Managed XDR

lime-crypter.exe — отчёт о динамическом анализе вредоносного файла

Информация о файле

Имя файла
lime-crypter.exe
Тип файла
PE32 executable (GUI) Intel 80386, for MS Windows
Размер файла
309.5 KB
Первое обнаружение
Последнее обнаружение

Окружение

win7/x86 en

Хеши

SHA1
6d923b064f5f28ee2656cc6843f06790b0e4cdee
SHA256
8726999251b2104d918ceb43bd2cd471eea2ed7853e511d563bf7e6f181ec52c
MD5
3521d32d480f6b2ce1e66243b84fc31b

Сигнатуры

Execution

T1047 antivm_wmi: Uses WMI to detect virtual environment
T1047 has_wmi: Executes one or several WMI requests

Privilege Escalation

T1134 sets_privilegies_via_adjusttokenprivileges: Sets process privilege via AdjustTokenPrivileges
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1497.001 antivm_sandboxie: Attempts to detect Sandboxie
T1497.001 antivm_wmi: Uses WMI to detect virtual environment
T1497.001 antivm_disk_size: Checks the amount of free disk space
T1497.001 antivm_network_adapters: Checks NIC addresses
T1134 sets_privilegies_via_adjusttokenprivileges: Sets process privilege via AdjustTokenPrivileges
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process
T1497.001 antivm_queries_computername: Retrieves the computer name
T1497.003 antisandbox_sleep: The process attempted to slow down analysis

Discovery

T1497.001 antivm_sandboxie: Attempts to detect Sandboxie
T1497.001 antivm_wmi: Uses WMI to detect virtual environment
T1497.001 antivm_disk_size: Checks the amount of free disk space
T1082 has_wmi: Executes one or several WMI requests
T1497.001 antivm_network_adapters: Checks NIC addresses
T1497.001 antivm_queries_computername: Retrieves the computer name
T1497.003 antisandbox_sleep: The process attempted to slow down analysis

Command and Control

T1071.001 network_cnc_http: Suspicious HTTP traffic
T1071.001 network_http: Performs HTTP requests

Exfiltration

T1022 encrypts_pc_info: Collects and encrypts information about the computer (possibly for exfiltration)

Other

yara_rules: Static rules
ip_domains: Identifies an IP address using external resources
creates_exe: Creates executable files in the file system
executes_dropped_exe: Executes dropped exe files
process_crashed: One of the processes has failed
unexpected_exception: Unexpected exception
no_graphical_activity: No graphic activity
get_policy_info: Retrieves information about a Policy object
test_check_service: Starts services
suricata_alert: Malicious traffic detected