Managed XDR

malware — malware analysis report

File info

Filename
malware
File type
PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
File size
5.4 MB
First seen
Last seen

Environment

win7/x64 en

Hashes

SHA1
caaa1f85dd333c9d19767b5de527152d5acbc2a4
SHA256
cb0b9e509a0f16eb864277cd76c4dcaa5016a356dd62c04dff8f8d96736174a7
MD5
315a9d36ed86894269e0126b649fb3d6

Signatures

Execution

T1047 has_wmi: Executes one or several WMI requests

Privilege Escalation

T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1497.001 antivm_disk_size: Checks the amount of free disk space
T1497.001 antivm_network_adapters: Checks NIC addresses
T1497 evasion_diskenum: Sandbox evasion using enumeration of partitions
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Discovery

T1082 recon_systeminfo: Collects system information (ipconfig, netstat, systeminfo, net)
T1497.001 antivm_disk_size: Checks the amount of free disk space
T1083 crawls_directories: Opens a huge number of directories all over disk C: (possibly, searches for sensitive data)
T1497.001 antivm_network_adapters: Checks NIC addresses
T1497 evasion_diskenum: Sandbox evasion using enumeration of partitions

Impact

T1486 modifies_files2: Cryptolocker indicators detected (100 or more files are modified)
T1486 modifies_files: Cryptolocker indicators detected (renamed 100 or more files)
T1486 ransomware_message: Ransomware indicators detected (possible ransom message creation)

Other

yara_rules: Static rules
codepage: Checks the system code page
create_rpc_bindings: Creates RPC connection
get_policy_info: Retrieves information about a Policy object
test_check_service: Starts services
writes_data: Writes big amount of data to disk