Managed XDR

vtdl_1762972226_za0jnd37 — malware analysis report

File info

Filename: vtdl_1762972226_za0jnd37
File type: PE32 executable (GUI) Intel 80386, for MS Windows
File size: 52 KB
First seen: 2025-11-12 18:42
Last seen: 2025-11-12 18:42

Environment

w10/x86 en

Hashes

SHA1: ed378ecfa212999203df1e45fd56eaa7e6b39d47
SHA256: 2f6eabce7627a5321188fc9105916aff511d29f58afa215b8968015b2953e8f7
MD5: 3b2cb009659afd5dca9946c213d39d30

Signatures

Persistence

T1547.001 persistence_autorun: Makes itself run automatically on Windows startup

Privilege Escalation

T1547.001 persistence_autorun: Makes itself run automatically on Windows startup

T1548.002 uac_bypass_diskcleanup: Bypassing Windows User Account Control (DiskCleanup method)

T1134 opens_thread_token: Opens the access token associated with a thread

T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1548.002 uac_bypass_diskcleanup: Bypassing Windows User Account Control (DiskCleanup method)

T1070 stealth_webhistory: Clears browsing history

T1027.002 packer_entropy: Probably contains compressed or encrypted data

T1027.002 pe_features: Executable file has PE anomalies (may be false positive)

T1134 opens_thread_token: Opens the access token associated with a thread

T1134 opens_process_token: Opens the access token associated with a process

T1497.001 antivm_queries_computername: Retrieves the computer name

Credential Access

T1552 infostealer_mail: Collects personal data from local email clients

T1555.004 windows_credential_manager: Acquire credentials from the Windows Credential Manager

Discovery

T1083 crawls_directories: Opens a huge number of directories all over disk C: (possibly, searches for sensitive data)

T1057 process_interest: Enumerates processes

T1518 locates_browser: Attempts to identify where browsers are installed

T1497.001 antivm_queries_computername: Retrieves the computer name

Collection

T1114 infostealer_mail: Collects personal data from local email clients

T1074.001 access_recyclebin: Manipulation with recyclebin detected

Impact

T1486 modifies_files2: Cryptolocker indicators detected (500 or more files are modified)

T1486 modifies_files: Cryptolocker indicators detected (renamed 500 or more files)

T1561 wiper_zeroed_bytes: Overwrites multiple files with zero bytes (hex 00)

T1565.001 overwrites_firefox_settings: Modifies Mozilla Firefox settings

Other

creates_exe: Creates executable files in the file system

copies_self: Creates a copy of itself

cryptolocker_wallpaper: Ransomware indicators detected (changes the desktop wallpaper file)

no_graphical_activity: No graphic activity

create_rpc_bindings: Creates RPC connection

break_limit_exceeded: Warning: function calls limit has been exceeded

creates_in_programdata: Creates files in the ProgramData directory

test_check_service: Starts services

writes_data: Writes big amount of data to disk

Managed XDR