Managed XDR

1757972503.m917902p181....rootservercloud.com-s — отчёт о динамическом анализе вредоносного файла

Информация о файле

Имя файла
1757972503.m917902p1816849.paul.rootservercloud.com-s
Тип файла
SMTP mail, ASCII text
Размер файла
206.7 KB
Первое обнаружение
Последнее обнаружение

Окружение

win7/x86 en

Хеши

SHA1
9c2071b32af7b51d3bf3a1d70548567c76e384dc
SHA256
cc8f9f9fb1e6dfca5dc1a1361e0eb7c6e24750587b0b16187704c7322ad80dff
MD5
d9aedd61feb5a4c8d5e42f58e635769c

Сигнатуры

Execution

T1059.001 suspicious_powershell: Creates suspicious powershell process
T1059 powershell_cmd_longcommandline: Suspiciously long commandline
T1059.001 suspicious_process: Spawns a suspicious process
T1059.003 suspicious_batch: Suspicious batch

Privilege Escalation

T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1027 many_env_vars: An extensive number of environment variables has been created (possible sign of obfuscation)
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Discovery

T1518 locates_browser: Attempts to identify where browsers are installed

Other

creates_exe: Creates executable files in the file system
pdf_page: Contains only one page
no_graphical_activity: No graphic activity
pdf_compressed_stream: Contains an object with compressed stream
checktokenmembership: Checks user token with CheckTokenMembership call