Managed XDR

prsample.exe — malware analysis report

File info

Filename
prsample.exe
File type
PE32+ executable (DLL) (console) x86-64, for MS Windows
File size
215.5 KB
First seen
Last seen

Environment

win7/x64 en

Hashes

SHA1
26d9733bd8f3483d6a1d7431635604bbcaa3c8cc
SHA256
c931b869f7240e5262c442ccc7317e4aef51f219457fffcba143be0d189d90f4
MD5
fdabedcd2bbcaef317bc3fef55a23e0f

Signatures

Execution

T1059.003 suspicious_process: Spawns a suspicious process

Persistence

T1547.001 persistence_autorun: Makes itself run automatically on Windows startup
T1574 dropper_dll: Creates DLL, which is then loaded into the process

Privilege Escalation

T1547.001 persistence_autorun: Makes itself run automatically on Windows startup
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process
T1574 dropper_dll: Creates DLL, which is then loaded into the process

Defense Evasion

T1027.002 unnamed_memory_regions_contains_pe: One or several unnamed memory regions are PE files
T1027.002 unnamed_memory_regions: Code was executed in unnamed regions
T1027.002 packer_entropy: Probably contains compressed or encrypted data
T1497.001 antivm_queries_computername: Retrieves the computer name
T1497.003 antisandbox_sleep: The process attempted to slow down analysis
T1574 dropper_dll: Creates DLL, which is then loaded into the process
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Discovery

T1057 process_interest: Enumerates processes
T1497.001 antivm_queries_computername: Retrieves the computer name
T1497.003 antisandbox_sleep: The process attempted to slow down analysis
T1016.001 system_network_configuration_discovery: System network configuration discovery detected

Command and Control

T1095 network_icmp: Creates ICMP traffic
T1071.001 winhttp_https: Performs HTTP/HTTPS requests using WinHttp

Other

yara_rules: Static rules
copies_self: Creates a copy of itself
creates_exe: Creates executable files in the file system
suspicious_process_network: Unusual process network activity detected
network_anomaly: Network anomalies occured during the analysis
no_graphical_activity: No graphic activity
create_rpc_bindings: Creates RPC connection
has_pdb: This executable file has a PDB path
message_box: Displays a message