Managed XDR

userprofile.exe — malware analysis report

File info

Filename: userprofile.exe
File type: PE32 executable (GUI) Intel 80386, for MS Windows
File size: 1.1 MB
First seen: 2025-03-16 08:11
Last seen: 2025-03-16 08:11

Environment

win7/x86 en

Hashes

SHA1: a14b9dca4db0cc01a3f2d298205d0b27fa404cd6
SHA256: 2845032da1897a4e066e3fb2bf6fe36fd60bb8fb4fb4d403d7557fad9cf7246c
MD5: fd1b8460caa782fa7752040e1abfdb80

Signatures

Execution

T1047 antivm_wmi: Uses WMI to detect virtual environment

T1047 has_wmi: Executes one or several WMI requests

Privilege Escalation

T1134 sets_privilegies_via_adjusttokenprivileges: Sets process privilege via AdjustTokenPrivileges

T1134 opens_thread_token: Opens the access token associated with a thread

T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1497.001 antivm_sandboxie: Attempts to detect Sandboxie

T1497.001 antivm_wmi: Uses WMI to detect virtual environment

T1497.001 antivm_disk_size: Checks the amount of free disk space

T1027.002 packer_enigma: Enigma protector indicators detected

T1027.002 packer_entropy: Probably contains compressed or encrypted data

T1497.001 antivm_network_adapters: Checks NIC addresses

T1027.002 pe_features: Executable file has PE anomalies (may be false positive)

T1497.001 antivm_queries_computername: Retrieves the computer name

T1497.003 antisandbox_sleep: The process attempted to slow down analysis

T1134 sets_privilegies_via_adjusttokenprivileges: Sets process privilege via AdjustTokenPrivileges

T1134 opens_thread_token: Opens the access token associated with a thread

T1134 opens_process_token: Opens the access token associated with a process

Discovery

T1497.001 antivm_sandboxie: Attempts to detect Sandboxie

T1082 has_wmi: Executes one or several WMI requests

T1497.001 antivm_wmi: Uses WMI to detect virtual environment

T1497.001 antivm_disk_size: Checks the amount of free disk space

T1497.001 antivm_network_adapters: Checks NIC addresses

T1497.001 antivm_queries_computername: Retrieves the computer name

T1497.003 antisandbox_sleep: The process attempted to slow down analysis

Command and Control

T1071.001 network_cnc_http: Suspicious HTTP traffic

T1071.001 network_http: Performs HTTP requests

Exfiltration

T1022 encrypts_pc_info: Collects and encrypts information about the computer (possibly for exfiltration)

Other

yara_rules: Static rules

ip_domains: Identifies an IP address using external resources

process_crashed: One of the processes has failed

static_pe_duplicate_sections: The PE file structure contains anomalies: duplicate section names

no_graphical_activity: No graphic activity

net_dumps_in_native: .Net dumps have been found in native PE

get_policy_info: Retrieves information about a Policy object

test_check_service: Starts services

suricata_alert: Malicious traffic detected