Managed XDR

ink.lnk: dynamic analysis report for a malicious file

File information

File name
ink.lnk
File type
MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has command line arguments, Icon number=0, Archive, ctime=Sat Dec 7 02:04:06 2024, mtime=Mon Jan 20 08:55:52 2025, atime=Sat Dec 7 02:04:06 2024, length=339968, window=normal
File size
1.9 MB
First seen
Last seen

Environment

w10/x86 en

Hashes

SHA1
70018626f449a913fb9e58aa8f756c707d546ebd
SHA256
e2db5a3e338487fd6609186e2d0b5c5acbc8bbf945fcd5ecc223fbd0bb5f6fb9
MD5
6eb8c6f6a737da543b6a82d109e0d072

Signatures

Execution

T1204 suspicious_lnk: LNK file with suspicious content
T1059.001 suspicious_powershell: Creates suspicious powershell process
T1059.001 suspicious_process: Spawns a suspicious process

Privilege Escalation

T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1497.003 antisandbox_idletime: Detects Windows Idle Time to determine the uptime
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process
T1070.004 self_removal_command: Executes command to delete itself

Discovery

T1497.003 antisandbox_idletime: Detects Windows Idle Time to determine the uptime
T1518 locates_browser: Attempts to identify where browsers are installed

Other

yara_rules: Static rules
creates_exe: Creates executable files in the file system
create_rpc_bindings: Creates RPC connection
creates_suspended_process: Creates suspended process
break_limit_exceeded: Warning: function calls limit has been exceeded
checktokenmembership: Checks user token with CheckTokenMembership call
writes_data: Writes big amount of data to disk