Managed XDR

fbd1ksh8qtqpqrom.doc — malware analysis report

File info

Filename
fbd1ksh8qtqpqrom.doc
File type
Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Title: LIFENET Exchange Enterprise Bus to Enterprise System Interface Control Document, Subject: Medtronic Cover Sheet, Author: Alexander Frolov, Comments: Added Sync Asset Data and Asset Data messages to support LIFENET Cardiac Care System Release 4 Asset Awareness feature. Removed unused messages Account Is Added, Account Is Updated, Account Is Deleted, Node Is Added, Node Is Updated, Node Is Deleted, User Is Added, User Is Updated, User Is Deleted, Equipment Is Added, Equipment Is Updated, and Equipment Is Deleted. These messages were intended to be used for SuperLinus integration. See redline for detail of changes., Template: 7000377.A.ICD.dot, Last Saved By: Seely, Robyn, Revision Number: 2, Name of Creating Application: Microsoft Office Word, Total Editing Time: 01:00, Last Printed: Tue May 30 01:45:00 2006, Create Time/Date: Tue Apr 1 16:37:00 2025, Last Saved Time/Date: Tue Apr 1 16:37:00 2025, Number of Pages: 10, Number of Words: 1789, Number of Characters: 10199, Security: 0
File size
211 KB
First seen
Last seen

Environment

win7/x86 en

Hashes

SHA1
72cc6b19252f061ad7be365bb0fe5fe8f63f8891
SHA256
c70cf722789ed390b611e88d08bc7ebb560ab8337883a3ce48c774c878337891
MD5
dbd8983cd9fe7911a7eabbf6fdbcd61e

Signatures

Privilege Escalation

T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process
T1497 evasion_trustrecords: Attempts to detect Sandbox exploring trusted documents

Credential Access

T1552 cookie_files: Accesses cookie files
T1555.003 cookie_files: Accesses cookie files

Discovery

T1497 evasion_trustrecords: Attempts to detect Sandbox exploring trusted documents
T1083 checks_recent_files: Attempt to check recently opened files through registry

Other

yara_rules: Static rules
office_suspicious_data: Office file contains suspicious data
create_rpc_bindings: Creates RPC connection
get_policy_info: Retrieves information about a Policy object
test_check_service: Starts services
office_links: Office file contains external links
antisandbox_check_graphics_card: Uses CreateDXGIFactory, potentially to detect graphics card