Managed XDR

po.eml — malware analysis report

File info

Filename
po.eml
File type
UTF-8 Unicode text, with very long lines, with CRLF line terminators
File size
969.3 KB
First seen
Last seen

Environment

win7/x86 en

Hashes

SHA1
21a9da8c3b0c5bcf4ca64d2ac4ab8c4d999666d8
SHA256
ae25539861f938a1e264ed4fa98c43aca0a6d9e798476be4c0338ef43bf3a6bc
MD5
5c95384491eec2d692d90be5e901e365

Signatures

Execution

T1059.001 suspicious_powershell: Creates a suspicious PowerShell process

Persistence

T1574 dropper_dll: Creates a DLL, which is then loaded into the process

Privilege Escalation

T1574 dropper_dll: Creates a DLL, which is then loaded into the process
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1574 dropper_dll: Creates a DLL, which is then loaded into the process
T1027.002 nsis_archive: One of the packages is an NSIS archive
T1480 system_default_lang_id_present: Checks the system language
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Other

yara_rules: Static rules
creates_exe: Creates executable files in the file system
pe_overlay: PE file contains an overlay
executes_dropped_exe: Executes dropped executable files