Managed XDR

unknownspf.exe — отчёт о динамическом анализе вредоносного файла

Информация о файле

Имя файла
unknownspf.exe
Тип файла
PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Размер файла
539.5 KB
Первое обнаружение
Последнее обнаружение

Окружение

w10/x64 en

Хеши

SHA1
5c5bc28e1d9ec740cfb90732335f4d6f87a088a2
SHA256
5034e54cad957a00e7fd8bae10d4bacd7443d19fa0d6c06c8ec5acb494beb815
MD5
727444e7e87aa482b7a21404f867cf0a

Сигнатуры

Privilege Escalation

T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1027.002 unnamed_memory_regions: Code was executed in unnamed regions
T1497 antidbg_query_process: Checks if the process is being debugged (ProcessDebugPort)
T1027.002 packer_vmprotect: Executable file is likely compressed using VMProtect
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process
T1027.002 packer_entropy: Probably contains compressed or encrypted data

Discovery

T1497 antidbg_query_process: Checks if the process is being debugged (ProcessDebugPort)

Other

yara_rules: Static rules
static_pe_anomaly: The PE file structure contains anomalies
require_administrator: Requests administrator privileges
dotnet_import_unmanaged_code: Dotnet program statically imports unmanaged functions/modules
message_box: Displays a message
test_check_service: Starts services
dotnet_use_suspicious_functions: Dotnet program potentially uses suspicious functions/modules
dotnet_downloader_possible_network_problem: Dotnet program possibly has network problem