Managed XDR

ab127101a8f19bc55969f0...1766975437696893983.gz — malware analysis report

File info

Filename: ab127101a8f19bc55969f05a61eb929237eeaf3acf3352af80b7be4988c4fa56-1766975437696893983.gz
File type: gzip compressed data
File size: 36.7 KB
First seen: 2026-01-02 10:04
Last seen: 2026-01-02 10:04

Environment

w10/x64 en

Hashes

SHA1: ba43d3d4a72f6680761f4f5c96d644267ac402bb
SHA256: 52e5571246948240cdf5899eb407cdf0f4ab8cb9a54cd8fd6d3a866c0bd207ad
MD5: ba14d0f5d6c80a4d122a634f6dae4e6e

Signatures

Execution

T1059.003 executes_dropped_cmd: Executes dropped batch files

T1047 antivm_wmi: Uses WMI to detect virtual environment

T1047 has_wmi: Executes one or several WMI requests

Persistence

T1547.001 persistence_autorun: Makes itself run automatically on Windows startup

Privilege Escalation

T1547.001 persistence_autorun: Makes itself run automatically on Windows startup

T1134 opens_thread_token: Opens the access token associated with a thread

T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1070.004 deletes_self: Moves to different location or removes the original executable file

T1027.002 packer_polymorphic: Creates a modified copy of itself

T1497.001 antivm_wmi: Uses WMI to detect virtual environment

T1027.002 packer_entropy: Probably contains compressed or encrypted data

T1027.002 pe_features: Executable file has PE anomalies (may be false positive)

T1497 evasion_printers: Attempts to detect Sandbox by exploring existing printers

T1497.001 antivm_generic_productname: Checks system product name in registry, possibly for anti-virtualization

T1070 stealth_window: A process created a hidden window

T1134 opens_thread_token: Opens the access token associated with a thread

T1134 opens_process_token: Opens the access token associated with a process

Credential Access

T1555.004 windows_credential_manager: Acquire credentials from the Windows Credential Manager

Discovery

T1082 has_wmi: Executes one or several WMI requests

T1497.001 antivm_wmi: Uses WMI to detect virtual environment

T1497 evasion_printers: Attempts to detect Sandbox by exploring existing printers

T1497.001 antivm_generic_productname: Checks system product name in registry, possibly for anti-virtualization

Other

creates_exe: Creates executable files in the file system

executes_dropped_exe: Executes dropped exe files

creates_in_windows: Creates files in the Windows directory

only_exec_in_archive: The archive contains only an executable file

static_pe_duplicate_sections: The PE file structure contains anomalies: duplicate section names

create_rpc_bindings: Creates RPC connection

creates_suspended_process: Creates suspended process

suspicious_network_port: Performs TCP or UDP request to non-standard port

test_check_service: Starts services

checktokenmembership: Checks user token with CheckTokenMembership call

writes_data: Writes big amount of data to disk

pe_overlay: PE file contains overlay