Managed XDR

07-26-po-17296-zahra-tul-shams-est.doc — отчёт о динамическом анализе вредоносного файла

Информация о файле

Имя файла
07-26-po-17296-zahra-tul-shams-est.doc
Тип файла
Rich Text Format data, version 1, unknown character set
Размер файла
3.6 MB
Первое обнаружение
Последнее обнаружение

Окружение

win7/x64 en

Хеши

SHA1
b1c384db01d646e9b84e75c30cf49942ecc5d7cf
SHA256
e0d9ebdf95402e879b9bc1fb8f8e59b837e184b72dd80b3596baca9da218b31c
MD5
fbc15e023c990b04bcb3ac2a8f3e2ba7

Сигнатуры

Persistence

T1574.011 persistence_services: Modifies Services registry key
T1543.003 persistence_services: Modifies Services registry key

Privilege Escalation

T1574.011 persistence_services: Modifies Services registry key
T1543.003 persistence_services: Modifies Services registry key
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1562 dep_disable: Disables DEP
T1574.011 persistence_services: Modifies Services registry key
T1497 evasion_trustrecords: Attempts to detect Sandbox exploring trusted documents
T1497 checks_firmware: Attempts to read firmware information (potentially for evasion)
T1497.001 antivm_queries_computername: Retrieves the computer name
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Discovery

T1497 evasion_trustrecords: Attempts to detect Sandbox exploring trusted documents
T1497 checks_firmware: Attempts to read firmware information (potentially for evasion)
T1497.001 antivm_queries_computername: Retrieves the computer name
T1082 checks_firmware: Attempts to read firmware information (potentially for evasion)

Other

yara_rules: Static rules
get_policy_info: Retrieves information about a Policy object
test_check_service: Starts services
antisandbox_check_graphics_card: Uses CreateDXGIFactory, potentially to detect graphics card