Managed XDR

20250707_fp_100_347.eml — malware analysis report

File info

Filename: 20250707_fp_100_347.eml
File type: UTF-8 Unicode text
File size: 565.2 KB
First seen: 2025-07-09 18:46
Last seen: 2025-07-09 18:46

Environment

win7/x86 en

Hashes

SHA1: 4af8f7ca955b03bdfc6260b64b63bd4d72eae4a1
SHA256: 591e32c27119f5f5ff6055f63d102692155c130855bf9d6ecd0ba424f8fbf091
MD5: 6124da252c4ed7a70604395c570e4f85

Signatures

Initial Access

T1192 html_urls: HTML-document downloads a file

Execution

T1064 office_macros_suspicious: Document contains suspicious macro

T1064 office_macros: The document contains macro

T1064 office_macros_strings: Feature lines found in document macro

Privilege Escalation

T1134 sets_privilegies_via_adjusttokenprivileges: Sets process privilege via AdjustTokenPrivileges

T1134 opens_thread_token: Opens the access token associated with a thread

T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1221 office_attached_template: Office file attempts to download a suspicious template from the Internet

T1064 office_macros_suspicious: Document contains suspicious macro

T1497 evasion_trustrecords: Attempts to detect Sandbox exploring trusted documents

T1497 windows_enumthread: Attempts to enumerate windows using EnumThreadWindows and SendMessage for text obtaining

T1497.001 antivm_queries_computername: Retrieves the computer name

T1497.002 async_mouse: Watches for mouse clicks using GetAsyncKeyState to detect human activity

T1134 sets_privilegies_via_adjusttokenprivileges: Sets process privilege via AdjustTokenPrivileges

T1134 opens_thread_token: Opens the access token associated with a thread

T1134 opens_process_token: Opens the access token associated with a process

T1064 office_macros: The document contains macro

T1064 office_macros_strings: Feature lines found in document macro

Credential Access

T1555.003 cookie_files: Accesses cookie files

T1552 cookie_files: Accesses cookie files

Discovery

T1082 windows_enumthread: Attempts to enumerate windows using EnumThreadWindows and SendMessage for text obtaining

T1497 evasion_trustrecords: Attempts to detect Sandbox exploring trusted documents

T1497 windows_enumthread: Attempts to enumerate windows using EnumThreadWindows and SendMessage for text obtaining

T1497.001 antivm_queries_computername: Retrieves the computer name

T1497.002 async_mouse: Watches for mouse clicks using GetAsyncKeyState to detect human activity

T1083 checks_recent_files: Attempt to check recently opened files through registry

Command and Control

T1071.001 winhttp_https: Performs HTTP/HTTPS requests using WinHttp

T1071.001 wininet_https: Performs HTTP/HTTPS requests using WinInet

Other

dead_host: Connects to IP addresses that do not respond to requests

create_rpc_bindings: Creates RPC connection

break_limit_exceeded: Warning: function calls limit has been exceeded

get_policy_info: Retrieves information about a Policy object

test_check_service: Starts services

office_links: Office file contains external links

antisandbox_check_graphics_card: Uses CreateDXGIFactory, potentially to detect graphics card