vtdl_1734705851_0k39qr5c | Group-IB MDP Reports

Managed XDR

Group-IB MDP Report

File info

Filename: vtdl_1734705851_0k39qr5c

File Type: SMTP mail, ASCII text, with very long lines, with CRLF line terminators

File Size: 956 KB

Env info

w10/x86 en

Hashes

SHA1: 5221471ef70bae91cbf7433052e2077a18211f4d

SHA256: 3f8058e5dbcb2a8bfd757c7bf0e6cd8b56d1636f017ca94cea3575815ef7c29b

MD5: 1cf71998c5925e55ad9f78dd84af1509

Malwares

Agent Tesla

Signatures

Initial Access

T1192 html_urls: HTML-document downloads a file

Execution

T1059.001 suspicious_powershell: Creates suspicious powershell process

T1059.001 suspicious_process: Spawns a suspicious process

T1059.003 suspicious_process: Spawns a suspicious process

T1059.005 obfuscated_vbs: Detected obfuscated VBS

T1064 office_macros: The document contains macro

T1059.001 url_cmdline: Cmdline of process contains URL

T1059.003 url_cmdline: Cmdline of process contains URL

T1059.005 bad_vbs: Suspicious VBScript file

T1204.002 office_com_load: Microsoft Office loads COM DLL files (indicator of COM usage in macros)

Privilege Escalation

T1134 opens_thread_token: Opens the access token associated with a thread

T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1070 stealth_window: A process created a hidden window

T1027.004 compiles_code: Compiles C# code

T1497.003 antisandbox_idletime: Detects Windows Idle Time to determine the uptime

T1027 obfuscated_vbs: Detected obfuscated VBS

T1134 opens_thread_token: Opens the access token associated with a thread

T1134 opens_process_token: Opens the access token associated with a process

T1497.001 antisandbox_script_timer: Detected script timer window (indicative of sleep style evasion)

T1064 office_macros: The document contains macro

Discovery

T1497.003 antisandbox_idletime: Detects Windows Idle Time to determine the uptime

T1518 locates_browser: Attempts to identify where browsers are installed

T1497.001 antisandbox_script_timer: Detected script timer window (indicative of sleep style evasion)

Command and Control

T1071.001 network_http: Performs HTTP requests

T1071.001 wininet_https: Performs HTTP/HTTPS requests using WinInet

Other

yara_rules: Static rules

suricata_alert: Malicious traffic detected

creates_exe: Creates executable files in the file system

create_process_failed: Could not start the process

suspicious_process_network: Unusual process network activity detected

network_powershell: Powershell process network connection detected

office_summary: The document contains suspicious metadata

create_rpc_bindings: Creates RPC connection

creates_suspended_process: Creates suspended process

break_limit_exceeded: Warning: function calls limit has been exceeded

test_check_service: Starts services

office_links: Office file contains external links

antisandbox_check_graphics_card: Uses CreateDXGIFactory, potentially to detect graphics card

checktokenmembership: Checks user token with CheckTokenMembership call

next report: 2d82647c-aa66-4f54-9a30-093d39dfc9cd

previous report: 902fcc77-99f9-4939-b873-6f4f81ad4622

Managed XDR