Managed XDR

20250728_fp_100_85.eml — malware analysis report

File info

Filename: 20250728_fp_100_85.eml
File type: UTF-8 Unicode text
File size: 648.8 KB
First seen: 2025-07-29 12:38
Last seen: 2025-07-29 12:38

Environment

win7/x86 en

Hashes

SHA1: 42abc382ed96d024571e4783fc73054a53309add
SHA256: 42e0c97d127cb1cbd5cad401b108db237fa07054f3e35024055b487f28eafeb5
MD5: f94377b6357cf5b225ae94c6fa01cdef

Signatures

Execution

T1053.005 creates_tasks: Creates a delayed task using Task Scheduler

T1053.005 persistence_autorun: Makes itself run automatically on Windows startup

T1059.003 suspicious_batch: Suspicious batch

T1106 susp_callbacks: Suspicious usage of some WinAPI with callbacks

Persistence

T1053.005 creates_tasks: Creates a delayed task using Task Scheduler

T1053.005 persistence_autorun: Makes itself run automatically on Windows startup

Privilege Escalation

T1055.012 injection_runpe: Injects code into another process

T1053.005 creates_tasks: Creates a delayed task using Task Scheduler

T1053.005 persistence_autorun: Makes itself run automatically on Windows startup

T1134 opens_thread_token: Opens the access token associated with a thread

T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1055.012 injection_runpe: Injects code into another process

T1027.002 unnamed_memory_regions_contains_pe: One or several unnamed memory regions are PE files

T1027.002 unnamed_memory_regions: Code was executed in unnamed regions

T1134 opens_thread_token: Opens the access token associated with a thread

T1134 opens_process_token: Opens the access token associated with a process

Credential Access

T1555.003 cookie_files: Accesses cookie files

T1552 cookie_files: Accesses cookie files

Discovery

T1518 locates_browser: Attempts to identify where browsers are installed

Command and Control

T1102.003 cloud_google: Connects to cloud services of Google (potentially for malicious payload delivery)

T1105 lolbin_extrac32: Download or Copy file with Extrac32

T1071.001 network_http: Performs HTTP requests

T1071.001 winhttp_https: Performs HTTP/HTTPS requests using WinHttp

Other

yara_rules: Static rules

unpacker_wrong_base: Possibly, an error occured in the file unpacker

modifies_certs: Attempts to generate or modify system certificates

dbatloader_behaviour: DBatLoader/ModiLoader behaviour

creates_exe: Creates executable files in the file system

executes_dropped_exe: Executes dropped exe files

process_crashed: One of the processes has failed

no_graphical_activity: No graphic activity

creates_suspended_process: Creates suspended process

get_policy_info: Retrieves information about a Policy object

creates_in_programdata: Creates files in the ProgramData directory

test_check_service: Starts services

checktokenmembership: Checks user token with CheckTokenMembership call

pe_overlay: PE file contains overlay

enables_execute_access_on_stack: Enable execution access on stack