Managed XDR

vtdl_1762348496_iy9gl9iy: dynamic analysis report for a malicious file

File information

File name
vtdl_1762348496_iy9gl9iy
File type
CDFV2 Microsoft Outlook Message
File size
7.4 MB
First seen
Last seen

Environment

w10/x64 en

Hashes

SHA1
7392b99fd19303d5be7c866fd865939fed22f8ca
SHA256
d195fa8224642c67b28fe3536c647f69b3a987ca6dca979cb23247649c1a5bb7
MD5
54685aa59fb5a907e23a456ea4748ecd

Signatures

Execution

T1204.002 mimics_extension: Attempts to mimic the file extension

Persistence

T1547.001 persistence_autorun: Makes itself run automatically on Windows startup
T1574 dropper_dll: Creates DLL, which is then loaded into the process

Privilege Escalation

T1547.001 persistence_autorun: Makes itself run automatically on Windows startup
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process
T1055 injection_failed: The attempt to inject into a process has failed
T1574 dropper_dll: Creates DLL, which is then loaded into the process

Defense Evasion

T1218 bypass_dev_utils: Executing .NET utility in a suspended state, potentially for injection
T1036 mimics_extension: Attempts to mimic the file extension
T1564.001 stealth_file: Creates hidden or system files
T1027.002 packer_entropy: Probably contains compressed or encrypted data
T1027.002 pe_features: Executable file has PE anomalies (may be false positive)
T1055 injection_failed: The attempt to inject into a process has failed
T1574 dropper_dll: Creates DLL, which is then loaded into the process
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process
T1497.001 antivm_generic_video: Checks information about video adapters in registry, possibly for anti-virtualization

Discovery

T1518 locates_browser: Attempts to identify where browsers are installed
T1497.001 antivm_generic_video: Checks information about video adapters in registry, possibly for anti-virtualization

Other

copies_self: Creates a copy of itself
opens_document: Opens office documents
creates_exe: Creates executable files in the file system
creates_doc: Creates (office) documents in the file system
process_crashed: One of the processes has failed
dotnet_suspicious_resources_names: Dotnet program has suspicious resource names
has_pdb: This executable file has a PDB path
dotnet_suspicious_module_name: Dotnet program has suspicious module name
creates_suspended_process: Creates suspended process
test_check_service: Starts services
checktokenmembership: Checks user token with CheckTokenMembership call
pe_overlay: PE file contains overlay
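Several of the signatures above (packer_entropy, pe_overlay, has_pdb, and the hash values in the Hashes section) are static properties an analyst can re-check on the executables the sample drops (creates_exe) without re-running the sandbox. The script below is an added example, not the sandbox's own code or the report's output: it parses the PE section table, scores each section's Shannon entropy, measures the overlay past the last section, scans for a CodeView RSDS record to pull the PDB path, and computes MD5/SHA1/SHA256. The `build_sample_pe` input, the `.text`/`.rsrc` layout and the `C:\build\release\dropper.pdb` path are constructed here for the demonstration; the RSDS scan is a heuristic (a full parser walks the debug directory), and the checks are meant for the dropped PE files, not for the Outlook .msg container itself.

```python
"""Static triage of a dropped PE: section entropy (packer_entropy), trailing
overlay (pe_overlay), CodeView PDB path (has_pdb) and file digests.
Added example; the sample PE built below is constructed test input."""
import hashlib
import math
import struct
from collections import Counter


def section_header(name: bytes, vaddr: int, raw_ptr: int, raw_size: int) -> bytes:
    # IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData,
    # PointerToRawData, reloc/linenumber pointers and counts, Characteristics.
    return struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), raw_size, vaddr,
                       raw_size, raw_ptr, 0, 0, 0, 0, 0x40000040)


def build_sample_pe() -> bytes:
    """Constructed PE32+ image: a low-entropy .text holding an RSDS record,
    a high-entropy .rsrc standing in for packed data, and 64 overlay bytes.
    It is test input for this example, not the sample from the report."""
    e_lfanew, opt_size = 0x40, 0xF0
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, opt_size, 0x22)
    opt = struct.pack("<H", 0x20B) + b"\0" * (opt_size - 2)  # PE32+ magic, rest zeroed
    pdb_path = b"C:\\build\\release\\dropper.pdb"             # hypothetical path
    rsds = b"RSDS" + b"\x11" * 16 + struct.pack("<I", 1) + pdb_path + b"\0"
    text = (rsds + b"\x90" * 0x200)[:0x200]
    rsrc, chunk = b"", b"seed"
    while len(rsrc) < 0x400:                 # deterministic pseudo-random filler
        chunk = hashlib.sha256(chunk).digest()
        rsrc += chunk
    headers = (dos + b"PE\0\0" + coff + opt
               + section_header(b".text", 0x1000, 0x200, 0x200)
               + section_header(b".rsrc", 0x2000, 0x400, 0x400))
    return headers.ljust(0x200, b"\0") + text + rsrc + b"OVERLAY".ljust(64, b"\0")


def parse_sections(data: bytes) -> list:
    """Return (name, PointerToRawData, SizeOfRawData) for every section."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size         # section table follows the optional header
    out = []
    for i in range(nsec):
        name, _, _, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        out.append((name.rstrip(b"\0").decode("latin-1"), raw_ptr, raw_size))
    return out


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte, 0.0 (constant) to 8.0 (uniform); packed or encrypted
    data usually scores above ~7.0."""
    n = len(buf)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def overlay(data: bytes, sections: list) -> bytes:
    """Bytes past the end of the last section's raw data (the PE overlay)."""
    end = max((ptr + size for _, ptr, size in sections), default=0)
    return data[end:]


def find_pdb_path(data: bytes):
    """Heuristic: find a CodeView RSDS record (signature, 16-byte GUID,
    4-byte age, NUL-terminated path). A full parser would walk the debug
    directory rather than scan for the signature."""
    idx = data.find(b"RSDS")
    if idx < 0:
        return None
    start = idx + 4 + 16 + 4
    end = data.find(b"\0", start)
    return data[start:end if end >= 0 else len(data)].decode("latin-1")


def file_hashes(data: bytes) -> dict:
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def triage(data: bytes) -> dict:
    sections = parse_sections(data)
    entropy = {name: round(shannon_entropy(data[ptr:ptr + size]), 2)
               for name, ptr, size in sections}
    return {
        "hashes": file_hashes(data),
        "section_entropy": entropy,
        "packed_sections": [n for n, e in entropy.items() if e > 7.0],
        "overlay_size": len(overlay(data, sections)),
        "pdb_path": find_pdb_path(data),
    }


if __name__ == "__main__":
    for key, value in triage(build_sample_pe()).items():
        print(f"{key}: {value}")
```

To run it against a real dropped file, replace `build_sample_pe()` with the bytes of that file; compare the returned hashes against the report's Hashes block before trusting any further conclusion, and treat a high-entropy section or a large overlay as a prompt to unpack, not as proof of malice on its own (legitimately signed installers carry overlays too).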