Managed XDR

po-2504122-ots-pixel.msg — отчёт о динамическом анализе вредоносного файла

Информация о файле

Имя файла: po-2504122-ots-pixel.msg
Тип файла: CDFV2 Microsoft Outlook Message
Размер файла: 1.7 MB
Первое обнаружение: 2025-10-07 08:42
Последнее обнаружение: 2025-10-07 08:42

Окружение

win7/x86 en

Хеши

SHA1: 63a7dc08fec434aa996f39b8764ab0a8838c8baf
SHA256: e9667d652c9ed25d85730131beb12e34de759e817cc3e4d638581337abbf0227
MD5: f256e2e9de73e6e0c1f97d8838f68305

Сигнатуры

Initial Access

T1192 html_urls: HTML-document downloads a file

Execution

T1059.001 suspicious_powershell: Creates suspicious powershell process

T1059.001 suspicious_process: Spawns a suspicious process

T1064 office_macros: The document contains macro

Privilege Escalation

T1134 opens_thread_token: Opens the access token associated with a thread

T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1134 opens_thread_token: Opens the access token associated with a thread

T1134 opens_process_token: Opens the access token associated with a process

T1497 evasion_trustrecords: Attempts to detect Sandbox exploring trusted documents

T1497 windows_enumthread: Attempts to enumerate windows using EnumThreadWindows and SendMessage for text obtaining

T1497.003 antisandbox_sleep: The process attempted to slow down analysis

T1064 office_macros: The document contains macro

T1070 stealth_window: A process created a hidden window

Credential Access

T1552 cookie_files: Accesses cookie files

T1555.003 cookie_files: Accesses cookie files

Discovery

T1497 evasion_trustrecords: Attempts to detect Sandbox exploring trusted documents

T1497 windows_enumthread: Attempts to enumerate windows using EnumThreadWindows and SendMessage for text obtaining

T1497.003 antisandbox_sleep: The process attempted to slow down analysis

T1082 windows_enumthread: Attempts to enumerate windows using EnumThreadWindows and SendMessage for text obtaining

T1083 checks_recent_files: Attempt to check recently opened files through registry

Command and Control

T1071.001 network_cnc_http: Suspicious HTTP traffic

T1071.001 network_http: Performs HTTP requests

T1071.001 wininet_https: Performs HTTP/HTTPS requests using WinInet

Other

yara_rules: Static rules

suricata_alert: Malicious traffic detected

modifies_certs: Attempts to generate or modify system certificates

suspicious_process_network: Unusual process network activity detected

network_ftp: Performs FTP requests

office_summary: The document contains suspicious metadata

create_rpc_bindings: Creates RPC connection

break_limit_exceeded: Warning: function calls limit has been exceeded

get_policy_info: Retrieves information about a Policy object

test_check_service: Starts services

office_links: Office file contains external links

antisandbox_check_graphics_card: Uses CreateDXGIFactory, potentially to detect graphics card