Managed XDR

c-programdata-microsof...filesync-beginsync.lnk — malware analysis report

File info

Filename
c-programdata-microsoft-onedrive-filesync-beginsync.lnk
File type
MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has command line arguments, Archive, ctime=Sat Dec 7 09:09:37 2019, mtime=Sat Dec 7 09:09:37 2019, atime=Sat Dec 7 09:09:37 2019, length=52224, window=hidenormalshowminimized
File size
1.3 KB
First seen
Last seen

Environment

w10/x64 en

Hashes

SHA1
194c81b617a4523b789bca3fe1023a07a7d32f5a
SHA256
64190668d3e17a39b37304124c480bb65255976790a1d439d43f310a0594a2a1
MD5
1d8daed5351907ca94d0c52f488f8c5d

Signatures

Execution

T1059.001 suspicious_powershell: Creates suspicious powershell process
T1047 antivm_wmi: Uses WMI to detect virtual environment
T1047 has_wmi: Executes one or several WMI requests

Persistence

T1547.001 persistence_autorun: Makes itself run automatically on Windows startup

Privilege Escalation

T1547.001 persistence_autorun: Makes itself run automatically on Windows startup
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1564.001 stealth_file: Creates hidden or system files
T1497.001 antivm_wmi: Uses WMI to detect virtual environment
T1497.003 antisandbox_idletime: Detects Windows Idle Time to determine the uptime
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Discovery

T1057 has_wmi: Executes one or several WMI requests
T1497.001 antivm_wmi: Uses WMI to detect virtual environment
T1497.003 antisandbox_idletime: Detects Windows Idle Time to determine the uptime
T1518 locates_browser: Attempts to identify where browsers are installed

Command and Control

T1102.003 cloud_discord: Connects to cloud services of Discord (potentially for malicious payload delivery)
T1102.003 cloud_github: Connects to cloud services of Github (potentially for malicious payload delivery)
T1071.001 network_http: Performs HTTP requests

Other

code_share_services: Connects to text storage services (potentially for malicious payload delivery)
creates_exe: Creates executable files in the file system
network_powershell: Powershell process network connection detected
network_ftp: Performs FTP requests
creates_suspended_process: Creates suspended process
break_limit_exceeded: Warning: function calls limit has been exceeded
creates_in_programdata: Creates files in the ProgramData directory
test_check_service: Starts services
yara_rules: Static rules