Managed XDR

0dcd9172d7c5e0ad52e470ccbb6f84db-del.docx: dynamic analysis report for a malicious file

File information

File name: 0dcd9172d7c5e0ad52e470ccbb6f84db-del.docx
File type: Zip archive data, at least v2.0 to extract (OOXML container)
File size: 4.9 MB
First seen:
Last seen:

Environment

win7/x64 en

Hashes

SHA1: 74e7f2c82487d13a23c6f86212842d586732e516
SHA256: 454b3c24ba689a3139a118314ab628d35a09f81a525b160412e7d933c03f9177
MD5: 35ffa688c33c8f187f2a20b9b1e7b326

Signatures (grouped by MITRE ATT&CK tactic; a technique mapped to several tactics is listed under each)

Execution

T1204.002 mimics_extension: Uses a misleading file extension (the extension does not match the file's actual type)

Persistence

T1547.001 persistence_autorun: Makes itself run automatically on Windows startup

Privilege Escalation

T1547.001 persistence_autorun: Makes itself run automatically on Windows startup
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process
T1497 evasion_trustrecords: Attempts to detect a sandbox by inspecting Office trusted-document records (TrustRecords)
T1036 mimics_extension: Uses a misleading file extension (the extension does not match the file's actual type)

Discovery

T1497 evasion_trustrecords: Attempts to detect a sandbox by inspecting Office trusted-document records (TrustRecords)
T1135 server_share_info: Enumerates the shared resources on a server (network share discovery)

Command and Control

T1071.004 network_dns_tunneling_request: Generates suspicious DNS queries (indicative of DNS tunneling)

Other

suricata_alert: Malicious network traffic detected (Suricata IDS alert)
office_embedded: Office document contains embedded executable file(s)
creates_in_windows: Creates files in the Windows directory
creates_exe: Creates executable files on the file system
dns_freehosting_domain: Resolves a free-hosting domain, possibly malicious
dns_without_resolve: DNS query without a response
dead_host: Connects to IP addresses that do not respond to requests
empty_filename: Creates an executable file with an empty name
create_rpc_bindings: Creates RPC bindings
get_policy_info: Retrieves information about an LSA Policy object
test_check_service: Starts services
antisandbox_check_graphics_card: Calls CreateDXGIFactory, potentially to enumerate the graphics adapter (sandbox VMs often lack a real GPU)
writes_data: Writes a large amount of data to disk
pe_overlay: PE file contains overlay (data appended after the last section)
yara_rules: Static YARA rules matched
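The office_embedded, creates_exe, pe_overlay and mimics_extension findings above can be reproduced statically before detonation. The following Python script is an added example and is not part of this report or of the Managed XDR product: it hashes the submission, checks that the extension agrees with the file's magic bytes, walks the OOXML zip entries looking for an embedded PE image, and measures any overlay after the last PE section. The document it scans is constructed in build_sample_docx() (an OLE-magic stub followed by a minimal PE with a 10-byte overlay), and all function and field names are the example's own. Note that the 32-hex-character prefix of the submitted file name is not the MD5 listed under Hashes, so verify a sample against the hash fields rather than the name.

```python
"""Static triage of an OOXML document: type-vs-extension check, embedded PE
detection and PE overlay measurement.  Added example; sample input is
constructed in build_sample_docx()."""
import hashlib
import io
import struct
import zipfile

MAGIC = {b"PK\x03\x04": "zip", b"MZ": "pe", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole"}
OOXML_EXT = (".docx", ".docm", ".xlsx", ".xlsm", ".pptx", ".pptm")


def magic_type(data: bytes) -> str:
    """Classify by leading bytes, the same way the report's 'File type' row does."""
    for sig, name in MAGIC.items():
        if data.startswith(sig):
            return name
    return "unknown"


def hashes(data: bytes) -> dict:
    return {a: hashlib.new(a, data).hexdigest() for a in ("md5", "sha1", "sha256")}


def pe_overlay_size(pe: bytes):
    """Bytes appended after the last section's raw data, or None if not a PE."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return None
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    size_opt = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    sec_table = e_lfanew + 24 + size_opt          # after signature + COFF + optional header
    end = 0
    for i in range(nsec):
        # SizeOfRawData and PointerToRawData sit at +16 and +20 in each 40-byte entry
        raw_size, raw_ptr = struct.unpack_from("<II", pe, sec_table + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)
    return max(0, len(pe) - end)


def find_embedded_pe(blob: bytes):
    """Offset of the first 'MZ' whose e_lfanew points at a 'PE\\0\\0' signature."""
    pos = blob.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(blob):
            e_lfanew = struct.unpack_from("<I", blob, pos + 0x3C)[0]
            sig = pos + e_lfanew
            if blob[sig:sig + 4] == b"PE\x00\x00":
                return pos
        pos = blob.find(b"MZ", pos + 1)
    return None


def scan_ooxml(filename: str, data: bytes) -> dict:
    kind = magic_type(data)
    report = {"type": kind, "hashes": hashes(data), "entries": [], "embedded_pe": [],
              "extension_mismatch": filename.lower().endswith(OOXML_EXT) and kind != "zip"}
    if kind != "zip":
        return report
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for info in z.infolist():
            report["entries"].append(info.filename)
            blob = z.read(info)
            off = find_embedded_pe(blob)
            if off is not None:
                report["embedded_pe"].append((info.filename, off, pe_overlay_size(blob[off:])))
    return report


def build_min_pe(section_data: bytes, overlay: bytes = b"") -> bytes:
    """Smallest PE32 layout that a section-table walker accepts (constructed, not runnable)."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                      # e_lfanew
    size_opt = 0xE0                                               # PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, size_opt, 0x0102)
    opt = bytearray(size_opt)
    struct.pack_into("<H", opt, 0, 0x10B)                         # PE32 magic
    raw_ptr = 0x40 + 4 + 20 + size_opt + 40                       # one section header
    sec = struct.pack("<8sIIIIIIHHI", b".text\x00\x00\x00", len(section_data), 0x1000,
                      len(section_data), raw_ptr, 0, 0, 0, 0, 0x60000020)
    return bytes(dos) + b"PE\x00\x00" + coff + bytes(opt) + sec + section_data + overlay


def build_sample_docx() -> bytes:
    """Constructed sample: OLE magic stub + PE (64-byte .text, 10-byte overlay) in word/embeddings."""
    payload = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8 + build_min_pe(b"\x90" * 64, b"OVERLAYPAD")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/embeddings/oleObject1.bin", payload)
    return buf.getvalue()


if __name__ == "__main__":
    import json
    print(json.dumps(scan_ooxml("sample-del.docx", build_sample_docx()), indent=2))
```

Replace build_sample_docx() with the bytes of a real submission to triage it; a non-zero third element in embedded_pe is the pe_overlay finding, and extension_mismatch going True is the static form of mimics_extension. Real embedded objects are usually full OLE compound files, so the PE may sit inside a stream rather than at a fixed offset, which is why the scanner searches for a validated MZ/PE pair instead of trusting the first two bytes.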