Managed XDR

c-windows-installer-5ac28e.msi — отчёт о динамическом анализе вредоносного файла

Информация о файле

Имя файла
c-windows-installer-5ac28e.msi
Тип файла
Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: AteraAgent, Author: Atera networks, Keywords: Installer, Comments: This installer database contains the logic and data required to install AteraAgent., Template: Intel;1033, Revision Number: {D26CD6B3-CD6A-4A03-9A54-C92552FCD1DA}, Create Time/Date: Thu Mar 11 21:25:32 2021, Last Saved Time/Date: Thu Mar 11 21:25:32 2021, Number of Pages: 200, Number of Words: 6, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
Размер файла
628 KB
Первое обнаружение
Последнее обнаружение

Окружение

win7/x86 en

Хеши

SHA1
ceca36a7f5174963a8169b3f58340019bd16a818
SHA256
9830a142b78221750d79bfb8f46088101a5e4a28295163f82def6154c72c7624
MD5
725e95684d1694d04b843d2c4a949205

Сигнатуры

Execution

T1569.002 persistence_service: Starts newly created service
T1047 has_wmi: Executes one or several WMI requests

Persistence

T1543.003 creates_service: Creates a service, that will start automatically
T1574 dropper_dll: Creates DLL, which is then loaded into the process

Privilege Escalation

T1543.003 creates_service: Creates a service, that will start automatically
T1574 dropper_dll: Creates DLL, which is then loaded into the process
T1134 sets_privilegies_via_adjusttokenprivileges: Sets process privilege via AdjustTokenPrivileges
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1027.002 unnamed_memory_regions: Code was executed in unnamed regions
T1497.001 antivm_generic_services: Enumerates services, possibly for anti-virtualization
T1497.003 antisandbox_idletime: Detects Windows Idle Time to determine the uptime
T1497.003 antisandbox_sleep: The process attempted to slow down analysis
T1497.001 antivm_network_adapters: Checks NIC addresses
T1574 dropper_dll: Creates DLL, which is then loaded into the process
T1134 sets_privilegies_via_adjusttokenprivileges: Sets process privilege via AdjustTokenPrivileges
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process
T1070 stealth_window: A process created a hidden window
T1497 evasion_diskenum: Sandbox evasion using enumeration of partitions
T1497.001 antivm_queries_computername: Retrieves the computer name

Discovery

T1497.001 antivm_generic_services: Enumerates services, possibly for anti-virtualization
T1497.003 antisandbox_idletime: Detects Windows Idle Time to determine the uptime
T1497.003 antisandbox_sleep: The process attempted to slow down analysis
T1497.001 antivm_network_adapters: Checks NIC addresses
T1497 evasion_diskenum: Sandbox evasion using enumeration of partitions
T1497.001 antivm_queries_computername: Retrieves the computer name

Other

AteraAgent: AteraAgent application detected
creates_in_windows: Creates files in the Windows directory
creates_exe: Creates executable files in the file system
executes_dropped_exe: Executes dropped exe files
create_rpc_bindings: Creates RPC connection
creates_suspended_process: Creates suspended process
msi_has_custom_action: MSI file contains custom action
get_policy_info: Retrieves information about a Policy object
test_check_service: Starts services
checktokenmembership: Checks user token with CheckTokenMembership call
yara_rules: Static rules
ce_info: AteraAgent Configuration Data found
valid_authenticode: The digital signature has been verified