Managed XDR

banned-20260604t082843-01621-12 — malware analysis report

File info

Filename
banned-20260604t082843-01621-12
File type
SMTP mail, ASCII text
File size
26.8 KB
First seen
Last seen

Environment

w10/x64 en

Hashes

SHA1
bdf4685bcaff26a205923fba9774f2e556d210d8
SHA256
832c1a0e20bcde6e9b01e67f67362055f6e9c26e465e39a3f7b105d36927da7c
MD5
d07ec0eaf8fe3ca078f8a2e9d8a2bbe8

Signatures

Initial Access

T1192 html_urls: HTML-document downloads a file

Execution

T1059 network_wscript_downloader: Wscript.exe initiated network communication
T1059.005 bad_vbs: Suspicious VBScript file
T1047 antivm_wmi: Uses WMI to detect virtual environment
T1047 has_wmi: Executes one or several WMI requests

Privilege Escalation

T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1497.001 antivm_wmi: Uses WMI to detect virtual environment
T1497 evasion_printers: Attempts to detect Sandbox by exploring existing printers
T1497.001 antisandbox_script_timer: Detected script timer window (indicative of sleep style evasion)
T1497.001 antivm_generic_productname: Checks system product name in registry, possibly for anti-virtualization
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Credential Access

T1555.004 windows_credential_manager: Acquire credentials from the Windows Credential Manager

Discovery

T1082 has_wmi: Executes one or several WMI requests
T1497.001 antivm_wmi: Uses WMI to detect virtual environment
T1057 has_wmi: Executes one or several WMI requests
T1497 evasion_printers: Attempts to detect Sandbox by exploring existing printers
T1497.001 antisandbox_script_timer: Detected script timer window (indicative of sleep style evasion)
T1497.001 antivm_generic_productname: Checks system product name in registry, possibly for anti-virtualization

Command and Control

T1071 network_wscript_downloader: Wscript.exe initiated network communication
T1071.001 winhttp_https: Performs HTTP/HTTPS requests using WinHttp
T1071.001 wininet_https: Performs HTTP/HTTPS requests using WinInet

Other

network_bind: Starts servers listening at None
no_graphical_activity: No graphic activity
create_rpc_bindings: Creates RPC connection
message_box: Displays a message
suspicious_network_port: Performs TCP or UDP request to non-standard port
test_check_service: Starts services