Managed XDR

legal-warning-against-your-company.eml — malware analysis report

File info

Filename
legal-warning-against-your-company.eml
File type
SMTP mail, ASCII text, with CRLF line terminators
File size
100 KB
First seen
Last seen

Environment

win7/x86 en

Hashes

SHA1
dbc7074b2f714d93ff6b767dc825885ddbb70769
SHA256
85ac8ae918c0da628df6f19f77c9b79307a9449f472c594b31a7bbddf4ac34aa
MD5
39ecd3e474ddc98d1b542ccfd60b8de3

Signatures

Execution

T1059.001 suspicious_powershell: Creates suspicious powershell process
T1059 powershell_cmd_longcommandline: Suspiciously long commandline
T1059.001 suspicious_process: Spawns a suspicious process
T1059.005 obfuscated_vbs: Detected obfuscated VBS
T1059.005 bad_vbs: Suspicious VBScript file

Privilege Escalation

T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1070 stealth_window: A process created a hidden window
T1027 obfuscated_vbs: Detected obfuscated VBS
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process
T1497.001 antisandbox_script_timer: Detected script timer window (indicative of sleep style evasion)
T1497.003 antisandbox_sleep: The process attempted to slow down analysis

Discovery

T1497.001 antisandbox_script_timer: Detected script timer window (indicative of sleep style evasion)
T1497.003 antisandbox_sleep: The process attempted to slow down analysis

Collection

T1560.001 archive_via_utility: Detected archiving data via utility

Command and Control

T1568.002 dga_domains: Connects to DGA domains

Other

dns_without_resolve: DNS query without a response
no_graphical_activity: No graphic activity
creates_suspended_process: Creates suspended process
get_policy_info: Retrieves information about a Policy object
checktokenmembership: Checks user token with CheckTokenMembership call