Managed XDR
Group-IB MDP Report
File info
Filename: vtdl_1734577780_2mdv5xgj
File Type: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Author: Admin, Last Saved By: Admin, Name of Creating Application: Microsoft Excel, Last Printed: Fri Jul 26 04:46:49 2024, Create Time/Date: Fri Jun 7 04:19:34 2013, Last Saved Time/Date: Wed Dec 11 11:10:03 2024, Security: 0
File Size: 4.9 MB
Env info
win7/x86 en
Hashes
SHA1: 1376596ca9f9d34533e09d47b56b350570510a22
SHA256: eb469bd9b08679c03ef5fc18ee33209badf4e8b39b5d651209c9cec73fbfda33
MD5: 3071576f286332137268d713af1e752c
Signatures
Execution
T1064 office_macros: The document contains macroses (total: 2)
T1064 office_macros_autoexec: The document contains an auto-start macro
T1204.002 office_vb_load: Microsoft Office is loading VB DLL files (macros usage indicator)
Privilege Escalation
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process
Defense Evasion
T1497 evasion_trustrecords: Attempts to detect Sandbox exploring trusted documents
T1497 windows_enumthread: Attempts to enumerate windows using EnumThreadWindows and SendMessage for text obtaining
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process
T1064 office_macros: The document contains macroses (total: 2)
T1064 office_macros_autoexec: The document contains an auto-start macro
T1027 office_macros_entropy: The document contains a macro with high entropy (a possible sign of obfuscation)
Credential Access
T1552 cookie_files: Accesses cookie files
T1555.003 cookie_files: Accesses cookie files
Discovery
T1497 evasion_trustrecords: Attempts to detect Sandbox exploring trusted documents
T1497 windows_enumthread: Attempts to enumerate windows using EnumThreadWindows and SendMessage for text obtaining
T1082 windows_enumthread: Attempts to enumerate windows using EnumThreadWindows and SendMessage for text obtaining
T1135 server_share_info: Retrieves information about each shared resource on a server
T1083 checks_recent_files: Attempt to check recently opened files through registry
Other
yara_rules: Static rules
creates_exe: Creates executable files in the file system
office_summary: The document contains suspicious metadata
create_rpc_bindings: Creates RPC connection
break_limit_exceeded: Warning: function calls limit has been exceeded
get_policy_info: Retrieves information about a Policy object
test_check_service: Starts services
antisandbox_check_graphics_card: Uses CreateDXGIFactory, potentially to detect graphics card
next report: 72638a2e-0511-44f6-b9e0-afbda89548ec
previous report: eb5e2860-b5aa-4494-9e8b-1273f3c68a95
Managed XDR