Managed XDR

vtdl_1759760918_4gyhshx3: dynamic analysis report for a malicious file

File information

File name
vtdl_1759760918_4gyhshx3
File type
SMTP mail, UTF-8 Unicode text, with CRLF line terminators
File size
22.1 KB
First seen
Last seen

Environment

win7/x86 en

Hashes

SHA1
6410d8edb89f3aa52ee24b37f66c8fd579fe3c85
SHA256
b193978c04e1538a858bcaf08bc2aaa8773b526e1bca9106c9e57d20deefffc9
MD5
0e888ea37bcbca90e09f6ae71e7c7c7b

Signatures

Initial Access

T1192 html_urls: HTML-document downloads a file

Execution

T1059.001 suspicious_powershell: Creates suspicious powershell process
T1047 antivm_wmi: Uses WMI to detect virtual environment
T1047 has_wmi: Executes one or several WMI requests
T1059.001 suspicious_process: Spawns a suspicious process
T1106 susp_callbacks: Suspicious usage of some WinAPI with callbacks

Privilege Escalation

T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1497.001 antivm_wmi: Uses WMI to detect virtual environment
T1070 stealth_window: A process created a hidden window
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Discovery

T1497.001 antivm_wmi: Uses WMI to detect virtual environment
T1057 has_wmi: Executes one or several WMI requests
T1082 has_wmi: Executes one or several WMI requests
T1082 reads_csrss: Attempts to read csrss.exe memory

Command and Control

T1071.001 network_http: Performs HTTP requests

Other

modifies_certs: Attempts to generate or modify system certificates
unexpected_exception: Unexpected exception
checktokenmembership: Checks user token with CheckTokenMembership call
suricata_alert: Malicious traffic detected
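The sample is an SMTP message, and the first signature fired (html_urls: HTML-document downloads a file) means its HTML body links to something that gets fetched. The script below is an added triage example, not part of the sandbox report or its vendor's tooling: it parses an .eml, walks every text/html part, collects the URLs from href/src/action attributes, flags those whose path ends in a typical payload extension, and prints the same three hashes the report's Hashes block lists so the output can be matched against it. The message it runs on is constructed inline (it is not the actual sample), the example.invalid host names are placeholders, and the extension list is an assumption about what counts as a "download" for triage.

```python
"""Triage helper for an SMTP mail sample of the kind described in this report.

Added example, not code from the report or its vendor. It extracts the URLs an
HTML body references and flags likely file downloads.
"""
import hashlib
from email import policy
from email.parser import BytesParser
from html.parser import HTMLParser
from urllib.parse import urlparse

# Extensions treated as "downloads" for triage purposes (assumption, extend as needed).
DOWNLOAD_EXTENSIONS = {".exe", ".dll", ".js", ".vbs", ".hta", ".ps1", ".zip",
                       ".iso", ".img", ".lnk", ".scr", ".msi"}


class _LinkExtractor(HTMLParser):
    """Collects href/src/action values from tags that can trigger a fetch."""
    TAG_ATTRS = {"a": "href", "img": "src", "iframe": "src",
                 "script": "src", "form": "action"}

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        wanted = self.TAG_ATTRS.get(tag)
        if wanted is None:
            return
        for name, value in attrs:
            if name == wanted and value:
                self.urls.append(value.strip())


def hashes(data: bytes) -> dict:
    """Same three digests the report's Hashes block shows."""
    return {"sha1": hashlib.sha1(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest(),
            "md5": hashlib.md5(data).hexdigest()}


def extract_html_urls(raw: bytes) -> list:
    """Return every URL referenced by the text/html parts, in order, without duplicates."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    urls = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        extractor = _LinkExtractor()
        extractor.feed(part.get_content())
        urls.extend(extractor.urls)
    seen, ordered = set(), []
    for url in urls:
        if url not in seen:
            seen.add(url)
            ordered.append(url)
    return ordered


def is_download_url(url: str) -> bool:
    """True for http(s) URLs whose path ends in one of DOWNLOAD_EXTENSIONS."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return False
    path = parsed.path.lower()
    return any(path.endswith(ext) for ext in DOWNLOAD_EXTENSIONS)


def triage(raw: bytes) -> dict:
    urls = extract_html_urls(raw)
    return {"hashes": hashes(raw),
            "urls": urls,
            "downloads": [u for u in urls if is_download_url(u)]}


# Constructed sample message (not the real sample); CRLF terminators like the report's file.
SAMPLE_EML = (
    "From: sender@example.invalid\r\n"
    "To: victim@example.invalid\r\n"
    "Subject: Invoice\r\n"
    "MIME-Version: 1.0\r\n"
    "Content-Type: multipart/alternative; boundary=\"b1\"\r\n"
    "\r\n"
    "--b1\r\n"
    "Content-Type: text/plain; charset=utf-8\r\n"
    "\r\n"
    "Please see the attached invoice.\r\n"
    "--b1\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "\r\n"
    "<html><body><p>Invoice <a href=\"http://example.invalid/inv/Invoice_2024.zip\">download</a></p>"
    "<img src=\"http://example.invalid/track.png\">"
    "<a href=\"mailto:sender@example.invalid\">reply</a></body></html>\r\n"
    "--b1--\r\n"
).encode("utf-8")

if __name__ == "__main__":
    result = triage(SAMPLE_EML)
    for name, digest in result["hashes"].items():
        print(f"{name}: {digest}")
    for url in result["urls"]:
        tag = "DOWNLOAD" if url in result["downloads"] else "url"
        print(f"[{tag}] {url}")
```

Run it against a real .eml by replacing SAMPLE_EML with the file's bytes; the hashes printed for the report's sample should equal the SHA1/SHA256/MD5 listed above, and any flagged download URL is the candidate for the next stage (the suspicious PowerShell process the Execution signatures record).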