Managed XDR

pe2qesm3ac88qa58kqtfsusult7fhkltpdlvjho1 — malware analysis report

File info

Filename: pe2qesm3ac88qa58kqtfsusult7fhkltpdlvjho1
File type: SMTP mail, ASCII text, with very long lines, with CRLF line terminators
File size: 788.7 KB
First seen:
Last seen:

Environment

win7/x64 en

Hashes

SHA1: 59ddbd6725488044cad9298c33239038ab4b5896
SHA256: 847fb27e3769d17cc0afbfa335926d5dd0a905ef528fbb1d41b8e5b48de06bc7
MD5: 4817db2623f425d36e5e0a256ae15cec

Signatures

Privilege Escalation

T1055.002 inject_write_pe: Writes PE file to another process's memory
T1055.012 injection_runpe: Injects code into another process
T1134 sets_privilegies_via_adjusttokenprivileges: Sets process privilege via AdjustTokenPrivileges
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1218 bypass_dev_utils: Executing .NET utility in a suspended state, potentially for injection
T1055.002 inject_write_pe: Writes PE file to another process's memory
T1055.012 injection_runpe: Injects code into another process
T1134 sets_privilegies_via_adjusttokenprivileges: Sets process privilege via AdjustTokenPrivileges
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Other

yara_rules: Static rules
dead_host: Connects to IP addresses that do not respond to requests
create_rpc_bindings: Creates RPC connection
has_pdb: This executable file has a PDB path
creates_suspended_process: Creates suspended process
break_limit_exceeded: Warning: function calls limit has been exceeded
get_policy_info: Retrieves information about a Policy object