Managed XDR

quotation-update-for-e...-2024-04-04-12-19-.eml (STRRAT) — отчёт о динамическом анализе вредоносного файла

Информация о файле

Имя файла
quotation-update-for-enquiry_urgent_order-april-june-2024-2024-04-04-12-19-.eml
Тип файла
RFC 822 mail, UTF-8 Unicode text, with CRLF line terminators
Размер файла
635.5 KB
Первое обнаружение
Последнее обнаружение

Окружение

win7/x86 en

Хеши

SHA1
1d70415c1f4efb4dd5f62e4812ba01175ccb881c
SHA256
58fa9d1847ed5f2302640d78de35977efa198542a78753f39bd9dd779811f0ab
MD5
825ad0b25102750435db591fc53d021d

Вредоносное ПО

  • STRRAT

Сигнатуры

Initial Access

T1192 html_urls: HTML-document downloads a file

Execution

T1053.005 persistence_autorun: Makes itself run automatically on Windows startup
T1053.005 creates_tasks: Creates a delayed task using Task Scheduler
T1047 has_wmi: Executes one or several WMI requests

Persistence

T1053.005 persistence_autorun: Makes itself run automatically on Windows startup
T1547.001 persistence_autorun: Makes itself run automatically on Windows startup
T1053.005 creates_tasks: Creates a delayed task using Task Scheduler
T1574 dropper_dll: Creates DLL, which is then loaded into the process

Privilege Escalation

T1053.005 persistence_autorun: Makes itself run automatically on Windows startup
T1547.001 persistence_autorun: Makes itself run automatically on Windows startup
T1053.005 creates_tasks: Creates a delayed task using Task Scheduler
T1574 dropper_dll: Creates DLL, which is then loaded into the process
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1574 dropper_dll: Creates DLL, which is then loaded into the process
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process
T1497.002 async_mouse: Watches for mouse clicks using GetAsyncKeyState to detect human activity

Credential Access

T1555.003 cookie_files: Accesses cookie files
T1552 cookie_files: Accesses cookie files

Discovery

T1033 recon_beacon: The process has sent information about the computer over the network
T1497.002 async_mouse: Watches for mouse clicks using GetAsyncKeyState to detect human activity

Command and Control

T1071.001 recon_beacon: The process has sent information about the computer over the network
T1102.003 cloud_github: Connects to cloud services of Github (potentially for malicious payload delivery)
T1071.001 network_http: Performs HTTP requests

Other

yara_rules: Static rules
suricata_alert: Malicious traffic detected
creates_exe: Creates executable files in the file system
ip_domains: Identifies an IP address using external resources
pdf_compressed_stream: Contains an object with compressed stream
get_policy_info: Retrieves information about a Policy object
creates_in_programdata: Creates files in the ProgramData directory

Похожие отчёты