Managed XDR

jnpeipgollcj9jg4e6h94pjk7vf6ggg99nn7ogg1 — отчёт о динамическом анализе вредоносного файла

Информация о файле

Имя файла
jnpeipgollcj9jg4e6h94pjk7vf6ggg99nn7ogg1
Тип файла
SMTP mail, ASCII text, with very long lines, with CRLF line terminators
Размер файла
788.7 KB
Первое обнаружение
Последнее обнаружение

Окружение

win7/x64 en

Хеши

SHA1
c7ab76abffb1d77061fad762841be33ec4f6d794
SHA256
7c285166c56073c690853fbc75c35f9ca7c6cbf2d46b315371d4fb8260e9101c
MD5
be429aac84399236a776370c1fc92e9c

Сигнатуры

Privilege Escalation

T1055.002 inject_write_pe: Writes PE file to another process's memory
T1055.012 injection_runpe: Injects code into another process
T1134 sets_privilegies_via_adjusttokenprivileges: Sets process privilege via AdjustTokenPrivileges
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1218 bypass_dev_utils: Executing .NET utility in a suspended state, potentially for injection
T1055.002 inject_write_pe: Writes PE file to another process's memory
T1055.012 injection_runpe: Injects code into another process
T1134 sets_privilegies_via_adjusttokenprivileges: Sets process privilege via AdjustTokenPrivileges
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Other

yara_rules: Static rules
dead_host: Connects to IP addresses that do not respond to requests
create_rpc_bindings: Creates RPC connection
has_pdb: This executable file has a PDB path
creates_suspended_process: Creates suspended process
break_limit_exceeded: Warning: function calls limit has been exceeded
get_policy_info: Retrieves information about a Policy object