Managed XDR

20250728_fp_100_158.eml — malware analysis report

File info

Filename: 20250728_fp_100_158.eml
File type: ASCII text
File size: 552.5 KB
First seen: 2025-07-29 07:01
Last seen: 2025-07-29 07:01

Environment

w10/x86 en

Hashes

SHA1: 9c0bf13463ee179ddc9056452f0095b4cfdf7a19
SHA256: 904d53577f2e785f79b3e9e5194e3f194fce3d55deac3dfb9955515cf35da2d8
MD5: 05dd8cc5b3e61b9886587128f7af8b02

Signatures

Execution

T1047 antivm_wmi: Uses WMI to detect virtual environment

T1047 has_wmi: Executes one or several WMI requests

Privilege Escalation

T1055.002 inject_write_pe: Writes PE file to another process's memory

T1055.012 injection_runpe: Injects code into another process

T1134 sets_privilegies_via_adjusttokenprivileges: Sets process privilege via AdjustTokenPrivileges

T1134 opens_thread_token: Opens the access token associated with a thread

T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1218 bypass_dev_utils: Executing .NET utility in a suspended state, potentially for injection

T1055.002 inject_write_pe: Writes PE file to another process's memory

T1055.012 injection_runpe: Injects code into another process

T1497.001 antivm_wmi: Uses WMI to detect virtual environment

T1497.001 antivm_network_adapters: Checks NIC addresses

T1497.003 antisandbox_sleep: The process attempted to slow down analysis

T1134 sets_privilegies_via_adjusttokenprivileges: Sets process privilege via AdjustTokenPrivileges

T1134 opens_thread_token: Opens the access token associated with a thread

T1134 opens_process_token: Opens the access token associated with a process

T1070 stealth_window: A process created a hidden window

Discovery

T1082 recon_systeminfo: Collects system information (ipconfig, netstat, systeminfo, net)

T1497.001 antivm_wmi: Uses WMI to detect virtual environment

T1082 has_wmi: Executes one or several WMI requests

T1497.001 antivm_network_adapters: Checks NIC addresses

T1497.003 antisandbox_sleep: The process attempted to slow down analysis

T1016 system_network_configuration_discovery: System network configuration discovery detected

Other

yara_rules: Static rules

pe_in_bcryptdecrypt: PE found in BCryptDecrypt function

ipconfig_release: Removes network adapter IP address configuration

no_graphical_activity: No graphic activity

create_rpc_bindings: Creates RPC connection

creates_suspended_process: Creates suspended process

dotnet_import_unmanaged_code: Dotnet program statically imports unmanaged functions/modules

get_policy_info: Retrieves information about a Policy object

checktokenmembership: Checks user token with CheckTokenMembership call

dotnet_suspicious_entrypoint: Dotnet program has suspicious entrypoint

dotnet_downloader_possible_network_problem: Dotnet program possibly has network problem

dotnet_suspicious_module_name: Dotnet program has suspicious module name

Managed XDR