Managed XDR

c-windows-hjch5i.exe — malware analysis report

File info

Filename
c-windows-hjch5i.exe
File type
PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows
File size
2.4 MB
First seen
Last seen

Environment

w10/x86 en

Hashes

SHA1
a761f9282f63c6a4dc2e4b6480e43512e35c4602
SHA256
a4012358b18920f29509210e1262f744bdbc8c4534b77d09c6898564d3269d00
MD5
af906777fcd0a77642eccb906abe2b66

Signatures

Execution

T1059.001 suspicious_powershell: Creates suspicious powershell process
T1059.001 suspicious_process: Spawns a suspicious process
T1047 has_wmi: Executes one or several WMI requests

Privilege Escalation

T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1562.001 stops_security_center: Stops Security Center
T1027.002 unnamed_memory_regions: Code was executed in unnamed regions
T1070.001 wevtutil_clear_log: Clears event log using wevtutil
T1497.003 antisandbox_idletime: Detects Windows Idle Time to determine the uptime
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process
T1497.001 antivm_queries_computername: Retrieves the computer name
T1027.002 packer_entropy: Probably contains compressed or encrypted data

Discovery

T1082 uses_windows_utilities: Uses Windows utilities for basic Windows functionality
T1497.003 antisandbox_idletime: Detects Windows Idle Time to determine the uptime
T1518 locates_browser: Attempts to identify where browsers are installed
T1497.001 antivm_queries_computername: Retrieves the computer name

Impact

T1489 stops_security_center: Stops Security Center
T1490 wbadmin_delete_backup: Removes system backup copies using wbadmin utility
T1490 vssadmin_delete_shadows: Attempt to delete volume shadow copies
T1489 net_stop: Stops services through the use of net stop

Other

ransomware_shadowcopy: Removes volume shadow copies
creates_many_processes: Spawns a lot of processes (over 70)
ransomware_bcdedit: Runs bcdedit commands specific to ransomware
creates_in_windows: Creates files in the Windows directory
create_rpc_bindings: Creates RPC connection
creates_suspended_process: Creates suspended process
break_limit_exceeded: Warning: function calls limit has been exceeded
suspicious_network_port: Performs TCP or UDP request to non-standard port
test_check_service: Starts services
checktokenmembership: Checks user token with CheckTokenMembership call
writes_data: Writes big amount of data to disk
yara_rules: Static rules