Managed XDR

9d22969d14c7c23e743ab6...c8e48e38634b257cfc.rtf — malware analysis report

File info

Filename
9d22969d14c7c23e743ab63564c9b86eea20b2785c9d76c8e48e38634b257cfc.rtf
File type
Rich Text Format data, version 1, unknown character set
File size
89.4 KB
First seen
Last seen

Environment

win7/x86 en

Hashes

SHA1
dd567295d87f5f01b8951ff91aa92cbc2fb0da0b
SHA256
9d22969d14c7c23e743ab63564c9b86eea20b2785c9d76c8e48e38634b257cfc
MD5
0930bc0ba7c5af0fd2ee2a78a98faa22

Signatures

Execution

T1059 network_wscript_downloader: Wscript.exe initiated network communication
T1203 exploit_CVE_2017_11882: Exploits CVE-2017-11882 vulnerability
T1203 office_exploit_http: The document exhibits suspicious behaviour (performs HTTP requests)
T1059 suspicious_process: Spawns a suspicious process
T1059.005 obfuscated_vbs: Detected obfuscated VBS
T1059 wscript_info_discovery: Collects info about system with Wscript.Shell

Privilege Escalation

T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1027 obfuscated_vbs: Detected obfuscated VBS
T1497.001 antisandbox_script_timer: Detected script timer window (indicative of sleep style evasion)
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Credential Access

T1552 cookie_files: Accesses cookie files
T1555.003 cookie_files: Accesses cookie files

Discovery

T1033 wscript_info_discovery: Collects info about system with Wscript.Shell
T1497.001 antisandbox_script_timer: Detected script timer window (indicative of sleep style evasion)
T1083 checks_recent_files: Attempt to check recently opened files through registry
T1082 wscript_info_discovery: Collects info about system with Wscript.Shell

Command and Control

T1071 network_wscript_downloader: Wscript.exe initiated network communication
T1105 suspicious_download: Attempts to download suspicious file
T1071.001 office_exploit_http: The document exhibits suspicious behaviour (performs HTTP requests)
T1071.004 office_exploit_dns: The document exhibits suspicious behaviour (performs DNS requests)
T1071.001 network_http: Performs HTTP requests
T1071.001 winhttp_https: Performs HTTP/HTTPS requests using WinHttp
T1071.001 wininet_https: Performs HTTP/HTTPS requests using WinInet

Other

yara_rules: Static rules
code_share_services: Connects to text storage services (potentially for malicious payload delivery)
creates_exe: Creates executable files in the file system
suspicious_process_network: Unusual process network activity detected
unexpected_exception: Unexpected exception
get_policy_info: Retrieves information about a Policy object
test_check_service: Starts services
antisandbox_check_graphics_card: Uses CreateDXGIFactory, potentially to detect graphics card
suricata_alert: Malicious traffic detected