Managed XDR

t-diag.exe — malware analysis report

File info

Filename
t-diag.exe
File type
PE32 executable (GUI) Intel 80386, for MS Windows
File size
13.9 MB
First seen
Last seen

Environment

win7/x86 en

Hashes

SHA1
bdaf7f9a8c897ae4eb5d5a287f53cffbcbcbfe6e
SHA256
638f9fa2af638327965e3d99ece3f75f2ac758831ced6b78e9edde74cd1220e4
MD5
9a05d98cf316e16d7efd3be67bb93ec6

Signatures

Execution

T1047 has_wmi: Executes one or several WMI requests

Privilege Escalation

T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1027.002 packer_themida: Themida packer signatures detected
T1027.002 pe_features: Executable file has PE anomalies (may be false positive)
T1497.001 antivm_network_adapters: Checks NIC addresses
T1497 checks_firmware: Attempts to read firmware information (potentially for evasion)
T1497.001 antivm_generic_video: Checks information about video adapters in registry, possibly for anti-virtualization
T1497.001 antivm_queries_computername: Retrieves the computer name
T1497.003 antisandbox_sleep: The process attempted to slow down analysis
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Credential Access

T1555.003 cookie_files: Accesses cookie files
T1552 cookie_files: Accesses cookie files

Discovery

T1497.001 antivm_network_adapters: Checks NIC addresses
T1497 checks_firmware: Attempts to read firmware information (potentially for evasion)
T1497.001 antivm_generic_video: Checks information about video adapters in registry, possibly for anti-virtualization
T1497.001 antivm_queries_computername: Retrieves the computer name
T1497.003 antisandbox_sleep: The process attempted to slow down analysis
T1082 checks_firmware: Attempts to read firmware information (potentially for evasion)

Command and Control

T1071.001 network_cnc_http: Suspicious HTTP traffic
T1071.001 network_http: Performs HTTP requests

Other

modifies_certs: Attempts to generate or modify system certificates
dns_without_resolve: DNS query without a response
unexpected_exception: Unexpected exception
static_pe_duplicate_sections: The PE file structure contains anomalies: duplicate section names
no_graphical_activity: No graphic activity
create_rpc_bindings: Creates RPC connection
net_dumps_in_native: .Net dumps have been found in native PE
message_box: Displays a message
get_policy_info: Retrieves information about a Policy object
creates_in_programdata: Creates files in the ProgramData directory
suspicious_network_port: Performs TCP or UDP request to non-standard port
test_check_service: Starts services
checktokenmembership: Checks user token with CheckTokenMembership call