Managed XDR

jnpeipgollcj9jg4e6h94pjk7vf6ggg99nn7ogg1 — malware analysis report

File info

Filename
jnpeipgollcj9jg4e6h94pjk7vf6ggg99nn7ogg1
File type
SMTP mail, ASCII text, with very long lines, with CRLF line terminators
File size
788.7 KB
First seen
Last seen

Environment

win7/x64 en

Hashes

SHA1
c7ab76abffb1d77061fad762841be33ec4f6d794
SHA256
7c285166c56073c690853fbc75c35f9ca7c6cbf2d46b315371d4fb8260e9101c
MD5
be429aac84399236a776370c1fc92e9c

Signatures

Privilege Escalation

T1055.002 inject_write_pe: Writes PE file to another process's memory
T1055.012 injection_runpe: Injects code into another process
T1134 sets_privilegies_via_adjusttokenprivileges: Sets process privilege via AdjustTokenPrivileges
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1218 bypass_dev_utils: Executing .NET utility in a suspended state, potentially for injection
T1055.002 inject_write_pe: Writes PE file to another process's memory
T1055.012 injection_runpe: Injects code into another process
T1134 sets_privilegies_via_adjusttokenprivileges: Sets process privilege via AdjustTokenPrivileges
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Other

yara_rules: Static rules
dead_host: Connects to IP addresses that do not respond to requests
create_rpc_bindings: Creates RPC connection
has_pdb: This executable file has a PDB path
creates_suspended_process: Creates suspended process
break_limit_exceeded: Warning: function calls limit has been exceeded
get_policy_info: Retrieves information about a Policy object
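The signatures above are correlations over the sandbox's API trace: a child created with CREATE_SUSPENDED, a remote write whose buffer starts with an MZ header, a thread-context change followed by ResumeThread, a token opened and SeDebugPrivilege-style adjustment, and a connect() that never gets an answer. The following Python is an added illustration of that correlation, not part of this report or of the sandbox's own signature engine. The trace line format, the RegAsm.exe path, the pids, handles and the IP address are all constructed for the example.

```python
"""Correlate a Windows API trace into the behaviours the report above flags.

Added example; not part of the sandbox report or its signature engine.
The trace format and every value in SAMPLE_TRACE are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed trace: "<pid> <api>(<k=v, ...>) -> <result>", one call per line.
# It shows a classic RunPE: spawn a signed .NET utility suspended, unmap its
# image, write a new PE at the same base, repoint the thread, resume.
SAMPLE_TRACE = """\
1200 CreateProcessW(lpApplicationName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe", dwCreationFlags=0x4) -> pid=1320
1200 OpenProcessToken(hProcess=0xffffffff, DesiredAccess=0x28) -> 1
1200 AdjustTokenPrivileges(hToken=0x1f8, Privilege="SeDebugPrivilege", Attributes=0x2) -> 1
1200 NtUnmapViewOfSection(hProcess=1320, BaseAddress=0x400000) -> 0
1200 VirtualAllocEx(hProcess=1320, lpAddress=0x400000, dwSize=0x2a000, flProtect=0x40) -> 0x400000
1200 WriteProcessMemory(hProcess=1320, lpBaseAddress=0x400000, nSize=0x200, Buffer="4d5a90000300") -> 1
1200 WriteProcessMemory(hProcess=1320, lpBaseAddress=0x401000, nSize=0x29e00, Buffer="558bec83ec10") -> 1
1200 SetThreadContext(hThread=0x1fc, Eax=0x40a3c0) -> 1
1200 ResumeThread(hThread=0x1fc) -> 0
1200 connect(socket=0x204, ip="198.51.100.23", port=443) -> -1
"""

CREATE_SUSPENDED = 0x4            # dwCreationFlags bit
NET_DIR = "\\Microsoft.NET\\"     # marks a .NET framework utility as the host

LINE_RE = re.compile(r"^(?P<pid>\d+)\s+(?P<api>\w+)\((?P<args>.*)\)\s*->\s*(?P<ret>.*)$")
ARG_RE = re.compile(r'(\w+)=("[^"]*"|\S+?)(?:,|$)')


@dataclass
class Call:
    pid: int
    api: str
    args: Dict[str, str]
    ret: str


def parse_trace(text: str) -> List[Call]:
    calls: List[Call] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # real traces carry non-call lines; skip them
        args = {k: v.strip('"') for k, v in ARG_RE.findall(m["args"])}
        calls.append(Call(int(m["pid"]), m["api"], args, m["ret"].strip()))
    return calls


def detect(calls: List[Call]) -> Dict[str, List[str]]:
    """Return {signature_name: [evidence, ...]} using the report's signature names."""
    hits: Dict[str, List[str]] = {}

    def hit(sig: str, detail: str) -> None:
        hits.setdefault(sig, []).append(detail)

    suspended: Dict[str, str] = {}      # child pid -> image path
    stages: Dict[int, Set[str]] = {}    # injector pid -> RunPE stages seen so far
    for c in calls:
        st = stages.setdefault(c.pid, set())
        if c.api in ("CreateProcessW", "CreateProcessA"):
            flags = int(c.args.get("dwCreationFlags", "0"), 0)
            image = c.args.get("lpApplicationName", "")
            if flags & CREATE_SUSPENDED:
                child = c.ret.split("=")[-1]
                suspended[child] = image
                st.add("spawn")
                hit("creates_suspended_process", f"{image} -> pid {child}")
                if NET_DIR in image:
                    hit("bypass_dev_utils", image)
        elif c.api == "OpenProcessToken":
            hit("opens_process_token", c.args.get("hProcess", "?"))
        elif c.api == "OpenThreadToken":
            hit("opens_thread_token", c.args.get("hThread", "?"))
        elif c.api == "AdjustTokenPrivileges":
            # signature name spelled as in the report
            hit("sets_privilegies_via_adjusttokenprivileges", c.args.get("Privilege", "?"))
        elif c.api == "WriteProcessMemory" and c.args.get("hProcess") in suspended:
            st.add("write")
            if c.args.get("Buffer", "").lower().startswith("4d5a"):  # "MZ"
                hit("inject_write_pe",
                    f"MZ header at {c.args.get('lpBaseAddress')} in pid {c.args['hProcess']}")
        elif c.api == "SetThreadContext" and "write" in st:
            st.add("context")
        elif c.api == "ResumeThread" and {"spawn", "write", "context"} <= st:
            hit("injection_runpe", f"pid {c.pid} resumed hollowed child")
        elif c.api == "connect" and c.ret == "-1":
            hit("dead_host", f"{c.args.get('ip')}:{c.args.get('port')}")
    return hits


if __name__ == "__main__":
    for sig, evidence in detect(parse_trace(SAMPLE_TRACE)).items():
        print(f"{sig}: {'; '.join(evidence)}")
```

The ordering matters: injection_runpe only fires once a suspended spawn, a write into that child and a SetThreadContext have all been seen before the ResumeThread, which is what separates process hollowing from a debugger or installer that merely starts a child suspended. A single MZ-prefixed WriteProcessMemory into the child is enough for inject_write_pe on its own.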