Managed XDR

utf-8-b-umu6incq0j4g0j...rqscdqkncs0j_qni4-.eml — malware analysis report

File info

Filename: utf-8-b-umu6incq0j4g0jpqu9c-0l3qsngb0ye6inc_0l7qtnc-0lfrgnc40ylqtdc70yzqvdcw0y8g0yhrgncw-utf-8-b-0lhqvtgc0lrqscdqkncs0j_qni4-.eml
File type: data
File size: 25.8 MB
First seen: 2026-05-18 13:18
Last seen: 2026-05-18 13:18

Environment

w10/x64 en

Hashes

SHA1: 4754c97213d43066808e3e4da4d4bb7e0f66fc67
SHA256: 928505b91644bf3c5fbb4f6f52ba5fa9a484ee2dd0b2fcfb7afa114ea3057cd8
MD5: 7aa1bffdfb0845b3c261ae50ee4cb66f

Signatures

Execution

T1059.003 suspicious_process: Spawns a suspicious process

T1047 antivm_wmi: Uses WMI to detect virtual environment

T1047 has_wmi: Executes one or several WMI requests

Privilege Escalation

T1134 sets_privilegies_via_adjusttokenprivileges: Sets process privilege via AdjustTokenPrivileges

T1134 opens_thread_token: Opens the access token associated with a thread

T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1564.001 stealth_file: Creates hidden or system files

T1497 debugs_self: Creates a process and debugs it

T1497.001 antivm_wmi: Uses WMI to detect virtual environment

T1497 evasion_printers: Attempts to detect Sandbox by exploring existing printers

T1497 evasion_diskenum: Sandbox evasion using enumeration of partitions

T1497.001 antivm_generic_productname: Checks system product name in registry, possibly for anti-virtualization

T1497.001 antivm_queries_computername: Retrieves the computer name

T1497.002 antivm_usbstor: Reads information about usbdevices from regkey

T1134 sets_privilegies_via_adjusttokenprivileges: Sets process privilege via AdjustTokenPrivileges

T1134 opens_thread_token: Opens the access token associated with a thread

T1134 opens_process_token: Opens the access token associated with a process

Credential Access

T1555.004 windows_credential_manager: Acquire credentials from the Windows Credential Manager

Discovery

T1082 has_wmi: Executes one or several WMI requests

T1497 debugs_self: Creates a process and debugs it

T1497.001 antivm_wmi: Uses WMI to detect virtual environment

T1057 has_wmi: Executes one or several WMI requests

T1497 evasion_printers: Attempts to detect Sandbox by exploring existing printers

T1497 evasion_diskenum: Sandbox evasion using enumeration of partitions

T1497.001 antivm_generic_productname: Checks system product name in registry, possibly for anti-virtualization

T1497.001 antivm_queries_computername: Retrieves the computer name

T1497.002 antivm_usbstor: Reads information about usbdevices from regkey

Command and Control

T1071.001 winhttp_https: Performs HTTP/HTTPS requests using WinHttp

Other

creates_exe: Creates executable files in the file system

network_bind: Starts servers listening at None

create_process_failed: Could not start the process

create_rpc_bindings: Creates RPC connection

creates_suspended_process: Creates suspended process

msi_has_custom_action: MSI file contains custom action

suspicious_network_port: Performs TCP or UDP request to non-standard port

test_check_service: Starts services

archive_password_infected: Archive is protected by 'infected' password

Managed XDR