Managed XDR

c-programdata-microsof...filesync-beginsync.lnk — отчёт о динамическом анализе вредоносного файла

Информация о файле

Имя файла
c-programdata-microsoft-onedrive-filesync-beginsync.lnk
Тип файла
MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has command line arguments, Archive, ctime=Sat Dec 7 09:09:37 2019, mtime=Sat Dec 7 09:09:37 2019, atime=Sat Dec 7 09:09:37 2019, length=52224, window=hidenormalshowminimized
Размер файла
1.3 KB
Первое обнаружение
Последнее обнаружение

Окружение

w10/x64 en

Хеши

SHA1
cbb99f972e16818206672aa778f9387eba26544d
SHA256
298ae59865f7f4500a0ed267634f7bfae9b0bf2f03bf704a4c06faa547d98cd3
MD5
4f59b3f3ed2de2f41833b0edfa3f300a

Сигнатуры

Execution

T1059.001 suspicious_powershell: Creates suspicious powershell process
T1047 antivm_wmi: Uses WMI to detect virtual environment
T1047 has_wmi: Executes one or several WMI requests

Persistence

T1547.001 persistence_autorun: Makes itself run automatically on Windows startup

Privilege Escalation

T1547.001 persistence_autorun: Makes itself run automatically on Windows startup
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1564.001 stealth_file: Creates hidden or system files
T1497.001 antivm_wmi: Uses WMI to detect virtual environment
T1497.003 antisandbox_idletime: Detects Windows Idle Time to determine the uptime
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Discovery

T1497.001 antivm_wmi: Uses WMI to detect virtual environment
T1497.003 antisandbox_idletime: Detects Windows Idle Time to determine the uptime
T1057 has_wmi: Executes one or several WMI requests
T1518 locates_browser: Attempts to identify where browsers are installed

Command and Control

T1102.003 cloud_discord: Connects to cloud services of Discord (potentially for malicious payload delivery)
T1102.003 cloud_github: Connects to cloud services of Github (potentially for malicious payload delivery)
T1071.001 network_http: Performs HTTP requests

Other

code_share_services: Connects to text storage services (potentially for malicious payload delivery)
creates_exe: Creates executable files in the file system
network_powershell: Powershell process network connection detected
network_ftp: Performs FTP requests
creates_suspended_process: Creates suspended process
break_limit_exceeded: Warning: function calls limit has been exceeded
creates_in_programdata: Creates files in the ProgramData directory
test_check_service: Starts services
yara_rules: Static rules