Managed XDR

payload.rar-filename-utf-8-payload.rar — отчёт о динамическом анализе вредоносного файла

Информация о файле

Имя файла
payload.rar-filename-utf-8-payload.rar
Тип файла
Zip archive data, at least v2.0 to extract
Размер файла
573 Bytes
Первое обнаружение
Последнее обнаружение

Окружение

w10/x64 en

Хеши

SHA1
5a67e0c449bf6c027406242a44d61950e406a284
SHA256
09040cbbbbf3e108ba4ef3881ae82c56dbcc3972399c085438addbe1e1892c81
MD5
ca8087ca5e1431dd99dc54ff0a8892bb

Сигнатуры

Execution

T1204.002 mimics_extension: Attempts to mimic the file extension
T1047 antivm_wmi: Uses WMI to detect virtual environment
T1047 has_wmi: Executes one or several WMI requests

Defense Evasion

T1036 mimics_extension: Attempts to mimic the file extension
T1497.001 antivm_wmi: Uses WMI to detect virtual environment
T1497 evasion_printers: Attempts to detect Sandbox by exploring existing printers
T1497.001 antivm_generic_productname: Checks system product name in registry, possibly for anti-virtualization
T1497.002 antivm_usbstor: Reads information about usbdevices from regkey

Credential Access

T1555.004 windows_credential_manager: Acquire credentials from the Windows Credential Manager

Discovery

T1497.001 antivm_wmi: Uses WMI to detect virtual environment
T1057 has_wmi: Executes one or several WMI requests
T1082 has_wmi: Executes one or several WMI requests
T1497 evasion_printers: Attempts to detect Sandbox by exploring existing printers
T1497.001 antivm_generic_productname: Checks system product name in registry, possibly for anti-virtualization
T1497.002 antivm_usbstor: Reads information about usbdevices from regkey

Command and Control

T1071.001 winhttp_https: Performs HTTP/HTTPS requests using WinHttp

Other

yara_rules: Static rules
network_bind: Starts servers listening at None
creates_suspended_process: Creates suspended process
suspicious_network_port: Performs TCP or UDP request to non-standard port
test_check_service: Starts services