Managed XDR

20250708_fp_100_45.eml — malware analysis report

File info

Filename: 20250708_fp_100_45.eml
File type: UTF-8 Unicode text
File size: 285.4 KB
First seen: 2025-07-09 12:48
Last seen: 2025-07-09 12:48

Environment

win7/x86 en

Hashes

SHA1: 887473363222975cd3849482f5abdc6c5f3a186e
SHA256: 5608438ccf3bc2ee6bb9ae2fa20ff12e4d52df385c57c18be7563d47574d9b18
MD5: 7eddaff8dde5e5329640afed6907cc2e

Signatures

Initial Access

T1192 html_urls: HTML-document downloads a file

Execution

T1064 office_macros_suspicious: Document contains suspicious macro

T1064 office_macros: The document contains macro

T1064 office_macros_strings: Feature lines found in document macro

Privilege Escalation

T1134 sets_privilegies_via_adjusttokenprivileges: Sets process privilege via AdjustTokenPrivileges

T1134 opens_thread_token: Opens the access token associated with a thread

T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1221 office_attached_template: Office file attempts to download a suspicious template from the Internet

T1064 office_macros_suspicious: Document contains suspicious macro

T1497 evasion_trustrecords: Attempts to detect Sandbox exploring trusted documents

T1497 windows_enumthread: Attempts to enumerate windows using EnumThreadWindows and SendMessage for text obtaining

T1497.001 antivm_queries_computername: Retrieves the computer name

T1064 office_macros: The document contains macro

T1064 office_macros_strings: Feature lines found in document macro

T1134 sets_privilegies_via_adjusttokenprivileges: Sets process privilege via AdjustTokenPrivileges

T1134 opens_thread_token: Opens the access token associated with a thread

T1134 opens_process_token: Opens the access token associated with a process

Credential Access

T1555.003 cookie_files: Accesses cookie files

T1552 cookie_files: Accesses cookie files

Discovery

T1497 evasion_trustrecords: Attempts to detect Sandbox exploring trusted documents

T1497 windows_enumthread: Attempts to enumerate windows using EnumThreadWindows and SendMessage for text obtaining

T1497.001 antivm_queries_computername: Retrieves the computer name

T1083 checks_recent_files: Attempt to check recently opened files through registry

T1082 windows_enumthread: Attempts to enumerate windows using EnumThreadWindows and SendMessage for text obtaining

Command and Control

T1071.001 network_http: Performs HTTP requests

T1071.001 winhttp_https: Performs HTTP/HTTPS requests using WinHttp

T1071.001 wininet_https: Performs HTTP/HTTPS requests using WinInet

Other

create_rpc_bindings: Creates RPC connection

break_limit_exceeded: Warning: function calls limit has been exceeded

get_policy_info: Retrieves information about a Policy object

test_check_service: Starts services

office_links: Office file contains external links

antisandbox_check_graphics_card: Uses CreateDXGIFactory, potentially to detect graphics card

suricata_alert: Malicious traffic detected