Managed XDR

autorecovery-save-of-document.asd — malware analysis report

File info

Filename
autorecovery-save-of-document.asd
File type
Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Author: aVSguvcYgz, Template: Normal.dotm, Last Saved By: PUojNVfFsa, Revision Number: 95, Name of Creating Application: Microsoft Office Word, Total Editing Time: 40:00, Create Time/Date: Mon Jan 6 21:20:00 2025, Last Saved Time/Date: Wed Mar 26 08:37:00 2025, Number of Pages: 1, Number of Words: 8, Number of Characters: 47, Security: 0
File size
12.2 MB
First seen
Last seen

Environment

win7/x86 en

Hashes

SHA1
4ad27a1136ea1b534f4126a84b419020d2ed1ef2
SHA256
c5236d9e8c47fa93dc18ebe74b7f8ddbd9533e5a488f5fed3cb00884e1a8b57e
MD5
261a750d478f6bdca7ce5f6f12b3719a

Signatures

Execution

T1053.005 creates_tasks: Creates a delayed task using Task Scheduler
T1569.002 persistence_service: Starts newly created service
T1059.003 suspicious_process: Spawns a suspicious process
T1106 susp_callbacks: Suspicious usage of some WinAPI with callbacks

Persistence

T1543.003 creates_service: Creates a service, that will start automatically
T1053.005 creates_tasks: Creates a delayed task using Task Scheduler
T1574.011 persistence_services: Modifies Services registry key
T1543.003 persistence_services: Modifies Services registry key
T1574 dropper_dll: Creates DLL, which is then loaded into the process

Privilege Escalation

T1543.003 creates_service: Creates a service, that will start automatically
T1053.005 creates_tasks: Creates a delayed task using Task Scheduler
T1574.011 persistence_services: Modifies Services registry key
T1543.003 persistence_services: Modifies Services registry key
T1574 dropper_dll: Creates DLL, which is then loaded into the process
T1134 sets_privilegies_via_adjusttokenprivileges: Sets process privilege via AdjustTokenPrivileges
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1562.004 bypass_firewall: Changes local firewall configuration and policies
T1562.001 disables_security: Disables Windows Security options
T1112 wu_server: Sets or changes an update server used by Windows Update
T1112 stealth_hide_notifications: Attempts to change notification settings
T1027.002 unnamed_memory_regions_contains_pe: One or several unnamed memory regions are PE files
T1027.002 unnamed_memory_regions: Code was executed in unnamed regions
T1574.011 persistence_services: Modifies Services registry key
T1036 system_filename: Created a file named as a common system file
T1036 system_procname: Created a process named as a common system process
T1027.002 packer_entropy: Probably contains compressed or encrypted data
T1497.002 antisandbox_foregroundwindows: Checks whether any human activity is being performed by constantly checking whether the foreground window has changed
T1497.003 antisandbox_sleep: The process attempted to slow down analysis
T1574 dropper_dll: Creates DLL, which is then loaded into the process
T1134 sets_privilegies_via_adjusttokenprivileges: Sets process privilege via AdjustTokenPrivileges
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process
T1497.001 antivm_queries_computername: Retrieves the computer name

Discovery

T1010 checks_window_classname: Waits for a particular window to become active
T1057 pidbruteforce: Enumerates processes using PID Bruteforce
T1057 process_interest: Enumerates processes
T1497.002 antisandbox_foregroundwindows: Checks whether any human activity is being performed by constantly checking whether the foreground window has changed
T1497.003 antisandbox_sleep: The process attempted to slow down analysis
T1049 list_ts_rdp_sessions: Lists ts/rdp sessions
T1497.001 antivm_queries_computername: Retrieves the computer name
T1082 wts_enumproc: Attempts to enumerate processes using WTS

Impact

T1489 stops_service: Stops Windows services
T1485 deletes_files: Removes 100 or more files from C: drive
T1489 service_control_stop: Stops services via ControlService

Other

office_embedded: Office document contains embedded executable file(s)
creates_exe: Creates executable files in the file system
executes_dropped_exe: Executes dropped exe files
create_rpc_bindings: Creates RPC connection
has_pdb: This executable file has a PDB path
creates_suspended_process: Creates suspended process
break_limit_exceeded: Warning: function calls limit has been exceeded
message_box: Displays a message
get_policy_info: Retrieves information about a Policy object
creates_in_programdata: Creates files in the ProgramData directory
test_check_service: Starts services
antisandbox_check_graphics_card: Uses CreateDXGIFactory, potentially to detect graphics card
checktokenmembership: Checks user token with CheckTokenMembership call
open_winlogon_process: Trying to open winlogon process
yara_rules: Static rules