Managed XDR

vtdl_1758126381_1o1hix9r — отчёт о динамическом анализе вредоносного файла

Информация о файле

Имя файла
vtdl_1758126381_1o1hix9r
Тип файла
Microsoft Cabinet archive data, 934522 bytes, 4 files
Размер файла
912.6 KB
Первое обнаружение
Последнее обнаружение

Окружение

win7/x64 en

Хеши

SHA1
ac284c90dbc3c6decc7192dbaffadb9c53503ed4
SHA256
1bdd59c62ee3ae232405e6278301ecd96c66bdd2242f7c6a3cdb644783612691
MD5
a1cab760252732fee640868839713020

Сигнатуры

Execution

T1059.003 suspicious_batch: Suspicious batch

Privilege Escalation

T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1497.003 antisandbox_sleep_utilities: Uses Windows utilities for pausing the execution
T1140 unpacking_utilities: Uses Windows utilities to unpack data
T1027.002 pe_features: Executable file has PE anomalies (may be false positive)
T1027.002 packer_entropy: Probably contains compressed or encrypted data
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process
T1497 evasion_diskenum: Sandbox evasion using enumeration of partitions
T1497.003 antisandbox_sleep: The process attempted to slow down analysis

Credential Access

T1552.001 infostealer_bitcoin: Attempts to obtain access to Bitcoin/ALTCoin wallets

Discovery

T1497.003 antisandbox_sleep_utilities: Uses Windows utilities for pausing the execution
T1083 crawls_directories: Opens a huge number of directories all over disk C: (possibly, searches for sensitive data)
T1016.001 system_network_configuration_discovery: System network configuration discovery detected
T1497 evasion_diskenum: Sandbox evasion using enumeration of partitions
T1497.003 antisandbox_sleep: The process attempted to slow down analysis
T1135 server_share_info: Retrieves information about each shared resource on a server

Collection

T1074.001 access_recyclebin: Manipulation with recyclebin detected

Impact

T1486 modifies_files2: Cryptolocker indicators detected (100 or more files are modified)
T1486 modifies_files: Cryptolocker indicators detected (renamed 100 or more files)
T1486 ransomware_message: Ransomware indicators detected (possible ransom message creation)
T1489 service_control_stop: Stops services via ControlService

Other

create_rpc_bindings: Creates RPC connection
test_check_service: Starts services
writes_data: Writes big amount of data to disk
pe_overlay: PE file contains overlay
yara_rules: Static rules