Managed XDR

su-estatus-laboral.eml — malware analysis report

File info

Filename
su-estatus-laboral.eml
File type
HTML document, ASCII text, with very long lines, with CRLF line terminators
File size
12 KB
First seen
Last seen

Environment

win7/x86 en

Hashes

SHA1
f2a7b78463aa39835064d1efa7c21004bbbba013
SHA256
0655a858d4d65eeaa408d4324ff3a3b56ffb3131129eae628a9dd7dba3687406
MD5
74ae1d8be24a7000c3a2b4c71c7f62ec

Signatures

Execution

T1059.001 suspicious_powershell: Creates suspicious powershell process
T1059 powershell_cmd_longcommandline: Suspiciously long commandline
T1059.001 suspicious_process: Spawns a suspicious process
T1059.005 obfuscated_vbs: Detected obfuscated VBS
T1059.005 bad_vbs: Suspicious VBScript file

Privilege Escalation

T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1070 stealth_window: A process created a hidden window
T1027 obfuscated_vbs: Detected obfuscated VBS
T1497.001 antisandbox_script_timer: Detected script timer window (indicative of sleep style evasion)
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Discovery

T1497.001 antisandbox_script_timer: Detected script timer window (indicative of sleep style evasion)

Other

yara_rules: Static rules
dead_host: Connects to IP addresses that do not respond to requests
no_graphical_activity: No graphic activity
get_policy_info: Retrieves information about a Policy object
checktokenmembership: Checks user token with CheckTokenMembership call