Managed XDR

notepad-kopie-2-.iso — malware analysis report

File info

Filename: notepad-kopie-2-.iso
File type: Rich Text Format data, version 1, ANSI
File size: 1.1 MB
First seen:
Last seen:

Environment

win7/x64 en

Hashes

SHA1: d0bd8671ac56389258e3147f327f0ea04a1402de
SHA256: a03d085a5e9c961f65802b0c822930ea78427e43c8a12f5e0e04e7b005988f3f
MD5: 135df2bbe6b75a2fba782806dbced158

Signatures

Execution

T1203 office_write_exe: Office document dropped an executable file
T1204.002 mimics_extension: Attempts to mimic the file extension

Persistence

T1574.011 persistence_services: Modifies Services registry key
T1543.003 persistence_services: Modifies Services registry key

Privilege Escalation

T1574.011 persistence_services: Modifies Services registry key
T1543.003 persistence_services: Modifies Services registry key
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1562 dep_disable: Disables DEP
T1574.011 persistence_services: Modifies Services registry key
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process
T1497 evasion_printers: Attempts to detect Sandbox by exploring existing printers
T1497 evasion_trustrecords: Attempts to detect Sandbox by exploring trusted documents
T1497 checks_firmware: Attempts to read firmware information (potentially for evasion)
T1497.001 antivm_queries_computername: Retrieves the computer name
T1036 mimics_extension: Attempts to mimic the file extension

Discovery

T1497 evasion_printers: Attempts to detect Sandbox by exploring existing printers
T1497 evasion_trustrecords: Attempts to detect Sandbox by exploring trusted documents
T1497 checks_firmware: Attempts to read firmware information (potentially for evasion)
T1497.001 antivm_queries_computername: Retrieves the computer name
T1135 server_share_info: Retrieves information about each shared resource on a server
T1082 checks_firmware: Attempts to read firmware information (potentially for evasion)

Other

office_embedded: Office document contains embedded executable file(s)
creates_exe: Creates executable files in the file system
http_file_not_found: Attempts to download EXE or DLL file but receives HTML with an error
unsigned_driver_drop: Sample is not signed and drops a device driver
create_rpc_bindings: Creates RPC connection
get_policy_info: Retrieves information about a Policy object
test_check_service: Starts services
office_links: Office file contains external links
antisandbox_check_graphics_card: Uses CreateDXGIFactory, potentially to detect graphics card