Managed XDR

1784012095-13360417ee4a2380001-kffd4e.eml — malware analysis report

File info

Filename
1784012095-13360417ee4a2380001-kffd4e.eml
File type
RFC 822 mail, ISO-8859 text, with CRLF line terminators
File size
10.8 KB
First seen
Last seen

Environment

w10/x64 en

Hashes

SHA1
eb8ff8366616cb388901b94e7a16c52b045f8117
SHA256
9794156333887c12d7e4b786f301bb4619ccbf6fa43322afe80b2f479ab0f4ff
MD5
071a74b8aa71e91897d169f732e4a3a5

Signatures

Execution

T1059.001 suspicious_powershell: Creates suspicious PowerShell process
T1059.001 suspicious_process: Spawns a suspicious process
T1047 antivm_wmi: Uses WMI to detect virtual environment
T1047 has_wmi: Executes one or several WMI requests

Privilege Escalation

T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1027.002 unnamed_memory_regions: Code was executed in unnamed regions
T1497 debugs_self: Creates a process and debugs it
T1497.001 antivm_wmi: Uses WMI to detect virtual environment
T1497.001 antivm_generic_productname: Checks system product name in registry, possibly for anti-virtualization
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Discovery

T1497 debugs_self: Creates a process and debugs it
T1497.001 antivm_wmi: Uses WMI to detect virtual environment
T1082 has_wmi: Executes one or several WMI requests
T1497.001 antivm_generic_productname: Checks system product name in registry, possibly for anti-virtualization

Other

network_powershell: PowerShell process network connection detected
no_graphical_activity: No graphic activity
create_rpc_bindings: Creates RPC connection
creates_suspended_process: Creates suspended process
test_check_service: Starts services
antisandbox_check_graphics_card: Uses CreateDXGIFactory, potentially to detect graphics card