Managed XDR

c-users-user-local-set...cation-data-cftmon.exe (DNS Sinkhole) — отчёт о динамическом анализе вредоносного файла

Информация о файле

Имя файла
c-users-user-local-settings-application-data-cftmon.exe
Тип файла
PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Размер файла
313.1 KB
Первое обнаружение
Последнее обнаружение

Окружение

w10/x86 en

Хеши

SHA1
264197de185d62e8e898add5d61bdc39ee98ce26
SHA256
1b6701b4e8eb00bbec8a296cd7b3399ba11a1dd225af6e6afac3e900cde257e4
MD5
ee5e16ba2e88a64af46383645c942b43

Вредоносное ПО

  • DNS Sinkhole

Сигнатуры

Persistence

T1547.001 persistence_autorun: Makes itself run automatically on Windows startup
T1547.004 persistence_autorun: Makes itself run automatically on Windows startup
T1574.011 persistence_services: Modifies Services registry key
T1543.003 persistence_services: Modifies Services registry key

Privilege Escalation

T1547.001 persistence_autorun: Makes itself run automatically on Windows startup
T1547.004 persistence_autorun: Makes itself run automatically on Windows startup
T1574.011 persistence_services: Modifies Services registry key
T1543.003 persistence_services: Modifies Services registry key
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1027.002 packer_polymorphic: Creates a modified copy of itself
T1574.011 persistence_services: Modifies Services registry key
T1027.002 packer_upx: The executable file is compressed using UPX
T1027.002 packer_entropy: Probably contains compressed or encrypted data
T1497 evasion_diskenum: Sandbox evasion using enumeration of partitions
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Credential Access

T1552 cookie_files: Accesses cookie files
T1555.003 cookie_files: Accesses cookie files

Discovery

T1057 process_interest: Enumerates processes
T1497 evasion_diskenum: Sandbox evasion using enumeration of partitions

Command and Control

T1071.001 wininet_openurl: Performs HTTP/HTTPS-requests using InternetOpenUrl

Other

suricata_alert: Malicious traffic detected
yara_rules: Static rules
creates_exe: Creates executable files in the file system
copies_self: Creates a copy of itself
network_bind: Starts servers listening at 0.0.0.0:28668, 0.0.0.0:25918
unexpected_exception: Unexpected exception
no_graphical_activity: No graphic activity
creates_suspended_process: Creates suspended process
checktokenmembership: Checks user token with CheckTokenMembership call
writes_data: Writes big amount of data to disk
pe_overlay: PE file contains overlay

Похожие отчёты