Managed XDR

b18962ca-0b43-45b9-a4ec-caa3e71c51fd-.eml — отчёт о динамическом анализе вредоносного файла

Информация о файле

Имя файла: b18962ca-0b43-45b9-a4ec-caa3e71c51fd-.eml
Тип файла: RFC 822 mail, ASCII text, with CRLF line terminators
Размер файла: 2.1 KB
Первое обнаружение: 2024-07-31 06:23
Последнее обнаружение: 2024-07-31 06:23

Окружение

win7/x64 en

Хеши

SHA1: fafd914aeef535be21431887c4f6926003633941
SHA256: b3c8426d24bbbc434459160459824e70d6fc28cb850b8176ca2cf7bfd8ab765a
MD5: cb300a3931f2fef373675cec6d36446c

Сигнатуры

Execution

T1059.007 bad_js: Suspicious Javascript file

Privilege Escalation

T1134 sets_privilegies_via_adjusttokenprivileges: Sets process privilege via AdjustTokenPrivileges

T1134 opens_thread_token: Opens the access token associated with a thread

T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1036.001 invalid_authenticode: Digital signature of one or several attached files has failed to be verified

T1027.002 unnamed_memory_regions: Code was executed in unnamed regions

T1497.003 antisandbox_sleep: The process attempted to slow down analysis

T1027.002 packer_entropy: Probably contains compressed or encrypted data

T1497.001 antivm_network_adapters: Checks NIC addresses

T1497.001 antivm_queries_computername: Retrieves the computer name

T1134 sets_privilegies_via_adjusttokenprivileges: Sets process privilege via AdjustTokenPrivileges

T1134 opens_thread_token: Opens the access token associated with a thread

T1134 opens_process_token: Opens the access token associated with a process

Credential Access

T1555.003 cookie_files: Accesses cookie files

T1552 cookie_files: Accesses cookie files

Discovery

T1497.003 antisandbox_sleep: The process attempted to slow down analysis

T1497.001 antivm_network_adapters: Checks NIC addresses

T1497.001 antivm_queries_computername: Retrieves the computer name

T1135 server_share_info: Retrieves information about each shared resource on a server

Command and Control

T1071.001 network_cnc_http: Suspicious HTTP traffic

T1071.001 network_http: Performs HTTP requests

T1071.001 wininet_https: Performs HTTP/HTTPS requests using WinInet

T1102.003 references_github: Contains links to cloud services of Github (potentially for malicious payload delivery)

Other

static_pe_anomaly: The PE file structure contains anomalies

process_crashed: One of the processes has failed

dotnet_suspicious_resources_names: Dotnet program has suspicious resources names

create_rpc_bindings: Creates RPC connection

has_pdb: This executable file has a PDB path

creates_suspended_process: Creates suspended process

dotnet_import_unmanaged_code: Dotnet program statically imports unmanaged functions/modules

message_box: Displays a message

error_drawtext: An error occured while executing the file

get_policy_info: Retrieves information about a Policy object

test_check_service: Starts services

pe_overlay: PE file contains overlay