Managed XDR

sendto.exe — malware analysis report

File info

Filename
sendto.exe
File type
PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
File size
233.8 KB
First seen
Last seen

Environment

win7/x86 en

Hashes

SHA1
42518f4947a670182e0d004986747badd250a0d7
SHA256
766431723961f4d53c620d77c2e88f0219c35350405d71e5ec656b55788fef44
MD5
30cf9b36f0dca3794cf456258b01d7dd

Signatures

Persistence

T1547.001 persistence_autorun: Makes itself run automatically on Windows startup
T1179 hooked_api: Intercepts API functions

Privilege Escalation

T1055.012 injection_runpe: Injects code into another process
T1547.001 persistence_autorun: Makes itself run automatically on Windows startup
T1055 injection_thread: Code injection to a remote process using CreateRemoteThread or NtQueueApcThread
T1055.002 inject_write_pe: Writes PE file to another process's memory
T1179 hooked_api: Intercepts API functions
T1055 sets_debug_registers: Sets debug registers for a thread in a different process
T1134 sets_privilegies_via_adjusttokenprivileges: Sets process privilege via AdjustTokenPrivileges
T1134 sets_privilegies_via_rtladjustprivilege: Sets process privilege via RtlAdjustPrivilege
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1055.012 injection_runpe: Injects code into another process
T1055 injection_thread: Code injection to a remote process using CreateRemoteThread or NtQueueApcThread
T1055.002 inject_write_pe: Writes PE file to another process's memory
T1070.004 deletes_self: Moves to different location or removes the original executable file
T1027.002 unnamed_memory_regions_contains_pe: One or several unnamed memory regions are PE files
T1055 sets_debug_registers: Sets debug registers for a thread in a different process
T1027.002 unnamed_memory_regions: Code was executed in unnamed regions
T1027.002 packer_entropy: Probably contains compressed or encrypted data
T1497.003 antisandbox_sleep: The process attempted to slow down analysis
T1134 sets_privilegies_via_adjusttokenprivileges: Sets process privilege via AdjustTokenPrivileges
T1134 sets_privilegies_via_rtladjustprivilege: Sets process privilege via RtlAdjustPrivilege
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Credential Access

T1179 hooked_api: Intercepts API functions
T1555.003 cookie_files: Accesses cookie files
T1552 cookie_files: Accesses cookie files

Discovery

T1497.003 antisandbox_sleep: The process attempted to slow down analysis

Command and Control

T1071 network_irc: Connects to the IRC server, probably a botnet part
T1071.001 wininet_openurl: Performs HTTP/HTTPS-requests using InternetOpenUrl

Other

yara_rules: Static rules
creates_exe: Creates executable files in the file system
suspicious_process_network: Unusual process network activity detected
dns_without_resolve: DNS query without a response
dead_host: Connects to IP addresses that do not respond to requests
network_ftp: Performs FTP requests
no_graphical_activity: No graphic activity
create_rpc_bindings: Creates RPC connection
creates_suspended_process: Creates suspended process
origin_langid: Unconventional language of the executable file
pe_overlay: PE file contains overlay
open_winlogon_process: Trying to open winlogon process