Managed XDR

e290e952-3c1e-4287-ed0...-6938-e6912f14cf85.eml — malware analysis report

File info

Filename
e290e952-3c1e-4287-ed0e-08dd87bdddc3-866545c3-e288-5304-6938-e6912f14cf85.eml
File type
RFC 822 mail, ASCII text, with very long lines, with CRLF line terminators
File size
26.9 KB
First seen
Last seen

Environment

win7/x86 en

Hashes

SHA1
e109563c0e1e9aeb922a360e30e6620112f6220d
SHA256
bf1073738ab76e2f154191e6e222b517fbaadb3b736a3d9c7c579f688d887d7e
MD5
8e7b1bb60b7c7fa34df20fa741f134a0

Signatures

Execution

T1059.001 suspicious_powershell: Creates suspicious powershell process
T1204.002 mimics_extension: Attempts to mimic the file extension
T1059.001 suspicious_process: Spawns a suspicious process
T1059.001 url_cmdline: Cmdline of process contains URL
T1059.003 url_cmdline: Cmdline of process contains URL

Privilege Escalation

T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1036 mimics_extension: Attempts to mimic the file extension
T1497.001 antisandbox_script_timer: Detected script timer window (indicative of sleep style evasion)
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Discovery

T1497.001 antisandbox_script_timer: Detected script timer window (indicative of sleep style evasion)

Other

yara_rules: Static rules
creates_exe: Creates executable files in the file system
no_graphical_activity: No graphic activity
checktokenmembership: Checks user token with CheckTokenMembership call
suricata_alert: Malicious traffic detected