Managed XDR

63bf82b866db2f63264ff0...1762547475421909141.gz (Mydoom) — отчёт о динамическом анализе вредоносного файла

Информация о файле

Имя файла
63bf82b866db2f63264ff03dcb086d8b4aec97b8fa946ac8825a2c0bab4f0239-1762547475421909141.gz
Тип файла
gzip compressed data
Размер файла
42.1 KB
Первое обнаружение
Последнее обнаружение

Окружение

w10/x86 en

Хеши

SHA1
c0fbcfe85b5a2bd8e05af88d2cd21e969bff973a
SHA256
ddb3213e326f0ad7c540b441c85ff1d1fc0a6b56fcf9c3bb92e39565dae3545c
MD5
701ce456009cddc1d4453f2b817c0908

Вредоносное ПО

  • Mydoom

Сигнатуры

Persistence

T1547.001 persistence_autorun: Makes itself run automatically on Windows startup
T1574 dropper_dll: Creates DLL, which is then loaded into the process

Privilege Escalation

T1547.001 persistence_autorun: Makes itself run automatically on Windows startup
T1134 sets_privilegies_via_adjusttokenprivileges: Sets process privilege via AdjustTokenPrivileges
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process
T1574 dropper_dll: Creates DLL, which is then loaded into the process

Defense Evasion

T1564.001 stealth_file: Creates hidden or system files
T1497.001 antivm_generic_scsi: Attempts to detect virtualization by SCSI Disk Identifier
T1027.002 packer_polymorphic: Creates a modified copy of itself
T1497.003 antisandbox_sleep: The process attempted to slow down analysis
T1027.002 packer_entropy: Probably contains compressed or encrypted data
T1134 sets_privilegies_via_adjusttokenprivileges: Sets process privilege via AdjustTokenPrivileges
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process
T1574 dropper_dll: Creates DLL, which is then loaded into the process

Discovery

T1497.001 antivm_generic_scsi: Attempts to detect virtualization by SCSI Disk Identifier
T1497.003 antisandbox_sleep: The process attempted to slow down analysis
T1016 get_hostname: Attempts to get hostname

Command and Control

T1568.002 dga_domains: Connects to DGA domains
T1071.001 network_http: Performs HTTP requests

Other

suricata_alert: Malicious traffic detected
executes_dropped_exe: Executes dropped exe files
creates_in_windows: Creates files in the Windows directory
copies_self: Creates a copy of itself
network_bind: Starts servers listening at 0.0.0.0:3159
creates_exe: Creates executable files in the file system
dns_without_resolve: DNS query without a response
only_exec_in_archive: The archive contains only an executable file
process_crashed: One of the processes has failed
no_graphical_activity: No graphic activity
creates_suspended_process: Creates suspended process
test_check_service: Starts services
writes_data: Writes big amount of data to disk
yara_rules: Static rules

Похожие отчёты