Managed XDR

tyjtghjhgjhg.zip — malware analysis report

File info

Filename
tyjtghjhgjhg.zip
File type
Zip archive data, at least v2.0 to extract
File size
36.9 MB
First seen
Last seen

Environment

w10/x64 en

Hashes

SHA1
a0ccbc7e35e93966298e7216fb83f8507dfb6488
SHA256
da5dd4ebef47c945d47c90c41f7b9db1021f30b41d88e92e8a279a5f60906ec1
MD5
9eaa266a35811b88d4d9995208bd298c

Signatures

Execution

T1059.003 executes_dropped_cmd: Executes dropped batch files

Privilege Escalation

T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1070.004 deletes_self: Moves to different location or removes the original executable file
T1497 antidbg_setinformationthread: Attempts to evade debugger using NtSetInformationThread
T1497.001 antivm_firmware: Attempts to detect VM by firmware
T1497.001 antivm_sandboxie: Attempts to detect Sandboxie
T1497 antidbg_query_system: Checks for kernel debugger (SystemKernelDebuggerInformation)
T1497 antidbg_query_process: Checks if the process is being debugged (ProcessDebugPort)
T1497.003 antisandbox_sleep_utilities: Uses Windows utilities for pausing the execution
T1027.002 packer_entropy: Probably contains compressed or encrypted data
T1027.002 pe_features: Executable file has PE anomalies (may be false positive)
T1497 checks_firmware: Attempts to read firmware information (potentially for evasion)
T1070 stealth_window: A process created a hidden window
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Discovery

T1497 antidbg_setinformationthread: Attempts to evade debugger using NtSetInformationThread
T1497.001 antivm_firmware: Attempts to detect VM by firmware
T1497.001 antivm_sandboxie: Attempts to detect Sandboxie
T1497 antidbg_query_system: Checks for kernel debugger (SystemKernelDebuggerInformation)
T1497 antidbg_query_process: Checks if the process is being debugged (ProcessDebugPort)
T1497.003 antisandbox_sleep_utilities: Uses Windows utilities for pausing the execution
T1497 checks_firmware: Attempts to read firmware information (potentially for evasion)
T1082 checks_firmware: Attempts to read firmware information (potentially for evasion)

Other

creates_exe: Creates executable files in the file system
static_pe_duplicate_sections: The PE file structure contains anomalies: duplicate section names
require_administrator: Requests administrator privileges
creates_suspended_process: Creates suspended process
message_box: Displays a message
test_check_service: Starts services