Managed XDR

c-users-user-0ffice36x...9f8798961bb55e7d84.zip — malware analysis report

File info

Filename
c-users-user-0ffice36x-13-27bbffa557fc469f8798961bb55e7d84.zip
File type
Microsoft OOXML
File size
1.7 MB
First seen
Last seen

Environment

w10/x86 en

Hashes

SHA1
41736634dba0e5bbc67b2a63e3e0f0d08e1b6cc8
SHA256
94fbe0f10f634b902b25360497b761007ff21cb4733fb629056d281b51bfdfe3
MD5
c71bfc4b9919776502bc53fbc94a0411

Signatures

Execution

T1064 office_macros_suspicious: Document contains suspicious macro
T1064 office_macros: The document contains macro
T1064 office_macros_autoexec: The document contains an auto-start macro
T1204.002 office_com_load: Microsoft Office loads COM DLL files (indicator of COM usage in macros)

Privilege Escalation

T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1497.003 antisandbox_sleep: The process attempted to slow down analysis
T1064 office_macros_suspicious: Document contains suspicious macro
T1027.002 packer_entropy: Probably contains compressed or encrypted data
T1497 evasion_trustrecords: Attempts to detect Sandbox exploring trusted documents
T1497.001 antivm_queries_computername: Retrieves the computer name
T1064 office_macros: The document contains macro
T1064 office_macros_autoexec: The document contains an auto-start macro
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Discovery

T1497.003 antisandbox_sleep: The process attempted to slow down analysis
T1497 evasion_trustrecords: Attempts to detect Sandbox exploring trusted documents
T1497.001 antivm_queries_computername: Retrieves the computer name

Other

yara_rules: Static rules
dead_host: Connects to IP addresses that do not respond to requests
has_pdb: This executable file has a PDB path
break_limit_exceeded: Warning: function calls limit has been exceeded
static_compression_ratio: Very high compression ratio of a file
suspicious_network_port: Performs TCP or UDP request to non-standard port
test_check_service: Starts services