Managed XDR

vtdl_1750488257_qpcmkr0q — отчёт о динамическом анализе вредоносного файла

Информация о файле

Имя файла
vtdl_1750488257_qpcmkr0q
Тип файла
Microsoft OOXML
Размер файла
54.6 KB
Первое обнаружение
Последнее обнаружение

Окружение

win7/x86 en

Хеши

SHA1
1367055caa50f41e1de5c1281a7605af67bf8581
SHA256
e84c6c8ec70badaff86b6af46cb4a889bd9b78a7575a081aab63b0d72c1c54f2
MD5
561059e79102044dc062ae79c5c16578

Сигнатуры

Execution

T1059 network_wscript_downloader: Wscript.exe initiated network communication
T1204.002 mimics_extension: Attempts to mimic the file extension
T1059.005 obfuscated_vbs: Detected obfuscated VBS

Privilege Escalation

T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1036 mimics_extension: Attempts to mimic the file extension
T1027 obfuscated_vbs: Detected obfuscated VBS
T1497 evasion_trustrecords: Attempts to detect Sandbox exploring trusted documents
T1497.001 antisandbox_script_timer: Detected script timer window (indicative of sleep style evasion)
T1497.003 antisandbox_sleep: The process attempted to slow down analysis
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Credential Access

T1555.003 cookie_files: Accesses cookie files
T1552 cookie_files: Accesses cookie files

Discovery

T1497 evasion_trustrecords: Attempts to detect Sandbox exploring trusted documents
T1497.001 antisandbox_script_timer: Detected script timer window (indicative of sleep style evasion)
T1497.003 antisandbox_sleep: The process attempted to slow down analysis
T1083 checks_recent_files: Attempt to check recently opened files through registry

Command and Control

T1071 network_wscript_downloader: Wscript.exe initiated network communication
T1071.001 network_http: Performs HTTP requests
T1071.001 wininet_https: Performs HTTP/HTTPS requests using WinInet

Other

yara_rules: Static rules
office_embedded: Office document contains embedded executable file(s)
create_rpc_bindings: Creates RPC connection
break_limit_exceeded: Warning: function calls limit has been exceeded
get_policy_info: Retrieves information about a Policy object
test_check_service: Starts services
antisandbox_check_graphics_card: Uses CreateDXGIFactory, potentially to detect graphics card
checktokenmembership: Checks user token with CheckTokenMembership call