Process Injection (T1055)
System process connects to network (likely due to code injection)
Injects a PE file into a foreign process
Writes to foreign memory regions
Software Packing (T1027.002)
Binary may include packed or crypted data
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)
Masquerading (T1036)
Drops PE files with benign system names
Creates files inside the user directory
Timestomp (T1070.006)
Binary contains a suspicious time stamp
Deobfuscate/Decode Files or Information (T1140)
.NET source code contains calls to encryption/decryption functions
Detected an attempt to pull out some data from the binary image
Virtualization/Sandbox Evasion (T1497)
Contains medium sleeps (>= 30s)
Contains long sleeps (>= 3 min)
May sleep (evasive loops) to hinder dynamic analysis
Disable or Modify Tools (T1562.001)
Adds a directory exclusion to Windows Defender
Modifies the Windows firewall
Uses netsh to modify the Windows network and firewall settings
Creates guard pages, often used to prevent reverse engineering and debugging
Process Discovery (T1057)
Queries a list of all running processes
The process tried to detect a debugger by probing the use of page guards
The process attempted to detect a running debugger using common APIs
System Information Discovery (T1082)
Queries the cryptographic machine GUID
Reads software policies
Queries process information (via WMI, Win32_Process)
Queries the volume information (name, serial number, etc.) of a device
File and Directory Discovery (T1083)
Gets common file paths
Checks whether a file exists
Enumerates the file system
Reads ini files
Security Software Discovery (T1518.001)
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)