Managed XDR

c-users-user-appdata-local-temp-p.hta — отчёт о динамическом анализе вредоносного файла

Информация о файле

Имя файла
c-users-user-appdata-local-temp-p.hta
Тип файла
MS Windows shortcut, Item id list present, Points to a file or directory, Has command line arguments, Icon, Archive, ctime=Sun Jan 15 10:30:00 2023, mtime=Tue Jun 20 14:00:00 2023, atime=Fri Mar 10 08:45:00 2023, length=0, window=hide
Размер файла
3.6 KB
Первое обнаружение
Последнее обнаружение

Окружение

w10/x64 en

Хеши

SHA1
df829164c7eb09ba38794f2ed3580ee9786a81ab
SHA256
91c3fc5ba8f9ec71e431cd8201375f6caee18212bd53054389835de61abe25b8
MD5
a953ed44ad175976a605ab9f93a9d011

Сигнатуры

Execution

T1204 suspicious_lnk: LNK file with suspicious content
T1059.003 suspicious_process: Spawns a suspicious process
T1047 antivm_wmi: Uses WMI to detect virtual environment
T1047 has_wmi: Executes one or several WMI requests
T1059.001 url_cmdline: Cmdline of process contains URL
T1059.003 executes_dropped_cmd: Executes dropped batch files
T1059.003 url_cmdline: Cmdline of process contains URL
T1059.003 suspicious_batch: Suspicious batch

Privilege Escalation

T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1218 suspicious_cmdline: Executes a suspicious command
T1027.002 unnamed_memory_regions_contains_pe: One or several unnamed memory regions are PE files
T1027.002 unnamed_memory_regions: Code was executed in unnamed regions
T1497.001 antivm_wmi: Uses WMI to detect virtual environment
T1070 stealth_window: A process created a hidden window
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process
T1497 evasion_printers: Attempts to detect Sandbox by exploring existing printers
T1497.001 antivm_generic_productname: Checks system product name in registry, possibly for anti-virtualization

Credential Access

T1555.004 windows_credential_manager: Acquire credentials from the Windows Credential Manager

Discovery

T1497.001 antivm_wmi: Uses WMI to detect virtual environment
T1082 has_wmi: Executes one or several WMI requests
T1057 has_wmi: Executes one or several WMI requests
T1497 evasion_printers: Attempts to detect Sandbox by exploring existing printers
T1497.001 antivm_generic_productname: Checks system product name in registry, possibly for anti-virtualization
T1082 fingerprint_to_file: Collects data about system and user and writes it to a text file

Command and Control

T1105 cmdline_curl: Uses curl utility for network data transferring
T1071.001 winhttp_https: Performs HTTP/HTTPS requests using WinHttp

Other

network_bind: Starts servers listening at None
creates_exe: Creates executable files in the file system
no_graphical_activity: No graphic activity
creates_suspended_process: Creates suspended process
suspicious_network_port: Performs TCP or UDP request to non-standard port
test_check_service: Starts services
antisandbox_check_graphics_card: Uses CreateDXGIFactory, potentially to detect graphics card
yara_rules: Static rules
Managed XDR