Managed XDR

a.doc — отчёт о динамическом анализе вредоносного файла

Информация о файле

Имя файла
a.doc
Тип файла
Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1200, Title: 5? -, Author: cas, Template: Norm, Last Saved By: GX, Revision Number: 2, Last Printed: Fri Feb 14 18:03:17 2025, Create Time/Date: Wed Sep 30 19:33:00 2020, Last Saved Time/Date: Fri Feb 14 10:27:33 2025, Number of Pages: 5, Number of Words: 1081, Number of Characters: 1211, Name of Creating Application: WPS Office_11.8.2.9958_F1E327B, Security: 0, Locale ID: 2052
Размер файла
42 KB
Первое обнаружение
Последнее обнаружение

Окружение

win7/x86 en

Хеши

SHA1
754a56424b5c5c3973dfff870554a57f1375c2e7
SHA256
b5d81d04073ff4dfe1643d263251c8b2debd4d624fa3bb6cdd6f702235cc1e9a
MD5
5c176c89050c23edf97c6e0577f89514

Сигнатуры

Execution

T1204.002 office_vb_load: Microsoft Office is loading VB DLL files (macros usage indicator)
T1064 office_macros: The document contains macro
T1064 office_macros_autoexec: The document contains an auto-start macro

Privilege Escalation

T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1497 evasion_trustrecords: Attempts to detect Sandbox exploring trusted documents
T1497.001 antivm_queries_computername: Retrieves the computer name
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process
T1064 office_macros: The document contains macro
T1064 office_macros_autoexec: The document contains an auto-start macro

Discovery

T1518 locates_browser: Attempts to identify where browsers are installed
T1497 evasion_trustrecords: Attempts to detect Sandbox exploring trusted documents
T1497.001 antivm_queries_computername: Retrieves the computer name
T1135 server_share_info: Retrieves information about each shared resource on a server

Other

yara_rules: Static rules
create_rpc_bindings: Creates RPC connection
get_policy_info: Retrieves information about a Policy object
test_check_service: Starts services
antisandbox_check_graphics_card: Uses CreateDXGIFactory, potentially to detect graphics card
checktokenmembership: Checks user token with CheckTokenMembership call