Managed XDR

ayuda-new-1739542875.m...er.net-s-76671-w-77898 — malware analysis report

File info

Filename
ayuda-new-1739542875.m922415p23389.m14200.contaboserver.net-s-76671-w-77898
File type
SMTP mail, UTF-8 Unicode text, with very long lines
File size
74.9 KB
First seen
Last seen

Environment

win7/x86 en

Hashes

SHA1
1ec1d1cba7c8c7e77bf8e5b72c8ab148c2a4e013
SHA256
8015de1730a8ad5c37bf7418f2b0fe5077c9d53b7daa657d12b07ecf91f57d3e
MD5
900980c825ff05004654a218fb8731d5

Signatures

Execution

T1059.001 suspicious_process: Spawns a suspicious process
T1059.003 suspicious_process: Spawns a suspicious process
T1059.003 executes_dropped_cmd: Executes dropped batch files
T1059.005 obfuscated_vbs: Detected obfuscated VBS
T1059 wscript_info_discovery: Collects info about system with Wscript.Shell
T1059.003 suspicious_batch: Suspicious batch
T1059.005 bad_vbs: Suspicious VBScript file

Privilege Escalation

T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1027 obfuscated_vbs: Detected obfuscated VBS
T1497.001 antisandbox_script_timer: Detected script timer window (indicative of sleep style evasion)
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Discovery

T1497.001 antisandbox_script_timer: Detected script timer window (indicative of sleep style evasion)
T1033 wscript_info_discovery: Collects info about system with Wscript.Shell

Other

yara_rules: Static rules
runs_utility_without_cmdline: Runs system utility without arguments (non-typical usage)
creates_exe: Creates executable files in the file system
no_graphical_activity: No graphic activity
get_policy_info: Retrieves information about a Policy object
checktokenmembership: Checks user token with CheckTokenMembership call