Managed XDR

c-users-user-appdata-r...icrosoft-vault-def.jar — malware analysis report

File info

Filename
c-users-user-appdata-roaming-microsoft-vault-def.jar
File type
Zip archive data, at least v1.0 to extract
File size
5.2 MB
First seen
Last seen

Environment

win7/x64 en

Hashes

SHA1
ba8405bf4526e3550ff4d91ea0a09badb3381092
SHA256
035c22b0167d3b8f63699e37bd8bc48e805308752238e9b0ccf26fcce0bed838
MD5
99503d0942c58af3428743457266e7ac

Signatures

Execution

T1047 has_wmi: Executes one or several WMI requests

Persistence

T1574 dropper_dll: Creates DLL, which is then loaded into the process

Privilege Escalation

T1574 dropper_dll: Creates DLL, which is then loaded into the process
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1027.002 unnamed_memory_regions: Code was executed in unnamed regions
T1574 dropper_dll: Creates DLL, which is then loaded into the process
T1027.002 packer_entropy: Probably contains compressed or encrypted data
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Discovery

T1082 uses_windows_utilities: Uses Windows utilities for basic Windows functionality
T1082 reads_csrss: Attempts to read csrss.exe memory
T1082 recon_systeminfo: Collects system information (ipconfig, netstat, systeminfo, net)

Command and Control

T1071.001 network_http: Performs HTTP requests
T1102.003 cloud_amazonaws: Connects to cloud services of Amazon AWS (potentially for malicious payload delivery)

Other

yara_rules: Static rules
suricata_alert: Malicious traffic detected
ip_domains: Identifies an IP address using external resources
creates_exe: Creates executable files in the file system
telegram_api: Telegram Messenger API is used
creates_in_programdata: Creates files in the ProgramData directory