Managed XDR

backup-message-10.149.....133_9045-14593402.eml — malware analysis report

File info

Filename: backup-message-10.149.147.133_9045-14593402.eml
File type: RFC 822 mail, ASCII text, with CRLF line terminators
File size: 1.6 MB
First seen:
Last seen:

Environment

win7/x86 en

Hashes

SHA1: 8d39412b2ae8202f2651c61e3dc8bd11745b7cee
SHA256: 9232bcf941e0071f0c33ccaf4419cbebe72da7f303dddef9e5bcae0fc6f1ac25
MD5: 089c0cc2820cdfcdb57be7b7ed9cb264

Signatures

Execution

T1204.002 mimics_extension: Attempts to mimic the file extension

Privilege Escalation

T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1036 mimics_extension: Attempts to mimic the file extension
T1027.002 packer_entropy: Probably contains compressed or encrypted data
T1497.001 antivm_queries_computername: Retrieves the computer name
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Discovery

T1497.001 antivm_queries_computername: Retrieves the computer name

Other

yara_rules: Static rules
process_crashed: One of the processes has failed
no_graphical_activity: No graphic activity
dotnet_import_unmanaged_code: Dotnet program statically imports unmanaged functions/modules
get_policy_info: Retrieves information about a Policy object
test_check_service: Starts services
dotnet_suspicious_module_name: Dotnet program has suspicious module name