Managed XDR

2ab12f79e435abe40ad300...9a90fa9f17e6eff1f.docm — malware analysis report

File info

Filename
2ab12f79e435abe40ad30076eb4722be724d766c8050dcd9a90fa9f17e6eff1f.docm
File type
Microsoft OOXML
File size
15.5 KB
First seen
Last seen

Environment

win7/x86 en

Hashes

SHA1
d8cd59c3698a58c289b3bc09c2735d79c69749d6
SHA256
941831cf3f263b3a4cb7b5a0c20f281c928de7c48f3c8c8dae25147f89ac90a2
MD5
4af93442378c3f946605573d8fd49227

Signatures

Initial Access

T1192 downloader_ms_word: Suspicious link to an external file (Microsoft Word)

Execution

T1203 exploit_CVE_2017_0199: Possible exploitation of CVE-2017-0199

Privilege Escalation

T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1497 evasion_trustrecords: Attempts to detect Sandbox exploring trusted documents
T1497.001 antivm_queries_computername: Retrieves the computer name
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Discovery

T1497 evasion_trustrecords: Attempts to detect Sandbox exploring trusted documents
T1497.001 antivm_queries_computername: Retrieves the computer name

Other

yara_rules: Static rules
get_policy_info: Retrieves information about a Policy object
test_check_service: Starts services
antisandbox_check_graphics_card: Uses CreateDXGIFactory, potentially to detect graphics card