Managed XDR

declaration-data.zip — malware analysis report

File info

Filename
declaration-data.zip
File type
Zip archive data, at least v2.0 to extract
File size
21.3 MB
First seen
Last seen

Environment

win7/x64 en

Hashes

SHA1
17bb11cf03ec789c3e771c1e7acf96bcb436775e
SHA256
aff06a562e86b4af85fe05fc441e7a8e9b91713bedd2fa3a50e81012dd68cb9b
MD5
2f1529e01dd719563603299f109bec88

Signatures

Persistence

T1574.011 persistence_services: Modifies Services registry key
T1543.003 persistence_services: Modifies Services registry key
T1546 classes_autorun: Registers new extension and adds execution command
T1574 dropper_dll: Creates DLL, which is then loaded into the process

Privilege Escalation

T1543.003 persistence_services: Modifies Services registry key
T1574.011 persistence_services: Modifies Services registry key
T1546 classes_autorun: Registers new extension and adds execution command
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process
T1574 dropper_dll: Creates DLL, which is then loaded into the process

Defense Evasion

T1564.001 stealth_file: Creates hidden or system files
T1562 disables_uac: Disable UAC
T1140 decompress_pefile: Unpacks a PE file into memory
T1027.002 decompress_pefile: Unpacks a PE file into memory
T1027.002 unnamed_memory_regions: Code was executed in unnamed regions
T1574.011 persistence_services: Modifies Services registry key
T1497.001 antivm_disk_size: Checks the amount of free disk space
T1497.003 antisandbox_sleep: The process attempted to slow down analysis
T1222 icacls: May obtain or change Discretionary access control lists (DACLs)
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process
T1574 dropper_dll: Creates DLL, which is then loaded into the process
T1497 evasion_printers: Attempts to detect Sandbox by exploring existing printers
T1497 evasion_diskenum: Sandbox evasion using enumeration of partitions
T1497.001 antivm_queries_computername: Retrieves the computer name

Credential Access

T1503 infostealer_browser: Retrieves personal information from local Internet browsers
T1552 infostealer_browser: Retrieves personal information from local Internet browsers
T1555.003 cookie_files: Accesses cookie files
T1552 cookie_files: Accesses cookie files
T1056.001 infostealer_keylogger: Keylogger (intercepts keystrokes)

Discovery

T1497.001 antivm_disk_size: Checks the amount of free disk space
T1497.003 antisandbox_sleep: The process attempted to slow down analysis
T1057 process_interest: Enumerates processes
T1497 evasion_printers: Attempts to detect Sandbox by exploring existing printers
T1497 evasion_diskenum: Sandbox evasion using enumeration of partitions
T1497.001 antivm_queries_computername: Retrieves the computer name

Collection

T1115 checks_clipboard: Monitors clipboard data
T1056.001 infostealer_keylogger: Keylogger (intercepts keystrokes)

Other

suricata_alert: Malicious traffic detected
only_exec_in_archive: The archive contains only an executable file
no_graphical_activity: No graphic activity
creates_in_programdata: Creates files in the ProgramData directory
pe_overlay: PE file contains overlay
executes_dropped_exe: Executes dropped exe files
yara_rules: Static rules
Managed XDR