Managed XDR

your-invoice-european-...-is-available..eml.msg — malware analysis report

File info

Filename
your-invoice-european-construction-chemicals-2026018-is-available..eml.msg
File type
Composite Document File V2 Document, No summary info
File size
113.5 KB
First seen
Last seen

Environment

w10/x64 en

Hashes

SHA1
399e45b0e9a76b73f8077122d63a39933135b496
SHA256
4347342a2aa787dd79e53abbc7eea6eb3136e5543c1a832875d03e0b793ec1ee
MD5
0d5215d4a513f94826a4007a736a95dd

Signatures

Initial Access

T1192 html_urls: HTML-document downloads a file

Persistence

T1574 dropper_dll: Creates DLL, which is then loaded into the process

Privilege Escalation

T1068 integrity_level: Process privileges have been escalated
T1055.012 injection_runpe: Injects code into another process
T1055 injection_thread: Code injection to a remote process using CreateRemoteThread or NtQueueApcThread
T1574 dropper_dll: Creates DLL, which is then loaded into the process
T1134 sets_privilegies_via_adjusttokenprivileges: Sets process privilege via AdjustTokenPrivileges
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1055.012 injection_runpe: Injects code into another process
T1055 injection_thread: Code injection to a remote process using CreateRemoteThread or NtQueueApcThread
T1497.001 antivm_disk_size: Checks the amount of free disk space
T1497.003 antisandbox_idletime: Detects Windows Idle Time to determine the uptime
T1497.001 antivm_network_adapters: Checks NIC addresses
T1480 system_default_lang_id_present: Checks the system language
T1574 dropper_dll: Creates DLL, which is then loaded into the process
T1134 sets_privilegies_via_adjusttokenprivileges: Sets process privilege via AdjustTokenPrivileges
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process
T1497 evasion_printers: Attempts to detect a sandbox by enumerating existing printers
T1497.001 antivm_queries_computername: Retrieves the computer name

Credential Access

T1555.004 windows_credential_manager: Acquire credentials from the Windows Credential Manager

Discovery

T1057 process_interest: Enumerates processes
T1497.001 antivm_disk_size: Checks the amount of free disk space
T1497.003 antisandbox_idletime: Detects Windows Idle Time to determine the uptime
T1518 locates_browser: Attempts to identify where browsers are installed
T1497.001 antivm_network_adapters: Checks NIC addresses
T1135 server_share_info: Retrieves information about each shared resource on a server
T1016 get_hostname: Attempts to get hostname
T1497 evasion_printers: Attempts to detect a sandbox by enumerating existing printers
T1497.001 antivm_queries_computername: Retrieves the computer name

Command and Control

T1102.003 cloud_github: Connects to GitHub cloud services (potentially for malicious payload delivery)
T1071.001 winhttp_https: Performs HTTP/HTTPS requests using WinHttp
T1071.001 wininet_https: Performs HTTP/HTTPS requests using WinInet

Impact

T1486 modifies_files: Cryptolocker indicators detected (renamed 50 or more files)

Other

event_hook: Hooks Windows events associated with UI
network_bind: Starts servers listening at None
creates_exe: Creates executable files in the file system
executes_dropped_exe: Executes dropped exe files
process_crashed: One of the processes has failed
create_rpc_bindings: Creates RPC connection
creates_suspended_process: Creates suspended process
test_check_service: Starts services
checktokenmembership: Checks user token with CheckTokenMembership call
writes_data: Writes a large amount of data to disk
pe_overlay: PE file contains overlay
valid_authenticode: The digital signature has been verified