Managed XDR

1757978309.m630296p215....rootservercloud.com-s — malware analysis report

File info

Filename
1757978309.m630296p2155128.paul.rootservercloud.com-s
File type
SMTP mail, ASCII text
File size
207.3 KB
First seen
Last seen

Environment

win7/x86 en

Hashes

SHA1
dd6dca66c508f8877c04c6c4a333c07a86b064bb
SHA256
8c146b2a55d13f44e90cb79f904f221c6a5c1eedd05bdf9bb22e1dffa1efb804
MD5
918e63deeefb56b62a8c97c0697d7379

Signatures

Execution

T1059.001 suspicious_powershell: Creates suspicious powershell process
T1059 powershell_cmd_longcommandline: Suspiciously long commandline
T1059.001 suspicious_process: Spawns a suspicious process
T1059.003 suspicious_batch: Suspicious batch

Privilege Escalation

T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1027 many_env_vars: An extensive number of environment variables has been created (possible sign of obfuscation)
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Discovery

T1518 locates_browser: Attempts to identify where browsers are installed

Other

creates_exe: Creates executable files in the file system
pdf_page: Contains only one page
no_graphical_activity: No graphic activity
pdf_compressed_stream: Contains an object with compressed stream
checktokenmembership: Checks user token with CheckTokenMembership call