Managed XDR

vtdl_1761563474__xx1oydu — malware analysis report

File info

Filename: vtdl_1761563474__xx1oydu
File type: CDFV2 Microsoft Outlook Message
File size: 96 KB
First seen: 2025-10-27 11:49
Last seen: 2025-10-27 11:49

Environment

w10/x64 en

Hashes

SHA1: 065c3cb3d0d76bcff0fcf4d5bfc7f12025411b55
SHA256: 291d00d61405e3dd73373fe31dcdcbde575ee6e4c0b9074be2ccf716985cbfe7
MD5: 1a39d4c062c9db141c539f9a0b1b9427

Signatures

Execution

T1059.001 suspicious_powershell: Creates suspicious powershell process

T1059 powershell_cmd_longcommandline: Suspiciously long commandline

T1059.001 suspicious_process: Spawns a suspicious process

T1059.003 suspicious_batch: Suspicious batch

Persistence

T1547.001 persistence_autorun: Makes itself run automatically on Windows startup

Privilege Escalation

T1547.001 persistence_autorun: Makes itself run automatically on Windows startup

T1134 opens_thread_token: Opens the access token associated with a thread

T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1497.003 antisandbox_idletime: Detects Windows Idle Time to determine the uptime

T1027 many_env_vars: An extensive number of environment variables has been created (possible sign of obfuscation)

T1134 opens_thread_token: Opens the access token associated with a thread

T1134 opens_process_token: Opens the access token associated with a process

Credential Access

T1503 infostealer_browser: Retrieves personal information from local Internet browsers

T1552 infostealer_browser: Retrieves personal information from local Internet browsers

T1552 infostealer_mail: Collects personal data from local email clients

T1552 infostealer_ftp: Collects data from local FTP clients

T1552 cookie_files: Accesses cookie files

T1555.003 cookie_files: Accesses cookie files

Discovery

T1033 recon_beacon: The process has sent information about the computer over the network

T1518.001 antiav_detectfile: Attempts to detect installed antiviruses by a certain directory

T1497.003 antisandbox_idletime: Detects Windows Idle Time to determine the uptime

T1518 locates_browser: Attempts to identify where browsers are installed

Collection

T1114 infostealer_mail: Collects personal data from local email clients

Command and Control

T1071.001 recon_beacon: The process has sent information about the computer over the network

T1071.003 network_smtp: Sends emails, possibly SPAM

T1071.001 network_http: Performs HTTP requests

Other

suricata_alert: Malicious traffic detected

creates_exe: Creates executable files in the file system

ip_domains: Identifies an IP address using external resources

ps_ep_changed: Changes Powershell execution policy

network_powershell: Powershell process network connection detected

network_ftp: Performs FTP requests

creates_suspended_process: Creates suspended process

test_check_service: Starts services