Managed XDR
Group-IB MDP Report
File info
Filename: vtdl_yjjf2_2l
File Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Working directory, Has command line arguments, Icon number=1, Archive, ctime=Sun Oct 1 20:50:20 2023, mtime=Sun Oct 1 20:50:20 2023, atime=Mon Jan 1 04:48:41 2018, length=14848, window=hide
File Size: 1009 Bytes
Env info
win7/x86 en
Hashes
SHA1: a408c1e492d2d07acf95c2b9fc22054dbbfb9a02
SHA256: ab4f4c94ea2077eae27a65528dcbc2a701ae97a193510f1a248209e8cc228841
MD5: 07d7f90f7ce7af61bfa70feca4aae75c
Signatures
Execution
T1204 suspicious_lnk: LNK file with suspicious content
T1059.003 suspicious_process: Spawns a suspicious process
T1059.001 url_cmdline: Cmdline of process contains URL
T1059.003 url_cmdline: Cmdline of process contains URL
Privilege Escalation
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process
Defense Evasion
T1218 suspicious_cmdline: Executes a suspicious command
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process
Credential Access
T1552 cookie_files: Accesses cookie files
T1555.003 cookie_files: Accesses cookie files
Command and Control
T1071.001 wininet_https: Performs HTTP/HTTPS requests using WinInet
Other
yara_rules: Static rules
suspicious_process_network: Unusual process network activity detected
dead_host: Connects to IP addresses that do not respond to requests
unexpected_exception: Unexpected exception
creates_suspended_process: Creates suspended process
get_policy_info: Retrieves information about a Policy object
next report: 487e9231-5d1a-4eb3-962c-7e427891617f
previous report: 2ba3db0a-6e80-4028-9011-67ba4b5a78e8
Managed XDR