Managed XDR

banned-20260604t152635-26180-05 — malware analysis report

File info

Filename
banned-20260604t152635-26180-05
File type
SMTP mail, ASCII text
File size
44.8 KB
First seen
Last seen

Environment

w10/x64 en

Hashes

SHA1
1c76c13ee95e15635c3752e0d050e59458e4efa7
SHA256
626cdf0b217caec3e1ededacb8bd8f290c7d5b3c1e0971f66c57d9d45b6a0e64
MD5
584eec8ed2782ce92deef941b3f315eb

Signatures

Execution

T1059 network_wscript_downloader: Wscript.exe initiated network communication
T1059.005 bad_vbs: Suspicious VBScript file
T1047 antivm_wmi: Uses WMI to detect virtual environment
T1047 has_wmi: Executes one or several WMI requests

Privilege Escalation

T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1497.001 antivm_wmi: Uses WMI to detect virtual environment
T1497.001 antisandbox_script_timer: Detected script timer window (indicative of sleep style evasion)
T1497.001 antivm_generic_productname: Checks system product name in registry, possibly for anti-virtualization
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Discovery

T1497.001 antivm_wmi: Uses WMI to detect virtual environment
T1082 has_wmi: Executes one or several WMI requests
T1497.001 antisandbox_script_timer: Detected script timer window (indicative of sleep style evasion)
T1497.001 antivm_generic_productname: Checks system product name in registry, possibly for anti-virtualization

Command and Control

T1071 network_wscript_downloader: Wscript.exe initiated network communication
T1071.001 wininet_https: Performs HTTP/HTTPS requests using WinInet

Other

no_graphical_activity: No graphic activity
create_rpc_bindings: Creates RPC connection
message_box: Displays a message