Managed XDR
Group-IB MDP Report
File info
Filename: lbb_ps1.ps1
File Type: ASCII text, with very long lines, with CRLF, LF line terminators
File Size: 466.6 KB
Env info
win7/x86 en
Hashes
SHA1: 9397b1ce2b42e8b08431ea55afa951b0d0402c28
SHA256: 2f5051217414f6e465f4c9ad0f59c3920efe8ff11ba8e778919bac8bd53d915c
MD5: 0eff1f3ca94f1c8aeb4b720d6dd54fc3
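Added example (not part of the Group-IB report): a Python check that hashes a candidate file's raw bytes and compares the digests with the three hashes above. The file type line shows the sample has mixed CRLF and LF line terminators, so the check also reports whether line-ending normalization would change the bytes: a copy that passed through an editor, a clipboard, or a git checkout with autocrlf enabled produces a different file and matches none of these hashes. The normalize_line_endings helper and the command-line path argument are assumptions for the illustration; any sample input in the usage is constructed.

```python
"""Verify a file against the report's hashes, hashing the bytes exactly as
stored on disk. Added example, not code from the report or from Group-IB."""
import hashlib
import sys
from pathlib import Path

# Hashes published in the report for lbb_ps1.ps1 (lowercase hex).
REPORT_HASHES = {
    "md5": "0eff1f3ca94f1c8aeb4b720d6dd54fc3",
    "sha1": "9397b1ce2b42e8b08431ea55afa951b0d0402c28",
    "sha256": "2f5051217414f6e465f4c9ad0f59c3920efe8ff11ba8e778919bac8bd53d915c",
}


def digests(data: bytes) -> dict:
    """Return lowercase hex MD5, SHA1 and SHA256 of the exact bytes given."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def normalize_line_endings(data: bytes) -> bytes:
    """Mimic a CRLF-normalizing tool (assumed helper): turn CRLF into LF.
    The report's file contains both terminators, so this changes the bytes."""
    return data.replace(b"\r\n", b"\n")


def match_report(data: bytes, reference: dict = REPORT_HASHES) -> dict:
    """Compare raw-byte digests with the reference set (case-insensitive)
    and flag whether line-ending normalization would invalidate the match."""
    raw = digests(data)
    wanted = {algo: h.lower() for algo, h in reference.items()}
    return {
        "matches": [algo for algo, h in raw.items() if wanted.get(algo) == h],
        "has_crlf": b"\r\n" in data,
        "normalization_changes_hash": normalize_line_endings(data) != data,
        "digests": raw,
    }


def check_file(path: str, reference: dict = REPORT_HASHES) -> dict:
    """Read the file as raw bytes (never in text mode) and compare."""
    return match_report(Path(path).read_bytes(), reference)


if __name__ == "__main__":
    # Usage: python check_hashes.py <candidate-file>
    result = check_file(sys.argv[1])
    if result["matches"]:
        print("MATCH on", ", ".join(result["matches"]))
    else:
        print("no match; raw digests:", result["digests"])
    if result["has_crlf"] and result["normalization_changes_hash"]:
        print("warning: file contains CRLF; any line-ending normalization "
              "would change every digest, compare raw bytes only")
```

Always read the candidate in binary mode; opening a .ps1 in text mode and re-encoding it is the most common reason a sample that "is" the reported file fails to match its published hashes.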
Malware
Lockbit
Signatures
Privilege Escalation
T1134 sets_privilegies_via_adjusttokenprivileges: Sets process privilege via AdjustTokenPrivileges
T1134 sets_privilegies_via_rtladjustprivilege: Sets process privilege via RtlAdjustPrivilege
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process
Defense Evasion
T1497 antidbg_setinformationthread: Attempts to evade debugger using NtSetInformationThread
T1134 sets_privilegies_via_adjusttokenprivileges: Sets process privilege via AdjustTokenPrivileges
T1134 sets_privilegies_via_rtladjustprivilege: Sets process privilege via RtlAdjustPrivilege
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process
T1497.001 antivm_queries_computername: Retrieves the computer name
Discovery
T1497 antidbg_setinformationthread: Attempts to evade debugger using NtSetInformationThread
T1518 locates_browser: Attempts to identify where browsers are installed
T1135 server_share_info: Retrieves information about each shared resource on a server
T1497.001 antivm_queries_computername: Retrieves the computer name
Other
yara_rules: Static rules
lockbit: Detected ransomware Lockbit
create_rpc_bindings: Creates RPC connection
get_policy_info: Retrieves information about a Policy object
creates_in_programdata: Creates files in the ProgramData directory
checktokenmembership: Checks user token with CheckTokenMembership call