Managed XDR

omnibeesreservas_2022067095.ppa (Revenge-RAT) — malware analysis report

File info

Filename: omnibeesreservas_2022067095.ppa
File type: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Author: Daniel Silva, Last Saved By: Daniel Silva, Revision Number: 33, Name of Creating Application: Microsoft Office PowerPoint, Total Editing Time: 1d+04:04:05, Create Time/Date: Thu Aug 29 06:41:24 2024, Last Saved Time/Date: Fri Aug 30 10:45:30 2024, Number of Words: 0
File size: 188 KB
First seen: 2024-09-02 09:34
Last seen: 2024-09-02 09:34

Environment

win7/x86 en

Hashes

SHA1: 9ac6113998d71412aa0ea62d26a5e89e7bbd63e1
SHA256: 59b678762d416da417134de6ea9f743b66a6f654a303f2b85453675be35b2522
MD5: cd52b25ef805289bc3a37435d059458b

Malwares

Revenge-RAT

Signatures

Execution

T1059.001 suspicious_powershell: Suspicious document behaviour (creates powershell process)

T1059.001 suspicious_process: Spawns a suspicious process

T1047 antivm_wmi: Uses WMI to detect virtual environment

T1047 has_wmi: Executes one or several WMI requests

T1204.002 office_vb_load: Microsoft Office is loading VB DLL files (macros usage indicator)

T1064 office_macros: The document contains macro

T1064 office_macros_autoexec: The document contains an auto-start macro

Privilege Escalation

T1055.002 inject_write_pe: Writes PE file to another process's memory

T1134 opens_thread_token: Opens the access token associated with a thread

T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1218 bypass_dev_utils: Executing .NET utility in a suspended state, potentially for injection

T1055.002 inject_write_pe: Writes PE file to another process's memory

T1027 office_macros_hex_strings: Lines in hex found in document macro

T1497.001 antivm_wmi: Uses WMI to detect virtual environment

T1064 office_macros: The document contains macro

T1064 office_macros_autoexec: The document contains an auto-start macro

T1134 opens_thread_token: Opens the access token associated with a thread

T1134 opens_process_token: Opens the access token associated with a process

T1497 evasion_trustrecords: Attempts to detect Sandbox exploring trusted documents

T1497.001 antivm_queries_computername: Retrieves the computer name

T1497.003 antisandbox_sleep: The process attempted to slow down analysis

Credential Access

T1555.003 cookie_files: Accesses cookie files

T1552 cookie_files: Accesses cookie files

Discovery

T1518.001 wmi_check_av: Uses WMI to check for installed antivirus software

T1057 has_wmi: Executes one or several WMI requests

T1497.001 antivm_wmi: Uses WMI to detect virtual environment

T1082 has_wmi: Executes one or several WMI requests

T1518 locates_browser: Attempts to identify where browsers are installed

T1083 checks_recent_files: Attempt to check recently opened files through registry

T1497 evasion_trustrecords: Attempts to detect Sandbox exploring trusted documents

T1497.001 antivm_queries_computername: Retrieves the computer name

T1497.003 antisandbox_sleep: The process attempted to slow down analysis

Other

yara_rules: Static rules

modifies_certs: Attempts to generate or modify system certificates

office_summary: The document contains suspicious metadata

creates_suspended_process: Creates suspended process

get_policy_info: Retrieves information about a Policy object

test_check_service: Starts services

antisandbox_check_graphics_card: Uses CreateDXGIFactory, potentially to detect graphics card