Managed XDR

yu-yue-shou-ce-gang-li...ng-shan-cang-ku-i.docx — malware analysis report

File info

Filename: yu-yue-shou-ce-gang-lian-jie-yang-shan-cang-ku-i.docx
File type: Microsoft Word 2007+
File size: 174.5 KB
First seen: 2025-06-23 07:16
Last seen: 2025-06-23 11:46

Environment

win7/x86 en

Hashes

SHA1: cae3a8d5a7c18f204d4a06093db41347d9a7e46b
SHA256: 054d8079114764f5803ba80e969c63a7dce17ceed1e0971762e434ab04173333
MD5: ad094cb7af4cafa064905f66fa7ad8b3

Signatures

Execution

T1064 office_macros_suspicious: Document contains suspicious macro

T1064 office_macros: The document contains macro

T1064 office_macros_strings: Feature lines found in document macro

Privilege Escalation

T1134 sets_privilegies_via_adjusttokenprivileges: Sets process privilege via AdjustTokenPrivileges

T1134 opens_thread_token: Opens the access token associated with a thread

T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1221 office_attached_template: Office file downloads a suspicious template from the Internet

T1064 office_macros_suspicious: Document contains suspicious macro

T1497 evasion_trustrecords: Attempts to detect Sandbox exploring trusted documents

T1497 windows_enumthread: Attempts to enumerate windows using EnumThreadWindows and SendMessage for text obtaining

T1497.001 antivm_queries_computername: Retrieves the computer name

T1134 sets_privilegies_via_adjusttokenprivileges: Sets process privilege via AdjustTokenPrivileges

T1134 opens_thread_token: Opens the access token associated with a thread

T1134 opens_process_token: Opens the access token associated with a process

T1064 office_macros: The document contains macro

T1064 office_macros_strings: Feature lines found in document macro

Credential Access

T1555.003 cookie_files: Accesses cookie files

T1552 cookie_files: Accesses cookie files

Discovery

T1082 windows_enumthread: Attempts to enumerate windows using EnumThreadWindows and SendMessage for text obtaining

T1497 evasion_trustrecords: Attempts to detect Sandbox exploring trusted documents

T1497 windows_enumthread: Attempts to enumerate windows using EnumThreadWindows and SendMessage for text obtaining

T1497.001 antivm_queries_computername: Retrieves the computer name

T1135 server_share_info: Retrieves information about each shared resource on a server

T1083 checks_recent_files: Attempt to check recently opened files through registry

Command and Control

T1071.001 network_http: Performs HTTP requests

T1071.001 winhttp_https: Performs HTTP/HTTPS requests using WinHttp

T1071.001 wininet_https: Performs HTTP/HTTPS requests using WinInet

Other

yara_rules: Static rules

creates_doc: Creates (office) documents in the file system

create_rpc_bindings: Creates RPC connection

break_limit_exceeded: Warning: function calls limit has been exceeded

get_policy_info: Retrieves information about a Policy object

test_check_service: Starts services

antisandbox_check_graphics_card: Uses CreateDXGIFactory, potentially to detect graphics card

suricata_alert: Malicious traffic detected