vtdl_1746764462_4nn7fmie | Group-IB MDP Reports

Managed XDR

Group-IB MDP Report

Filename: vtdl_1746764462_4nn7fmie

File Type: Rich Text Format data, version 1, ANSI

File Size: 440.4 KB

SHA1: 0b6bb79a00889f2f4588ac5d45f2e1c24dbcadbe SHA256: ec4acb47e8e851702f1266a1d245c9c8a657f38a98ab73b4d7ecad60757afc2b MD5: e590782f41ca4346f08005e2c41826e5

Signatures

Execution

T1203 exploit_CVE_2017_11882: Exploits CVE-2017-11882 vulnerability

T1203 office_write_exe: Office document dropped an executable file

T1059.003 suspicious_process: Spawns a suspicious process

T1047 antivm_wmi: Uses WMI to detect virtual environment

T1047 has_wmi: Executes one or several WMI requests

T1204.002 office_vb_load: Microsoft Office is loading VB DLL files (macros usage indicator)

Privilege Escalation

T1134 opens_thread_token: Opens the access token associated with a thread

T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1497.001 antivm_wmi: Uses WMI to detect virtual environment

T1497 evasion_trustrecords: Attempts to detect Sandbox exploring trusted documents

T1497.001 antivm_queries_computername: Retrieves the computer name

T1027.002 packer_entropy: Probably contains compressed or encrypted data

T1134 opens_thread_token: Opens the access token associated with a thread

T1134 opens_process_token: Opens the access token associated with a process

Discovery

T1082 has_wmi: Executes one or several WMI requests

T1497.001 antivm_wmi: Uses WMI to detect virtual environment

T1016 has_wmi: Executes one or several WMI requests

T1082 reads_csrss: Attempts to read csrss.exe memory

T1497 evasion_trustrecords: Attempts to detect Sandbox exploring trusted documents

T1497.001 antivm_queries_computername: Retrieves the computer name

Other

yara_rules: Static rules

office_embedded: Office document contains embedded executable file(s)

copies_self: Creates a copy of itself

creates_exe: Creates executable files in the file system

executes_dropped_exe: Executes dropped exe files

process_crashed: One of the processes has failed

unexpected_exception: Unexpected exception

has_pdb: This executable file has a PDB path

break_limit_exceeded: Warning: function calls limit has been exceeded

get_policy_info: Retrieves information about a Policy object

test_check_service: Starts services

antisandbox_check_graphics_card: Uses CreateDXGIFactory, potentially to detect graphics card

checktokenmembership: Checks user token with CheckTokenMembership call

next report: 6a38ef26-495a-4502-a3f2-3224d75e21c3

previous report: 54407731-a640-422b-a7bc-bc9edd18e305

Managed XDR