Managed XDR

firefox-installer.lnk — отчёт о динамическом анализе вредоносного файла

Информация о файле

Имя файла
firefox-installer.lnk
Тип файла
MS Windows shortcut, Item id list present, Has Working directory, Has command line arguments, Icon number=0, ctime=Mon Jan 1 00:00:00 1601, mtime=Mon Jan 1 00:00:00 1601, atime=Mon Jan 1 00:00:00 1601, length=0, window=hide
Размер файла
936 Bytes
Первое обнаружение
Последнее обнаружение

Окружение

w10/x64 en

Хеши

SHA1
4033b2d6b7b4a2b42818ab9e24357f9f9543ed5e
SHA256
dd4c7f5aae404816cf447b8090b620c1a1971a35c6791116aa3f871f00ae011b
MD5
620a4c9d81168fcef382058d8573a249

Сигнатуры

Execution

T1053.005 creates_tasks: Creates a delayed task using Task Scheduler
T1047 has_wmi: Executes one or several WMI requests
T1059.003 suspicious_process: Spawns a suspicious process
T1059.001 url_cmdline: Cmdline of process contains URL
T1059.003 url_cmdline: Cmdline of process contains URL

Persistence

T1053.005 creates_tasks: Creates a delayed task using Task Scheduler

Privilege Escalation

T1053.005 creates_tasks: Creates a delayed task using Task Scheduler
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1218 suspicious_cmdline: Executes a suspicious command
T1027.002 unnamed_memory_regions: Code was executed in unnamed regions
T1497 evasion_printers: Attempts to detect Sandbox by exploring existing printers
T1497.002 antivm_usbstor: Reads information about usbdevices from regkey
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Credential Access

T1552 infostealer_browser: Retrieves personal information from local Internet browsers
T1503 infostealer_browser: Retrieves personal information from local Internet browsers
T1552.001 infostealer_bitcoin: Attempts to obtain access to Bitcoin/ALTCoin wallets
T1555.003 cookie_files: Accesses cookie files
T1555.004 windows_credential_manager: Acquire credentials from the Windows Credential Manager
T1552 cookie_files: Accesses cookie files

Discovery

T1087 has_wmi: Executes one or several WMI requests
T1497 evasion_printers: Attempts to detect Sandbox by exploring existing printers
T1497.002 antivm_usbstor: Reads information about usbdevices from regkey

Command and Control

T1568.002 dga_domains: Connects to DGA domains
T1071.001 network_http: Performs HTTP requests
T1071.001 winhttp_https: Performs HTTP/HTTPS requests using WinHttp
T1071.001 wininet_https: Performs HTTP/HTTPS requests using WinInet

Other

suricata_alert: Malicious traffic detected
modifies_certs: Attempts to generate or modify system certificates
suspicious_process_network: Unusual process network activity detected
dns_without_resolve: DNS query without a response
dns_tld_cc: Connects to TLD .CC, possibly malware
creates_suspended_process: Creates suspended process
suspicious_network_port: Performs TCP or UDP request to non-standard port
test_check_service: Starts services
writes_data: Writes big amount of data to disk
js_suspicious: Suspicious javascript
yara_rules: Static rules
Managed XDR