Managed XDR

vtdl_1738672923_1b5vfgir (Tinba, Ryuk) — отчёт о динамическом анализе вредоносного файла

Информация о файле

Имя файла
vtdl_1738672923_1b5vfgir
Тип файла
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Размер файла
131 KB
Первое обнаружение
Последнее обнаружение

Окружение

win7/x86 en

Хеши

SHA1
12526566d0edd7e5765952d44b8f0dd79008c518
SHA256
04c1b768c40190441caedcbcaf69af709e509f34705b23b2ec5729822f5d834c
MD5
785892123e4c7ff7ca1ffd2b6ab6a0f9

Вредоносное ПО

  • Tinba
  • Ryuk

Сигнатуры

Persistence

T1574 dropper_dll: Creates DLL, which is then loaded into the process

Privilege Escalation

T1574 dropper_dll: Creates DLL, which is then loaded into the process
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1036 copies_utilities: Copies and runs system utility with different name
T1027.002 unnamed_memory_regions_contains_pe: One or several unnamed memory regions are PE files
T1564.001 stealth_file: Creates hidden or system files
T1027.002 unnamed_memory_regions: Code was executed in unnamed regions
T1497 antidbg_query_process: Checks if the process is being debugged (ProcessDebugPort)
T1497.003 antisandbox_sleep: The process attempted to slow down analysis
T1222 icacls: May obtain or change Discretionary access control lists (DACLs)
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process
T1574 dropper_dll: Creates DLL, which is then loaded into the process
T1070 stealth_window: A process created a hidden window

Discovery

T1497 antidbg_query_process: Checks if the process is being debugged (ProcessDebugPort)
T1497.003 antisandbox_sleep: The process attempted to slow down analysis
T1518 locates_browser: Attempts to identify where browsers are installed

Collection

T1074.001 access_recyclebin: Manipulation with recyclebin detected

Impact

T1486 ransomware_files: Ransomware indicators detected Ryuk (creates keys and the instruction on how to unlock the files)
T1486 ransomware_files_2: Ransomware(s) Ryuk indicators detected (creates keys and the instruction on how to unlock the files)

Other

yara_rules: Static rules
ryuk: Detected Ryuk ransomware
executes_dropped_exe: Executes dropped exe files
creates_in_windows: Creates files in the Windows directory
creates_exe: Creates executable files in the file system
no_graphical_activity: No graphic activity
get_policy_info: Retrieves information about a Policy object

Похожие отчёты