Managed XDR

reverse-tcp-shell-to-10.doc — malware analysis report

File info

Filename
reverse-tcp-shell-to-10.doc
File type
Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Author: Joseph Rapley, Template: Normal.dotm, Last Saved By: Joseph Rapley, Revision Number: 2, Name of Creating Application: Microsoft Office Word, Total Editing Time: 12:00, Create Time/Date: Wed Apr 17 22:18:00 2024, Last Saved Time/Date: Wed Apr 17 23:31:00 2024, Number of Pages: 1, Number of Words: 5, Number of Characters: 34, Security: 0
File size
36 KB
First seen
Last seen

Environment

win7/x86 en

Hashes

SHA1
822cf7164c722030df8ae43f2c8a01b9f6021292
SHA256
4f339ae0b1e4a4643f32d690a30dc7bee3b838cb48b4cf188718e5d354e09f95
MD5
ab9c2481473fcd6bd00fb1f097ff6aac

Signatures

Execution

T1203 office_exploit_crash: Microsoft Office process crashes (failed exploitation of a vulnerability is possible)
T1203 office_start_thread: Allocates memory and starts a thread inside an office application
T1064 office_macros_suspicious: Document contains suspicious macro
T1204.002 office_vb_load: Microsoft Office is loading VB DLL files (macros usage indicator)
T1064 office_macros: The document contains macro
T1064 office_macros_autoexec: The document contains an auto-start macro

Privilege Escalation

T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1064 office_macros_suspicious: Document contains suspicious macro
T1497 antidbg_query_process: Checks if the process is being debugged (ProcessDebugPort)
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process
T1064 office_macros: The document contains macro
T1064 office_macros_autoexec: The document contains an auto-start macro

Credential Access

T1552 cookie_files: Accesses cookie files
T1555.003 cookie_files: Accesses cookie files

Discovery

T1497 antidbg_query_process: Checks if the process is being debugged (ProcessDebugPort)
T1083 checks_recent_files: Attempt to check recently opened files through registry

Other

yara_rules: Static rules
get_policy_info: Retrieves information about a Policy object
test_check_service: Starts services
antisandbox_check_graphics_card: Uses CreateDXGIFactory, potentially to detect graphics card