Managed XDR
Group-IB MDP Report
File info
Filename: bot.lnk
File Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has command line arguments, Archive, ctime=Sat Apr 6 02:16:44 2024, mtime=Thu Dec 19 01:32:46 2024, atime=Sat Apr 6 02:16:44 2024, length=289792, window=hide
File Size: 1.3 KB
Env info
win7/x86 en
Hashes
SHA1: 7b1552d2154b90f160b5e4b6be4842bbd0eb1eb5
SHA256: 2daa5684c446bf9e4d7350785e8437a8005190863a41e3e84c7ff366403f1130
MD5: f19aeb081f88be35c4e035bd9785331c
Signatures
Execution
T1059.001 suspicious_powershell: Creates suspicious powershell process
T1204 suspicious_lnk: LNK file with suspicious content
T1059.003 suspicious_cmd_process: Cmd.exe without commandline launches a new process
T1059.001 suspicious_process: Spawns a suspicious process
T1059.003 suspicious_cmd_process_2: Cmd.exe performs suspicious activity (stdout)
T1059.001 url_cmdline: Cmdline of process contains URL
T1059.003 url_cmdline: Cmdline of process contains URL
Privilege Escalation
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process
Defense Evasion
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process
Discovery
T1518 locates_browser: Attempts to identify where browsers are installed
Other
yara_rules: Static rules
unexpected_exception: Unexpected exception
creates_suspended_process: Creates suspended process
get_policy_info: Retrieves information about a Policy object
next report: a83495a3-c9af-4cc4-b492-afabd5333a8e
previous report: 08a50df1-5c1b-4885-90e0-a512bfb2a0a7
Managed XDR