Continuing with the Incident Responder Path, we tackle a HIGH alert for "ZDI-CAN-25373 Windows Shortcut Exploit Detected". Was this a misconfiguration, a false positive, or possibly something more malicious?
EventID: 317
Event Time: Mar 20, 2025, 01:48 PM
Rule: SOC339 - ZDI-CAN-25373 Windows Shortcut Exploit Detected
Level: Incident Responder
Hostname: Cooper
IP Address: 172.16.17.217
File Name: 2025AnnualReport.lnk
File Path: C:\Users\LetsDefend\Downloads\
File Hash: 6F927D74FB2075C60F2F7795B718CA571947F3D1E7B591D2D2FD5A35DD5503F8
Trigger Reason: Shortcut (LNK) file executing a powershell script was detected, indicating potential malware activity.
L1 Notes: Upon investigation, the file was found to originate from an email attachment named 2025AnnualReport.zip. The execution of this LNK file triggered a PowerShell process, which then initiated further suspicious commands. Assigning for further investigation.
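The rule fired because a shortcut launched PowerShell. ZDI-CAN-25373 abuses the COMMAND_LINE_ARGUMENTS field of the shortcut: the real arguments are preceded by a long run of whitespace so that the Properties dialog shows an apparently empty "Target" line. The following is an added example, not code from the original write-up or from LetsDefend: a minimal parser for the Shell Link (MS-SHLLINK) header and string data that pulls out the target and arguments and measures the leading whitespace. The shortcut bytes it analyses are constructed inline with a small builder; they are not the 2025AnnualReport.lnk sample from this alert, and the PADDING_THRESHOLD value is an assumption chosen for the demo (benign shortcuts normally have no leading whitespace at all).

```python
import struct
import sys

# LinkFlags bits, MS-SHLLINK section 2.1.1
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

HEADER_SIZE = 0x4C
# {00021401-0000-0000-C000-000000000046} as it appears on disk (Data1..3 little-endian)
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
# Assumed detection threshold: any leading whitespace in the arguments is odd,
# the ZDI-CAN-25373 samples use hundreds of padding characters.
PADDING_THRESHOLD = 32

STRING_DATA_ORDER = (
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)


def _read_string(data, pos, unicode):
    """StringData item: CountCharacters (u16) followed by that many characters."""
    count = struct.unpack_from("<H", data, pos)[0]
    pos += 2
    if unicode:
        end = pos + count * 2
        return data[pos:end].decode("utf-16-le"), end
    end = pos + count
    return data[pos:end].decode("cp1252", errors="replace"), end


def parse_lnk(data):
    """Return the StringData fields of a .lnk file (empty string when absent)."""
    if (len(data) < HEADER_SIZE
            or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a Shell Link (LNK) file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:          # skip IDListSize + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # skip LinkInfo (LinkInfoSize is its total size)
        pos += struct.unpack_from("<I", data, pos)[0]
    unicode = bool(flags & IS_UNICODE)
    fields = {}
    for flag, name in STRING_DATA_ORDER:
        if flags & flag:
            fields[name], pos = _read_string(data, pos, unicode)
        else:
            fields[name] = ""
    return fields


def assess(fields):
    """Flag shortcuts that launch PowerShell or hide their arguments behind whitespace."""
    target = fields["relative_path"].lower()
    args = fields["arguments"]
    padding = len(args) - len(args.lstrip())     # spaces, tabs, CR/LF, VT, FF all count
    findings = []
    if "powershell" in target or "pwsh" in target:
        findings.append("target is PowerShell")
    if padding >= PADDING_THRESHOLD:
        findings.append(f"{padding} whitespace characters pad the arguments "
                        "(Properties dialog would show an empty target line)")
    return {"target": fields["relative_path"], "padding": padding,
            "visible_args": args.strip(), "findings": findings,
            "suspicious": bool(findings)}


def build_lnk(relative_path, arguments):
    """Construct a minimal Unicode .lnk with only RELATIVE_PATH and COMMAND_LINE_ARGUMENTS."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I", HEADER_SIZE) + LNK_CLSID + struct.pack("<I", flags)
    header += b"\x00" * (HEADER_SIZE - len(header))   # attributes, timestamps, etc. zeroed
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                    for s in (relative_path, arguments))
    return header + body


# Constructed samples (not the file from this alert): one padded PowerShell
# launcher in the ZDI-CAN-25373 style, one ordinary document shortcut.
PADDED_LNK = build_lnk(
    r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    " " * 200 + "\t\n" + '-NoProfile -WindowStyle Hidden -Command "<placeholder>"')
BENIGN_LNK = build_lnk(r"..\..\..\Windows\System32\notepad.exe", "report.txt")

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else PADDED_LNK
    for key, value in assess(parse_lnk(data)).items():
        print(f"{key}: {value!r}")
```

Run it with a path to a .lnk file to triage a real sample, or with no argument to see the constructed padded shortcut scored; the `padding` count is the value worth recording in the case notes alongside the hash.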
2025annualreport.7z:
https://www.virustotal.com/gui/file/2c8845c1680c9e6f8689112f1bc97f5fc8a4c8f4ae8841ba7667b1b440ee8565
2025AnnualReport.lnk:
https://www.virustotal.com/gui/file/6f927d74fb2075c60f2f7795b718ca571947f3d1e7b591d2d2fd5a35dd5503f8
IPs/URLs:
https://www.virustotal.com/gui/ip-address/3.5.132.248
https://www.virustotal.com/gui/ip-address/18.223.186.129
https://www.virustotal.com/gui/url/6ac3816fbfbc6ccb5441ed5bf4a0ed0eca4fecb9ccf4bef75f6d378d2604ef29
NOTES:
-