Managed XDR

pe2qesm3ac88qa58kqtfsusult7fhkltpdlvjho1 — отчёт о динамическом анализе вредоносного файла

Информация о файле

Имя файла
pe2qesm3ac88qa58kqtfsusult7fhkltpdlvjho1
Тип файла
SMTP mail, ASCII text, with very long lines, with CRLF line terminators
Размер файла
788.7 KB
Первое обнаружение
Последнее обнаружение

Окружение

win7/x64 en

Хеши

SHA1
59ddbd6725488044cad9298c33239038ab4b5896
SHA256
847fb27e3769d17cc0afbfa335926d5dd0a905ef528fbb1d41b8e5b48de06bc7
MD5
4817db2623f425d36e5e0a256ae15cec

Сигнатуры

Privilege Escalation

T1055.002 inject_write_pe: Writes PE file to another process's memory
T1055.012 injection_runpe: Injects code into another process
T1134 sets_privilegies_via_adjusttokenprivileges: Sets process privilege via AdjustTokenPrivileges
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1218 bypass_dev_utils: Executing .NET utility in a suspended state, potentially for injection
T1055.002 inject_write_pe: Writes PE file to another process's memory
T1055.012 injection_runpe: Injects code into another process
T1134 sets_privilegies_via_adjusttokenprivileges: Sets process privilege via AdjustTokenPrivileges
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Other

yara_rules: Static rules
dead_host: Connects to IP addresses that do not respond to requests
create_rpc_bindings: Creates RPC connection
has_pdb: This executable file has a PDB path
creates_suspended_process: Creates suspended process
break_limit_exceeded: Warning: function calls limit has been exceeded
get_policy_info: Retrieves information about a Policy object