Managed XDR

vtdl_1750460000_3qeygydc — отчёт о динамическом анализе вредоносного файла

Информация о файле

Имя файла
vtdl_1750460000_3qeygydc
Тип файла
SMTP mail, Non-ISO extended-ASCII text, with CRLF line terminators
Размер файла
43.2 KB
Первое обнаружение
Последнее обнаружение

Окружение

win7/x86 en

Хеши

SHA1
44c9a7bd42924d73c5fa0b6c453614ff4a4c0dd2
SHA256
e1b0bdb34b735fa18cd3b9ca5cb238d044db7d3c189849af1d46c8d982081926
MD5
5a6b3c4fcf9d0cf453d868479bec9448

Сигнатуры

Execution

T1203 office_write_exe: Office document dropped an executable file
T1203 office_exploit_crash: Microsoft Office process crashes (failed exploitation of a vulnerability is possible)
T1559 suspicious_process: Spawns a suspicious process
T1204.002 mimics_extension: Attempts to mimic the file extension
T1204.002 office_vb_load: Microsoft Office is loading VB DLL files (macros usage indicator)

Persistence

T1547.004 persistence_autorun: Makes itself run automatically on Windows startup
T1574 dropper_dll: Creates DLL, which is then loaded into the process

Privilege Escalation

T1547.004 persistence_autorun: Makes itself run automatically on Windows startup
T1055.002 inject_write_pe: Writes PE file to another process's memory
T1055.012 injection_runpe: Injects code into another process
T1574 dropper_dll: Creates DLL, which is then loaded into the process
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1055.002 inject_write_pe: Writes PE file to another process's memory
T1055.012 injection_runpe: Injects code into another process
T1027.002 unnamed_memory_regions: Code was executed in unnamed regions
T1036 mimics_extension: Attempts to mimic the file extension
T1562.001 office_security: Attempts to modify Microsoft Office security settings
T1574 dropper_dll: Creates DLL, which is then loaded into the process
T1027.002 packer_upx: The executable file is compressed using UPX
T1497 office_security_check: Checks Microsoft Office security settings
T1497.003 antisandbox_sleep: The process attempted to slow down analysis
T1480 system_default_lang_id_present: Checks the system language
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process
T1027.002 packer_vb: The executable file is packed using VB
T1027.002 packer_entropy: Probably contains compressed or encrypted data

Discovery

T1497 office_security_check: Checks Microsoft Office security settings
T1497.003 antisandbox_sleep: The process attempted to slow down analysis

Other

yara_rules: Static rules
creates_in_windows: Creates files in the Windows directory
dns_without_resolve: DNS query without a response
process_crashed: One of the processes has failed
unexpected_exception: Unexpected exception
no_graphical_activity: No graphic activity
creates_suspended_process: Creates suspended process
origin_langid: Unconventional language of the executable file
get_policy_info: Retrieves information about a Policy object
test_check_service: Starts services