Managed XDR

c-users-cfbbwbv.exe — отчёт о динамическом анализе вредоносного файла

Информация о файле

Имя файла
c-users-cfbbwbv.exe
Тип файла
PE32 executable (GUI) Intel 80386, for MS Windows
Размер файла
4.8 MB
Первое обнаружение
Последнее обнаружение

Окружение

w10/x64 en

Хеши

SHA1
69a8365d9a5e55b84219948cae906d36eb75b2ca
SHA256
a10921944cd8b7402fa05e7edd32c8d0c64875614c866aa13f540e60d995c3b6
MD5
516816a4df59de9c2bef316ba96e0c0a

Сигнатуры

Persistence

T1547.001 persistence_autorun: Makes itself run automatically on Windows startup
T1543.003 creates_service: Creates a service, that will start automatically

Privilege Escalation

T1547.001 persistence_autorun: Makes itself run automatically on Windows startup
T1543.003 creates_service: Creates a service, that will start automatically
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1497.003 antisandbox_sleep: The process attempted to slow down analysis
T1027.002 packer_entropy: Probably contains compressed or encrypted data
T1027.002 pe_features: Executable file has PE anomalies (may be false positive)
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process
T1497 evasion_printers: Attempts to detect Sandbox by exploring existing printers
T1497 evasion_diskenum: Sandbox evasion using enumeration of partitions
T1497.001 antivm_generic_productname: Checks system product name in registry, possibly for anti-virtualization

Credential Access

T1555.004 windows_credential_manager: Acquire credentials from the Windows Credential Manager

Discovery

T1497.003 antisandbox_sleep: The process attempted to slow down analysis
T1497 evasion_printers: Attempts to detect Sandbox by exploring existing printers
T1497 evasion_diskenum: Sandbox evasion using enumeration of partitions
T1497.001 antivm_generic_productname: Checks system product name in registry, possibly for anti-virtualization

Collection

T1074.001 access_recyclebin: Manipulation with recyclebin detected

Command and Control

T1071.001 winhttp_https: Performs HTTP/HTTPS requests using WinHttp

Other

creates_exe: Creates executable files in the file system
executes_dropped_exe: Executes dropped exe files
network_bind: Starts servers listening at None
no_graphical_activity: No graphic activity
create_rpc_bindings: Creates RPC connection
creates_suspended_process: Creates suspended process
suspicious_network_port: Performs TCP or UDP request to non-standard port
test_check_service: Starts services
checktokenmembership: Checks user token with CheckTokenMembership call
pe_overlay: PE file contains overlay
Managed XDR