Managed XDR
Group-IB MDP Report
Filename: banload.lnk
File Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Sat Jul 16 13:18:48 2016, mtime=Sat Jul 16 13:18:48 2016, atime=Sat Jul 16 13:18:48 2016, length=232960, window=hidenormalshowminimized
File Size: 2.5 KB
SHA1: 29042ae16e981943d847de36551915a25956712b SHA256: 392df6611c105e6ae4ba47e23fbcb8a46467bce47822bdfe6a9d45fdc06e853a MD5: 62f856535cc2afd8e4023bc8d5596221
Signatures
Execution
T1204 suspicious_lnk: LNK file with suspicious content
T1059.007 mshta_javascript: Runs JavaScript using mshta
T1059.003 suspicious_process: Spawns a suspicious process
Privilege Escalation
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process
Defense Evasion
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process
Credential Access
T1555.003 cookie_files: Accesses cookie files
T1552 cookie_files: Accesses cookie files
Command and Control
T1071.001 network_http: Performs HTTP requests
T1071.001 winhttp_https: Performs HTTP/HTTPS requests using WinHttp
T1071.001 wininet_https: Performs HTTP/HTTPS requests using WinInet
Other
yara_rules: Static rules
modifies_certs: Attempts to generate or modify system certificates
suspicious_process_network: Unusual process network activity detected
unexpected_exception: Unexpected exception
creates_suspended_process: Creates suspended process
get_policy_info: Retrieves information about a Policy object
test_check_service: Starts services
next report: a17a0b15-8453-428f-ad3c-457dc7387a3f
previous report: 6c7a5cb0-9645-453d-b314-37f5892aebbc
Managed XDR