr [ebp + 0x10]; push dword ptr [ebp + 0xc]; push dword ptr [ebp + 8]; call 0x100aa3ed; add esp, 0xc; pop ebp; ret 0xc; push 0xc; push 0x10116eb8; call 0x100ad1a0; xor eax, eax; inc eax; mov esi, dword ptr [ebp + 0xc]; test esi, esi; jne 0x100aa40f; cmp dword ptr [0x1013f6d4], esi; je 0x100aa4f3; and dword ptr [ebp - 4], 0; cmp esi, 1; je 0x100aa41d; cmp esi, 2; jne 0x100aa452; mov ecx, dword ptr [0x100e9708]; test ecx, ecx; je 0x100aa433; push dword ptr [ebp + 0x10]; push esi; push dword ptr [ebp + 8]
"dot3456.tmp" entry point instructions: jmp dword ptr [0x11002000]; followed by a run of add byte ptr [eax], al (the native stub of a .NET image is a single jmp through the import table into mscoree, and the zero padding after it decodes as add byte ptr [eax], al)
"isr34B7.tmp" entry point instructions: mov eax, 0x101122fc; push eax; push dword ptr fs:[0]; mov dword ptr fs:[0], esp; xor eax, eax; mov dword ptr [eax], ecx; push eax; inc ebp; inc ebx; outsd dx, dword ptr [esi]; insd dword ptr es:[edi], dx; jo 0x10111a5a; arpl word ptr [edx + esi], si; add byte ptr [eax], al; add byte ptr [eax], cl; loope 0x10111a4b; add dword ptr [ebp], edx; mov ebp, esp; push ebx; push edi; push esi; push dword ptr [ebp + 0xc]; ret; push es; or al, ch; pop es; add esp, dword ptr [ebx]; pop esi; pop edi; pop ebx; leave; ret 0x1f5; sbb byte ptr [ebx - 0x43030b3c], al; cmp dword ptr [edi - 0x51dfdb8c], ecx; jl 0x101119c7; inc eax; cmp word ptr [esi], 0x434a; prefetchnta byte ptr [ebp - 0x7cb7fd63] (the PECompact2 stub: the first six instructions register an SEH handler at 0x101122fc and then write through a null pointer on purpose, so control reaches the unpacker via the exception; everything decoded after the faulting store is data, not code)
"_is3546.tmp" entry point instructions: dec ebp; pop edx; nop; add byte ptr [ebx], al; add byte ptr [eax], al; add byte ptr [eax + eax], al; add byte ptr [eax], al (these are the bytes 4D 5A 90 00 03 00 00 00 04 00 00 00 of the MZ DOS header: the file has no executable section and an entry point RVA of 0, so the parser disassembled the file header)
"_is3631.tmp" entry point instructions: push ebp; mov ebp, esp; push ecx; mov dword ptr [ebp - 4], 1; cmp dword ptr [ebp + 0xc], 0; jne 0x100011a1; cmp dword ptr [0x10031a78], 0; jne 0x100011a1; xor eax, eax; jmp 0x1000126d; cmp dword ptr [ebp + 0xc], 1; je 0x100011ad; cmp dword ptr [ebp + 0xc], 2; jne 0x100011ef; cmp dword ptr [0x10033610], 0; je 0x100011cb; mov eax, dword ptr [ebp + 0x10]; push eax; mov ecx, dword ptr [ebp + 0xc]; push ecx; mov edx, dword ptr [ebp + 8]; push edx; call dword ptr [0x10033610]; mov dword ptr [ebp - 4], eax; cmp dword ptr [ebp - 4], 0; je 0x100011e5; mov eax, dword ptr [ebp + 0x10]; push eax; mov ecx, dword ptr [ebp + 0xc]; push ecx; mov edx, dword ptr [ebp + 8]; push edx; call 0x10001040 (DllMain dispatch on the fdwReason argument at [ebp + 0xc])
- source
- Static Parser
- relevance
- 1/10
-
Process launched with changed environment
- details
- Process "agentInstallerComponent.exe" was launched with new environment variables: "PROMPT="$P$G"" (cmd.exe defines PROMPT=$P$G when the variable is unset, so this is inherited from the cmd.exe /C launch recorded below rather than set by the installer)
- source
- Monitored Target
- relevance
- 10/10
-
Runs shell commands
- details
- "/C %WINDIR%\Temp\agentInstallerComponent.exe "C:\DefaultRemoteOffice_Agent.exe" 3 > %WINDIR%\Temp\DesktopCentralAgent.txt 2>&1" on 2022-10-27.22:43:51.422
- source
- Monitored Target
- relevance
- 5/10
- ATT&CK ID
- T1059.003 (Command and Scripting Interpreter: Windows Command Shell)
-
Sample shows a variety of benign indicators
- details
- The input file/all extracted files were not detected as malicious and the input file is signed with a validated certificate
- source
- Indicator Combinations
- relevance
- 10/10
-
Scanning for window names
- details
- "DefaultRemoteOffice_Agent.exe" searching for class "Shell_TrayWnd"
- source
- API Call
- relevance
- 10/10
- ATT&CK ID
- T1010 (Application Window Discovery)
-
Spawns new processes
- details
-
Spawned process "DefaultRemoteOffice_Agent.exe" with commandline "-package:"C:\DefaultRemoteOffice_Agent.exe" -no_selfdeleter -IS_ ..."
Spawned process "cmd.exe" with commandline "/C %WINDIR%\Temp\agentInstallerComponent.exe "C:\DefaultRemoteOf ..."
Spawned process "agentInstallerComponent.exe" with commandline ""C:\DefaultRemoteOffice_Agent.exe" 3"
- source
- Monitored Target
- relevance
- 3/10
-
Spawns new processes that are not known child processes
- details
-
Spawned process "DefaultRemoteOffice_Agent.exe" with commandline "-package:"C:\DefaultRemoteOffice_Agent.exe" -no_selfdeleter -IS_ ..."
Spawned process "cmd.exe" with commandline "/C %WINDIR%\Temp\agentInstallerComponent.exe "C:\DefaultRemoteOf ..."
Spawned process "agentInstallerComponent.exe" with commandline ""C:\DefaultRemoteOffice_Agent.exe" 3"
- source
- Monitored Target
- relevance
- 3/10
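The tree the two indicators above describe (the signed installer re-launching itself from %TEMP%, then cmd.exe /C running agentInstallerComponent.exe out of %WINDIR%\Temp with its output redirected to a log file) is exactly what a process-creation rule should reconstruct, and the sandbox's own verdict shows why the signer of the root process matters for triage. The script below is an added example, not code from Hybrid Analysis or from the agent's vendor. It rebuilds the parent chain from constructed process-creation events shaped like this report (PIDs 2852, 3160 and 3924 and the command lines come from the report; PID 3900 for cmd.exe, parent PID 1234 and the user name alice are invented), flags binaries executing from user- or system-writable temp directories and cmd.exe /C launches of such binaries, and lowers the severity when the chain's root carries a validated Authenticode signature.

```python
"""Process-tree triage for the launch chain in the report.

Editor's added example, not code from Hybrid Analysis or ManageEngine. Events
are constructed to match the report (PIDs 2852, 3160 and 3924, the cmd.exe
command line, the %TEMP% and %WINDIR%\\Temp paths); PID 3900 for cmd.exe, the
parent PID 1234 and the user name are invented."""
from __future__ import annotations

import re
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str
    signed: bool | None = None   # True = Authenticode chain validated; None = not checked


TEMP = r"C:\Users\alice\AppData\Local\Temp\{300931DF-0621-4267-83D4-21548C1A237B}"
EVENTS = [
    ProcEvent(2852, 1234, r"C:\DefaultRemoteOffice_Agent.exe",
              r'"C:\DefaultRemoteOffice_Agent.exe"', signed=True),
    ProcEvent(3160, 2852, TEMP + r"\DefaultRemoteOffice_Agent.exe",
              f'"{TEMP}\\DefaultRemoteOffice_Agent.exe" -package:"C:\\DefaultRemoteOffice_Agent.exe" -no_selfdeleter'),
    ProcEvent(3900, 3160, r"C:\Windows\System32\cmd.exe",
              r'C:\Windows\system32\cmd.exe /C C:\Windows\Temp\agentInstallerComponent.exe "C:\DefaultRemoteOffice_Agent.exe" 3 > C:\Windows\Temp\DesktopCentralAgent.txt 2>&1'),
    ProcEvent(3924, 3900, r"C:\Windows\Temp\agentInstallerComponent.exe",
              r'C:\Windows\Temp\agentInstallerComponent.exe "C:\DefaultRemoteOffice_Agent.exe" 3'),
]

# Directories that any user (or any local service) can write to and execute from.
WRITABLE_TEMP_RE = re.compile(
    r"^(?:[a-z]:\\windows\\temp\\|[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\)", re.I)
CMD_C_RE = re.compile(r'cmd(?:\.exe)?"?\s+/[ck]\s+', re.I)


@dataclass
class Alert:
    rule: str
    pid: int
    chain: str
    severity: str
    redirected: bool = False


def in_writable_temp(path: str) -> bool:
    return WRITABLE_TEMP_RE.match(path) is not None


def ancestry(events: list[ProcEvent], pid: int) -> list[ProcEvent]:
    """Walk ppid links upward; returns root first. Stops at unknown or cyclic PIDs."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid].ppid
    return chain[::-1]


def chain_str(chain: list[ProcEvent]) -> str:
    return " > ".join(f"{PureWindowsPath(e.image).name}({e.pid})" for e in chain)


def triage(events: list[ProcEvent]) -> list[Alert]:
    """Two rules drawn from the report's tree: a binary running out of a temp
    directory, and cmd.exe /C used to launch one (noting output redirection).
    Severity drops to 'info' when the root of the chain carries a validated
    signature, which is the triage call the sandbox itself makes here."""
    alerts = []
    for e in events:
        chain = ancestry(events, e.pid)
        severity = "info" if chain[0].signed is True else "high"
        if in_writable_temp(e.image):
            alerts.append(Alert("exec-from-temp", e.pid, chain_str(chain), severity))
        m = CMD_C_RE.search(e.cmdline)
        if m:
            # First token after /C; quoted paths containing spaces need a real parser.
            target = e.cmdline[m.end():].split()[0].strip('"')
            if in_writable_temp(target):
                alerts.append(Alert("cmd-launches-temp-binary", e.pid, chain_str(chain),
                                    severity, redirected=">" in e.cmdline))
    return alerts


if __name__ == "__main__":
    for a in triage(EVENTS):
        print(f"[{a.severity}] {a.rule:<26} pid={a.pid} redirect={a.redirected}  {a.chain}")
```

Feed it Sysmon event ID 1 or EDR process-start records mapped onto ProcEvent, with the signed flag taken from the telemetry's own signature fields rather than from a sandbox verdict. The severity downgrade is a triage choice, not proof of benignity: a valid signature says who signed the root binary, not what the code it drops into %WINDIR%\Temp does, which is why the chain string is kept on every alert.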
-
The input sample is signed with a certificate
- details
-
The input sample is signed with the following certificate chain, leaf first (the report labels every entry "issued by", but the first entry is the signer's own certificate and each later entry issued the one before it):
Leaf (signer): "C=IN, PostalCode=603202, S=Tamil Nadu, L=Chengalpattu, STREET="Estancia IT Park GST Road", O=ZOHO Corporation Private Limited, CN=ZOHO Corporation Private Limited" (SHA1: 0C:FE:8E:39:3E:63:91:70:AE:B1:AC:4C:B8:92:82:58:54:5F:F3:6C; signature algorithm 1.2.840.113549.1.1.11 = sha256WithRSAEncryption; see report for more information)
Intermediate: "C=GB, S=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Code Signing CA" (SHA1: 94:C9:5D:A1:E8:50:BD:85:20:9A:4A:2A:F3:E1:FB:16:04:F9:BB:66; 1.2.840.113549.1.1.12 = sha384WithRSAEncryption; see report for more information)
Root, cross-signed by the next entry: "C=US, S=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority" (SHA1: D8:9E:3B:D4:3D:5D:90:9B:47:A1:89:77:AA:9D:5C:E3:6C:EE:18:4C; 1.2.840.113549.1.1.12 = sha384WithRSAEncryption; see report for more information)
Legacy root: "C=GB, S=Greater Manchester, L=Salford, O=Comodo CA Limited, CN=AAA Certificate Services" (SHA1: D1:EB:23:A4:6D:17:D6:8F:D9:25:64:C2:F1:F1:60:17:64:D8:E3:49; sha1RSA(RSA); see report for more information)
- source
- Certificate Data
- relevance
- 10/10
- ATT&CK ID
- T1553.002
-
The input sample is signed with a valid certificate
- details
- The entire certificate chain of the input sample was validated successfully.
- source
- Certificate Data
- relevance
- 10/10
- ATT&CK ID
- T1553.002
-
Installation/Persistence
-
Connects to LPC ports
- details
-
"DefaultRemoteOffice_Agent.exe" connecting to "\ThemeApiPort"
"agentInstallerComponent.exe" connecting to "\ThemeApiPort" - source
- API Call
- relevance
- 1/10
-
Dropped files
- details
-
"AGENTINSTALLERCOMPONENT.EXE.635B09A7.bin" has type "PE32 executable (console) Intel 80386 for MS Windows"- [targetUID: N/A]
"DefaultRemoteOffice_Agent.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"- Location: [C:\DefaultRemoteOffice_Agent.exe]- [targetUID: 00000000-00003924]
"setup.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"- Location: [%TEMP%\{300931DF-0621-4267-83D4-21548C1A237B}\Disk1\setup.exe]- [targetUID: 00000000-00002852]
"ISSetup.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"- Location: [%TEMP%\{300931DF-0621-4267-83D4-21548C1A237B}\ISSetup.dll]- [targetUID: 00000000-00002852]
"setup.inx" has type "data"- Location: [%TEMP%\{20DD34C3-D68E-4F9E-B9D5-C66A9DC5022C}\{417FCDE2-BCB2-4A7C-BC24-F539CD19209A}\setup.inx]- [targetUID: 00000000-00002852]
"layout.bin" has type "data"- Location: [%TEMP%\{300931DF-0621-4267-83D4-21548C1A237B}\Disk1\layout.bin]- [targetUID: 00000000-00002852]
"dot3456.tmp" has type "PE32 executable (console) Intel 80386 Mono/.Net assembly for MS Windows"- Location: [%TEMP%\{20DD34C3-D68E-4F9E-B9D5-C66A9DC5022C}\dot3456.tmp]- [targetUID: 00000000-00003160]
"isr34B7.tmp" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows PECompact2 compressed"- Location: [%TEMP%\{20DD34C3-D68E-4F9E-B9D5-C66A9DC5022C}\{417FCDE2-BCB2-4A7C-BC24-F539CD19209A}\isr34B7.tmp]- [targetUID: 00000000-00003160]
"def3535.tmp" has type "RIFF (little-endian) data palette 1168 bytes data size 1028 256 entries extra bytes 0x6f66666c"- Location: [%TEMP%\{20DD34C3-D68E-4F9E-B9D5-C66A9DC5022C}\{417FCDE2-BCB2-4A7C-BC24-F539CD19209A}\def3535.tmp]- [targetUID: 00000000-00003160]
"UEM4B42.tmp" has type "Composite Document File V2 Document Can't read SAT"- Location: [%WINDIR%\Temp\UEM4B42.tmp]- [targetUID: 00000000-00003160]
"data1.hdr" has type "InstallShield CAB"- Location: [%TEMP%\{300931DF-0621-4267-83D4-21548C1A237B}\Disk1\data1.hdr]- [targetUID: 00000000-00002852]
"setup.ini" has type "Little-endian UTF-16 Unicode text with CRLF line terminators"- Location: [%TEMP%\{300931DF-0621-4267-83D4-21548C1A237B}\setup.ini]- [targetUID: 00000000-00002852]
"data1.cab" has type "InstallShield CAB"- Location: [%TEMP%\{300931DF-0621-4267-83D4-21548C1A237B}\Disk1\data1.cab]- [targetUID: 00000000-00002852]
"DesktopCentralAgent_DC.txt" has type "ASCII text with CRLF line terminators"- Location: [%WINDIR%\Temp\DesktopCentralAgent_DC.txt]- [targetUID: 00000000-00003160]
"_is3546.tmp" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"- Location: [%TEMP%\{20DD34C3-D68E-4F9E-B9D5-C66A9DC5022C}\{417FCDE2-BCB2-4A7C-BC24-F539CD19209A}\_is3546.tmp]- [targetUID: 00000000-00003160]
"DCAgentServerInfo.json" has type "JSON data"- Location: [%WINDIR%\Temp\DCAgentServerInfo.json]- [targetUID: 00000000-00003924]
"_is3631.tmp" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"- Location: [%TEMP%\{20DD34C3-D68E-4F9E-B9D5-C66A9DC5022C}\{417FCDE2-BCB2-4A7C-BC24-F539CD19209A}\_is3631.tmp]- [targetUID: 00000000-00003160]
"DIF3416.tmp" has type "ASCII text with CRLF line terminators"- Location: [%TEMP%\{20DD34C3-D68E-4F9E-B9D5-C66A9DC5022C}\{417FCDE2-BCB2-4A7C-BC24-F539CD19209A}\DIF3416.tmp]- [targetUID: 00000000-00003160]
"0x0409.ini" has type "Little-endian UTF-16 Unicode text with very long lines with CRLF line terminators"- Location: [%TEMP%\{300931DF-0621-4267-83D4-21548C1A237B}\0x0409.ini]- [targetUID: 00000000-00002852] - source
- Binary File
- relevance
- 3/10
-
Touches files in the Windows directory
- details
-
"DefaultRemoteOffice_Agent.exe" touched file "%WINDIR%\AppPatch\sysmain.sdb"
"DefaultRemoteOffice_Agent.exe" touched file "%WINDIR%\Temp\DesktopCentralAgent_DC.txt"
"DefaultRemoteOffice_Agent.exe" touched file "%WINDIR%\Temp\age4AC4.tmp"
"DefaultRemoteOffice_Agent.exe" touched file "%WINDIR%\Temp\UEM4B42.tmp"
"DefaultRemoteOffice_Agent.exe" touched file "%WINDIR%\Temp\UEM7159.tmp"
"cmd.exe" touched file "%WINDIR%\Temp\DesktopCentralAgent.txt"
"cmd.exe" touched file "%WINDIR%\AppPatch\sysmain.sdb"
"agentInstallerComponent.exe" touched file "%WINDIR%\Temp\DCAgentServerInfo.json" - source
- API Call
- relevance
- 7/10
-
Network Related
-
Found potential URL in binary/memory
- details
-
Pattern match: "http://schemas.microsoft.com/SMI/2005/WindowsSettings"
Heuristic match: "z)k;ePQ1.ph"
Heuristic match: "m<?U=6.aT"
Pattern match: "http://www.installshield.com/isetup/ProErrorCentral.asp?ErrorCode=%d"
Heuristic match: "Installer support for .NET"
Heuristic match: "er support for .NET"
Pattern match: "http://www.manageengine.com" - source
- File/Memory
- relevance
- 10/10
-
Possibly tries to communicate over SSL connection (HTTPS)
- details
- "https://" (Indicator: "https://")
- source
- File/Memory
- relevance
- 1/10
- ATT&CK ID
- T1573
-
Ransomware/Banking
-
Contains ability to update the user profile (API string)
- details
- Observed api string:"SystemParametersInfoW" [Source: f83dd430efb098406365f4ff69cf8f9646e79e94597a36e3ebcbb38f1d0e8ec3.bin]
- source
- File/Memory
- relevance
- 1/10
-
Spyware/Information Retrieval
-
Calls an API possibly used to take screenshots
- details
- "DefaultRemoteOffice_Agent.exe" called "CreateCompatibleBitmap" (UID: 00000000-00003160)
- source
- API Call
- relevance
- 3/10
- ATT&CK ID
- T1113
-
Contains ability to enumerate files on disk (API string)
- details
-
Observed api string:"FindFirstFileW" [Source: f83dd430efb098406365f4ff69cf8f9646e79e94597a36e3ebcbb38f1d0e8ec3.bin]
Observed api string:"FindFirstFileA" [Source: f83dd430efb098406365f4ff69cf8f9646e79e94597a36e3ebcbb38f1d0e8ec3.bin] - source
- File/Memory
- relevance
- 1/10
- ATT&CK ID
- T1083
-
Contains ability to enumerate processes (API string)
- details
-
Observed api string:"CreateToolhelp32Snapshot" [Source: f83dd430efb098406365f4ff69cf8f9646e79e94597a36e3ebcbb38f1d0e8ec3.bin]
Observed api string:"Process32First" [Source: f83dd430efb098406365f4ff69cf8f9646e79e94597a36e3ebcbb38f1d0e8ec3.bin]
Observed api string:"Process32Next" [Source: f83dd430efb098406365f4ff69cf8f9646e79e94597a36e3ebcbb38f1d0e8ec3.bin] - source
- File/Memory
- relevance
- 1/10
- ATT&CK ID
- T1057
-
Contains ability to retrieve information about the current system (API string)
- details
- Observed api string:"GetNativeSystemInfo" [Source: f83dd430efb098406365f4ff69cf8f9646e79e94597a36e3ebcbb38f1d0e8ec3.bin]
- source
- File/Memory
- relevance
- 1/10
- ATT&CK ID
- T1082
-
Contains ability to retrieve the specified system metric or system configuration setting (API string)
- details
- Observed api string:"GetSystemMetrics" [Source: f83dd430efb098406365f4ff69cf8f9646e79e94597a36e3ebcbb38f1d0e8ec3.bin]
- source
- File/Memory
- relevance
- 1/10
- ATT&CK ID
- T1082
-
Contains ability to retrieve the class object from a DLL object handler (API string)
- details
- Observed api string:"DllGetClassObject" [Source: f83dd430efb098406365f4ff69cf8f9646e79e94597a36e3ebcbb38f1d0e8ec3.bin]
- source
- File/Memory
- relevance
- 1/10
-
Contains ability to take screen capture of the target machine (API string)
- details
- Observed api string:"CreateCompatibleBitmap" [Source: f83dd430efb098406365f4ff69cf8f9646e79e94597a36e3ebcbb38f1d0e8ec3.bin]
- source
- File/Memory
- relevance
- 1/10
- ATT&CK ID
- T1113
-
Found registry key string for installed applications
- details
-
"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\" (Indicator: "microsoft\windows\currentversion\uninstall") in Source: f83dd430efb098406365f4ff69cf8f9646e79e94597a36e3ebcbb38f1d0e8ec3.bin
"Software\Microsoft\Windows\CurrentVersion\Uninstall" (Indicator: "microsoft\windows\currentversion\uninstall") in Source: f83dd430efb098406365f4ff69cf8f9646e79e94597a36e3ebcbb38f1d0e8ec3.bin - source
- File/Memory
- relevance
- 1/10
- ATT&CK ID
- T1012
-
Imports GetCommandLine API
- details
- Observed import api "GetCommandLineA" which can "Retrieves the command-line string for the current process" [Source: ISSetup.dll]
- source
- Static Parser
- relevance
- 1/10
- ATT&CK ID
- T1106
-
Imports GetEnvironmentVariable API
- details
- Observed import api "GetEnvironmentVariable" which can "read the host's architecture" [Source: _is3631.tmp]
- source
- Static Parser
- relevance
- 1/10
- ATT&CK ID
- T1082
-
System Security
-
Contains ability to enable or disable privileges in the specified access token (API string)
- details
- Observed api string:"AdjustTokenPrivileges" [Source: f83dd430efb098406365f4ff69cf8f9646e79e94597a36e3ebcbb38f1d0e8ec3.bin]
- source
- File/Memory
- relevance
- 1/10
- ATT&CK ID
- T1134
-
Contains ability to obtain specified information about the security of a file or directory (API string)
- details
-
Observed api string:"CreateWellKnownSid" which can "Creates a SID for predefined aliases" [Source: f83dd430efb098406365f4ff69cf8f9646e79e94597a36e3ebcbb38f1d0e8ec3.bin]
Observed api string:"InitializeSecurityDescriptor" which can "Initializes a new security descriptor" [Source: f83dd430efb098406365f4ff69cf8f9646e79e94597a36e3ebcbb38f1d0e8ec3.bin]
Observed api string:"SetSecurityDescriptorDacl" which can "Sets information in a discretionary access control list (DACL)" [Source: f83dd430efb098406365f4ff69cf8f9646e79e94597a36e3ebcbb38f1d0e8ec3.bin]
Observed api string:"SetSecurityDescriptorGroup" which can "Sets the primary group information of an absolute-format security descriptor replacing any primary group information already present in the security descriptor" [Source: f83dd430efb098406365f4ff69cf8f9646e79e94597a36e3ebcbb38f1d0e8ec3.bin]
Observed api string:"SetSecurityDescriptorOwner" which can "Sets the owner information of an absolute-format security descriptor" [Source: f83dd430efb098406365f4ff69cf8f9646e79e94597a36e3ebcbb38f1d0e8ec3.bin] - source
- File/Memory
- relevance
- 1/10
- ATT&CK ID
- T1134.001
-
Contains ability to use security policy setting (API string)
- details
- Observed api string:"ASeShutdownPrivilege which can Shut down the system"[Source: f83dd430efb098406365f4ff69cf8f9646e79e94597a36e3ebcbb38f1d0e8ec3.bin]
- source
- File/Memory
- relevance
- 3/10
- ATT&CK ID
- T1548
-
Imports system security related APIs
- details
-
Observed import api "AllocateAndInitializeSid" which can "Allocates and initializes a security identifier (SID) with up to eight subauthorities" [Source: DefaultRemoteOffice_Agent.exe]
Observed import api "CreateWellKnownSid" which can "Creates a SID for predefined aliases" [Source: DefaultRemoteOffice_Agent.exe]
Observed import api "EqualSid" which can "Tests two security identifier (SID) values for equality" [Source: DefaultRemoteOffice_Agent.exe]
Observed import api "FreeSid" which can "Frees a security identifier (SID) previously allocated by using the AllocateAndInitializeSid function" [Source: DefaultRemoteOffice_Agent.exe]
Observed import api "GetTokenInformation" which can "Retrieves a specified type of information about an access token" [Source: DefaultRemoteOffice_Agent.exe]
Observed import api "InitializeSecurityDescriptor" which can "Initializes a new security descriptor" [Source: DefaultRemoteOffice_Agent.exe]
Observed import api "InitializeSid" which can "Initializes a security identifier (SID)" [Source: DefaultRemoteOffice_Agent.exe]
Observed import api "SetSecurityDescriptorDacl" which can "Sets information in a discretionary access control list (DACL)" [Source: DefaultRemoteOffice_Agent.exe]
Observed import api "SetSecurityDescriptorGroup" which can "Sets the primary group information of an absolute-format security descriptor replacing any primary group information already present in the security descriptor" [Source: DefaultRemoteOffice_Agent.exe]
Observed import api "SetSecurityDescriptorOwner" which can "Sets the owner information of an absolute-format security descriptor" [Source: DefaultRemoteOffice_Agent.exe]
Observed import api "AllocateAndInitializeSid" which can "Allocates and initializes a security identifier (SID) with up to eight subauthorities" [Source: ISSetup.dll]
Observed import api "EqualSid" which can "Tests two security identifier (SID) values for equality" [Source: ISSetup.dll]
Observed import api "FreeSid" which can "Frees a security identifier (SID) previously allocated by using the AllocateAndInitializeSid function" [Source: ISSetup.dll]
Observed import api "GetFileSecurityW" which can "Obtains specified information about the security of a file or directory" [Source: ISSetup.dll]
Observed import api "GetTokenInformation" which can "Retrieves a specified type of information about an access token" [Source: ISSetup.dll]
Observed import api "InitializeSid" which can "Initializes a security identifier (SID)" [Source: ISSetup.dll]
Observed import api "IsValidSecurityDescriptor" which can "Determines whether the components of a security descriptor are valid" [Source: ISSetup.dll]
Observed import api "SetFileSecurityW" which can "Sets the security of a file or directory object" [Source: ISSetup.dll] - source
- Static Parser
- relevance
- 1/10
- ATT&CK ID
- T1134.001
-
Opens the Kernel Security Device Driver (KsecDD) of Windows
- details
-
"DefaultRemoteOffice_Agent.exe" opened "\Device\KsecDD"
"agentInstallerComponent.exe" opened "\Device\KsecDD" - source
- API Call
- relevance
- 10/10
-
Unusual Characteristics
-
Drops executable files inside temp directory
- details
-
"setup.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"- Location: [%TEMP%\{300931DF-0621-4267-83D4-21548C1A237B}\Disk1\setup.exe]- [targetUID: 00000000-00002852]
"ISSetup.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"- Location: [%TEMP%\{300931DF-0621-4267-83D4-21548C1A237B}\ISSetup.dll]- [targetUID: 00000000-00002852]
"dot3456.tmp" has type "PE32 executable (console) Intel 80386 Mono/.Net assembly for MS Windows"- Location: [%TEMP%\{20DD34C3-D68E-4F9E-B9D5-C66A9DC5022C}\dot3456.tmp]- [targetUID: 00000000-00003160]
"isr34B7.tmp" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows PECompact2 compressed"- Location: [%TEMP%\{20DD34C3-D68E-4F9E-B9D5-C66A9DC5022C}\{417FCDE2-BCB2-4A7C-BC24-F539CD19209A}\isr34B7.tmp]- [targetUID: 00000000-00003160]
"_is3546.tmp" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"- Location: [%TEMP%\{20DD34C3-D68E-4F9E-B9D5-C66A9DC5022C}\{417FCDE2-BCB2-4A7C-BC24-F539CD19209A}\_is3546.tmp]- [targetUID: 00000000-00003160]
"_is3631.tmp" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"- Location: [%TEMP%\{20DD34C3-D68E-4F9E-B9D5-C66A9DC5022C}\{417FCDE2-BCB2-4A7C-BC24-F539CD19209A}\_is3631.tmp]- [targetUID: 00000000-00003160] - source
- Binary File
- relevance
- 3/10
-
Matched Compiler/Packer signature
- details
-
"AGENTINSTALLERCOMPONENT.EXE.635B09A7.bin" was detected as "VC8 -> Microsoft Corporation"
"DefaultRemoteOffice_Agent.exe" was detected as "VC8 -> Microsoft Corporation"
"ISSetup.dll" was detected as "Borland Delphi 3.0 (???)"
"dot3456.tmp" was detected as "Microsoft visual C# / Basic .NET"
"isr34B7.tmp" was detected as "PeCompact 2.53 DLL --> BitSum Technologies"
"_is3546.tmp" was detected as "Microsoft visual C++ vx.x DLL"
"_is3631.tmp" was detected as "Microsoft visual C++ v6.0 (Debug version)" - source
- Static Parser
- relevance
- 10/10
- ATT&CK ID
- T1027.002
File Details
DefaultRemoteOffice_Agent.exe
- Filename
- DefaultRemoteOffice_Agent.exe
- Size
- 29MiB (30348976 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows
- Architecture
- WINDOWS
- SHA256
- f83dd430efb098406365f4ff69cf8f9646e79e94597a36e3ebcbb38f1d0e8ec3
- MD5
- 29f2695329198bb657bf0c3ce273963b
- SHA1
- d709183ad858dcd4cfcf5850bd31ad005dcf918f
Classification (TrID)
- 37.2% (.AX) DirectShow filter
- 36.4% (.CPL) Windows Control Panel Item (generic)
- 21.5% (.OCX) Windows ActiveX control
- 1.9% (.EXE) Win64 Executable (generic)
- 0.9% (.EXE) Win16 NE executable (generic)
File Certificates
Certificate chain was successfully validated.
Owner | Issuer | Validity | Hashes (MD5, SHA1) |
---|---|---|---|
C=IN, PostalCode=603202, S=Tamil Nadu, L=Chengalpattu, STREET="Estancia IT Park, GST Road", O=ZOHO Corporation Private Limited, CN=ZOHO Corporation Private Limited | C=IN, PostalCode=603202, S=Tamil Nadu, L=Chengalpattu, STREET="Estancia IT Park, GST Road", O=ZOHO Corporation Private Limited, CN=ZOHO Corporation Private Limited (Serial: 00d19db1a542ffd3d99b83208fe9e80fe3) | 12/10/2020 02:00:00 to 12/11/2023 01:59:59 | 0C:FE:8E:39:3E:63:91:70:AE:B1:AC:4C:B8:92:82:58:54:5F:F3:6C: (1.2.840.113549.1.1.11) |
C=GB, S=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Code Signing CA | C=GB, S=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Code Signing CA (Serial: 1da248306f9b2618d082e0967d33d36a) | 11/02/2018 02:00:00 to 01/01/2031 01:59:59 | 94:C9:5D:A1:E8:50:BD:85:20:9A:4A:2A:F3:E1:FB:16:04:F9:BB:66: (1.2.840.113549.1.1.12) |
C=US, S=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority | C=US, S=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority (Serial: 3972443af922b751d7d36c10dd313595) | 03/12/2019 02:00:00 to 01/01/2029 01:59:59 | D8:9E:3B:D4:3D:5D:90:9B:47:A1:89:77:AA:9D:5C:E3:6C:EE:18:4C: (1.2.840.113549.1.1.12) |
C=GB, S=Greater Manchester, L=Salford, O=Comodo CA Limited, CN=AAA Certificate Services | C=GB, S=Greater Manchester, L=Salford, O=Comodo CA Limited, CN=AAA Certificate Services (Serial: 01) | 01/01/2004 02:00:00 to 01/01/2029 01:59:59 | D1:EB:23:A4:6D:17:D6:8F:D9:25:64:C2:F1:F1:60:17:64:D8:E3:49: (sha1RSA(RSA)) |
Hybrid Analysis
Analysed 4 processes in total (System Resource Monitor).
-
DefaultRemoteOffice_Agent.exe
(PID: 2852)
-
DefaultRemoteOffice_Agent.exe
-package:"C:\DefaultRemoteOffice_Agent.exe" -no_selfdeleter -IS_temp -media_path:"%TEMP%\{300931DF-0621-4267-83D4-21548C1A237B}\Disk1\" -tempdisk1folder:"%TEMP%\{300931DF-0621-4267-83D4-21548C1A237B}\" -IS_OriginalLauncher:"%TEMP%\{300931DF-0621-4267-83D4-21548C1A237B}\Disk1\DefaultRemoteOffice_Agent.exe"
(PID: 3160)
-
cmd.exe
/C %WINDIR%\Temp\agentInstallerComponent.exe "C:\DefaultRemoteOffice_Agent.exe" 3 > %WINDIR%\Temp\DesktopCentralAgent.txt 2>&1
(PID: 3640)
- agentInstallerComponent.exe "C:\DefaultRemoteOffice_Agent.exe" 3 (PID: 3924)
Network Analysis
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
No relevant hosts were contacted.
HTTP Traffic
No relevant HTTP requests were made.
Memory Forensics
String | Context | Stream UID |
---|---|---|
http://www.installshield.com/isetup/proerrorcentral.asp?errorcode | Domain/IP reference | 00000000-00003160-49165-1133-01169C01 |
Extracted Strings
Extracted Files
Displaying 22 extracted file(s). The remaining 9 file(s) are available in the full version and XML/JSON reports.
-
Clean 8
-
-
dot3456.tmp
- Size
- 23KiB (23768 bytes)
- Type
- peexe assembly executable
- Description
- PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
- AV Scan Result
- 0/72
- Runtime Process
- DefaultRemoteOffice_Agent.exe (PID: 3160)
- MD5
- 559ecb618a94dbec5afe4970f2b73a30
- SHA1
- 3abef6483b5c17aa6dc22234acb8e1b0164b6246
- SHA256
- 37ebd6289b02d42dbcc1d83326c1f28c90d0eb93b80174c5eac48e6a9eb32bb8
-
_is3546.tmp
- Size
- 1MiB (1048576 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/71
- Runtime Process
- DefaultRemoteOffice_Agent.exe (PID: 3160)
- MD5
- 706fa89544f3ea15b60c01a22d76e0d8
- SHA1
- a19108b00699015c983ba5ec0fcc4f8eb03b4047
- SHA256
- 16069964ecdaf6da7650a36195cf57e7ee07447d37c659ba058e1a971fdf2ea9
-
_is3631.tmp
- Size
- 1.8MiB (1862976 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/71
- Runtime Process
- DefaultRemoteOffice_Agent.exe (PID: 3160)
- MD5
- c45e398014c37e42bce48f1b948781e7
- SHA1
- 841c3d4427c2a34ac9d12fd7bf41fd0cf3c42b8e
- SHA256
- a79653e9f6c1cd1fee41316822b1954fc7ddc348218064d447f23be17cdfaeea
-
isr34B7.tmp
- Size
- 425KiB (435392 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, PECompact2 compressed
- AV Scan Result
- 0/71
- Runtime Process
- DefaultRemoteOffice_Agent.exe (PID: 3160)
- MD5
- 7918d6b9f03c614a76c041c9b6e7fd24
- SHA1
- 55490154d83ae60f953860c953291bd2728b2d2c
- SHA256
- 379176a5ecde21f492dcc719250d47c368ae039eb9e549da8e300e6d69be6d72
-
setup.exe
- Size
- 921KiB (943104 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/72
- Runtime Process
- DefaultRemoteOffice_Agent.exe (PID: 2852)
- MD5
- c59ee7d4828bf4f5b754956952076986
- SHA1
- d5226b3002dac6aca86c660956714ad251d5f928
- SHA256
- ed1569ed0d397521582b00dda205b5959287850191008a4bbb82918c2cf5ba6f
-
ISSetup.dll
- Size
- 1.6MiB (1626112 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/71
- Runtime Process
- DefaultRemoteOffice_Agent.exe (PID: 2852)
- MD5
- 9c9f06532bbc96493531aaa57bc0fc57
- SHA1
- b73f6cbdc02f49b2d62645ec31888fc904578a50
- SHA256
- 60ebc86c2dd03056ad48adc6d2468fd54c548a55d2d305577eb7e079d90ac13f
-
DefaultRemoteOffice_Agent.exe
- Size
- 921KiB (943104 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/72
- Runtime Process
- agentInstallerComponent.exe (PID: 3924)
- MD5
- c59ee7d4828bf4f5b754956952076986
- SHA1
- d5226b3002dac6aca86c660956714ad251d5f928
- SHA256
- ed1569ed0d397521582b00dda205b5959287850191008a4bbb82918c2cf5ba6f
-
AGENTINSTALLERCOMPONENT.EXE.635B09A7.bin
- Size
- 248KiB (253936 bytes)
- Type
- peexe executable
- Description
- PE32 executable (console) Intel 80386, for MS Windows
- AV Scan Result
- 0/72
- MD5
- db05cb4b51d5f6c9dcb4b4312a597631
- SHA1
- a011f67468d421ba61fedceb4b66fdff63fa1cbb
- SHA256
- 6aed9ada931e13dfb897912452c6c89000b6dd70be7f04a53248b3cc4a8e54f9
-
-
Informative 14
-
-
cor3436.tmp
- Size
- 64KiB (65503 bytes)
- Runtime Process
- DefaultRemoteOffice_Agent.exe (PID: 3160)
- MD5
- 09d38ceca6a012f4ce5b54f03db9b21a
- SHA1
- 01fcb72f22205e406ff9a48c5b98d7b7457d7d98
- SHA256
- f6d7bc8ca6550662166f34407968c7d3669613e50e98a4e40bec1589e74ff5d1
-
dot3477.tmp
- Size
- 146B (146 bytes)
- Runtime Process
- DefaultRemoteOffice_Agent.exe (PID: 3160)
- MD5
- db722945ab9c024ce55e469644393824
- SHA1
- 191782b3b4c7bd21fabb3d5b655b7f2dec2f4f56
- SHA256
- c7e5bdc4b79f7f8c68c5f09c0c055e97fb8c62fe1b5d469b3527ab6b767c8df2
-
DIF3416.tmp
- Size
- 84B (84 bytes)
- Type
- text
- Description
- ASCII text, with CRLF line terminators
- Runtime Process
- DefaultRemoteOffice_Agent.exe (PID: 3160)
- MD5
- 1eb6253dee328c2063ca12cf657be560
- SHA1
- 46e01bcbb287873cf59c57b616189505d2bb1607
- SHA256
- 6bc8b890884278599e4c0ca4095cefdf0f5394c5796012d169cc0933e03267a1
-
Fon3405.tmp
- Size
- 37B (37 bytes)
- Runtime Process
- DefaultRemoteOffice_Agent.exe (PID: 3160)
- MD5
- 8ce28395a49eb4ada962f828eca2f130
- SHA1
- 270730e2969b8b03db2a08ba93dfe60cbfb36c5f
- SHA256
- a7e91b042ce33490353c00244c0420c383a837e73e6006837a60d3c174102932
-
Ins33E5.tmp
- Size
- 88B (88 bytes)
- Runtime Process
- DefaultRemoteOffice_Agent.exe (PID: 3160)
- MD5
- 82d7c46c01c01ac53a8633b25d677da5
- SHA1
- 24240cc063005a8de19762cdfa7d0d7d19aef210
- SHA256
- 0d3e03b70a4df0f53f237c113e5efe503f2c69f28cfe22cb0171b82abb8d5cae
-
Str3497.tmp
- Size
- 3.8KiB (3930 bytes)
- Runtime Process
- DefaultRemoteOffice_Agent.exe (PID: 3160)
- MD5
- 8e44fab046115504932eef4559f000ce
- SHA1
- 2abb3d87984fd79d89bfd539ddf8c3fe2725dd3c
- SHA256
- fca4e5422ec00b4bc3c7f2759e70d184acd680bb95f291bba3cdf3ffe5b31d9a
-
def3535.tmp
- Size
- 1.1KiB (1168 bytes)
- Type
- data
- Description
- RIFF (little-endian) data, palette, 1168 bytes, data size 1028, 256 entries, extra bytes 0x6f66666c
- Runtime Process
- DefaultRemoteOffice_Agent.exe (PID: 3160)
- MD5
- 0abafe3f69d053494405061de2629c82
- SHA1
- e414b6f1e9eb416b9895012d24110b844f9f56d1
- SHA256
- 8075162db275eb52f5d691b15fc0d970cb007f5bece33ce5db509edf51c1f020
-
set3396.tmp
- Size
- 222KiB (227494 bytes)
- Runtime Process
- DefaultRemoteOffice_Agent.exe (PID: 3160)
- MD5
- ca6ab39ae89318ec1274e1b6de7976bd
- SHA1
- 2de4416dc88961c90678ea84f3103986322d7de3
- SHA256
- 14b2b76cc942c5ace09412426c4b8eddf3c9b1acc98e70edaa7853de5aea0b13
-
setup.inx
- Size
- 222KiB (227494 bytes)
- Type
- data
- Runtime Process
- DefaultRemoteOffice_Agent.exe (PID: 2852)
- MD5
- ca6ab39ae89318ec1274e1b6de7976bd
- SHA1
- 2de4416dc88961c90678ea84f3103986322d7de3
- SHA256
- 14b2b76cc942c5ace09412426c4b8eddf3c9b1acc98e70edaa7853de5aea0b13
-
0x0409.ini
- Size
- 22KiB (22480 bytes)
- Runtime Process
- DefaultRemoteOffice_Agent.exe (PID: 2852)
- MD5
- a108f0030a2cda00405281014f897241
- SHA1
- d112325fa45664272b08ef5e8ff8c85382ebb991
- SHA256
- 8b76df0ffc9a226b532b60936765b852b89780c6e475c152f7c320e085e43948
-
data1.cab
- Size
- 926KiB (948154 bytes)
- Type
- unknown
- Description
- InstallShield CAB
- Runtime Process
- DefaultRemoteOffice_Agent.exe (PID: 2852)
- MD5
- ec6200cd59cd346edaaa9ebb64a59860
- SHA1
- 5eec28a1449749e7189fe706fb4ac68cce20365f
- SHA256
- 8d21ed3abf93fdf689b64facfd3f70d5f07136e8d75b217b039de843a45b35d2
-
data1.hdr
- Size
- 13KiB (13063 bytes)
- Type
- unknown
- Description
- InstallShield CAB
- Runtime Process
- DefaultRemoteOffice_Agent.exe (PID: 2852)
- MD5
- ec4c52094aa0b9b51672e238eb1f1eed
- SHA1
- 3bca9bc02772b5c39d29744b2c365af1857e04ec
- SHA256
- f42e1de2db0c420431e56d428651351290ebb579801c91da032ac722e207cc29
-
layout.bin
- Size
- 550B (550 bytes)
- Type
- data
- Runtime Process
- DefaultRemoteOffice_Agent.exe (PID: 2852)
- MD5
- 6ea7786f9e58731088d7748010eaa4a5
- SHA1
- f6f18d617a2e2c05f6b2a6417b8103a90a4629a7
- SHA256
- 1dca4c57903aab4eb72328d9ac7975a3bcbad1c1d2892c708797498378203f12
-
setup.ini
- Size
- 2.4KiB (2446 bytes)
- Runtime Process
- DefaultRemoteOffice_Agent.exe (PID: 2852)
- MD5
- 10787f7e010d427ca71b959c97c7cb08
- SHA1
- 354dccb9bceab4752f80a62df2bcca489787580e
- SHA256
- 09e7f1d2a9c06e5c887d84e07d5b7de35ab0dd2146eb4ed01f53861e7429db5c
-
Notifications
-
Runtime
- No static analysis parsing on sample was performed
- Not all Falcon MalQuery lookups completed in time
- Not all strings are visible in the report, because the maximum number of strings was reached (5000)
- Some low-level data is hidden, as this is only a slim report