20250702_fp_100_24.eml | Group-IB MDP Reports

Managed XDR

Group-IB MDP Report

File info

Filename: 20250702_fp_100_24.eml

File Type: UTF-8 Unicode text

File Size: 1.9 MB

Env info

w10/x86 en

Hashes

SHA1: 1b7fcd78c51137beffe7f87c4ade95297cfc3935

SHA256: 4d98f74bc80411c04a5a2679494160ecf68767697f25c875cd65e17a8df84f1c

MD5: fbe9f157f30d33d9039a02cdfbe1a2e6

Malwares

CloudEyE

Signatures

Initial Access

T1192 html_urls: HTML-document downloads a file

Execution

T1059.001 suspicious_powershell: Creates suspicious powershell process

T1059 nsis_suspicious_filenames: Nsis contains files with suspicious names

T1106 susp_callbacks: Suspicious usage of some WinAPI with callbacks

Privilege Escalation

T1055.012 injection_runpe: Injects code into another process

T1055.004 injection_ntqueueapcthread: Injects into another process using NtQueueApcThread

T1134 sets_privilegies_via_adjusttokenprivileges: Sets process privilege via AdjustTokenPrivileges

T1134 opens_thread_token: Opens the access token associated with a thread

T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1045 guloader_behaviour2: Cloudeye/GuLoader specific behaviour has been detected

T1055.012 injection_runpe: Injects code into another process

T1036.001 invalid_authenticode: Digital signature of one or several attached files has failed to be verified

T1055.004 injection_ntqueueapcthread: Injects into another process using NtQueueApcThread

T1497 antidbg_setinformationthread: Attempts to evade debugger using NtSetInformationThread

T1497.003 antisandbox_idletime: Detects Windows Idle Time to determine the uptime

T1027.002 unnamed_memory_regions: Code was executed in unnamed regions

T1027.002 nsis_archive: One of the packages is NSIS archive

T1027.002 nsis_suspicious_filenames: Nsis contains files with suspicious names

T1134 sets_privilegies_via_adjusttokenprivileges: Sets process privilege via AdjustTokenPrivileges

T1134 opens_thread_token: Opens the access token associated with a thread

T1134 opens_process_token: Opens the access token associated with a process

T1480 system_default_lang_id_present: Checks the system language

Discovery

T1497 antidbg_setinformationthread: Attempts to evade debugger using NtSetInformationThread

T1497.003 antisandbox_idletime: Detects Windows Idle Time to determine the uptime

T1518 locates_browser: Attempts to identify where browsers are installed

Other

yara_rules: Static rules

creates_exe: Creates executable files in the file system

runs_utility_without_cmdline: Runs system utility without arguments (non-typical usage)

copies_self: Creates a copy of itself

unexpected_exception: Unexpected exception

create_rpc_bindings: Creates RPC connection

creates_suspended_process: Creates suspended process

break_limit_exceeded: Warning: function calls limit has been exceeded

checktokenmembership: Checks user token with CheckTokenMembership call

pe_overlay: PE file contains overlay

next report: fe19501e-f201-42eb-85fc-58aefc9cca44

previous report: cef93f3e-6d60-4ef8-91d2-bd4aa533e445

Managed XDR