Managed XDR

package-03b9c7a3b73f15...010c6d1861043f90a2fecd (Grimagent, Conti, Tinba) — malware analysis report

File info

Filename
package-03b9c7a3b73f15dfc2dcb0b74f3e971fdda7d1d1e2010c6d1861043f90a2fecd
File type
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
File size
201.5 KB
First seen
Last seen

Environment

win7/x86 en

Hashes

SHA1
e026e1f27d503a23aaab354c1de6e17d4c6a2b1f
SHA256
03b9c7a3b73f15dfc2dcb0b74f3e971fdda7d1d1e2010c6d1861043f90a2fecd
MD5
0a49ed1c5419bb9752821d856f7ce4ff

Malwares

  • Grimagent
  • Conti
  • Tinba

Signatures

Persistence

T1574 dropper_dll: Creates DLL, which is then loaded into the process

Privilege Escalation

T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process
T1574 dropper_dll: Creates DLL, which is then loaded into the process

Defense Evasion

T1027.002 unnamed_memory_regions_contains_pe: One or several unnamed memory regions are PE files
T1027.002 unnamed_memory_regions: Code was executed in unnamed regions
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process
T1574 dropper_dll: Creates DLL, which is then loaded into the process

Discovery

T1057 process_interest: Enumerates processes

Other

yara_rules: Static rules
no_graphical_activity: No graphic activity

Related reports

Managed XDR