Managed XDR
Group-IB MDP Report
File info
Filename: foll.docx
File Type: Zip archive data, at least v2.0 to extract
File Size: 10.4 KB
Env info
w10/x86 en
Hashes
SHA1: 04d30019c278a7e85d2e2e0701361b4f1801aeaf
SHA256: be2ed20a8216b358990ce5ae5e5c981b24964f2427d742f7bbd0cacab93b3d4f
MD5: d22949ee307126241a24167130ea62f9
Malwares
Follina
Signatures
Initial Access
T1192 downloader_ms_word: Suspicious link to an external file (Microsoft Word)
Execution
T1203 exploit_CVE_2022_30190: Exploitation of Follina (CVE-2022-30190) Vulnerability
T1204.002 office_com_load: Microsoft Office loads COM DLL files (indicator of COM usage in macros)
Defense Evasion
T1497 evasion_trustrecords: Attempts to detect Sandbox exploring trusted documents
Credential Access
T1056.001 infostealer_keylogger: Keylogger (intercepts keystrokes)
Discovery
T1083 checks_recent_files: Attempt to check recently opened files through registry
T1497 evasion_trustrecords: Attempts to detect Sandbox exploring trusted documents
Collection
T1056.001 infostealer_keylogger: Keylogger (intercepts keystrokes)
Command and Control
T1071.001 winhttp_https: Performs HTTP/HTTPS requests using WinHttp
T1071.001 wininet_https: Performs HTTP/HTTPS requests using WinInet
Other
yara_rules: Static rules
creates_suspended_process: Creates suspended process
test_check_service: Starts services
next report: 35ebbe22-29f4-40b3-a286-6e6c9ae691cc
previous report: b1e76480-2aee-4058-ac12-019212d4a6ef
Managed XDR