Managed XDR

document_23091.lnk — отчёт о динамическом анализе вредоносного файла

Информация о файле

Имя файла
document_23091.lnk
Тип файла
MS Windows shortcut, Item id list present, Has Description string, Has Working directory, Has command line arguments, Icon number=13, Archive, ctime=Mon Jan 1 00:00:00 1601, mtime=Mon Jan 1 00:00:00 1601, atime=Mon Jan 1 00:00:00 1601, length=0, window=hidenormalshowminimized
Размер файла
2.9 KB
Первое обнаружение
Последнее обнаружение

Окружение

w10/x64 en

Хеши

SHA1
5b8a40da7e1fdab9113a0806dcb7fc7221baa880
SHA256
e4970b0e51beca979821d0f99da04b4166bfeb7c5ca54f2904f103cb8f8aa2a4
MD5
27012387fc6b9d9eea06959ed1f507b6

Сигнатуры

Execution

T1059.003 suspicious_process: Spawns a suspicious process
T1047 has_wmi: Executes one or several WMI requests
T1059.003 suspicious_cmd: Executes cmd.exe with a suspicious command line
T1059.001 url_cmdline: Cmdline of process contains URL
T1059.003 url_cmdline: Cmdline of process contains URL

Persistence

T1037 persistence_autorun: Makes itself run automatically on Windows startup

Privilege Escalation

T1037 persistence_autorun: Makes itself run automatically on Windows startup
T1055 injection_thread: Code injection to a remote process using CreateRemoteThread or NtQueueApcThread
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1055 injection_thread: Code injection to a remote process using CreateRemoteThread or NtQueueApcThread
T1218 wmic_create_process: Creates a process using wmic.exe utility
T1027 suspicious_cmd: Executes cmd.exe with a suspicious command line
T1497 debugs_self: Creates a process and debugs it
T1218 suspicious_cmdline: Executes a suspicious command
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process
T1497 evasion_diskenum: Sandbox evasion using enumeration of partitions
T1497.001 antivm_generic_video: Checks information about video adapters in registry, possibly for anti-virtualization

Discovery

T1082 recon_systeminfo: Collects system information (ipconfig, netstat, systeminfo, net)
T1057 has_wmi: Executes one or several WMI requests
T1497 debugs_self: Creates a process and debugs it
T1033 queries_username: Gets username
T1518 locates_browser: Attempts to identify where browsers are installed
T1016 get_hostname: Attempts to get hostname
T1497 evasion_diskenum: Sandbox evasion using enumeration of partitions
T1497.001 antivm_generic_video: Checks information about video adapters in registry, possibly for anti-virtualization

Command and Control

T1071.001 network_http: Performs HTTP requests
T1071.001 winhttp_https: Performs HTTP/HTTPS requests using WinHttp

Other

opens_document: Opens office documents
creates_exe: Creates executable files in the file system
creates_doc: Creates (office) documents in the file system
creates_in_windows: Creates files in the Windows directory
creates_suspended_process: Creates suspended process
test_check_service: Starts services
suricata_alert: Malicious traffic detected