Managed XDR
Group-IB MDP Report
File info
Filename: purchase-order-po24090026.eml
File Type: HTML document, ASCII text, with CRLF line terminators
File Size: 16.7 KB
Env info
win7/x86 en
Hashes
SHA1: 2321ba29681c297ce472b0de27ef597a29a70401
SHA256: db5ca8a8c018b754f3892e593eefe128a0c4a66bdc917039d14cced49d7091a5
MD5: 50fe3f9d65fbefa58426f4b9d2e37d40
Signatures
Initial Access
T1192 html_urls: HTML-document downloads a file
Execution
T1059.001 suspicious_powershell: Creates suspicious powershell process
T1059.007 bad_js: Suspicious Javascript file
T1059.001 suspicious_process: Spawns a suspicious process
T1059.001 url_cmdline: Cmdline of process contains URL
T1059.003 url_cmdline: Cmdline of process contains URL
Privilege Escalation
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process
Defense Evasion
T1070 stealth_window: A process created a hidden window
T1497.001 antisandbox_script_timer: Detected script timer window (indicative of sleep style evasion)
T1497.003 antisandbox_sleep: The process attempted to slow down analysis
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process
Discovery
T1497.001 antisandbox_script_timer: Detected script timer window (indicative of sleep style evasion)
T1497.003 antisandbox_sleep: The process attempted to slow down analysis
Other
modifies_certs: Attempts to generate or modify system certificates
no_graphical_activity: No graphic activity
get_policy_info: Retrieves information about a Policy object
checktokenmembership: Checks user token with CheckTokenMembership call
next report: 6a9ffb69-adaa-48b3-a91b-bb6b926de539
previous report: d5e3dc50-de37-486f-a05a-83f2c13c95b5
Managed XDR