Managed XDR

_correo-sospechoso-ban...garantizados-_-lec.eml — dynamic analysis report for a malicious file

File information

File name
_correo-sospechoso-banned_word_-re_-reunion-anh-acreedores-garantizados-_-lec.eml
File type
SMTP mail, ASCII text, with very long lines, with CRLF line terminators
File size
136.8 KB
First seen
Last seen

Environment

w10/x64 en

Hashes

SHA1
baf86f5e3d334f6e9711a72a40a38db16ae764db
SHA256
4cfbd4f5e5dc618757d1068a08ce8f5afdd8b65b3b68918346eb5a7e452b22a7
MD5
d6ddc9f8f52cbfc10f2a022814750afb

Signatures

Initial Access

T1192 html_urls: HTML-document downloads a file

Execution

T1047 antivm_wmi: Uses WMI to detect virtual environment
T1047 has_wmi: Executes one or several WMI requests
T1204.002 office_com_load: Microsoft Office loads COM DLL files (indicator of COM usage in macros)

Persistence

T1574 dropper_dll: Creates DLL, which is then loaded into the process

Privilege Escalation

T1055 injection_failed: The attempt to inject into a process has failed
T1574 dropper_dll: Creates DLL, which is then loaded into the process

Defense Evasion

T1562.001 browser_security: Modifies browser security settings
T1497.001 antivm_wmi: Uses WMI to detect virtual environment
T1497 evasion_printers: Attempts to detect Sandbox by exploring existing printers
T1497.001 antivm_generic_msi: Checks installed MSI packages, possibly for anti-virtualization
T1497.001 antivm_generic_productname: Checks system product name in registry, possibly for anti-virtualization
T1055 injection_failed: The attempt to inject into a process has failed
T1574 dropper_dll: Creates DLL, which is then loaded into the process

Credential Access

T1555.004 windows_credential_manager: Acquire credentials from the Windows Credential Manager

Discovery

T1497.001 antivm_wmi: Uses WMI to detect virtual environment
T1057 has_wmi: Executes one or several WMI requests
T1082 has_wmi: Executes one or several WMI requests
T1497 evasion_printers: Attempts to detect Sandbox by exploring existing printers
T1497.001 antivm_generic_msi: Checks installed MSI packages, possibly for anti-virtualization
T1497.001 antivm_generic_productname: Checks system product name in registry, possibly for anti-virtualization

Command and Control

T1071.001 winhttp_https: Performs HTTP/HTTPS requests using WinHttp

Other

creates_in_windows: Creates files in the Windows directory
network_bind: Starts servers listening at None
creates_exe: Creates executable files in the file system
creates_suspended_process: Creates suspended process
creates_in_programdata: Creates files in the ProgramData directory
suspicious_network_port: Performs TCP or UDP request to non-standard port
test_check_service: Starts services