Managed XDR

vtdl_nrkhns67 — отчёт о динамическом анализе вредоносного файла

Информация о файле

Имя файла
vtdl_nrkhns67
Тип файла
RFC 822 mail, ASCII text, with CRLF line terminators
Размер файла
19.4 KB
Первое обнаружение
Последнее обнаружение

Окружение

win7/x86 en

Хеши

SHA1
7d3577901f06dea15af408c87c55e364179757dc
SHA256
bac8d2b426d81b4b2ffdb29bbe2b9a0ed246e5650ab23be216bc6b1775cbf46d
MD5
0a1a1bde6367d854b62479cbb2535656

Сигнатуры

Execution

T1059.001 suspicious_powershell: Creates suspicious powershell process
T1059 powershell_cmd_longcommandline: Suspiciously long commandline
T1059.001 suspicious_process: Spawns a suspicious process
T1059.005 obfuscated_vbs: Detected obfuscated VBS

Privilege Escalation

T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1070 stealth_window: A process created a hidden window
T1027 obfuscated_vbs: Detected obfuscated VBS
T1497.001 antisandbox_script_timer: Detected script timer window (indicative of sleep style evasion)
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Discovery

T1497.001 antisandbox_script_timer: Detected script timer window (indicative of sleep style evasion)

Command and Control

T1102.003 cloud_google: Connects to cloud services of Google (potentially for malicious payload delivery)

Other

yara_rules: Static rules
modifies_certs: Attempts to generate or modify system certificates
no_graphical_activity: No graphic activity
get_policy_info: Retrieves information about a Policy object
checktokenmembership: Checks user token with CheckTokenMembership call