Managed XDR

c-users-user-appdata-l...emp-zor3xd43.j21-2.lnk (Brute Ratel, XWorm) — отчёт о динамическом анализе вредоносного файла

Информация о файле

Имя файла: c-users-user-appdata-local-temp-zor3xd43.j21-2.lnk
Тип файла: MS Windows shortcut, Item id list present, Has Relative path, Has command line arguments, Icon number=115, ctime=Mon Jan 1 00:00:00 1601, mtime=Mon Jan 1 00:00:00 1601, atime=Mon Jan 1 00:00:00 1601, length=0, window=hidenormalshowminimized
Размер файла: 4.8 KB
Первое обнаружение: 2025-11-08 15:14
Последнее обнаружение: 2025-11-08 15:14

Окружение

w10/x86 en

Хеши

SHA1: 6f801682d7135ca8a8e13de4c5c451119062c283
SHA256: 3ef460f3eaeb80d2244cfcab9d12969068acfd8435a506a8d45343b4f6fb3675
MD5: 879eb0dfe716fb07cda6adb481eadb04

Вредоносное ПО

Brute Ratel
XWorm

Сигнатуры

Execution

T1059.001 suspicious_powershell: Creates suspicious powershell process

T1059.005 bad_vbs: Suspicious VBScript file

T1059.001 suspicious_process: Spawns a suspicious process

T1047 has_wmi: Executes one or several WMI requests

Persistence

T1547.001 persistence_autorun: Makes itself run automatically on Windows startup

Privilege Escalation

T1547.001 persistence_autorun: Makes itself run automatically on Windows startup

T1055.002 inject_write_pe: Writes PE file to another process's memory

T1134 opens_thread_token: Opens the access token associated with a thread

T1134 opens_process_token: Opens the access token associated with a process

T1055 injection_failed: The attempt to inject into a process has failed

Defense Evasion

T1218 bypass_dev_utils: Executing .NET utility in a suspended state, potentially for injection

T1055.002 inject_write_pe: Writes PE file to another process's memory

T1112 creates_largekey: Saves very large data in the registry, can be used to save the configuration or body of the malware

T1027.004 compiles_code: Compiles C# code

T1497 debugs_self: Creates a process and debugs it

T1497.003 antisandbox_idletime: Detects Windows Idle Time to determine the uptime

T1055 injection_failed: The attempt to inject into a process has failed

T1134 opens_thread_token: Opens the access token associated with a thread

T1134 opens_process_token: Opens the access token associated with a process

T1497.001 antisandbox_script_timer: Detected script timer window (indicative of sleep style evasion)

Discovery

T1497 debugs_self: Creates a process and debugs it

T1497.003 antisandbox_idletime: Detects Windows Idle Time to determine the uptime

T1518.001 wmi_check_av: Uses WMI to check for installed antivirus software

T1082 has_wmi: Executes one or several WMI requests

T1518 locates_browser: Attempts to identify where browsers are installed

T1497.001 antisandbox_script_timer: Detected script timer window (indicative of sleep style evasion)

Command and Control

T1071.001 network_cnc_http: Suspicious HTTP traffic

T1071.001 network_http: Performs HTTP requests

Exfiltration

T1022 encrypts_pc_info: Collects and encrypts information about the computer (possibly for exfiltration)

Other

suricata_alert: Malicious traffic detected

creates_exe: Creates executable files in the file system

suspicious_process_network: Unusual process network activity detected

network_powershell: Powershell process network connection detected

creates_suspended_process: Creates suspended process

writes_data: Writes big amount of data to disk

yara_rules: Static rules