Managed XDR

vtdl_1742121343_rwcdjr_v (Ryuk, Tinba) — отчёт о динамическом анализе вредоносного файла

Информация о файле

Имя файла
vtdl_1742121343_rwcdjr_v
Тип файла
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Размер файла
124.5 KB
Первое обнаружение
Последнее обнаружение

Окружение

win7/x86 en

Хеши

SHA1
4b239314c34be82f62184aa1032d8be9ea704ce2
SHA256
fe3b306f8c194c3a0f831b80e9e31f4ff61fcc3b3033346f7cfd6aebc77ba2d1
MD5
1a2bb72d0377a9b1488c0ce78c0e5150

Вредоносное ПО

  • Ryuk
  • Tinba

Сигнатуры

Persistence

T1574 dropper_dll: Creates DLL, which is then loaded into the process

Privilege Escalation

T1574 dropper_dll: Creates DLL, which is then loaded into the process
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1027.002 unnamed_memory_regions_contains_pe: One or several unnamed memory regions are PE files
T1027.002 unnamed_memory_regions: Code was executed in unnamed regions
T1222 icacls: May obtain or change Discretionary access control lists (DACLs)
T1497 antidbg_query_process: Checks if the process is being debugged (ProcessDebugPort)
T1497.003 antisandbox_sleep: The process attempted to slow down analysis
T1574 dropper_dll: Creates DLL, which is then loaded into the process
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Credential Access

T1552 infostealer_browser: Retrieves personal information from local Internet browsers
T1503 infostealer_browser: Retrieves personal information from local Internet browsers
T1555.003 cookie_files: Accesses cookie files
T1552 cookie_files: Accesses cookie files

Discovery

T1497 antidbg_query_process: Checks if the process is being debugged (ProcessDebugPort)
T1497.003 antisandbox_sleep: The process attempted to slow down analysis

Collection

T1074.001 access_recyclebin: Manipulation with recyclebin detected

Impact

T1486 ransomware_files: Ransomware indicators detected Ryuk (creates keys and the instruction on how to unlock the files)
T1486 ransomware_files_2: Ransomware(s) Ryuk indicators detected (creates keys and the instruction on how to unlock the files)

Other

yara_rules: Static rules
ryuk: Detected Ryuk ransomware
no_graphical_activity: No graphic activity
break_limit_exceeded: Warning: function calls limit has been exceeded

Похожие отчёты