Managed XDR

payload_1.zip — отчёт о динамическом анализе вредоносного файла

Информация о файле

Имя файла
payload_1.zip
Тип файла
Zip archive data, at least v2.0 to extract
Размер файла
1.3 MB
Первое обнаружение
Последнее обнаружение

Окружение

win7/x86 en

Хеши

SHA1
d0ff0871459c93a234efc1156cbe86f963b0de44
SHA256
3eadad23c3e3bef9ecbd377e913fd50a313d9f1aa090fae247a0010492f12002
MD5
9a3a49ce2e39d9ccce7dd47d476f13d4

Сигнатуры

Persistence

T1574 dropper_dll: Creates DLL, which is then loaded into the process

Privilege Escalation

T1134 sets_privilegies_via_adjusttokenprivileges: Sets process privilege via AdjustTokenPrivileges
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process
T1574 dropper_dll: Creates DLL, which is then loaded into the process

Defense Evasion

T1027.002 unnamed_memory_regions: Code was executed in unnamed regions
T1134 sets_privilegies_via_adjusttokenprivileges: Sets process privilege via AdjustTokenPrivileges
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process
T1574 dropper_dll: Creates DLL, which is then loaded into the process
T1497 evasion_diskenum: Sandbox evasion using enumeration of partitions
T1497.001 antivm_queries_computername: Retrieves the computer name

Discovery

T1497 evasion_diskenum: Sandbox evasion using enumeration of partitions
T1497.001 antivm_queries_computername: Retrieves the computer name

Other

yara_rules: Static rules
creates_exe: Creates executable files in the file system
only_exec_in_archive: The archive contains only an executable file
no_graphical_activity: No graphic activity
create_rpc_bindings: Creates RPC connection
msi_has_custom_action: MSI file contains custom action
test_check_service: Starts services
checktokenmembership: Checks user token with CheckTokenMembership call