Managed XDR

3b69470d4aea271a7ec758...23c3a5c164f776ae82.eml (XWorm) — malware analysis report

File info

Filename
3b69470d4aea271a7ec758bf80defb3c6b309090a1d2f523c3a5c164f776ae82.eml
File type
HTML document, ASCII text, with very long lines, with CRLF line terminators
File size
89.5 KB
First seen
Last seen

Environment

w10/x86 en

Hashes

SHA1
30fadc8c5a57ef2a891c193c2d9a3006c57f2e38
SHA256
24918f4c44091a500025696799a9d4cf800b45fbb56f7aeeee87992d83d1f1de
MD5
8892ad62420e22a1e7db06c5c15e233c

Malwares

  • XWorm

Signatures

Execution

T1059.001 suspicious_powershell: Creates suspicious powershell process
T1059 powershell_cmd_longcommandline: Suspiciously long commandline
T1059.001 suspicious_process: Spawns a suspicious process
T1059.003 suspicious_process: Spawns a suspicious process
T1047 has_wmi: Executes one or several WMI requests
T1059.003 executes_dropped_cmd: Executes dropped batch files
T1059.003 suspicious_batch: Suspicious batch

Privilege Escalation

T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1497 debugs_self: Creates a process and debugs it
T1497.003 antisandbox_idletime: Detects Windows Idle Time to determine the uptime
T1497.001 antisandbox_script_timer: Detected script timer window (indicative of sleep style evasion)
T1497.001 antivm_queries_computername: Retrieves the computer name
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Discovery

T1497 debugs_self: Creates a process and debugs it
T1497.003 antisandbox_idletime: Detects Windows Idle Time to determine the uptime
T1518.001 wmi_check_av: Uses WMI to check for installed antivirus software
T1082 has_wmi: Executes one or several WMI requests
T1497.001 antisandbox_script_timer: Detected script timer window (indicative of sleep style evasion)
T1497.001 antivm_queries_computername: Retrieves the computer name

Exfiltration

T1022 encrypts_pc_info: Collects and encrypts information about the computer (possibly for exfiltration)

Other

suricata_alert: Malicious traffic detected
creates_exe: Creates executable files in the file system
ps_ep_changed: Changes Powershell execution policy
network_powershell: Powershell process network connection detected
telegram_api: Telegram Messenger API is used
no_graphical_activity: No graphic activity
create_rpc_bindings: Creates RPC connection
creates_suspended_process: Creates suspended process
checktokenmembership: Checks user token with CheckTokenMembership call
writes_data: Writes big amount of data to disk

Related reports