Managed XDR

powershell.exe.lnk — malware analysis report

File info

Filename
powershell.exe.lnk
File type
MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Archive, ctime=Sat Nov 23 22:25:46 2024, mtime=Mon Nov 3 01:03:35 2025, atime=Sat Nov 23 22:25:46 2024, length=455680, window=hide
File size
2.1 KB
First seen
Last seen

Environment

w10/x64 en

Hashes

SHA1
1ae060af165625f1e5f7b1b78dd60392294d4d2b
SHA256
9dd4eed52a14bacb4559ad95a899ac4c79b344246761496700dcc092c82b0319
MD5
0fe10470c161d8b9c6ad15564d6e78f0

Signatures

Execution

T1059.001 suspicious_powershell: Creates suspicious powershell process
T1059.001 suspicious_process: Spawns a suspicious process

Privilege Escalation

T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1497.003 antisandbox_idletime: Detects Windows Idle Time to determine the uptime
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Discovery

T1497.003 antisandbox_idletime: Detects Windows Idle Time to determine the uptime
T1518 locates_browser: Attempts to identify where browsers are installed

Other

creates_suspended_process: Creates suspended process
test_check_service: Starts services
yara_rules: Static rules