Managed XDR

home-farm-anteroom-d36...4142b6832bc7ce85d1aeac — malware analysis report

File info

Filename
home-farm-anteroom-d36-955-d36955720b5603c3836cc3237976df2fb1b789e7574142b6832bc7ce85d1aeac
File type
ASCII text, with CRLF line terminators
File size
106.6 KB
First seen
Last seen

Environment

win7/x86 en

Hashes

SHA1
08fd08f11a88bcc99b31001a1468d4fb9560a637
SHA256
d36955720b5603c3836cc3237976df2fb1b789e7574142b6832bc7ce85d1aeac
MD5
c30f29887399481ce1a2ff421fa78802

Signatures

Execution

T1059.001 suspicious_powershell: Creates suspicious powershell process
T1059.001 suspicious_process: Spawns a suspicious process
T1047 has_wmi: Executes one or several WMI requests
T1059.005 obfuscated_vbs: Detected obfuscated VBS
T1059.005 bad_vbs: Suspicious VBScript file
T1059.005 obfuscated_vbs_wmi: Suspicious WMI queries from VBScript file

Privilege Escalation

T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1497.001 antivm_generic_services: Enumerates services, possibly for anti-virtualization
T1070 stealth_window: A process created a hidden window
T1027 obfuscated_vbs: Detected obfuscated VBS
T1497.001 antisandbox_script_timer: Detected script timer window (indicative of sleep style evasion)
T1497.003 antisandbox_sleep: The process attempted to slow down analysis
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process
T1027 obfuscated_vbs_wmi: Suspicious WMI queries from VBScript file

Discovery

T1518.001 antiav_detectservice: Attempts to detect installed antiviruses by a certain service
T1497.001 antivm_generic_services: Enumerates services, possibly for anti-virtualization
T1007 has_wmi: Executes one or several WMI requests
T1518 locates_browser: Attempts to identify where browsers are installed
T1497.001 antisandbox_script_timer: Detected script timer window (indicative of sleep style evasion)
T1497.003 antisandbox_sleep: The process attempted to slow down analysis

Collection

T1560.001 archive_via_utility: Detected archiving data via utility

Other

suspicious_vbs_script: Suspicious VBS script detected
only_exec_in_archive: The archive contains only an executable file
no_graphical_activity: No graphic activity
creates_suspended_process: Creates suspended process
get_policy_info: Retrieves information about a Policy object
checktokenmembership: Checks user token with CheckTokenMembership call
suricata_alert: Malicious traffic detected