Managed XDR

house-photos-and-detailed-address.z — отчёт о динамическом анализе вредоносного файла

Информация о файле

Имя файла: house-photos-and-detailed-address.z
Тип файла: Zip archive data, at least v2.0 to extract
Размер файла: 11.5 MB
Первое обнаружение: 2026-06-05 09:59
Последнее обнаружение: 2026-06-17 16:43

Окружение

w10/x64 en

Хеши

SHA1: 445f18c0c84fb42a45c3c45b9f4bb971307a9de5
SHA256: b1fec858a06ca9fef48c6f6d557a3bd94c189ad5cbfd0d0bfe401da66f8fb05c
MD5: 1188e048addc22bce728d9dbf342bfc7

Сигнатуры

Execution

T1569.002 persistence_service: Starts newly created service

T1047 antivm_wmi: Uses WMI to detect virtual environment

T1047 has_wmi: Executes one or several WMI requests

Persistence

T1543.003 creates_service: Creates a service, that will start automatically

T1574 dropper_dll: Creates DLL, which is then loaded into the process

Privilege Escalation

T1543.003 creates_service: Creates a service, that will start automatically

T1574 dropper_dll: Creates DLL, which is then loaded into the process

T1134 opens_thread_token: Opens the access token associated with a thread

T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1497.001 antivm_wmi: Uses WMI to detect virtual environment

T1497 evasion_printers: Attempts to detect Sandbox by exploring existing printers

T1497.001 antivm_generic_productname: Checks system product name in registry, possibly for anti-virtualization

T1497.001 antivm_queries_computername: Retrieves the computer name

T1574 dropper_dll: Creates DLL, which is then loaded into the process

T1562.001 amsi_patching_attempt: Attempts to patch Microsoft AMSI protection (amsi.dll)

T1134 opens_thread_token: Opens the access token associated with a thread

T1134 opens_process_token: Opens the access token associated with a process

Credential Access

T1555.004 windows_credential_manager: Acquire credentials from the Windows Credential Manager

Discovery

T1497.001 antivm_wmi: Uses WMI to detect virtual environment

T1057 has_wmi: Executes one or several WMI requests

T1057 process_interest: Enumerates processes

T1082 has_wmi: Executes one or several WMI requests

T1497 evasion_printers: Attempts to detect Sandbox by exploring existing printers

T1497.001 antivm_generic_productname: Checks system product name in registry, possibly for anti-virtualization

T1497.001 antivm_queries_computername: Retrieves the computer name

Command and Control

T1071.001 winhttp_https: Performs HTTP/HTTPS requests using WinHttp

Other

only_exec_in_archive: The archive contains only an executable file

network_bind: Starts servers listening at None

no_graphical_activity: No graphic activity

creates_suspended_process: Creates suspended process

suspicious_network_port: Performs TCP or UDP request to non-standard port

test_check_service: Starts services

checktokenmembership: Checks user token with CheckTokenMembership call

pe_overlay: PE file contains overlay

yara_rules: Static rules

Managed XDR