Managed XDR

pfi-ripl-2025-07-449_i...i-ripl-2025-07-449.xxe — malware analysis report

File info

Filename
pfi-ripl-2025-07-449_img874img874img874img874_pfi-ripl-2025-07-449.xxe
File type
ASCII text, with CRLF line terminators
File size
37.2 KB
First seen
Last seen

Environment

win7/x86 en

Hashes

SHA1
9d7fe504207dc1c1c3d7938433ad98bea1ee3ca1
SHA256
401c845271d13fb882b61f67bb7ac56c102277efaad5e6b1f409ba28fa7f44cd
MD5
938652597a999c8af23f310835ab50f5

Signatures

Execution

T1059 powershell_cmd_longcommandline: Suspiciously long commandline
T1059.001 suspicious_powershell: Creates suspicious powershell process
T1047 has_wmi: Executes one or several WMI requests
T1059.001 suspicious_process: Spawns a suspicious process
T1059.003 suspicious_process: Spawns a suspicious process
T1059.005 obfuscated_vbs: Detected obfuscated VBS
T1106 susp_callbacks: Suspicious usage of some WinAPI with callbacks

Privilege Escalation

T1055.012 injection_runpe: Injects code into another process
T1055.004 injection_ntqueueapcthread: Injects into another process using NtQueueApcThread
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1055.012 injection_runpe: Injects code into another process
T1055.004 injection_ntqueueapcthread: Injects into another process using NtQueueApcThread
T1497 antidbg_setinformationthread: Attempts to evade debugger using NtSetInformationThread
T1070 stealth_window: A process created a hidden window
T1027 obfuscated_vbs: Detected obfuscated VBS
T1027.002 unnamed_memory_regions: Code was executed in unnamed regions
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process
T1497.001 antisandbox_script_timer: Detected script timer window (indicative of sleep style evasion)

Discovery

T1497 antidbg_setinformationthread: Attempts to evade debugger using NtSetInformationThread
T1057 has_wmi: Executes one or several WMI requests
T1497.001 antisandbox_script_timer: Detected script timer window (indicative of sleep style evasion)
T1016.001 system_network_configuration_discovery: System network configuration discovery detected
T1082 reads_csrss: Attempts to read csrss.exe memory

Collection

T1560.001 archive_via_utility: Detected archiving data via utility

Other

suspicious_vbs_script: Suspicious VBS script detected
modifies_certs: Attempts to generate or modify system certificates
runs_utility_without_cmdline: Runs system utility without arguments (non-typical usage)
only_exec_in_archive: The archive contains only an executable file
unexpected_exception: Unexpected exception
no_graphical_activity: No graphic activity
creates_suspended_process: Creates suspended process
get_policy_info: Retrieves information about a Policy object
test_check_service: Starts services
checktokenmembership: Checks user token with CheckTokenMembership call
Managed XDR