Managed XDR

b6a59a69c0000.000000000001.0002.eml — malware analysis report

File info

Filename
b6a59a69c0000.000000000001.0002.eml
File type
HTML document, ASCII text, with very long lines, with CRLF line terminators
File size
767 KB
First seen
Last seen

Environment

w10/x64 en

Hashes

SHA1
06416c2f8b0312174b4e3cd2810f3eef8288184b
SHA256
2a35a30847fff73b2de26854097a7a36b0fd6406ac5404fab2dc81b8b9f7ef89
MD5
6f4b0c8e2651fcda1babb5584ffbcff5

Signatures

Execution

T1059.001 suspicious_powershell: Creates suspicious PowerShell process
T1047 antivm_wmi: Uses WMI to detect virtual environment
T1047 has_wmi: Executes one or several WMI requests
T1059.001 suspicious_process: Spawns a suspicious process
T1059.003 suspicious_batch: Suspicious batch

Defense Evasion

T1497.001 antivm_wmi: Uses WMI to detect virtual environment
T1497 evasion_printers: Attempts to detect Sandbox by exploring existing printers
T1497.001 antivm_generic_productname: Checks system product name in registry, possibly for anti-virtualization

Credential Access

T1555.004 windows_credential_manager: Acquire credentials from the Windows Credential Manager

Discovery

T1497.001 antivm_wmi: Uses WMI to detect virtual environment
T1082 has_wmi: Executes one or several WMI requests
T1057 has_wmi: Executes one or several WMI requests
T1518 locates_browser: Attempts to identify where browsers are installed
T1497 evasion_printers: Attempts to detect Sandbox by exploring existing printers
T1497.001 antivm_generic_productname: Checks system product name in registry, possibly for anti-virtualization

Command and Control

T1071.001 winhttp_https: Performs HTTP/HTTPS requests using WinHttp

Other

network_bind: Starts servers listening at None
creates_exe: Creates executable files in the file system
no_graphical_activity: No graphic activity
creates_suspended_process: Creates suspended process
suspicious_network_port: Performs TCP or UDP request to non-standard port
test_check_service: Starts services