Managed XDR

photo_2026-05-015_953.lnk — malware analysis report

File info

Filename: photo_2026-05-015_953.lnk
File type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has command line arguments, Icon, Archive, ctime=Thu May 14 10:10:38 2026, mtime=Tue May 19 04:15:09 2026, atime=Thu May 14 10:10:38 2026, length=339968, window=hidenormalshowminimized
File size: 1.9 KB
First seen: 2026-05-30 19:34
Last seen: 2026-05-30 19:34

Environment

w10/x64 en

Hashes

SHA1: 2562b62d50a0f65604fe570eb4e4548406cda558
SHA256: bfba69a04e502f711fd4b71758c059b9a28ae4eebbc873426674a6bac7d26b6e
MD5: b0fbed7ef07421b102c425b5097d62c4

Signatures

Execution

T1204 suspicious_lnk: LNK file with suspicious content

T1059.001 suspicious_powershell: Creates suspicious PowerShell process

T1047 antivm_wmi: Uses WMI to detect virtual environment

T1047 has_wmi: Executes one or several WMI requests

T1059.001 url_cmdline: Cmdline of process contains URL

T1059.003 suspicious_cmd: Executes cmd.exe with a suspicious command line

T1059.003 executes_dropped_cmd: Executes dropped batch files

T1059.003 url_cmdline: Cmdline of process contains URL

Persistence

T1547.001 persistence_autorun: Makes itself run automatically on Windows startup

Privilege Escalation

T1547.001 persistence_autorun: Makes itself run automatically on Windows startup

Defense Evasion

T1218 suspicious_cmdline: Executes a suspicious command

T1027 suspicious_cmd: Executes cmd.exe with a suspicious command line

T1497.001 antivm_wmi: Uses WMI to detect virtual environment

T1497.003 antisandbox_idletime: Detects Windows Idle Time to determine the uptime

T1497 evasion_printers: Attempts to detect Sandbox by exploring existing printers

T1497.001 antivm_generic_productname: Checks system product name in registry, possibly for anti-virtualization

Credential Access

T1555.004 windows_credential_manager: Acquire credentials from the Windows Credential Manager

Discovery

T1497.001 antivm_wmi: Uses WMI to detect virtual environment

T1497.003 antisandbox_idletime: Detects Windows Idle Time to determine the uptime

T1057 has_wmi: Executes one or several WMI requests

T1082 has_wmi: Executes one or several WMI requests

T1518 locates_browser: Attempts to identify where browsers are installed

T1497 evasion_printers: Attempts to detect Sandbox by exploring existing printers

T1497.001 antivm_generic_productname: Checks system product name in registry, possibly for anti-virtualization

Command and Control

T1071.001 winhttp_https: Performs HTTP/HTTPS requests using WinHttp

T1105 cmdline_curl: Uses curl utility for network data transferring

Other

network_bind: Starts servers listening at None

creates_exe: Creates executable files in the file system

creates_suspended_process: Creates suspended process

suspicious_network_port: Performs TCP or UDP request to non-standard port

test_check_service: Starts services

yara_rules: Static rules

Managed XDR