Managed XDR

tmp-eml_attach_for_sca...adc55177ec5c3f0f1.file — malware analysis report

File info

Filename
tmp-eml_attach_for_scan-62a3a3f33b98e7badc55177ec5c3f0f1.file
File type
Microsoft Excel 2007+
File size
678.6 KB
First seen
Last seen

Environment

win7/x64 en

Hashes

SHA1
d83cde541efdd7bb27012e65b34fe88b8b05ae6e
SHA256
2a1bea64f4e3cb778e737a10cf310d3a38fcd88cbc62d7fb9103cc73e105ae22
MD5
62a3a3f33b98e7badc55177ec5c3f0f1

Signatures

Execution

T1203 exploit_CVE_2017_11882: Exploits CVE-2017-11882 vulnerability
T1203 office_exploit_http: The document exhibits suspicious behavior (performs HTTP requests)

Persistence

T1574 dropper_dll: Creates DLL, which is then loaded into the process

Privilege Escalation

T1574 dropper_dll: Creates DLL, which is then loaded into the process
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1562 dep_disable: Disables DEP
T1574 dropper_dll: Creates DLL, which is then loaded into the process
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Credential Access

T1555.003 cookie_files: Accesses cookie files
T1552 cookie_files: Accesses cookie files

Discovery

T1083 checks_recent_files: Attempt to check recently opened files through registry

Command and Control

T1071.001 office_exploit_http: The document exhibits suspicious behavior (performs HTTP requests)
T1071.004 office_exploit_dns: The document exhibits suspicious behavior (performs DNS requests)
T1071.001 wininet_https: Performs HTTP/HTTPS requests using WinInet

Other

executes_dropped_exe: Executes dropped exe files
creates_exe: Creates executable files in the file system
modifies_certs: Attempts to generate or modify system certificates
suspicious_process_network: Unusual process network activity detected
suspicious_process: Spawns a suspicious process
unexpected_exception: Unexpected exception
get_policy_info: Retrieves information about a Policy object
test_check_service: Starts services
antisandbox_check_graphics_card: Uses CreateDXGIFactory, potentially to detect graphics card
yara_rules: Static rules