Managed XDR

c-users-user-appdata-r...icrosoft-vault-def.jar — отчёт о динамическом анализе вредоносного файла

Информация о файле

Имя файла
c-users-user-appdata-roaming-microsoft-vault-def.jar
Тип файла
Zip archive data, at least v1.0 to extract
Размер файла
5.2 MB
Первое обнаружение
Последнее обнаружение

Окружение

win7/x64 en

Хеши

SHA1
ba8405bf4526e3550ff4d91ea0a09badb3381092
SHA256
035c22b0167d3b8f63699e37bd8bc48e805308752238e9b0ccf26fcce0bed838
MD5
99503d0942c58af3428743457266e7ac

Сигнатуры

Execution

T1047 has_wmi: Executes one or several WMI requests

Persistence

T1574 dropper_dll: Creates DLL, which is then loaded into the process

Privilege Escalation

T1574 dropper_dll: Creates DLL, which is then loaded into the process
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1027.002 unnamed_memory_regions: Code was executed in unnamed regions
T1027.002 packer_entropy: Probably contains compressed or encrypted data
T1574 dropper_dll: Creates DLL, which is then loaded into the process
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Discovery

T1082 uses_windows_utilities: Uses Windows utilities for basic Windows functionality
T1082 reads_csrss: Attempts to read csrss.exe memory
T1082 recon_systeminfo: Collects system information (ipconfig, netstat, systeminfo, net)

Command and Control

T1071.001 network_http: Performs HTTP requests
T1102.003 cloud_amazonaws: Connects to cloud services of Amazon AWS (potentially for malicious payload delivery)

Other

yara_rules: Static rules
suricata_alert: Malicious traffic detected
ip_domains: Identifies an IP address using external resources
creates_exe: Creates executable files in the file system
telegram_api: Telegram Messenger API is used
creates_in_programdata: Creates files in the ProgramData directory