Managed XDR

fbd1ksh8qtqpqrom.doc — отчёт о динамическом анализе вредоносного файла

Информация о файле

Имя файла
fbd1ksh8qtqpqrom.doc
Тип файла
Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Title: LIFENET Exchange Enterprise Bus to Enterprise System Interface Control Document, Subject: Medtronic Cover Sheet, Author: Alexander Frolov, Comments: Added Sync Asset Data and Asset Data messages to support LIFENET Cardiac Care System Release 4 Asset Awareness feature. Removed unused messages Account Is Added, Account Is Updated, Account Is Deleted, Node Is Added, Node Is Updated, Node Is Deleted, User Is Added, User Is Updated, User Is Deleted, Equipment Is Added, Equipment Is Updated, and Equipment Is Deleted. These messages were intended to be used for SuperLinus integration. See redline for detail of changes., Template: 7000377.A.ICD.dot, Last Saved By: Seely, Robyn, Revision Number: 2, Name of Creating Application: Microsoft Office Word, Total Editing Time: 01:00, Last Printed: Tue May 30 01:45:00 2006, Create Time/Date: Tue Apr 1 16:37:00 2025, Last Saved Time/Date: Tue Apr 1 16:37:00 2025, Number of Pages: 10, Number of Words: 1789, Number of Characters: 10199, Security: 0
Размер файла
211 KB
Первое обнаружение
Последнее обнаружение

Окружение

win7/x86 en

Хеши

SHA1
72cc6b19252f061ad7be365bb0fe5fe8f63f8891
SHA256
c70cf722789ed390b611e88d08bc7ebb560ab8337883a3ce48c774c878337891
MD5
dbd8983cd9fe7911a7eabbf6fdbcd61e

Сигнатуры

Privilege Escalation

T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1497 evasion_trustrecords: Attempts to detect Sandbox exploring trusted documents
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Credential Access

T1555.003 cookie_files: Accesses cookie files
T1552 cookie_files: Accesses cookie files

Discovery

T1497 evasion_trustrecords: Attempts to detect Sandbox exploring trusted documents
T1083 checks_recent_files: Attempt to check recently opened files through registry

Other

yara_rules: Static rules
office_suspicious_data: Office file contains suspicious data
create_rpc_bindings: Creates RPC connection
get_policy_info: Retrieves information about a Policy object
test_check_service: Starts services
office_links: Office file contains external links
antisandbox_check_graphics_card: Uses CreateDXGIFactory, potentially to detect graphics card