Managed XDR

banned-20260618t075805-01556-11 — malware analysis report

File info

Filename: banned-20260618t075805-01556-11
File type: SMTP mail, ASCII text
File size: 170.6 KB
First seen: 2026-06-20 23:21
Last seen: 2026-06-20 23:22

Environment

w11/x64 en

Hashes

SHA1: a9001f54857a3e03b19720bc347cf53949ef238c
SHA256: b13907c1f1a6431586f06da2228b51ce059a387409b26108de0f5d0b3ee12194
MD5: fb5490a4443f76006e4f934718852559

Signatures

Execution

T1059.001 suspicious_powershell: Creates suspicious PowerShell process

T1204.002 mimics_extension: Attempts to mimic the file extension

T1047 has_wmi: Executes one or several WMI requests

Persistence

T1037 persistence_autorun: Makes itself run automatically on Windows startup

T1574.011 persistence_services: Modifies Services registry key

T1543.003 persistence_services: Modifies Services registry key

Privilege Escalation

T1037 persistence_autorun: Makes itself run automatically on Windows startup

T1574.011 persistence_services: Modifies Services registry key

T1543.003 persistence_services: Modifies Services registry key

T1055 injection_failed: The attempt to inject into a process has failed

T1134 opens_thread_token: Opens the access token associated with a thread

T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1564.001 stealth_file: Creates hidden or system files

T1036 mimics_extension: Attempts to mimic the file extension

T1574.011 persistence_services: Modifies Services registry key

T1055 injection_failed: The attempt to inject into a process has failed

T1134 opens_thread_token: Opens the access token associated with a thread

T1134 opens_process_token: Opens the access token associated with a process

T1027 many_env_vars: An extensive number of environment variables has been created (possible sign of obfuscation)

T1202 lolbin_conhost: conhost.exe spawning unexpected processes via --headless argument

T1562.001 amsi_patching_attempt: Attempts to patch Microsoft AMSI protection (amsi.dll)

T1070 stealth_window: A process created a hidden window

T1497.001 antisandbox_script_timer: Detected script timer window (indicative of sleep style evasion)

Discovery

T1518.001 wmi_check_av: Uses WMI to check for installed antivirus software

T1518 locates_browser: Attempts to identify where browsers are installed

T1497.001 antisandbox_script_timer: Detected script timer window (indicative of sleep style evasion)

Exfiltration

T1022 encrypts_pc_info: Collects and encrypts information about the computer (possibly for exfiltration)

Other

copies_self: Creates a copy of itself

creates_exe: Creates executable files in the file system

network_powershell: PowerShell process network connection detected

no_graphical_activity: No graphic activity

create_rpc_bindings: Creates RPC connection

creates_suspended_process: Creates suspended process

test_check_service: Starts services

writes_data: Writes big amount of data to disk

Managed XDR