Managed XDR

4a2e2fd8200ec0b688e409...d9e9d949ba05f4ae70.eml — malware analysis report

File info

Filename: 4a2e2fd8200ec0b688e4098f36eb46e8ce64e1519f0beed9e9d949ba05f4ae70.eml
File type: ASCII text, with very long lines, with CRLF line terminators
File size: 2.3 MB
First seen: 2025-10-14 07:19
Last seen: 2025-10-14 07:19

Environment

win7/x86 en

Hashes

SHA1: c2ee8a79ce689c94e85c91ff7467843660f8e8a9
SHA256: 81ea4bd65495bb0c2cb95e5dbb13fa6cf0ae176ea42f4275ea3579be6872641e
MD5: c15414644af4b3c954db729ef0b70fb6

Signatures

Initial Access

T1192 html_urls: HTML-document downloads a file

Execution

T1059.001 suspicious_powershell: Creates suspicious powershell process

T1059.001 suspicious_process: Spawns a suspicious process

T1064 office_macros: The document contains macro

Privilege Escalation

T1134 opens_thread_token: Opens the access token associated with a thread

T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1497 windows_enumthread: Attempts to enumerate windows using EnumThreadWindows and SendMessage for text obtaining

T1497.002 async_mouse: Watches for mouse clicks using GetAsyncKeyState to detect human activity

T1497.003 antisandbox_sleep: The process attempted to slow down analysis

T1064 office_macros: The document contains macro

T1070 stealth_window: A process created a hidden window

T1134 opens_thread_token: Opens the access token associated with a thread

T1134 opens_process_token: Opens the access token associated with a process

Credential Access

T1555.003 cookie_files: Accesses cookie files

T1552 cookie_files: Accesses cookie files

Discovery

T1497 windows_enumthread: Attempts to enumerate windows using EnumThreadWindows and SendMessage for text obtaining

T1497.002 async_mouse: Watches for mouse clicks using GetAsyncKeyState to detect human activity

T1497.003 antisandbox_sleep: The process attempted to slow down analysis

T1082 windows_enumthread: Attempts to enumerate windows using EnumThreadWindows and SendMessage for text obtaining

Command and Control

T1071.001 network_cnc_http: Suspicious HTTP traffic

T1071.001 network_http: Performs HTTP requests

T1071.001 winhttp_https: Performs HTTP/HTTPS requests using WinHttp

T1071.001 wininet_https: Performs HTTP/HTTPS requests using WinInet

Other

yara_rules: Static rules

suricata_alert: Malicious traffic detected

modifies_certs: Attempts to generate or modify system certificates

suspicious_process_network: Unusual process network activity detected

office_summary: The document contains suspicious metadata

create_rpc_bindings: Creates RPC connection

get_policy_info: Retrieves information about a Policy object

test_check_service: Starts services

office_links: Office file contains external links

antisandbox_check_graphics_card: Uses CreateDXGIFactory, potentially to detect graphics card

Managed XDR