c-users-user-appdata-local-temp-k5jhi2dh.k05-itaucomprovante-76091-9651.pdf.lnk

Managed XDR

Group-IB MDP Report

File info

Filename: c-users-user-appdata-local-temp-k5jhi2dh.k05-itaucomprovante-76091-9651.pdf.lnk

File Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Archive, ctime=Sat May 8 08:16:08 2021, mtime=Sat May 8 08:16:08 2021, atime=Sat May 8 08:16:08 2021, length=450560, window=hide

File Size: 1.6 KB

Env info

win7/x86 en

Hashes

SHA1: 80de6fc648c74ff4665da8ae283fe8e8858fa0c0

SHA256: aff624c20bc7f4e2b5654d2de5e55f12eda87c9dfd9cc7c9585b85a0c8109dff

MD5: 0be69b5eb57fcbfd88e2d43f493e9dc6

Signatures

Execution

T1059.001 suspicious_powershell: Creates suspicious powershell process

T1204 suspicious_lnk: LNK file with suspicious content

T1059.001 suspicious_process: Spawns a suspicious process

T1059.001 url_cmdline: Cmdline of process contains URL

T1059.003 url_cmdline: Cmdline of process contains URL

Privilege Escalation

T1134 opens_thread_token: Opens the access token associated with a thread

T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1218 suspicious_cmdline: Executes a suspicious command

T1134 opens_thread_token: Opens the access token associated with a thread

T1134 opens_process_token: Opens the access token associated with a process

Other

yara_rules: Static rules

unexpected_exception: Unexpected exception

creates_suspended_process: Creates suspended process

get_policy_info: Retrieves information about a Policy object

next report: 305d1ba9-fa8c-497b-9161-13a7996c123a

previous report: 81c11f53-4671-40ca-bd6d-c08b2370573d

Managed XDR