Managed XDR

var-www-vgtimes-data-w...483_darksiderswm_e.rar — malware analysis report

File info

Filename
var-www-vgtimes-data-www-files.vgtimes.ru-download-trainers-1519013483_darksiderswm_e.rar
File type
RAR archive data, v4, os: Win32
File size
3.8 MB
First seen
Last seen

Environment

w10/x64 en

Hashes

SHA1
63ddb1a21f84102caaef697a2a5efbb670551dca
SHA256
00a712f56f0ee86b1be52b7029ca5f595956d06b4a5302e3efea61977c5fe4e4
MD5
5acc85ef1733ffb0d3390073e5226535

Signatures

Persistence

T1574 dropper_dll: Creates DLL, which is then loaded into the process

Privilege Escalation

T1134 sets_privilegies_via_adjusttokenprivileges: Sets process privilege via AdjustTokenPrivileges
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process
T1574 dropper_dll: Creates DLL, which is then loaded into the process

Defense Evasion

T1497 antidbg_windows: Checks for open windows typical for debuggers and forensic tools
T1027.002 unnamed_memory_regions: Code was executed in unnamed regions
T1497 antidbg_query_system: Checks for kernel debugger (SystemKernelDebuggerInformation)
T1027.002 packer_entropy: Probably contains compressed or encrypted data
T1027.002 pe_features: Executable file has PE anomalies (may be false positive)
T1134 sets_privilegies_via_adjusttokenprivileges: Sets process privilege via AdjustTokenPrivileges
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process
T1574 dropper_dll: Creates DLL, which is then loaded into the process

Discovery

T1497 antidbg_windows: Checks for open windows typical for debuggers and forensic tools
T1497 antidbg_query_system: Checks for kernel debugger (SystemKernelDebuggerInformation)

Other

static_pe_anomaly: The PE file structure contains anomalies
network_bind: Starts servers listening at 127.0.0.1:0
creates_exe: Creates executable files in the file system
dotnet_suspicious_resources_names: Dotnet program has suspicious resources names
create_rpc_bindings: Creates RPC connection
has_pdb: This executable file has a PDB path
dotnet_suspicious_module_name: Dotnet program has suspicious module name
dotnet_import_unmanaged_code: Dotnet program statically imports unmanaged functions/modules
dotnet_obfuscated: Dotnet program is potentially obfuscated
test_check_service: Starts services
dotnet_use_suspicious_functions: Dotnet program potentially uses suspicious functions/modules
dotnet_mixed_assembly: Dotnet program is mixed assembly
dotnet_unmanaged_entrypoint: Dotnet program has unmanaged entrypoint
yara_rules: Static rules