Managed XDR

ne-zha-2-mo-tong-nao-hai.zip — отчёт о динамическом анализе вредоносного файла

Информация о файле

Имя файла
ne-zha-2-mo-tong-nao-hai.zip
Тип файла
Zip archive data, at least v1.0 to extract
Размер файла
11 MB
Первое обнаружение
Последнее обнаружение

Окружение

w10/x64 en

Хеши

SHA1
a21d4754df6c616106198d90c32836da56652df6
SHA256
cf45d1f6cc291ade76418a13c2879f01d0acd0a89fdf7af8c7aaa1174109ab70
MD5
24601d54c643d2cca2abc54744b4a530

Сигнатуры

Execution

T1059.001 suspicious_powershell: Creates suspicious powershell process
T1053.005 creates_tasks: Creates a delayed task using Task Scheduler
T1059.001 suspicious_process: Spawns a suspicious process
T1047 antivm_wmi: Uses WMI to detect virtual environment
T1047 has_wmi: Executes one or several WMI requests

Persistence

T1053.005 creates_tasks: Creates a delayed task using Task Scheduler
T1574 dropper_dll: Creates DLL, which is then loaded into the process

Privilege Escalation

T1053.005 creates_tasks: Creates a delayed task using Task Scheduler
T1574 dropper_dll: Creates DLL, which is then loaded into the process
T1134 sets_privilegies_via_adjusttokenprivileges: Sets process privilege via AdjustTokenPrivileges
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1036.001 invalid_authenticode: Digital signature of the executable file has failed the verification
T1497.001 antivm_generic_bios: Checks the BIOS version, possibly for anti-virtualization
T1497.001 antivm_vbox_acpi: Detects virtualization using ACPI
T1497.001 antivm_vbox_keys: Detects VirtualBox through the presence of a registry key
T1497.001 antivm_hyperv_keys: Attempts to detect Hyper-V
T1497.001 antivm_vmware_keys: Detects VMware through the presence of a registry key
T1497.001 antiemu_wine: Checks for Wine software
T1497.001 antivm_generic_ide: Checks the presence of IDE drives in the registry, possibly for anti-virtualization
T1497.001 antivm_generic_system: Checks the system manufacturer, possibly for anti-virtualization
T1497.001 antivm_generic_scsi: Attempts to detect virtualization by SCSI Disk Identifier
T1027.002 unnamed_memory_regions: Code was executed in unnamed regions
T1497.001 antivm_wmi: Uses WMI to detect virtual environment
T1497.003 antisandbox_idletime: Detects Windows Idle Time to determine the uptime
T1027.002 packer_entropy: Probably contains compressed or encrypted data
T1497.001 antivm_generic_productname: Checks system product name in registry, possibly for anti-virtualization
T1497.001 antivm_queries_computername: Retrieves the computer name
T1134 sets_privilegies_via_adjusttokenprivileges: Sets process privilege via AdjustTokenPrivileges
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process
T1574 dropper_dll: Creates DLL, which is then loaded into the process
T1562.001 windows_defender_add_exclusion: Adds a path to Microsoft Defender exclusion list

Discovery

T1497.001 antivm_generic_bios: Checks the BIOS version, possibly for anti-virtualization
T1497.001 antivm_vbox_acpi: Detects virtualization using ACPI
T1497.001 antivm_vbox_keys: Detects VirtualBox through the presence of a registry key
T1497.001 antivm_hyperv_keys: Attempts to detect Hyper-V
T1497.001 antivm_vmware_keys: Detects VMware through the presence of a registry key
T1497.001 antiemu_wine: Checks for Wine software
T1497.001 antivm_generic_ide: Checks the presence of IDE drives in the registry, possibly for anti-virtualization
T1497.001 antivm_generic_system: Checks the system manufacturer, possibly for anti-virtualization
T1497.001 antivm_generic_scsi: Attempts to detect virtualization by SCSI Disk Identifier
T1497.001 antivm_wmi: Uses WMI to detect virtual environment
T1497.003 antisandbox_idletime: Detects Windows Idle Time to determine the uptime
T1057 has_wmi: Executes one or several WMI requests
T1518 locates_browser: Attempts to identify where browsers are installed
T1497.001 antivm_generic_productname: Checks system product name in registry, possibly for anti-virtualization
T1497.001 antivm_queries_computername: Retrieves the computer name
T1082 fingerprint_to_file: Collects data about system and user and writes it to a text file

Other

yara_rules: Static rules
creates_exe: Creates executable files in the file system
executes_dropped_exe: Executes dropped exe files
static_pe_duplicate_sections: The PE file structure contains anomalies: duplicate section names
create_rpc_bindings: Creates RPC connection
has_pdb: This executable file has a PDB path
creates_suspended_process: Creates suspended process
pe_overlay: PE file contains overlay