Managed XDR

e15e7f39b11390148ce2606121eeb7f2.virus (BlackMatter, Lockbit) — отчёт о динамическом анализе вредоносного файла

Информация о файле

Имя файла
e15e7f39b11390148ce2606121eeb7f2.virus
Тип файла
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Размер файла
152 KB
Первое обнаружение
Последнее обнаружение

Окружение

win7/x86 en

Хеши

SHA1
72979615cb7e2897e64c26d25c5aadd4f29a11db
SHA256
b73bc7b54e3b3c219ae55f6190b564427c6aadbcfbe560f178dea4c2350cef81
MD5
e15e7f39b11390148ce2606121eeb7f2

Вредоносное ПО

  • BlackMatter
  • Lockbit

Сигнатуры

Persistence

T1574.011 persistence_services: Modifies Services registry key
T1543.003 persistence_services: Modifies Services registry key
T1574 dropper_dll: Creates DLL, which is then loaded into the process

Privilege Escalation

T1055.012 injection_runpe: Injects code into another process
T1574.011 persistence_services: Modifies Services registry key
T1543.003 persistence_services: Modifies Services registry key
T1134 sets_privilegies_via_rtladjustprivilege: Sets process privilege via RtlAdjustPrivilege
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process
T1574 dropper_dll: Creates DLL, which is then loaded into the process

Defense Evasion

T1055.012 injection_runpe: Injects code into another process
T1562.001 disables_security: Disables Windows Security options
T1497 antidbg_setinformationthread: Attempts to evade debugger using NtSetInformationThread
T1574.011 persistence_services: Modifies Services registry key
T1027.002 packer_entropy: Probably contains compressed or encrypted data
T1134 sets_privilegies_via_rtladjustprivilege: Sets process privilege via RtlAdjustPrivilege
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process
T1070 stealth_window: A process created a hidden window
T1070.004 self_removal_command: Executes command to delete itself
T1574 dropper_dll: Creates DLL, which is then loaded into the process

Discovery

T1518.001 antiav_detectservice: Attempts to detect installed antiviruses by a certain service
T1497 antidbg_setinformationthread: Attempts to evade debugger using NtSetInformationThread
T1518 locates_browser: Attempts to identify where browsers are installed

Collection

T1074.001 access_recyclebin: Manipulation with recyclebin detected

Impact

T1489 stops_service: Stops Windows services
T1486 modifies_files2: Cryptolocker indicators detected (50 or more files are modified)
T1486 modifies_files: Cryptolocker indicators detected (renamed 50 or more files)
T1489 service_control_stop: Stops services via ControlService

Other

yara_rules: Static rules
lockbit: Detected ransomware Lockbit
executes_dropped_exe: Executes dropped exe files
no_graphical_activity: No graphic activity
creates_suspended_process: Creates suspended process
message_box: Displays a message
error_drawtext: An error occured while executing the file
get_policy_info: Retrieves information about a Policy object
creates_in_programdata: Creates files in the ProgramData directory
test_check_service: Starts services
checktokenmembership: Checks user token with CheckTokenMembership call

Похожие отчёты