Managed XDR

ink.lnk — malware analysis report

File info

Filename
ink.lnk
File type
MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has command line arguments, Icon number=0, Archive, ctime=Sat Dec 7 02:04:06 2024, mtime=Mon Jan 20 08:55:52 2025, atime=Sat Dec 7 02:04:06 2024, length=339968, window=normal
(length=339968 is the FileSize field of the shortcut header, the size the shortcut records for its target; it is not the size of ink.lnk itself, which is given under File size.)
File size
1.9 MB
First seen
Last seen
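The File type line above is the summary the `file` utility builds from the shortcut's header fields. The parser below is an added example, not part of this report and not the analysed sample: it reads those fields from a constructed .lnk, reproduces the same summary, decodes the relative path and command-line arguments that the flags announce, and counts the bytes left after the parsed structures, which is a quick way to notice a shortcut that is far larger than its structures account for. The sample shortcut, its target path, its padded arguments and the trailing filler are all constructed in build_sample_lnk().

```python
"""
Parser for the Shell Link (.lnk) header and StringData sections, following
MS-SHLLINK: 76-byte ShellLinkHeader, optional LinkTargetIDList, optional
LinkInfo, then StringData. Added example; the input is CONSTRUCTED below.
"""
import struct
from datetime import datetime, timedelta, timezone

# {00021401-0000-0000-C000-000000000046}, the Shell Link CLSID, in on-disk byte order
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HEADER_FMT = "<I16sIIQQQIIIHHII"            # HeaderSize .. Reserved3, 76 bytes
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
# LinkFlags bits used here (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_RELATIVE_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
FILE_ATTRIBUTE_ARCHIVE = 0x20
SHOW_COMMANDS = {1: "normal", 3: "maximized", 7: "minnoactive"}
# StringData sections in on-disk order, each gated by its LinkFlags bit
STRING_DATA = [(HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
               (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
               (HAS_ICON_LOCATION, "icon_location")]


def to_filetime(dt: datetime) -> int:
    """UTC datetime -> FILETIME (100 ns ticks since 1601-01-01), integer arithmetic only."""
    d = dt - EPOCH_1601
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10


def from_filetime(ft: int) -> datetime:
    """FILETIME -> UTC datetime (sub-microsecond ticks dropped)."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def parse_lnk(data: bytes) -> dict:
    """Parse the header, skip the ID list and LinkInfo, decode StringData, count leftovers."""
    if len(data) < 76:
        raise ValueError("too short for a ShellLinkHeader")
    (hdr_size, clsid, flags, attrs, ctime, atime, wtime, size, icon_idx,
     show_cmd, _hotkey, _r1, _r2, _r3) = struct.unpack_from(HEADER_FMT, data, 0)
    if hdr_size != 0x4C or clsid != LINK_CLSID:
        raise ValueError("not a Shell Link: bad HeaderSize or CLSID")
    pos = hdr_size
    if flags & HAS_LINK_TARGET_ID_LIST:            # IDListSize, then the IDList (skipped whole)
        (idlist_size,) = struct.unpack_from("<H", data, pos)
        pos += 2 + idlist_size
    if flags & HAS_LINK_INFO:                      # LinkInfoSize counts itself
        (linkinfo_size,) = struct.unpack_from("<I", data, pos)
        pos += linkinfo_size
    strings = {}
    for bit, name in STRING_DATA:                  # CountCharacters + chars, no terminator
        if not flags & bit:
            continue
        (count,) = struct.unpack_from("<H", data, pos)
        pos += 2
        width = 2 if flags & IS_UNICODE else 1     # ANSI strings: system code page, cp1252 assumed
        raw = data[pos:pos + count * width]
        if len(raw) != count * width:
            raise ValueError(f"truncated StringData section {name}")
        pos += len(raw)
        strings[name] = raw.decode("utf-16-le" if width == 2 else "cp1252", errors="replace")
    return {
        "has_idlist": bool(flags & HAS_LINK_TARGET_ID_LIST),
        "archive": bool(attrs & FILE_ATTRIBUTE_ARCHIVE),
        "ctime": from_filetime(ctime), "atime": from_filetime(atime), "mtime": from_filetime(wtime),
        "target_size": size, "icon_index": icon_idx,
        "window": SHOW_COMMANDS.get(show_cmd, "normal"),   # spec: other values are treated as normal
        **strings,
        # ExtraData blocks also live past StringData, so a large value is a triage hint, not a verdict
        "trailing_bytes": len(data) - pos,
    }


def describe(info: dict) -> str:
    """file(1)-style one-liner built from the parsed fields."""
    parts = ["MS Windows shortcut"]
    if info["has_idlist"]:
        parts.append("Item id list present")
    if "relative_path" in info:
        parts.append("Has Relative path")
    if "arguments" in info:
        parts.append("Has command line arguments")
    parts.append(f"Icon number={info['icon_index']}")
    if info["archive"]:
        parts.append("Archive")
    parts += [f"length={info['target_size']}", f"window={info['window']}"]
    return ", ".join(parts)


def build_sample_lnk() -> bytes:
    """CONSTRUCTED sample: cmd.exe shortcut, whitespace-padded arguments, 64 bytes of filler."""
    flags = HAS_LINK_TARGET_ID_LIST | HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    created = to_filetime(datetime(2024, 12, 7, 2, 4, 6, tzinfo=timezone.utc))
    written = to_filetime(datetime(2025, 1, 20, 8, 55, 52, tzinfo=timezone.utc))
    header = struct.pack(HEADER_FMT, 0x4C, LINK_CLSID, flags, FILE_ATTRIBUTE_ARCHIVE,
                         created, created, written, 339968, 0, 1, 0, 0, 0, 0)
    item = b"\x1f\x00"                              # one dummy ItemID payload
    idlist = struct.pack("<H", len(item) + 2) + item + b"\x00\x00"   # ItemIDSize, data, TerminalID
    idlist = struct.pack("<H", len(idlist)) + idlist                 # IDListSize prefix

    def s(text: str) -> bytes:                      # one UTF-16LE StringData section
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")
    # Leading whitespace pushes the real command out of view in the Properties dialog.
    body = s(r"..\..\..\Windows\System32\cmd.exe") + s(" " * 200 + "/c echo constructed-sample")
    return header + idlist + body + b"\x00" * 64   # filler standing in for appended data


if __name__ == "__main__":
    info = parse_lnk(build_sample_lnk())
    print(describe(info))
    print(repr(info["arguments"].strip()), info["trailing_bytes"], "trailing bytes")
```

The leftover count is only a hint: legitimate shortcuts carry ExtraData blocks (tracker, property store, environment strings) after StringData, so compare it against what those blocks plausibly need rather than treating any non-zero value as a payload. For a real sample, compare the parsed `target_size` with the size of the .lnk on disk the way the two File info fields above invite.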

Environment

w10/x86 en

Hashes

SHA1
d1e9a77c689d1c2824385d29e2de737879b18b26
SHA256
71a1205be3600bea40d04bd377d79132ee7d59ef54966f7f9e02ba4bb4ec5b30
MD5
e1669774344e53c1d7c46d1fdbae0ff3

Signatures

Execution

T1204 suspicious_lnk: LNK file with suspicious content

Persistence

T1574 dropper_dll: Creates DLL, which is then loaded into the process

Privilege Escalation

T1574 dropper_dll: Creates DLL, which is then loaded into the process
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1140 unpacking_utilities: Uses Windows utilities to unpack data
T1574 dropper_dll: Creates DLL, which is then loaded into the process
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process
T1070.004 self_removal_command: Executes command to delete itself

Credential Access

T1552 infostealer_ftp: Collects data from local FTP clients

Other

creates_in_windows: Creates files in the Windows directory
creates_exe: Creates executable files in the file system
executes_dropped_exe: Executes dropped exe files
creates_suspended_process: Creates suspended process
checktokenmembership: Checks user token with CheckTokenMembership call
writes_data: Writes big amount of data to disk
yara_rules: Static rules