Managed XDR

nuevo-orden.msg (STRRAT) — отчёт о динамическом анализе вредоносного файла

Информация о файле

Имя файла
nuevo-orden.msg
Тип файла
CDFV2 Microsoft Outlook Message
Размер файла
293 KB
Первое обнаружение
Последнее обнаружение

Окружение

win7/x86 en

Хеши

SHA1
644331cdc797155157249600709666b2594c4ffc
SHA256
eb2997ec0dca9800162c21331d62cd578423c01cad4078d216716a07f9500bdc
MD5
f1303e2d7c4e350e0659ebf6b067f602

Вредоносное ПО

  • STRRAT

Сигнатуры

Execution

T1053.005 persistence_autorun: Makes itself run automatically on Windows startup
T1053.005 creates_tasks: Creates a delayed task using Task Scheduler
T1047 has_wmi: Executes one or several WMI requests

Persistence

T1053.005 persistence_autorun: Makes itself run automatically on Windows startup
T1547.001 persistence_autorun: Makes itself run automatically on Windows startup
T1053.005 creates_tasks: Creates a delayed task using Task Scheduler
T1574 dropper_dll: Creates DLL, which is then loaded into the process

Privilege Escalation

T1053.005 persistence_autorun: Makes itself run automatically on Windows startup
T1547.001 persistence_autorun: Makes itself run automatically on Windows startup
T1053.005 creates_tasks: Creates a delayed task using Task Scheduler
T1574 dropper_dll: Creates DLL, which is then loaded into the process
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1574 dropper_dll: Creates DLL, which is then loaded into the process
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Credential Access

T1555.003 cookie_files: Accesses cookie files
T1552 cookie_files: Accesses cookie files

Discovery

T1033 recon_beacon: The process has sent information about the computer over the network

Command and Control

T1071.001 recon_beacon: The process has sent information about the computer over the network
T1102.003 cloud_github: Connects to cloud services of Github (potentially for malicious payload delivery)
T1071.001 network_http: Performs HTTP requests

Other

suricata_alert: Malicious traffic detected
creates_exe: Creates executable files in the file system
ip_domains: Identifies an IP address using external resources
creates_in_programdata: Creates files in the ProgramData directory

Похожие отчёты