Managed XDR

invitation.rar (Koadic) — malware analysis report

File info

Filename
invitation.rar
File type
Zip archive data, at least v2.0 to extract
File size
517.9 KB
First seen
Last seen

Environment

win7/x86 en

Hashes

SHA1
d21f4ba48319d1945a207c4c4003493f7eaa6298
SHA256
132ba23240fb0b3104a46902de8232e65d545c34a55fb56eded6f5c57ae6807d
MD5
346fefd07831a8f0c243a1b5a514ab9d

Malwares

  • Koadic

Signatures

Initial Access

T1192 html_urls: HTML-document downloads a file

Execution

T1059.001 suspicious_powershell: Creates suspicious powershell process
T1204.002 mimics_extension: Attempts to mimic the file extension
T1059.001 suspicious_process: Spawns a suspicious process
T1059.001 url_cmdline: Cmdline of process contains URL
T1059.003 url_cmdline: Cmdline of process contains URL

Privilege Escalation

T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1036 mimics_extension: Attempts to mimic the file extension
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process
T1070 stealth_window: A process created a hidden window

Discovery

T1518 locates_browser: Attempts to identify where browsers are installed

Command and Control

T1102.003 references_discord: Contains links to cloud services of Discord (potentially for malicious payload delivery)

Other

yara_rules: Static rules
pdf_compressed_stream: Contains an object with compressed stream
get_policy_info: Retrieves information about a Policy object
office_links: Office file contains external links
checktokenmembership: Checks user token with CheckTokenMembership call

Related reports