Managed XDR

0dce30dc-5829-4be4-a999-8e0f36dadf97-.eml — отчёт о динамическом анализе вредоносного файла

Информация о файле

Имя файла: 0dce30dc-5829-4be4-a999-8e0f36dadf97-.eml
Тип файла: RFC 822 mail, ASCII text, with CRLF line terminators
Размер файла: 2.1 KB
Первое обнаружение: 2024-07-31 05:44
Последнее обнаружение: 2024-07-31 05:44

Окружение

win7/x64 en

Хеши

SHA1: 0dbeea00c19f73a5014c7fe00a11c27d72ce6c14
SHA256: dd40257f56888a4677a7720b6e3c38581f634a7e042f3e3e46d92b0c5e9f47a3
MD5: 0ec17ddcefebe92ececb371055be18f7

Сигнатуры

Execution

T1059.007 bad_js: Suspicious Javascript file

Privilege Escalation

T1134 sets_privilegies_via_adjusttokenprivileges: Sets process privilege via AdjustTokenPrivileges

T1134 opens_thread_token: Opens the access token associated with a thread

T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1036.001 invalid_authenticode: Digital signature of one or several attached files has failed to be verified

T1027.002 unnamed_memory_regions: Code was executed in unnamed regions

T1497.003 antisandbox_sleep: The process attempted to slow down analysis

T1027.002 packer_entropy: Probably contains compressed or encrypted data

T1497.001 antivm_network_adapters: Checks NIC addresses

T1497.001 antivm_queries_computername: Retrieves the computer name

T1134 sets_privilegies_via_adjusttokenprivileges: Sets process privilege via AdjustTokenPrivileges

T1134 opens_thread_token: Opens the access token associated with a thread

T1134 opens_process_token: Opens the access token associated with a process

Credential Access

T1555.003 cookie_files: Accesses cookie files

T1552 cookie_files: Accesses cookie files

Discovery

T1497.003 antisandbox_sleep: The process attempted to slow down analysis

T1497.001 antivm_network_adapters: Checks NIC addresses

T1497.001 antivm_queries_computername: Retrieves the computer name

T1135 server_share_info: Retrieves information about each shared resource on a server

Command and Control

T1071.001 network_cnc_http: Suspicious HTTP traffic

T1071.001 network_http: Performs HTTP requests

T1071.001 wininet_https: Performs HTTP/HTTPS requests using WinInet

T1102.003 references_github: Contains links to cloud services of Github (potentially for malicious payload delivery)

Other

static_pe_anomaly: The PE file structure contains anomalies

process_crashed: One of the processes has failed

dotnet_suspicious_resources_names: Dotnet program has suspicious resources names

create_rpc_bindings: Creates RPC connection

has_pdb: This executable file has a PDB path

creates_suspended_process: Creates suspended process

dotnet_import_unmanaged_code: Dotnet program statically imports unmanaged functions/modules

message_box: Displays a message

error_drawtext: An error occured while executing the file

get_policy_info: Retrieves information about a Policy object

test_check_service: Starts services

pe_overlay: PE file contains overlay