Managed XDR
Group-IB MDP Report
Filename: 2025-05-08-e514831315e45373f80c9fb313d3f97e86f387d93f1de1ae8f0f1a208182251b.lnk
File Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has command line arguments, Icon number=0, Archive, ctime=Sat May 7 05:19:27 2022, mtime=Tue Mar 25 05:45:30 2025, atime=Sat May 7 05:19:27 2022, length=33, window=hidenormalshowminimized
File Size: 2.3 KB
SHA1: 28c24256b4d97b310b5c0fdb344bd3801b646cb0 SHA256: e514831315e45373f80c9fb313d3f97e86f387d93f1de1ae8f0f1a208182251b MD5: 706ee3d9e5e6626b368ef982c7707182
Signatures
Execution
T1059.001 url_cmdline: Cmdline of process contains URL
T1059.003 suspicious_batch: Suspicious batch
T1059.003 url_cmdline: Cmdline of process contains URL
T1059.006 drops_python_dll: Drops python dll
Persistence
T1547.001 persistence_autorun: Makes itself run automatically on Windows startup
T1574 dropper_dll: Creates DLL, which is then loaded into the process
T1547.009 suspicious_desktop_ini: Creates desktop.ini file with suspicious content
Privilege Escalation
T1547.001 persistence_autorun: Makes itself run automatically on Windows startup
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process
T1574 dropper_dll: Creates DLL, which is then loaded into the process
T1547.009 suspicious_desktop_ini: Creates desktop.ini file with suspicious content
Defense Evasion
T1218 suspicious_cmdline: Executes a suspicious command
T1027.002 unnamed_memory_regions: Code was executed in unnamed regions
T1564.001 stealth_file: Creates hidden or system files
T1497 debugs_self: Creates a process and debugs it
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process
T1574 dropper_dll: Creates DLL, which is then loaded into the process
T1497.001 antisandbox_script_timer: Detected script timer window (indicative of sleep style evasion)
Credential Access
T1555.003 cookie_files: Accesses cookie files
T1552 cookie_files: Accesses cookie files
Discovery
T1497 debugs_self: Creates a process and debugs it
T1135 server_share_info: Retrieves information about each shared resource on a server
T1497.001 antisandbox_script_timer: Detected script timer window (indicative of sleep style evasion)
Command and Control
T1071.001 network_http: Performs HTTP requests
T1071.001 winhttp_https: Performs HTTP/HTTPS requests using WinHttp
Other
yara_rules: Static rules
drops_interpreter: Creates interpreter binary file
opens_document: Opens office documents
creates_exe: Creates executable files in the file system
suspicious_process_network: Unusual process network activity detected
creates_doc: Creates (office) documents in the file system
executes_dropped_exe: Executes dropped exe files
unexpected_exception: Unexpected exception
create_rpc_bindings: Creates RPC connection
creates_suspended_process: Creates suspended process
get_policy_info: Retrieves information about a Policy object
test_check_service: Starts services
checktokenmembership: Checks user token with CheckTokenMembership call
suricata_alert: Malicious traffic detected