Managed XDR

vtdl_58dv27i4 — malware analysis report

File info

Filename
vtdl_58dv27i4
File type
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
File size
1.2 MB
First seen
Last seen

Environment

win7/x86 en

Hashes

SHA1
740a3ebd1996cc666b904412bf729016c01b89b6
SHA256
e7ab168866f91c1417de25ff30c4c128edf8559e03892d5817c9eacd05b230cf
MD5
b35ece38c4ebaa98a3d0181a900040d6

Signatures

Execution

T1059.003 suspicious_process: Spawns a suspicious process
T1047 has_wmi: Executes one or several WMI requests

Persistence

T1574 dropper_dll: Creates DLL, which is then loaded into the process

Privilege Escalation

T1574 dropper_dll: Creates DLL, which is then loaded into the process

Defense Evasion

T1497.001 antivm_vbox_devices: Detects VirtualBox through the presence of a device
T1497.001 antivm_vbox_files: Detects VirtualBox through the presence of a file
T1027.002 packer_entropy: Probably contains compressed or encrypted data
T1574 dropper_dll: Creates DLL, which is then loaded into the process

Discovery

T1497.001 antivm_vbox_devices: Detects VirtualBox through the presence of a device
T1497.001 antivm_vbox_files: Detects VirtualBox through the presence of a file
T1082 uses_windows_utilities: Uses Windows utilities for basic Windows functionality
T1082 reads_csrss: Attempts to read csrss.exe memory

Command and Control

T1071.001 network_http: Performs HTTP requests
T1071.001 winhttp_https: Performs HTTP/HTTPS requests using WinHttp

Other

yara_rules: Static rules
creates_in_windows: Creates files in the Windows directory
unexpected_exception: Unexpected exception
no_graphical_activity: No graphic activity
valid_authenticode: The digital signature has been verified
break_limit_exceeded: Warning: function calls limit has been exceeded
message_box: Displays a message
test_check_service: Starts services
writes_data: Writes big amount of data to disk
pe_overlay: PE file contains overlay