Managed XDR

scratch-zoo-2025-04-18...a3757cd68ab56e632311c0 — malware analysis report

File info

Filename
scratch-zoo-2025-04-18-98d6c7d31ba3757cd68ab56e632311c0
File type
Zip archive data, at least v1.0 to extract
File size
3 MB
First seen
Last seen

Environment

win7/x64 en

Hashes

SHA1
caef475925c0679f224ac145984652ef3ebb0add
SHA256
601bb810abe5e153a76309073c2329f2858b91b1a9eb1780470e85018173eef7
MD5
98d6c7d31ba3757cd68ab56e632311c0

Signatures

Execution

T1569.002 persistence_service: Starts newly created service

Persistence

T1543.003 creates_service: Creates a service

Privilege Escalation

T1543.003 creates_service: Creates a service
T1134 sets_privilegies_via_adjusttokenprivileges: Sets process privilege via AdjustTokenPrivileges
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1497.001 antivm_firmware: Attempts to detect VM by firmware
T1497.001 antivm_network_adapters: Checks NIC addresses
T1027.002 pe_features: Executable file has PE anomalies (may be false positive)
T1497 evasion_trustrecords: Attempts to detect Sandbox exploring trusted documents
T1497 checks_firmware: Attempts to read firmware information (potentially for evasion)
T1497.001 antivm_queries_computername: Retrieves the computer name
T1134 sets_privilegies_via_adjusttokenprivileges: Sets process privilege via AdjustTokenPrivileges
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Discovery

T1497.001 antivm_firmware: Attempts to detect VM by firmware
T1497.001 antivm_network_adapters: Checks NIC addresses
T1497 evasion_trustrecords: Attempts to detect Sandbox exploring trusted documents
T1497 checks_firmware: Attempts to read firmware information (potentially for evasion)
T1497.001 antivm_queries_computername: Retrieves the computer name
T1082 checks_firmware: Attempts to read firmware information (potentially for evasion)
T1083 checks_recent_files: Attempt to check recently opened files through registry

Impact

T1489 service_control_stop: Stops services via ControlService

Other

yara_rules: Static rules
office_embedded: Office document contains embedded executable file(s)
driver_load: Loads a driver
static_pe_duplicate_sections: The PE file structure contains anomalies: duplicate section names
create_rpc_bindings: Creates RPC connection
get_policy_info: Retrieves information about a Policy object
test_check_service: Starts services
antisandbox_check_graphics_card: Uses CreateDXGIFactory, potentially to detect graphics card