Managed XDR

6d691633-3b74-8c8f-e51b-c1088fc06429.eml (CloudEyE) — отчёт о динамическом анализе вредоносного файла

Информация о файле

Имя файла
6d691633-3b74-8c8f-e51b-c1088fc06429.eml
Тип файла
RFC 822 mail, ASCII text, with CRLF line terminators
Размер файла
608.9 KB
Первое обнаружение
Последнее обнаружение

Окружение

win7/x86 en

Хеши

SHA1
f77f2aeb5e21a0900d3e118f581d0434494ae20e
SHA256
7ec353ebf46e67da658bb401e3cd6c2e5f3ec1f7c4290f0d900cea58f84e66e3
MD5
fba2c4dc659da593485900ee29402184

Вредоносное ПО

  • CloudEyE

Сигнатуры

Initial Access

T1192 html_urls: HTML-document downloads a file

Execution

T1059.001 suspicious_process: Spawns a suspicious process
T1059.007 bad_js: Suspicious Javascript file
T1059.001 suspicious_powershell: Creates suspicious powershell process
T1047 has_wmi: Executes one or several WMI requests
T1559.001 com_exec: Execution of Win32_Process.Create COM Method
T1106 susp_callbacks: Suspicious usage of some WinAPI with callbacks

Privilege Escalation

T1055.012 injection_runpe: Injects code into another process
T1055.004 injection_ntqueueapcthread: Injects into another process using NtQueueApcThread
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1055.012 injection_runpe: Injects code into another process
T1027.002 guloader_behaviour: Cloudeye/GuLoader specific behaviour has been detected
T1497 antidbg_setinformationthread: Attempts to evade debugger using NtSetInformationThread
T1055.004 injection_ntqueueapcthread: Injects into another process using NtQueueApcThread
T1497 debugs_self: Creates a process and debugs it
T1027.002 unnamed_memory_regions: Code was executed in unnamed regions
T1497.001 antisandbox_script_timer: Detected script timer window (indicative of sleep style evasion)
T1497.003 antisandbox_sleep: The process attempted to slow down analysis
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Credential Access

T1555.003 cookie_files: Accesses cookie files
T1552 cookie_files: Accesses cookie files

Discovery

T1497 antidbg_setinformationthread: Attempts to evade debugger using NtSetInformationThread
T1497 debugs_self: Creates a process and debugs it
T1057 has_wmi: Executes one or several WMI requests
T1497.001 antisandbox_script_timer: Detected script timer window (indicative of sleep style evasion)
T1497.003 antisandbox_sleep: The process attempted to slow down analysis
T1082 reads_csrss: Attempts to read csrss.exe memory

Command and Control

T1102.003 cloud_google: Connects to cloud services of Google (potentially for malicious payload delivery)
T1071.001 network_http: Performs HTTP requests
T1071.001 winhttp_https: Performs HTTP/HTTPS requests using WinHttp
T1071.001 wininet_openurl: Performs HTTP/HTTPS-requests using InternetOpenUrl

Other

yara_rules: Static rules
modifies_certs: Attempts to generate or modify system certificates
runs_utility_without_cmdline: Runs system utility without arguments (non-typical usage)
suspicious_process_network: Unusual process network activity detected
unexpected_exception: Unexpected exception
no_graphical_activity: No graphic activity
create_rpc_bindings: Creates RPC connection
creates_suspended_process: Creates suspended process
test_check_service: Starts services
checktokenmembership: Checks user token with CheckTokenMembership call

Похожие отчёты