Managed XDR

2a521c4c-6d8a-43fa-ff6...-6988-603dad77301a.eml (CloudEyE) — отчёт о динамическом анализе вредоносного файла

Информация о файле

Имя файла: 2a521c4c-6d8a-43fa-ff6d-08de1aad92a1-691733a0-f237-5864-6988-603dad77301a.eml
Тип файла: RFC 822 mail, UTF-8 Unicode text, with CRLF line terminators
Размер файла: 27.2 KB
Первое обнаружение: 2025-11-03 09:20
Последнее обнаружение: 2025-11-03 09:20

Окружение

w10/x86 en

Хеши

SHA1: f49687769557c67ce229ee56604985a1807d6f41
SHA256: 1f5c449ad48bcba4d24c5e80fb6d65821e5d582253eded14d5cd36005edbc4a8
MD5: 9abfc2ae79b86ee410efd67fda01e992

Вредоносное ПО

CloudEyE

Сигнатуры

Execution

T1059 powershell_cmd_longcommandline: Suspiciously long commandline

T1059.001 suspicious_powershell: Creates suspicious powershell process

T1047 has_wmi: Executes one or several WMI requests

T1059.001 suspicious_process: Spawns a suspicious process

T1106 susp_callbacks: Suspicious usage of some WinAPI with callbacks

Privilege Escalation

T1055.012 injection_runpe: Injects code into another process

T1055.004 injection_ntqueueapcthread: Injects into another process using NtQueueApcThread

T1134 opens_thread_token: Opens the access token associated with a thread

T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1055.012 injection_runpe: Injects code into another process

T1027.002 guloader_behaviour: Cloudeye/GuLoader specific behaviour has been detected

T1055.004 injection_ntqueueapcthread: Injects into another process using NtQueueApcThread

T1497 antidbg_setinformationthread: Attempts to evade debugger using NtSetInformationThread

T1027.002 unnamed_memory_regions: Code was executed in unnamed regions

T1134 opens_thread_token: Opens the access token associated with a thread

T1134 opens_process_token: Opens the access token associated with a process

T1070 stealth_window: A process created a hidden window

T1497.003 antisandbox_sleep: The process attempted to slow down analysis

Discovery

T1497 antidbg_setinformationthread: Attempts to evade debugger using NtSetInformationThread

T1057 has_wmi: Executes one or several WMI requests

T1518 locates_browser: Attempts to identify where browsers are installed

T1497.003 antisandbox_sleep: The process attempted to slow down analysis

Collection

T1560.001 archive_via_utility: Detected archiving data via utility

Command and Control

T1071.001 wininet_openurl: Performs HTTP/HTTPS-requests using InternetOpenUrl

Other

yara_rules: Static rules

runs_utility_without_cmdline: Runs system utility without arguments (non-typical usage)

suspicious_process_network: Unusual process network activity detected

unexpected_exception: Unexpected exception

network_powershell: Powershell process network connection detected

no_graphical_activity: No graphic activity

creates_suspended_process: Creates suspended process

checktokenmembership: Checks user token with CheckTokenMembership call

writes_data: Writes big amount of data to disk

suricata_alert: Malicious traffic detected