Managed XDR

sangfor-af-00000000000...c16c0d055bcbed305bbe5f — отчёт о динамическом анализе вредоносного файла

Информация о файле

Имя файла
sangfor-af-00000000000000000000000000000000-101054b86ec16c0d055bcbed305bbe5f
Тип файла
Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1200, Locale ID: 2052, Title: 30Pl, Author: use, Template: Normal, Last Saved By: Del, Revision Number: 2, Create Time/Date: Fri Apr 28 10:29:00 2023, Last Saved Time/Date: Fri Feb 21 03:23:52 2025, Last Printed: Wed Jun 17 04:54:00 2009, Number of Pages: 37, Number of Words: 11215, Number of Characters: 11908, Name of Creating Application: WPS Office_11.8.2.11716_F1E327B, Security: 0
Размер файла
620.1 KB
Первое обнаружение
Последнее обнаружение

Окружение

win7/x86 en

Хеши

SHA1
ecbc30881784087da71f06f85247e805084759ec
SHA256
1aca6e4af9c456cbd0aeba16978c39bac5cde0b1dec39de27a371ed0985178cb
MD5
101054b86ec16c0d055bcbed305bbe5f

Сигнатуры

Execution

T1204.002 office_vb_load: Microsoft Office is loading VB DLL files (macros usage indicator)
T1106 susp_callbacks: Suspicious usage of some WinAPI with callbacks
T1064 office_macros: The document contains macro
T1064 office_macros_autoexec: The document contains an auto-start macro

Privilege Escalation

T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process
T1064 office_macros: The document contains macro
T1064 office_macros_autoexec: The document contains an auto-start macro
T1497 evasion_trustrecords: Attempts to detect Sandbox exploring trusted documents
T1497.001 antivm_queries_computername: Retrieves the computer name

Discovery

T1518 locates_browser: Attempts to identify where browsers are installed
T1135 server_share_info: Retrieves information about each shared resource on a server
T1497 evasion_trustrecords: Attempts to detect Sandbox exploring trusted documents
T1497.001 antivm_queries_computername: Retrieves the computer name

Other

yara_rules: Static rules
create_rpc_bindings: Creates RPC connection
error_drawtext: An error occured while executing the file
get_policy_info: Retrieves information about a Policy object
test_check_service: Starts services
antisandbox_check_graphics_card: Uses CreateDXGIFactory, potentially to detect graphics card
checktokenmembership: Checks user token with CheckTokenMembership call