Managed XDR

c-users-user-appdata-l...dh.i2y-2025_448157.lnk — malware analysis report

File info

Filename: c-users-user-appdata-local-temp-5blnacdh.i2y-2025_448157.lnk
File type: MS Windows shortcut, Item id list present, Has Description string, Has Relative path, Has Working directory, Has command line arguments, Icon number=121, ctime=Mon Jan 1 00:00:00 1601, mtime=Mon Jan 1 00:00:00 1601, atime=Mon Jan 1 00:00:00 1601, length=0, window=hidenormalshowminimized
File size: 1.9 KB
First seen: 2025-11-12 12:24
Last seen: 2025-11-12 12:24

Environment

w10/x86 en

Hashes

SHA1: c157e587545ba74980026bd082301e23cc2c002f
SHA256: a55733d4055fe83817b865638b71690fe8f32de77eec04498171fd7e1cb3eb67
MD5: 002bca1bb5ccc22049aa918aafc174a7

Signatures

Execution

T1204 suspicious_lnk: LNK file with suspicious content

T1053.005 creates_tasks: Creates a delayed task using Task Scheduler

T1059.001 suspicious_powershell: Creates suspicious powershell process

T1059 finger_abuse: Abusing finger.exe to download payload

T1059.003 suspicious_cmd_process: Cmd.exe without commandline launches a new process

T1059.001 suspicious_process: Spawns a suspicious process

T1047 has_wmi: Executes one or several WMI requests

Persistence

T1053.005 creates_tasks: Creates a delayed task using Task Scheduler

Privilege Escalation

T1053.005 creates_tasks: Creates a delayed task using Task Scheduler

T1134 opens_thread_token: Opens the access token associated with a thread

T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1218.011 rundll_shell32: Uses ShellExec_RunDLL to run an executable file

T1497.003 antisandbox_idletime: Detects Windows Idle Time to determine the uptime

T1497.001 antivm_queries_computername: Retrieves the computer name

T1134 opens_thread_token: Opens the access token associated with a thread

T1134 opens_process_token: Opens the access token associated with a process

Discovery

T1082 uses_windows_utilities: Uses Windows utilities for basic Windows functionality

T1497.003 antisandbox_idletime: Detects Windows Idle Time to determine the uptime

T1518 locates_browser: Attempts to identify where browsers are installed

T1497.001 antivm_queries_computername: Retrieves the computer name

Collection

T1560.001 cmdline_tar: Uses tar utility to compress or decompress data

Command and Control

T1071.001 network_http: Performs HTTP requests

T1105 cmdline_curl: Uses curl utility for network data transferring

Other

creates_exe: Creates executable files in the file system

executes_dropped_exe: Executes dropped exe files

network_bind: Starts servers listening at 127.0.0.1:0

creates_doc: Creates (office) documents in the file system

no_graphical_activity: No graphic activity

create_rpc_bindings: Creates RPC connection

creates_suspended_process: Creates suspended process

break_limit_exceeded: Warning: function calls limit has been exceeded

checktokenmembership: Checks user token with CheckTokenMembership call

writes_data: Writes big amount of data to disk

yara_rules: Static rules

Managed XDR