Managed XDR

vtdl_1739847600_lii3gt1o: dynamic analysis report for a malicious file

File information

File name
vtdl_1739847600_lii3gt1o
File type
Microsoft OOXML
File size
2.6 MB
First seen
Last seen

Environment

win7/x86 en

Hashes

SHA1
49e4d2681e8687023880e3d7b6b667d49c6a8b1b
SHA256
a26f53f913292ddc2dc77f7378d6bb3d2d1f35d6762b98ff465c5cd5decd0947
MD5
13b745f4308ae0e64c1fb940b62338a0

Signatures

Execution

T1203 office_exploit_creates_cmd: The document exhibits suspicious behaviour (creates a cmd.exe process)
T1203 suspicious_msapp: Suspicious execution of Microsoft Application (possible exploitation)
T1559 dde_auto: Office document has a DDEAUTO executable command
T1559 dde_img: Office document has an INCLUDEPICTURE with external link

Privilege Escalation

T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1497 evasion_trustrecords: Attempts to detect a sandbox by inspecting the Office TrustRecords list of trusted documents
T1497.001 antivm_queries_computername: Retrieves the computer name
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Discovery

T1497 evasion_trustrecords: Attempts to detect a sandbox by inspecting the Office TrustRecords list of trusted documents
T1497.001 antivm_queries_computername: Retrieves the computer name
T1083 checks_recent_files: Attempts to check recently opened files through the registry
T1135 server_share_info: Retrieves information about each shared resource on a server

Other

yara_rules: Static rules
create_rpc_bindings: Creates RPC connection
get_policy_info: Retrieves information about a Policy object
test_check_service: Starts services
office_links: Office file contains external links
antisandbox_check_graphics_card: Calls CreateDXGIFactory, potentially to enumerate the graphics adapter (VM detection)
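The dde_auto, dde_img and office_links signatures above describe properties that are visible statically in the OOXML package, without detonating the file: field codes in word/document.xml and relationships marked TargetMode="External". The script below is an added example and is not part of this report or of the Managed XDR sandbox. It unpacks a .docx, reassembles field codes that Word splits across several w:instrText runs (so that "DDE" + "AUTO" is seen as one code), flags DDE/DDEAUTO and INCLUDEPICTURE/INCLUDETEXT fields that point at a remote target, and lists every external relationship. The sample document, the example.invalid URL and the cmd.exe command line are constructed here for the demonstration and are not taken from the analysed file.

```python
"""Static triage of an OOXML (.docx) for DDE field codes and external links.

Added example, not part of the Managed XDR report. The .docx below is built
in memory; it is NOT the analysed sample vtdl_1739847600_lii3gt1o.
"""
import io
import json
import re
import zipfile
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
W = "{%s}" % W_NS

# Field codes of interest. DDE/DDEAUTO launch a DDE server (often cmd.exe);
# INCLUDEPICTURE/INCLUDETEXT/IMPORT fetch content from the given target.
DDE_FIELD = re.compile(r"^\s*DDE(AUTO)?\b", re.I)
REMOTE_FIELD = re.compile(
    r"^\s*(INCLUDEPICTURE|INCLUDETEXT|IMPORT)\b.*?(https?://|\\\\)", re.I | re.S)


def extract_field_codes(part_xml: bytes) -> list:
    """Return every field code in a WordprocessingML part.

    Complex fields are split across runs: <w:fldChar w:fldCharType="begin"/>,
    one or more <w:instrText> pieces, then "separate" and "end". Word acts on
    the concatenation, so a scanner that looks at single runs misses DDEAUTO.
    """
    root = ET.fromstring(part_xml)
    fields = []
    current = None  # pieces of the complex field currently being collected
    for el in root.iter():
        if el.tag == W + "fldSimple":  # simple field: code is an attribute
            fields.append(el.get(W + "instr", ""))
        elif el.tag == W + "fldChar":
            kind = el.get(W + "fldCharType")
            if kind == "begin":
                current = []
            elif kind in ("separate", "end") and current is not None:
                fields.append("".join(current).strip())
                current = None
        elif el.tag == W + "instrText" and current is not None:
            current.append(el.text or "")
    return [f for f in fields if f]


def external_relationships(zf: zipfile.ZipFile) -> list:
    """List (rels part, target) for every relationship with TargetMode="External"."""
    found = []
    for name in zf.namelist():
        if name.endswith(".rels"):
            root = ET.fromstring(zf.read(name))
            for rel in root.iter("{%s}Relationship" % REL_NS):
                if rel.get("TargetMode") == "External":
                    found.append((name, rel.get("Target", "")))
    return found


def triage_docx(data: bytes) -> dict:
    """Scan all word/*.xml parts (body, headers, footers, footnotes) and rels."""
    codes = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name.startswith("word/") and name.endswith(".xml"):
                try:
                    codes.extend(extract_field_codes(zf.read(name)))
                except ET.ParseError:
                    continue  # malformed part: worth a look, but keep scanning
        externals = external_relationships(zf)
    return {
        "field_codes": codes,
        "dde": [c for c in codes if DDE_FIELD.search(c)],
        "remote_fields": [c for c in codes if REMOTE_FIELD.search(c)],
        "external_rels": externals,
    }


def build_sample_docx() -> bytes:
    """Constructed sample: DDEAUTO split across two runs plus an INCLUDEPICTURE
    and an external image relationship pointing at a hypothetical host."""
    document_xml = """<?xml version="1.0" encoding="UTF-8"?>
<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"><w:body><w:p>
<w:r><w:fldChar w:fldCharType="begin"/></w:r>
<w:r><w:instrText xml:space="preserve"> DDE</w:instrText></w:r>
<w:r><w:instrText xml:space="preserve">AUTO c:\\\\windows\\\\system32\\\\cmd.exe "/k calc.exe" </w:instrText></w:r>
<w:r><w:fldChar w:fldCharType="separate"/></w:r>
<w:r><w:t>Error! Not a valid link.</w:t></w:r>
<w:r><w:fldChar w:fldCharType="end"/></w:r>
<w:fldSimple w:instr=" INCLUDEPICTURE &quot;http://example.invalid/t.png&quot; \\d "/>
</w:p></w:body></w:document>"""
    rels = """<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image" Target="http://example.invalid/t.png" TargetMode="External"/>
</Relationships>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")  # minimal, not a valid package
        zf.writestr("word/document.xml", document_xml)
        zf.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    print(json.dumps(triage_docx(build_sample_docx()), indent=2))
```

Run it against a real sample with `triage_docx(open(path, "rb").read())`. A non-empty "dde" list corresponds to the dde_auto signature, a hit in "remote_fields" to dde_img, and any entry in "external_rels" to office_links; none of these require the document to be opened, so the check is safe to run on the file before submission to a sandbox.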