Managed XDR

documento-202412181020-re3110202241768.eml — malware analysis report

File info

Filename: documento-202412181020-re3110202241768.eml
File type: ASCII text, with very long lines, with CRLF line terminators
File size: 17.8 KB
First seen:
Last seen:

Environment

win7/x86 en

Hashes

SHA1: 99d5a5711cab604d2455bb24177f4906627363ad
SHA256: e1536df9b75339ba36989921086073cd247df15443d91bdca13c407683e8fe9c
MD5: 6a7c7f84c5d3530ce3eb88e001a73288

Signatures

Execution

T1059.001 suspicious_powershell: Creates a suspicious PowerShell process
T1059 powershell_cmd_longcommandline: Suspiciously long command line
T1059.001 suspicious_process: Spawns a suspicious process
T1047 antivm_wmi: Uses WMI to detect virtual environment
T1047 has_wmi: Executes one or several WMI requests
T1059.001 url_cmdline: Cmdline of process contains URL
T1059.003 url_cmdline: Cmdline of process contains URL

Privilege Escalation

T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1497.001 antivm_wmi: Uses WMI to detect virtual environment
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Credential Access

T1555.003 cookie_files: Accesses cookie files
T1552 cookie_files: Accesses cookie files

Discovery

T1497.001 antivm_wmi: Uses WMI to detect virtual environment
T1057 has_wmi: Executes one or several WMI requests

Command and Control

T1102.003 cloud_bitbucket: Connects to cloud services of bitbucket.org (potentially for malicious payload delivery)
T1102.003 cloud_github: Connects to cloud services of GitHub (potentially for malicious payload delivery)

Other

checktokenmembership: Checks user token with CheckTokenMembership call
suricata_alert: Malicious traffic detected