Managed XDR

userprofile.exe — отчёт о динамическом анализе вредоносного файла

Информация о файле

Имя файла
userprofile.exe
Тип файла
PE32 executable (GUI) Intel 80386, for MS Windows
Размер файла
1.1 MB
Первое обнаружение
Последнее обнаружение

Окружение

win7/x86 en

Хеши

SHA1
7d770c37ff595bc5f7a8c0eda5f59b7b5979747d
SHA256
9c9d07439f0c1436610adfb3952f3b1177ae427b431236fed4c66671d0b347bf
MD5
e91af822fc60062929eabfea53a275b5

Сигнатуры

Execution

T1047 antivm_wmi: Uses WMI to detect virtual environment
T1047 has_wmi: Executes one or several WMI requests

Privilege Escalation

T1134 sets_privilegies_via_adjusttokenprivileges: Sets process privilege via AdjustTokenPrivileges
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1497.001 antivm_sandboxie: Attempts to detect Sandboxie
T1027.002 packer_enigma: Enigma protector indicators detected
T1027.002 packer_entropy: Probably contains compressed or encrypted data
T1497.001 antivm_wmi: Uses WMI to detect virtual environment
T1497.001 antivm_disk_size: Checks the amount of free disk space
T1027.002 pe_features: Executable file has PE anomalies (may be false positive)
T1497.001 antivm_network_adapters: Checks NIC addresses
T1497.001 antivm_queries_computername: Retrieves the computer name
T1497.003 antisandbox_sleep: The process attempted to slow down analysis
T1134 sets_privilegies_via_adjusttokenprivileges: Sets process privilege via AdjustTokenPrivileges
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Discovery

T1497.001 antivm_sandboxie: Attempts to detect Sandboxie
T1497.001 antivm_wmi: Uses WMI to detect virtual environment
T1497.001 antivm_disk_size: Checks the amount of free disk space
T1082 has_wmi: Executes one or several WMI requests
T1497.001 antivm_network_adapters: Checks NIC addresses
T1497.001 antivm_queries_computername: Retrieves the computer name
T1497.003 antisandbox_sleep: The process attempted to slow down analysis

Command and Control

T1071.001 network_cnc_http: Suspicious HTTP traffic
T1071.001 network_http: Performs HTTP requests

Exfiltration

T1022 encrypts_pc_info: Collects and encrypts information about the computer (possibly for exfiltration)

Other

yara_rules: Static rules
ip_domains: Identifies an IP address using external resources
process_crashed: One of the processes has failed
static_pe_duplicate_sections: The PE file structure contains anomalies: duplicate section names
no_graphical_activity: No graphic activity
net_dumps_in_native: .Net dumps have been found in native PE
get_policy_info: Retrieves information about a Policy object
test_check_service: Starts services
suricata_alert: Malicious traffic detected