39688cf4.ppt: dynamic analysis report for a malicious file

File information

File name
39688cf4.ppt
File type
Composite Document File V2 Document, Little Endian, Os: Windows, Version 5.1, Code page: 936, Title: PowerPoint Presentation, Last Saved By: User, Revision Number: 2, Name of Creating Application: Microsoft PowerPoint, Total Editing Time: 02:45, Create Time/Date: Thu Apr 19 02:07:34 2007, Last Saved Time/Date: Thu Jul 3 07:49:52 2008, Number of Words: 0
File size
692.5 KB
First seen
Last seen

Environment

winxp/x86 en

Hashes

SHA1
9f7da0a8e348c5b5e45247af67e0dc4e701177c1
SHA256
7a60baa8d3d9ef421c35d697a37e28114ff7de9791c8aeb24333fe2adde1dadd
MD5
3360164bc38d92f4b0af4b2d6563e1f5

Signatures

Execution

T1203 office_write_exe: Office document dropped an executable file
T1559 suspicious_process: Spawns a suspicious process
T1064 office_macros: The document contains macro

Privilege Escalation

T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1497.003 antisandbox_sleep: The process attempted to slow down analysis
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process
T1064 office_macros: The document contains macro

Discovery

T1497.003 antisandbox_sleep: The process attempted to slow down analysis
T1518 locates_browser: Attempts to identify where browsers are installed

Other

yara_rules: Static rules
executes_dropped_exe: Executes dropped exe files
creates_exe: Creates executable files in the file system
creates_in_windows: Creates files in the Windows directory
opens_document: Opens office documents
office_summary: The document contains suspicious metadata
creates_in_programdata: Creates files in the ProgramData directory