Managed XDR

c-users-user-appdata-local-907159531.exe (Hiloti): dynamic analysis report of a malicious file

File information

File name: c-users-user-appdata-local-907159531.exe
File type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
File size: 1.2 MB
First seen:
Last seen:

Environment

win7/x86 en

Hashes

SHA1: f9ad06e5448fd7bae4287e4a7cee1d19100bac27
SHA256: 7bd0dd39253126ec75c5333a2afba27f6d2b5ffee0f6cd1b7e729b17d1998250
MD5: 671c7789559ffdcbeabd6bab03332ef1

Malware

  • Hiloti

Signatures

Execution

T1059.003 executes_dropped_cmd: Executes dropped batch files

Persistence

T1547.001 persistence_autorun: Makes itself run automatically on Windows startup

Privilege Escalation

T1547.001 persistence_autorun: Makes itself run automatically on Windows startup
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1027.002 unnamed_memory_regions: Code was executed in unnamed regions
T1480 system_default_lang_id_present: Checks the system language
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process
T1027.001 static_overlay_padding: Overlay contents padding
T1027.002 packer_entropy: Probably contains compressed or encrypted data
T1070 stealth_window: A process created a hidden window
T1497.001 antivm_queries_computername: Retrieves the computer name

Credential Access

T1555.003 cookie_files: Accesses cookie files
T1552 cookie_files: Accesses cookie files

Discovery

T1497.001 antivm_queries_computername: Retrieves the computer name
T1135 server_share_info: Retrieves information about each shared resource on a server
T1082 fingerprint_to_file: Collects data about system and user and writes it to a text file

Command and Control

T1071.001 network_http: Performs HTTP requests
T1071.001 wininet_openurl: Performs HTTP/HTTPS-requests using InternetOpenUrl

Impact

T1486 ransomware_windows_possible: Ransomware indicators detected (possible ransom window creation)

Other

yara_rules: Static rules
suricata_alert: Malicious traffic detected
creates_exe: Creates executable files in the file system
executes_dropped_exe: Executes dropped exe files
copies_self: Creates a copy of itself
create_rpc_bindings: Creates RPC connection
message_box: Displays a message
error_drawtext: An error occurred while executing the file
get_policy_info: Retrieves information about a Policy object
pe_overlay: PE file contains overlay
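The static signatures above (pe_overlay, static_overlay_padding, packer_entropy) and the hash block can be reproduced locally without the sandbox. The following Python script is an added example, not code from this report or from the sandbox that produced it: it locates the PE overlay by walking the section table, measures the overlay's Shannon entropy, labels it as padding or as probably packed/encrypted data, and checks a file's MD5/SHA1/SHA256 against the hashes listed above. The entropy thresholds and the minimal synthetic PE32 image it builds for offline testing are assumptions made for the example; run triage_file() on the real sample to get the actual numbers.

```python
"""Static triage of a PE sample: overlay detection, overlay entropy and hash
matching against the indicators in this report (added example, not sandbox code)."""
import hashlib
import math
import struct

# Hashes copied from the report above; a file matching any of them is the analysed sample.
REPORT_HASHES = {
    "md5": "671c7789559ffdcbeabd6bab03332ef1",
    "sha1": "f9ad06e5448fd7bae4287e4a7cee1d19100bac27",
    "sha256": "7bd0dd39253126ec75c5333a2afba27f6d2b5ffee0f6cd1b7e729b17d1998250",
}

# Assumed entropy thresholds (bits per byte) for labelling an overlay; tune for your corpus.
PADDING_MAX_ENTROPY = 1.0
PACKED_MIN_ENTROPY = 7.0


def overlay_info(data: bytes) -> tuple[int, int]:
    """Return (overlay_offset, overlay_size). The overlay is everything past the end of
    the last section's raw data, where packers and droppers append payloads or padding."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_hdr_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    section_table = e_lfanew + 24 + opt_hdr_size
    end_of_sections = 0
    for i in range(num_sections):
        hdr = section_table + i * 40
        raw_size, raw_ptr = struct.unpack_from("<II", data, hdr + 16)
        end_of_sections = max(end_of_sections, raw_ptr + raw_size)
    # A truncated file can end before its last section; report no overlay in that case.
    return end_of_sections, max(0, len(data) - end_of_sections)


def shannon_entropy(buf: bytes) -> float:
    """Shannon entropy in bits per byte: ~0 for padding, ~8 for compressed/encrypted data."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def file_hashes(data: bytes) -> dict[str, str]:
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def triage(data: bytes) -> dict:
    """Combine the checks into one verdict; label names mirror the report's signatures."""
    offset, size = overlay_info(data)
    entropy = shannon_entropy(data[offset:offset + size])
    labels = []
    if size:
        labels.append("pe_overlay")
        if entropy <= PADDING_MAX_ENTROPY:
            labels.append("static_overlay_padding")
        elif entropy >= PACKED_MIN_ENTROPY:
            labels.append("packer_entropy")
    hashes = file_hashes(data)
    return {
        "overlay_offset": offset,
        "overlay_size": size,
        "overlay_entropy": entropy,
        "labels": labels,
        "hash_match": any(hashes[k] == v for k, v in REPORT_HASHES.items()),
    }


def triage_file(path: str) -> dict:
    with open(path, "rb") as fh:
        return triage(fh.read())


def build_sample_pe(overlay: bytes) -> bytes:
    """Constructed minimal PE32 image (one .text section, file alignment 0x200) so the
    example runs offline; it is not the sample from the report."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew -> PE header at 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)  # i386, 1 section
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    section = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x200,
                          0, 0, 0, 0, 0x60000020)
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + section
    headers += b"\0" * (0x200 - len(headers))
    return headers + b"\x90" * 0x200 + overlay  # section raw data, then the overlay


if __name__ == "__main__":
    for name, ov in (("zero padding", b"\0" * 64), ("high-entropy blob", bytes(range(256)))):
        print(name, triage(build_sample_pe(ov)))
```

The two constructed overlays show the difference between the report's two static labels: a run of zero bytes scores 0 bits per byte and is labelled static_overlay_padding, while a blob with a flat byte distribution scores 8 bits per byte and is labelled packer_entropy. Neither synthetic image matches the report's hashes; hash_match only becomes true for the real sample.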

Similar reports