purchase-order-po28052025_jiqko.eml — malware analysis report

File info

Filename: purchase-order-po28052025_jiqko.eml
File type: HTML document, ASCII text, with CRLF line terminators
File size: 9 KB
First seen
Last seen

Environment

win7/x86 en

Hashes

SHA1: 67b8bd1e2c320229386392b74e59ef924db255e0
SHA256: a6d325007ae928ef000c9bfb36d840c6eee8fa62fd5b329dc9ca68212e1be5ee
MD5: 91f3fd26b3f18c079f35d5d9afd3bf79

Signatures

Initial Access

T1192 html_urls: HTML-document downloads a file

Execution

T1059.001 suspicious_powershell: Creates suspicious powershell process
T1059.001 suspicious_process: Spawns a suspicious process
T1059.001 url_cmdline: Cmdline of process contains URL
T1059.003 url_cmdline: Cmdline of process contains URL

Privilege Escalation

T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1497.003 antisandbox_sleep_utilities: Uses Windows utilities for pausing the execution
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Discovery

T1497.003 antisandbox_sleep_utilities: Uses Windows utilities for pausing the execution

Command and Control

T1071.001 network_cnc_http: Suspicious HTTP traffic
T1071.001 network_http: Performs HTTP requests

Other

suricata_alert: Malicious traffic detected
code_share_services: Connects to text storage services (potentially for malicious payload delivery)
creates_exe: Creates executable files in the file system
unexpected_exception: Unexpected exception
creates_in_programdata: Creates files in the ProgramData directory
checktokenmembership: Checks user token with CheckTokenMembership call