Managed XDR

raid-kostada2-outputs_...b510e4240257b4d0eee.oa (Smoke Bot) — отчёт о динамическом анализе вредоносного файла

Информация о файле

Имя файла
raid-kostada2-outputs_reduced_dataset-mab_1772715072-minimal-bazaar.2023.07__heur-trojan-spy.win32.windigo_windigo.gen-9e4e8a3c08c71e24a113731d9b3c6221c79a0d82e9ab0b510e4240257b4d0eee.oa
Тип файла
PE32 executable (GUI) Intel 80386, for MS Windows
Размер файла
1.2 MB
Первое обнаружение
Последнее обнаружение

Окружение

w10/x64 en

Хеши

SHA1
96233b9870f644e77455239a35a261c7a8a714da
SHA256
a7ab98874647d6351ac9b1ffa7f77d4899c80c88c5be52c291451a5fd9538dc5
MD5
f4c6f489244cbb4e6520da2f0e1a72ef

Вредоносное ПО

  • Smoke Bot

Сигнатуры

Execution

T1053.005 creates_tasks: Creates a delayed task using Task Scheduler
T1059.007 bad_js: Suspicious Javascript file

Persistence

T1053.005 creates_tasks: Creates a delayed task using Task Scheduler

Privilege Escalation

T1053.005 creates_tasks: Creates a delayed task using Task Scheduler
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1070.004 deletes_self: Moves to different location or removes the original executable file
T1027.002 unnamed_memory_regions: Code was executed in unnamed regions
T1564.001 stealth_file: Creates hidden or system files
T1497.001 antivm_generic_ide: Checks the presence of IDE drives in the registry, possibly for anti-virtualization
T1497.001 antivm_generic_scsi: Attempts to detect virtualization by SCSI Disk Identifier
T1027.002 packer_entropy: Probably contains compressed or encrypted data
T1497 antidbg_query_process: Checks if the process is being debugged (ProcessDebugPort)
T1497.003 antisandbox_sleep: The process attempted to slow down analysis
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process
T1497 evasion_printers: Attempts to detect Sandbox by exploring existing printers
T1497.002 antivm_usbstor: Reads information about usbdevices from regkey

Credential Access

T1555.004 windows_credential_manager: Acquire credentials from the Windows Credential Manager

Discovery

T1497.001 antivm_generic_ide: Checks the presence of IDE drives in the registry, possibly for anti-virtualization
T1497.001 antivm_generic_scsi: Attempts to detect virtualization by SCSI Disk Identifier
T1497 antidbg_query_process: Checks if the process is being debugged (ProcessDebugPort)
T1497.003 antisandbox_sleep: The process attempted to slow down analysis
T1497 evasion_printers: Attempts to detect Sandbox by exploring existing printers
T1497.002 antivm_usbstor: Reads information about usbdevices from regkey

Command and Control

T1071.001 network_http: Performs HTTP requests
T1071.001 winhttp_https: Performs HTTP/HTTPS requests using WinHttp

Other

suricata_alert: Malicious traffic detected
yara_rules: Static rules
suspicious_process_network: Unusual process network activity detected
origin_langid: Unconventional language of the executable file
suspicious_network_port: Performs TCP or UDP request to non-standard port
test_check_service: Starts services
pe_overlay: PE file contains overlay
js_suspicious: Suspicious javascript

Похожие отчёты

Managed XDR