Managed XDR

solicitud-precio.msg (FormBookFormgrabber) — отчёт о динамическом анализе вредоносного файла

Информация о файле

Имя файла: solicitud-precio.msg
Тип файла: CDFV2 Microsoft Outlook Message
Размер файла: 44 KB
Первое обнаружение: 2025-11-05 11:49
Последнее обнаружение: 2025-11-05 11:49

Окружение

w10/x86 en

Хеши

SHA1: 2347075d64a77e1a7031c708515ca8c2e5181248
SHA256: 3e27c1ee6df79a0a56f361af559fe8dc9f63b3b1c1b5463ca97b5a3802946edf
MD5: a2ce62a21286995476025a94f6a5679b

Вредоносное ПО

FormBookFormgrabber

Сигнатуры

Execution

T1059.001 suspicious_powershell: Creates suspicious powershell process

T1059.001 suspicious_process: Spawns a suspicious process

Privilege Escalation

T1055.002 inject_write_pe: Writes PE file to another process's memory

T1134 opens_thread_token: Opens the access token associated with a thread

T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1218 bypass_dev_utils: Executing .NET utility in a suspended state, potentially for injection

T1055.002 inject_write_pe: Writes PE file to another process's memory

T1027.002 unnamed_memory_regions_contains_pe: One or several unnamed memory regions are PE files

T1027.002 unnamed_memory_regions: Code was executed in unnamed regions

T1497 debugs_self: Creates a process and debugs it

T1497 antidbg_query_system: Checks for kernel debugger (SystemKernelDebuggerInformation)

T1134 opens_thread_token: Opens the access token associated with a thread

T1134 opens_process_token: Opens the access token associated with a process

T1497.001 antisandbox_script_timer: Detected script timer window (indicative of sleep style evasion)

T1497.003 antisandbox_sleep: The process attempted to slow down analysis

Discovery

T1497 debugs_self: Creates a process and debugs it

T1497 antidbg_query_system: Checks for kernel debugger (SystemKernelDebuggerInformation)

T1497.001 antisandbox_script_timer: Detected script timer window (indicative of sleep style evasion)

T1497.003 antisandbox_sleep: The process attempted to slow down analysis

Command and Control

T1071.001 network_cnc_http: Suspicious HTTP traffic

T1071.001 network_http: Performs HTTP requests

T1102.003 references_amazonaws: Contains links to cloud services of Amazon AWS services (potentially for malicious payload delivery)

Other

yara_rules: Static rules

network_powershell: Powershell process network connection detected

no_graphical_activity: No graphic activity

create_rpc_bindings: Creates RPC connection

creates_suspended_process: Creates suspended process

checktokenmembership: Checks user token with CheckTokenMembership call

writes_data: Writes big amount of data to disk