Managed XDR

nf-9eac306f-d134-4609-9c58ogt.pdf.lnk — malware analysis report

File info

Filename
nf-9eac306f-d134-4609-9c58ogt.pdf.lnk
File type
MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has command line arguments, Icon, Archive, ctime=Sat Sep 15 07:14:14 2018, mtime=Sat Sep 15 07:14:14 2018, atime=Sat Sep 15 07:14:14 2018, length=261712, window=hidenormalshowminimized
File size
2 KB
First seen
Last seen
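The file-type line above is file(1)'s reading of the 76-byte ShellLinkHeader: the LinkFlags ("Item id list present" is HasLinkTargetIDList, "Points to a file or directory" is HasLinkInfo, "Has command line arguments" is HasArguments, "Icon" is HasIconLocation), the FileAttributes, the three target FILETIMEs, the target's size, and ShowCommand. Its magic tests ShowCommand one bit at a time, so the value 7 (SW_SHOWMINNOACTIVE, 1|2|4) comes out as the odd "hidenormalshowminimized": the target is launched minimized and without focus, which keeps a spawned console out of the user's sight. What the line does not show is the argument string, which is where a malicious shortcut carries its command line. The parser below is an added example, not the sandbox's code or the analysed sample; it walks the header, skips the LinkTargetIDList and LinkInfo by their size fields, and decodes the StringData blocks (relative path, working directory, arguments, icon location) per MS-SHLLINK. The shortcut it parses is constructed here; its header values mirror the report (Archive, target length 261712, ShowCommand 7, the 2018-09-15 timestamps), while the target path, arguments and ItemID/LinkInfo bytes are invented placeholders.

```python
"""Triage parser and builder for Windows Shell Link (.lnk) files (MS-SHLLINK).

Added example; not the sandbox's code and not the analysed sample. The
shortcut built at the bottom is constructed for the demo.
"""
import struct
from datetime import datetime, timedelta, timezone

LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# LinkFlags (MS-SHLLINK 2.1.1); the comments give file(1)'s label for the bit
LINK_FLAGS = {
    0x01: "HasLinkTargetIDList",  # "Item id list present"
    0x02: "HasLinkInfo",          # "Points to a file or directory"
    0x04: "HasName",              # "Has Description string"
    0x08: "HasRelativePath",      # "Has Relative path"
    0x10: "HasWorkingDir",        # "Has Working directory"
    0x20: "HasArguments",         # "Has command line arguments"
    0x40: "HasIconLocation",      # "Icon"
    0x80: "IsUnicode",
}
FILE_ATTRIBUTES = {0x01: "ReadOnly", 0x02: "Hidden", 0x04: "System",
                   0x10: "Directory", 0x20: "Archive", 0x80: "Normal"}
SHOW_COMMANDS = {1: "SW_SHOWNORMAL", 3: "SW_SHOWMAXIMIZED", 7: "SW_SHOWMINNOACTIVE"}
# StringData sections in file order, keyed by the LinkFlags bit that enables each
STRING_DATA = ((0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
               (0x20, "arguments"), (0x40, "icon_location"))


def filetime_to_iso(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) to an ISO 8601 string."""
    return (FILETIME_EPOCH + timedelta(microseconds=ft // 10)).isoformat()


def iso_to_filetime(iso):
    delta = datetime.fromisoformat(iso) - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def describe_show_command(value):
    """Spec name plus the bit-by-bit rendering file(1) prints after 'window='."""
    bits = [n for b, n in ((1, "hide"), (2, "normal"), (4, "showminimized"),
                           (8, "showmaximized")) if value & b]
    return SHOW_COMMANDS.get(value, "SW_%d" % value), "".join(bits)


def parse_lnk(data):
    if len(data) < 76 or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LINK_CLSID:
        raise ValueError("not a Shell Link: bad HeaderSize or LinkCLSID")
    flags, attrs, ctime, atime, wtime, size, _icon_idx, show = struct.unpack_from("<IIQQQIII", data, 20)
    info = {"flags": [n for b, n in LINK_FLAGS.items() if flags & b],
            "attributes": [n for b, n in FILE_ATTRIBUTES.items() if attrs & b],
            "ctime": filetime_to_iso(ctime), "atime": filetime_to_iso(atime),
            "mtime": filetime_to_iso(wtime), "target_size": size,
            "show_command": describe_show_command(show)}
    pos = 76
    if flags & 0x01:  # LinkTargetIDList: IDListSize, then ItemIDs ending in a 2-byte TerminalID
        id_list_size = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        end, items = pos + id_list_size, 0
        while pos + 2 <= end:
            item_size = struct.unpack_from("<H", data, pos)[0]
            if item_size < 2:  # TerminalID (or corrupt size): stop walking
                break
            items += 1
            pos += item_size
        pos = end
        info["id_list_items"] = items
    if flags & 0x02:  # LinkInfo: its first field is its own total size, so skip it wholesale
        pos += struct.unpack_from("<I", data, pos)[0]
    encoding, width = ("utf-16-le", 2) if flags & 0x80 else ("cp1252", 1)
    for bit, key in STRING_DATA:  # CountCharacters (2 bytes) + unterminated string
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            info[key] = data[pos:pos + count * width].decode(encoding)
            pos += count * width
    return info


def build_lnk(relative_path, arguments, *, working_dir=None, icon_location=None,
              id_list_items=(), link_info=None, target_size=0, attrs=0x20,
              show=7, timestamp="2018-09-15T07:14:14+00:00"):
    """Assemble a minimal Unicode shortcut: header, optional IDList/LinkInfo, StringData, empty ExtraData."""
    flags = 0x08 | 0x20 | 0x80
    flags |= 0x01 if id_list_items else 0
    flags |= 0x02 if link_info is not None else 0
    flags |= 0x10 if working_dir is not None else 0
    flags |= 0x40 if icon_location is not None else 0
    ft = iso_to_filetime(timestamp)
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LINK_CLSID, flags, attrs,
                         ft, ft, ft, target_size, 0, show, 0, 0, 0, 0)
    body = b""
    if id_list_items:
        id_list = b"".join(struct.pack("<H", 2 + len(i)) + i for i in id_list_items) + b"\x00\x00"
        body += struct.pack("<H", len(id_list)) + id_list
    if link_info is not None:
        body += struct.pack("<I", 4 + len(link_info)) + link_info
    strings = {"relative_path": relative_path, "working_dir": working_dir,
               "arguments": arguments, "icon_location": icon_location}
    for bit, key in STRING_DATA:
        if flags & bit:
            body += struct.pack("<H", len(strings[key])) + strings[key].encode("utf-16-le")
    return header + body + struct.pack("<I", 0)  # terminal ExtraData block (BlockSize < 4)


# Constructed sample. Target, arguments and the opaque ItemID/LinkInfo bytes are invented;
# the LinkInfo blob is not a valid structure and only exercises the size-based skip.
SAMPLE_LNK = build_lnk(
    r"..\..\..\Windows\System32\cmd.exe", "/c echo constructed sample",
    working_dir=r"%USERPROFILE%", icon_location=r"%SystemRoot%\System32\shell32.dll",
    id_list_items=(b"\x1f" + b"\x00" * 19,), link_info=b"\x00" * 24, target_size=261712)

if __name__ == "__main__":
    for key, value in parse_lnk(SAMPLE_LNK).items():
        print("%-14s %s" % (key, value))
```

Run it against a real shortcut with `parse_lnk(open(path, "rb").read())`; the "arguments" entry is what to read first, since a shortcut whose relative path is a shell interpreter and whose arguments are long, encoded or padded with whitespace is the classic delivery pattern for a .pdf.lnk lure. The StringData decode assumes a well-formed file; a truncated shortcut simply yields shorter strings rather than an exception.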

Environment

w10/x64 en

Hashes

SHA1
34229042b8ea4d42ffce7bd22cbc5774ce3a0385
SHA256
1028df04b9bfb4806032b8cfcb952cf9c1c153d102974cac07a33109a74d63b0
MD5
c1fcfdbc3bfca28ff7c7952f88e12d68

Signatures

Execution

T1047 antivm_wmi: Uses WMI to detect a virtual environment
T1047 has_wmi: Executes one or several WMI requests

Defense Evasion

T1218 bypass_dev_utils: Executes a .NET utility in a suspended state, potentially for process injection
T1497.001 antivm_wmi: Uses WMI to detect a virtual environment
T1497 evasion_printers: Attempts to detect a sandbox by enumerating the installed printers
T1497.001 antivm_generic_productname: Checks the system product name in the registry, possibly for anti-virtualization

Credential Access

T1555.004 windows_credential_manager: Acquire credentials from the Windows Credential Manager

Discovery

T1057 has_wmi: Executes one or several WMI requests
T1497.001 antivm_wmi: Uses WMI to detect a virtual environment
T1082 has_wmi: Executes one or several WMI requests
T1497 evasion_printers: Attempts to detect a sandbox by enumerating the installed printers
T1497.001 antivm_generic_productname: Checks the system product name in the registry, possibly for anti-virtualization

Command and Control

T1071.001 winhttp_https: Performs HTTP/HTTPS requests using WinHttp

Other

network_bind: Starts servers listening (bind address not reported)
no_graphical_activity: No graphical activity observed
creates_suspended_process: Creates a suspended process
suspicious_network_port: Performs a TCP or UDP request to a non-standard port
test_check_service: Starts services
yara_rules: Static rules