Managed XDR

new-order10004-.msg — malware analysis report

File info

Filename
new-order10004-.msg
File type
CDFV2 Microsoft Outlook Message
File size
105.5 KB
First seen
Last seen

Environment

win7/x64 en

Hashes

SHA1
bbc439872ac047962c30c3faf02ec71aa6ef92d8
SHA256
145b35b72edfc9b6bd6f521fef845a9e450ddef94d5a50d29f2321135d755b85
MD5
6deb8ee17da7fd2befef32262c1d808c

Signatures

Privilege Escalation

T1134 sets_privilegies_via_adjusttokenprivileges: Sets process privilege via AdjustTokenPrivileges
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1027.002 unnamed_memory_regions: Code was executed in unnamed regions
T1497.003 antisandbox_sleep: The process attempted to slow down analysis
T1134 sets_privilegies_via_adjusttokenprivileges: Sets process privilege via AdjustTokenPrivileges
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Discovery

T1497.003 antisandbox_sleep: The process attempted to slow down analysis

Command and Control

T1102.003 references_onedrive: Contains links to cloud services of Onedrive (potentially for malicious payload delivery)

Other

yara_rules: Static rules
static_pe_anomaly: The PE file structure contains anomalies
suspicious_pdf: PDF file with suspicious content
pdf_page: Contains only one page
suspicious_pdf_link: PDF file with suspicious hyperlink or content
pdf_compressed_stream: Contains an object with compressed stream
has_pdb: This executable file has a PDB path
dotnet_import_unmanaged_code: Dotnet program statically imports unmanaged functions/modules
get_policy_info: Retrieves information about a Policy object
office_links: Office file contains external links
dotnet_use_suspicious_functions: Dotnet program potentially uses suspicious functions/modules
pe_overlay: PE file contains overlay