Managed XDR

48e51b99-40a0-3006-b23d-c67d5bb42f4a.eml — malware analysis report

File info

Filename
48e51b99-40a0-3006-b23d-c67d5bb42f4a.eml
File type
RFC 822 mail, UTF-8 Unicode text, with CRLF line terminators
File size
3.5 MB
First seen
Last seen

Environment

win7/x64 en

Hashes

SHA1
e2bea2b98ad788bdb6619b3afd5625e98d69b4b8
SHA256
e93df76e9b5fa6106e4788b9f5c3e2eea5caee133c88d399857940d0f3797c6e
MD5
a5d475fcd3a354eddce70f6ae7a36965

Signatures

Initial Access

T1192 html_urls: HTML-document downloads a file

Execution

T1204.002 mimics_extension: Attempts to mimic the file extension

Persistence

T1574 dropper_dll: Creates DLL, which is then loaded into the process

Privilege Escalation

T1134 opens_process_token: Opens the access token associated with a process
T1574 dropper_dll: Creates DLL, which is then loaded into the process

Defense Evasion

T1218 bypass_dev_utils: Executing .NET utility in a suspended state, potentially for injection
T1036 mimics_extension: Attempts to mimic the file extension
T1027.002 packer_entropy: Probably contains compressed or encrypted data
T1027.002 pe_features: Executable file has PE anomalies (may be false positive)
T1134 opens_process_token: Opens the access token associated with a process
T1574 dropper_dll: Creates DLL, which is then loaded into the process

Discovery

T1057 process_interest: Enumerates processes

Other

yara_rules: Static rules
no_graphical_activity: No graphic activity
valid_authenticode: The digital signature has been verified
net_dumps_in_native: .Net dumps have been found in native PE
has_pdb: This executable file has a PDB path
creates_suspended_process: Creates suspended process
pe_overlay: PE file contains overlay