Managed XDR

13308.s.eml — malware analysis report

File info

Filename
13308.s.eml
File type
SMTP mail, ASCII text, with CRLF line terminators
File size
187.4 KB
First seen
Last seen

Environment

win7/x86 en

Hashes

SHA1
c097a97a6dc7a893b3774f67298d565f1c30e673
SHA256
677922710d2fb328ac307d756b395329d807bca7febf1c0b9e2b253791ffa0f7
MD5
3831823044e331368547e0e6f426cdf0

Signatures

Initial Access

T1192 html_urls: HTML-document downloads a file

Execution

T1059.001 suspicious_powershell: Suspicious document behaviour (creates powershell process)
T1059.001 suspicious_process: Spawns a suspicious process
T1204.002 office_vb_load: Microsoft Office is loading VB DLL files (macros usage indicator)
T1064 office_macros: The document contains macro
T1064 office_macros_autoexec: The document contains an auto-start macro
T1059.001 url_cmdline: Cmdline of process contains URL
T1059.003 url_cmdline: Cmdline of process contains URL

Privilege Escalation

T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process
T1064 office_macros: The document contains macro
T1064 office_macros_autoexec: The document contains an auto-start macro
T1070 stealth_window: A process created a hidden window

Credential Access

T1555.003 cookie_files: Accesses cookie files
T1552 cookie_files: Accesses cookie files

Discovery

T1083 checks_recent_files: Attempt to check recently opened files through registry

Other

yara_rules: Static rules
dead_host: Connects to IP addresses that do not respond to requests
office_summary: The document contains suspicious metadata
get_policy_info: Retrieves information about a Policy object
antisandbox_check_graphics_card: Uses CreateDXGIFactory, potentially to detect graphics card
suricata_alert: Malicious traffic detected