Managed XDR

runscript.lnk — malware analysis report

File info

Filename
runscript.lnk
File type
MS Windows shortcut, Item id list present, Has Description string, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, ctime=Mon Jan 1 00:00:00 1601, mtime=Mon Jan 1 00:00:00 1601, atime=Mon Jan 1 00:00:00 1601, length=0, window=hidenormalshowminimized
File size
1.6 KB
First seen
Last seen

Environment

win7/x86 en

Hashes

SHA1
47f14a99160309829d70bab2b0b3233ea994b1be
SHA256
5206ed4803efd7b24fc575b772a163ab06300820c84744670af2b29b0c94f9c3
MD5
1fea1f181d0ded434cd5f488893ce51b

Signatures

Execution

T1204 suspicious_lnk: LNK file with suspicious content
T1059.001 suspicious_process: Spawns a suspicious process
T1059.001 suspicious_powershell: Creates suspicious powershell process
T1059.001 url_cmdline: Cmdline of process contains URL
T1059.003 url_cmdline: Cmdline of process contains URL

Persistence

T1547.001 persistence_autorun: Makes itself run automatically on Windows startup

Privilege Escalation

T1547.001 persistence_autorun: Makes itself run automatically on Windows startup
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1218 suspicious_cmdline: Executes a suspicious command
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Discovery

T1518 locates_browser: Attempts to identify where browsers are installed

Other

unexpected_exception: Unexpected exception
creates_suspended_process: Creates suspended process
get_policy_info: Retrieves information about a Policy object
yara_rules: Static rules