Managed XDR

26-e5-8f-b7-e9-99-84-e4-bb-b6.xls (ZLoader) — отчёт о динамическом анализе вредоносного файла

Информация о файле

Имя файла: 26-e5-8f-b7-e9-99-84-e4-bb-b6.xls
Тип файла: Composite Document File V2 Document, Little Endian, Os: Windows, Version 5.1, Code page: 936, Last Saved By: VNN.R9, Last Printed: Thu Sep 20 06:27:49 2012, Create Time/Date: Wed Sep 19 01:37:16 2012, Last Saved Time/Date: Thu Sep 20 06:28:12 2012, Security: 0
Размер файла: 113.5 KB
Первое обнаружение: 2025-07-01 07:47
Последнее обнаружение: 2025-07-01 07:47

Окружение

win7/x86 en

Хеши

SHA1: 9587426039d57d1a4edaad36ff73aeea68b70782
SHA256: c961b9f3f381ea9ae9b14aac1d7c2b75b1f8dc26ff5e158303b22c585e6289af
MD5: c2ae5b6de8f6345d04d3a357381197dd

Вредоносное ПО

ZLoader

Сигнатуры

Execution

T1064 office_macros_hidden: Document contains suspicious Excel 4.0 macro

T1203 office_exploit_creates_cmd: The document exhibits suspicious behaviour (creates a cmd.exe process)

T1064 office_macros_suspicious: Document contains suspicious macro

T1204.002 office_wmi_load: Microsoft Office loads WMI DLL files (WMI usage indicator in macros)

T1204.002 office_vb_load: Microsoft Office is loading VB DLL files (macros usage indicator)

T1064 office_macros: The document contains macroses (total: 5)

T1064 office_macros_strings: Feature lines found in document macro

T1064 office_macros_autoexec: The document contains an auto-start macro

Privilege Escalation

T1134 opens_thread_token: Opens the access token associated with a thread

T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1064 office_macros_hidden: Document contains suspicious Excel 4.0 macro

T1562.001 office_security: Attempts to modify Microsoft Office security settings

T1064 office_macros_suspicious: Document contains suspicious macro

T1134 opens_thread_token: Opens the access token associated with a thread

T1134 opens_process_token: Opens the access token associated with a process

T1497 windows_enumthread: Attempts to enumerate windows using EnumThreadWindows and SendMessage for text obtaining

T1064 office_macros: The document contains macroses (total: 5)

T1064 office_macros_strings: Feature lines found in document macro

T1064 office_macros_autoexec: The document contains an auto-start macro

Discovery

T1497 windows_enumthread: Attempts to enumerate windows using EnumThreadWindows and SendMessage for text obtaining

T1082 reads_csrss: Attempts to read csrss.exe memory

T1082 windows_enumthread: Attempts to enumerate windows using EnumThreadWindows and SendMessage for text obtaining

Other

yara_rules: Static rules

creates_doc: Creates (office) documents in the file system

office_summary: The document contains suspicious metadata

break_limit_exceeded: Warning: function calls limit has been exceeded

get_policy_info: Retrieves information about a Policy object

test_check_service: Starts services

antisandbox_check_graphics_card: Uses CreateDXGIFactory, potentially to detect graphics card