Managed XDR

nuevo-orden.msg (STRRAT) — malware analysis report

File info

Filename
nuevo-orden.msg
File type
CDFV2 Microsoft Outlook Message
File size
293 KB
First seen
Last seen

Environment

win7/x86 en

Hashes

SHA1
644331cdc797155157249600709666b2594c4ffc
SHA256
eb2997ec0dca9800162c21331d62cd578423c01cad4078d216716a07f9500bdc
MD5
f1303e2d7c4e350e0659ebf6b067f602

Malwares

  • STRRAT

Signatures

Execution

T1053.005 persistence_autorun: Makes itself run automatically on Windows startup
T1053.005 creates_tasks: Creates a delayed task using Task Scheduler
T1047 has_wmi: Executes one or several WMI requests

Persistence

T1053.005 persistence_autorun: Makes itself run automatically on Windows startup
T1547.001 persistence_autorun: Makes itself run automatically on Windows startup
T1053.005 creates_tasks: Creates a delayed task using Task Scheduler
T1574 dropper_dll: Creates DLL, which is then loaded into the process

Privilege Escalation

T1053.005 persistence_autorun: Makes itself run automatically on Windows startup
T1547.001 persistence_autorun: Makes itself run automatically on Windows startup
T1053.005 creates_tasks: Creates a delayed task using Task Scheduler
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process
T1574 dropper_dll: Creates DLL, which is then loaded into the process

Defense Evasion

T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process
T1574 dropper_dll: Creates DLL, which is then loaded into the process

Credential Access

T1552 cookie_files: Accesses cookie files
T1555.003 cookie_files: Accesses cookie files

Discovery

T1033 recon_beacon: The process has sent information about the computer over the network

Command and Control

T1071.001 recon_beacon: The process has sent information about the computer over the network
T1071.001 network_http: Performs HTTP requests
T1102.003 cloud_github: Connects to cloud services of Github (potentially for malicious payload delivery)

Other

suricata_alert: Malicious traffic detected
creates_exe: Creates executable files in the file system
ip_domains: Identifies an IP address using external resources
creates_in_programdata: Creates files in the ProgramData directory

Related reports