Uses Microsoft's Enhanced Cryptographic Provider
Sample file is different than original file name gathered from version info
Queries the volume information (name, serial number etc) of a device
PE file contains sections with non-standard names
May sleep (evasive loops) to hinder dynamic analysis
Modifies existing user documents (likely ransomware behavior)
Checks for available system drives (often done to infect USB drives)
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to delete services
Contains functionality to enumerate running services
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain checking for process token information
Sigma detected: Delete Shadow Copy Via Powershell
Contains functionality to detect sleep reduction / modifications
Contains functionality to change the wallpaper
Encrypted powershell cmdline option found
Multi AV Scanner detection for submitted file
Antivirus / Scanner detection for submitted sample