Managed XDR

re-enquiry.msg — malware analysis report

File info

Filename: re-enquiry.msg
File type: CDFV2 Microsoft Outlook Message
File size: 169.5 KB
First seen: 2025-11-03 09:31
Last seen: 2025-11-03 09:31

Environment

w10/x86 en

Hashes

SHA1: 908817cab1c66677923d58e97eb4ba5dbd132cf2
SHA256: e216c5e3de22f993e1bc8b80e60dede53403ac0edea953b32b7cc64591b9f83b
MD5: 0161eef250799b4ad7993666b8f14484

Signatures

Execution

T1203 office_exploit_creates_cmd: The document exhibits suspicious behaviour (creates a cmd.exe process)

T1059 cmd_vbs: Uses cmd.exe to generate VBS

T1059.001 suspicious_powershell: Creates suspicious powershell process

T1203 chm_run_process: Windows HtmlHelp file runs an application

T1059.001 suspicious_process: Spawns a suspicious process

T1059.001 url_cmdline: Cmdline of process contains URL

T1059.003 suspicious_cmd: Executes cmd.exe with a suspicious command line

T1059.003 url_cmdline: Cmdline of process contains URL

T1047 has_wmi: Executes one or several WMI requests

Privilege Escalation

T1134 opens_thread_token: Opens the access token associated with a thread

T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1070 cmd_vbs: Uses cmd.exe to generate VBS

T1036 copies_utilities: Copies and runs system utility with different name

T1218.001 chm_run_process: Windows HtmlHelp file runs an application

T1027 suspicious_cmd: Executes cmd.exe with a suspicious command line

T1497.003 antisandbox_sleep: The process attempted to slow down analysis

T1134 opens_thread_token: Opens the access token associated with a thread

T1134 opens_process_token: Opens the access token associated with a process

T1497.001 antisandbox_script_timer: Detected script timer window (indicative of sleep style evasion)

Credential Access

T1555.003 cookie_files: Accesses cookie files

T1552 cookie_files: Accesses cookie files

Discovery

T1497.003 antisandbox_sleep: The process attempted to slow down analysis

T1083 crawls_directories: Opens a huge number of directories all over disk C: (possibly, searches for sensitive data)

T1082 uses_windows_utilities: Uses Windows utilities for basic Windows functionality

T1518 locates_browser: Attempts to identify where browsers are installed

T1497.001 antisandbox_script_timer: Detected script timer window (indicative of sleep style evasion)

Collection

T1560.001 archive_via_utility: Detected archiving data via utility

Command and Control

T1105 lolbin_extrac32: Download or Copy file with Extrac32

T1071.001 wininet_https: Performs HTTP/HTTPS requests using WinInet

Other

creates_exe: Creates executable files in the file system

executes_dropped_exe: Executes dropped exe files

dead_host: Connects to IP addresses that do not respond to requests

creates_suspended_process: Creates suspended process

test_check_service: Starts services

antisandbox_check_graphics_card: Uses CreateDXGIFactory, potentially to detect graphics card

checktokenmembership: Checks user token with CheckTokenMembership call

writes_data: Writes big amount of data to disk

Managed XDR