Managed XDR

2.exe (Egregor) — отчёт о динамическом анализе вредоносного файла

Информация о файле

Имя файла
2.exe
Тип файла
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Размер файла
151 KB
Первое обнаружение
Последнее обнаружение

Окружение

win7/x86 en

Хеши

SHA1
3706bf597d1b424819dd2495bcfb56b7a5c29a86
SHA256
7a6558ed6b8ec301c7407851c6b502e5f9c1fb91d201f1a43e911b64ce2b1b78
MD5
98864f80ffe0dba08323215f1bd192e9

Вредоносное ПО

  • Egregor

Сигнатуры

Execution

T1047 has_wmi: Executes one or several WMI requests

Persistence

T1574 dropper_dll: Creates DLL, which is then loaded into the process

Privilege Escalation

T1574 dropper_dll: Creates DLL, which is then loaded into the process
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1497.001 antivm_generic_services: Enumerates services, possibly for anti-virtualization
T1027.002 packer_entropy: Probably contains compressed or encrypted data
T1497.001 antivm_disk_size: Checks the amount of free disk space
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process
T1574 dropper_dll: Creates DLL, which is then loaded into the process
T1027.001 static_overlay_padding: Overlay contents padding
T1497.001 antivm_queries_computername: Retrieves the computer name
T1497.003 antisandbox_sleep: The process attempted to slow down analysis
T1480 system_default_lang_id_present: Checks the system language

Discovery

T1497.001 antivm_generic_services: Enumerates services, possibly for anti-virtualization
T1497.001 antivm_disk_size: Checks the amount of free disk space
T1518.001 wmi_check_av: Uses WMI to check for installed antivirus software
T1497.001 antivm_queries_computername: Retrieves the computer name
T1497.003 antisandbox_sleep: The process attempted to slow down analysis

Other

yara_rules: Static rules
no_graphical_activity: No graphic activity
create_rpc_bindings: Creates RPC connection
message_box: Displays a message
error_drawtext: An error occured while executing the file
creates_in_programdata: Creates files in the ProgramData directory
pe_overlay: PE file contains overlay

Похожие отчёты