Managed XDR

banned-20250313t054026-01663-02 — malware analysis report

File info

Filename: banned-20250313t054026-01663-02
File type: SMTP mail, ASCII text
File size: 345.7 KB
First seen: 2025-03-14 19:47
Last seen: 2025-03-14 19:47

Environment

w10/x86 en

Hashes

SHA1: 464f221f7e0370caf53e522dc6847c2f1eb05810
SHA256: 29754606c6702bebff69347fadfdfb4dad6d4e355dcc108817407e68d6e115e9
MD5: 542f797dbc610ba4ed931e0efbdba0b8

Signatures

Persistence

T1547.001 persistence_autorun: Makes itself run automatically on Windows startup

Privilege Escalation

T1547.001 persistence_autorun: Makes itself run automatically on Windows startup

T1134.004 ppid_spoofing: Parent pid spoofing detected

T1055.002 inject_write_pe: Writes PE file to another process's memory

T1055.012 injection_runpe: Injects code into another process

T1134 sets_privilegies_via_adjusttokenprivileges: Sets process privilege via AdjustTokenPrivileges

T1134 opens_thread_token: Opens the access token associated with a thread

T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1134.004 ppid_spoofing: Parent pid spoofing detected

T1218 bypass_dev_utils: Executing .NET utility in a suspended state, potentially for injection

T1055.002 inject_write_pe: Writes PE file to another process's memory

T1055.012 injection_runpe: Injects code into another process

T1497.001 antivm_disk_size: Checks the amount of free disk space

T1497.003 antisandbox_sleep: The process attempted to slow down analysis

T1497.001 antivm_network_adapters: Checks NIC addresses

T1134 sets_privilegies_via_adjusttokenprivileges: Sets process privilege via AdjustTokenPrivileges

T1134 opens_thread_token: Opens the access token associated with a thread

T1134 opens_process_token: Opens the access token associated with a process

T1070 stealth_window: A process created a hidden window

T1497.001 antivm_queries_computername: Retrieves the computer name

Discovery

T1497.001 antivm_disk_size: Checks the amount of free disk space

T1497.003 antisandbox_sleep: The process attempted to slow down analysis

T1497.001 antivm_network_adapters: Checks NIC addresses

T1497.001 antivm_queries_computername: Retrieves the computer name

Command and Control

T1071.001 network_cnc_http: Suspicious HTTP traffic

T1071.001 network_http: Performs HTTP requests

Exfiltration

T1022 encrypts_pc_info: Collects and encrypts information about the computer (possibly for exfiltration)

Other

networkdyndns_checkip: Connects to a Dynamic DNS domain

creates_exe: Creates executable files in the file system

pe_in_bcryptdecrypt: PE found in BCryptDecrypt function

copies_self: Creates a copy of itself

no_graphical_activity: No graphic activity

creates_suspended_process: Creates suspended process

get_policy_info: Retrieves information about a Policy object

checktokenmembership: Checks user token with CheckTokenMembership call