Managed XDR

temp-76-.eml — malware analysis report

File info

Filename
temp-76-.eml
File type
RFC 822 mail, ASCII text, with CRLF line terminators
File size
777.5 KB
First seen
Last seen

Environment

w10/x86 en

Hashes

SHA1
404394b66c80c8fb8ae540bfa3f68fd9edbfef23
SHA256
aa9342a3fbac6eb23162c4849291de6009ccb126ed484cd0af49c324b8d9285f
MD5
b4f2de89bf68e8f9950e84e3679be566

Signatures

Execution

T1059.005 bad_vbs: Suspicious VBScript file
T1059.003 suspicious_process: Spawns a suspicious process
T1059.005 obfuscated_vbs: Detected obfuscated VBS
T1059.003 executes_dropped_cmd: Executes dropped batch files
T1059.003 suspicious_batch: Suspicious batch

Privilege Escalation

T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1027 obfuscated_vbs: Detected obfuscated VBS
T1497 debugs_self: Creates a process and debugs it
T1497.001 antisandbox_script_timer: Detected script timer window (indicative of sleep style evasion)
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Discovery

T1497 debugs_self: Creates a process and debugs it
T1497.001 antisandbox_script_timer: Detected script timer window (indicative of sleep style evasion)

Other

creates_exe: Creates executable files in the file system
no_graphical_activity: No graphic activity
create_rpc_bindings: Creates RPC connection
creates_suspended_process: Creates suspended process
checktokenmembership: Checks user token with CheckTokenMembership call
writes_data: Writes big amount of data to disk