Managed XDR

banned-20260618t095220-01540-20 — malware analysis report

File info

Filename: banned-20260618t095220-01540-20
File type: SMTP mail, ASCII text
File size: 170.6 KB
First seen: 2026-06-20 23:25
Last seen: 2026-06-20 23:25

Environment

w11/x64 en

Hashes

SHA1: 818f53208b32089333d9897d8458c1806ea490a5
SHA256: 3ced63797fa32dd15e23cdf39f0d1b32be6f089b777f9dd906224cfe201928bc
MD5: 1c2d3b76a36f0f914e9402c0270b2c9c

Signatures

Execution

T1059.001 suspicious_powershell: Creates suspicious PowerShell process

T1204.002 mimics_extension: Attempts to mimic the file extension

T1047 has_wmi: Executes one or several WMI requests

Persistence

T1037 persistence_autorun: Makes itself run automatically on Windows startup

T1543.003 persistence_services: Modifies Services registry key

T1574.011 persistence_services: Modifies Services registry key

Privilege Escalation

T1037 persistence_autorun: Makes itself run automatically on Windows startup

T1574.011 persistence_services: Modifies Services registry key

T1543.003 persistence_services: Modifies Services registry key

T1134 opens_thread_token: Opens the access token associated with a thread

T1134 opens_process_token: Opens the access token associated with a process

T1055 injection_failed: The attempt to inject into a process has failed

Defense Evasion

T1036 mimics_extension: Attempts to mimic the file extension

T1564.001 stealth_file: Creates hidden or system files

T1574.011 persistence_services: Modifies Services registry key

T1562.001 amsi_patching_attempt: Attempts to patch Microsoft AMSI protection (amsi.dll)

T1202 lolbin_conhost: conhost.exe spawning unexpected processes via --headless argument

T1134 opens_thread_token: Opens the access token associated with a thread

T1134 opens_process_token: Opens the access token associated with a process

T1497.001 antisandbox_script_timer: Detected script timer window (indicative of sleep style evasion)

T1027 many_env_vars: An extensive number of environment variables has been created (possible sign of obfuscation)

T1070 stealth_window: A process created a hidden window

T1055 injection_failed: The attempt to inject into a process has failed

Discovery

T1518.001 wmi_check_av: Uses WMI to check for installed antivirus software

T1518 locates_browser: Attempts to identify where browsers are installed

T1497.001 antisandbox_script_timer: Detected script timer window (indicative of sleep style evasion)

Exfiltration

T1022 encrypts_pc_info: Collects and encrypts information about the computer (possibly for exfiltration)

Other

copies_self: Creates a copy of itself

creates_exe: Creates executable files in the file system

network_powershell: PowerShell process network connection detected

no_graphical_activity: No graphic activity

create_rpc_bindings: Creates RPC connection

creates_suspended_process: Creates suspended process

test_check_service: Starts services

writes_data: Writes big amount of data to disk

Managed XDR