Managed XDR

381857267 — malware analysis report

File info

Filename: 381857267
File type: PE32 executable (GUI) Intel 80386, for MS Windows
File size: 4 MB
First seen: 2025-09-05 21:00
Last seen: 2025-09-05 21:00

Environment

win7/x86 en

Hashes

SHA1: d721839c8c766f7dc9c4250bf5d7640b91f24ef9
SHA256: 8ea28fcf845d4387541e91e8fc750a015322ad87012e9b24dc769636fec9f415
MD5: 210d34179b99ae6b408627af24baa349

Signatures

Execution

T1569.002 persistence_service: Starts newly created service

T1047 antivm_wmi: Uses WMI to detect virtual environment

T1047 has_wmi: Executes one or several WMI requests

Persistence

T1543.003 creates_service: Creates a service, that will start automatically

T1574 dropper_dll: Creates DLL, which is then loaded into the process

Privilege Escalation

T1543.003 creates_service: Creates a service, that will start automatically

T1574 dropper_dll: Creates DLL, which is then loaded into the process

T1134 sets_privilegies_via_adjusttokenprivileges: Sets process privilege via AdjustTokenPrivileges

T1134 opens_thread_token: Opens the access token associated with a thread

T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1036.001 invalid_authenticode: Digital signature of the executable file has failed the verification

T1497.001 antivm_generic_bios: Checks the BIOS version, possibly for anti-virtualization

T1574 dropper_dll: Creates DLL, which is then loaded into the process

T1027.002 packer_entropy: Probably contains compressed or encrypted data

T1497.001 antivm_wmi: Uses WMI to detect virtual environment

T1497.001 antivm_network_adapters: Checks NIC addresses

T1134 sets_privilegies_via_adjusttokenprivileges: Sets process privilege via AdjustTokenPrivileges

T1134 opens_thread_token: Opens the access token associated with a thread

T1134 opens_process_token: Opens the access token associated with a process

T1497.001 antivm_queries_computername: Retrieves the computer name

T1497.003 antisandbox_sleep: The process attempted to slow down analysis

Discovery

T1497.001 antivm_generic_bios: Checks the BIOS version, possibly for anti-virtualization

T1497.001 antivm_wmi: Uses WMI to detect virtual environment

T1057 has_wmi: Executes one or several WMI requests

T1082 has_wmi: Executes one or several WMI requests

T1497.001 antivm_network_adapters: Checks NIC addresses

T1497.001 antivm_queries_computername: Retrieves the computer name

T1497.003 antisandbox_sleep: The process attempted to slow down analysis

T1049 list_ts_rdp_sessions: Lists ts/rdp sessions

Exfiltration

T1022 encrypts_pc_info: Collects and encrypts information about the computer (possibly for exfiltration)

Other

creates_exe: Creates executable files in the file system

executes_dropped_exe: Executes dropped exe files

unexpected_exception: Unexpected exception

create_rpc_bindings: Creates RPC connection

has_pdb: This executable file has a PDB path

get_policy_info: Retrieves information about a Policy object

creates_in_programdata: Creates files in the ProgramData directory

test_check_service: Starts services

pe_overlay: PE file contains overlay

yara_rules: Static rules

ce_info: ScreenConnect Configuration Data found