Managed XDR

vtdl_1752067131_oswo29q9 — malware analysis report

File info

Filename: vtdl_1752067131_oswo29q9
File type: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Template: counteract.fmp, Last Saved By: user, Revision Number: 4, Name of Creating Application: Microsoft Office Word, Total Editing Time: 01:00, Last Printed: Sat May 31 14:26:00 2025, Create Time/Date: Sat May 31 14:16:00 2025, Last Saved Time/Date: Sat May 31 14:26:00 2025, Number of Pages: 12, Number of Words: 10373, Number of Characters: 5914, Security: 0
File size: 582.5 KB
First seen:
Last seen:

Environment

win7/x86 en

Hashes

SHA1: b7af12727fed6c90d41b4e6a97728e1474580a16
SHA256: 80e591790c414888da0f74a88371833c3aebd7970642452563896475a05e4ef0
MD5: 92838bb82a282eb04ec1a76ca80d2ec5

Signatures

Privilege Escalation

T1134 sets_privilegies_via_adjusttokenprivileges: Sets process privilege via AdjustTokenPrivileges
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1221 office_attached_template: Office file attempts to download a suspicious template from the Internet
T1497.001 antivm_queries_computername: Retrieves the computer name
T1134 sets_privilegies_via_adjusttokenprivileges: Sets process privilege via AdjustTokenPrivileges
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Credential Access

T1555.003 cookie_files: Accesses cookie files
T1552 cookie_files: Accesses cookie files

Discovery

T1497.001 antivm_queries_computername: Retrieves the computer name

Command and Control

T1071.001 winhttp_https: Performs HTTP/HTTPS requests using WinHttp
T1071.001 wininet_https: Performs HTTP/HTTPS requests using WinInet

Other

yara_rules: Static rules
dns_without_resolve: DNS query without a response
office_suspicious_data: Office file contains suspicious data
create_rpc_bindings: Creates RPC connection
get_policy_info: Retrieves information about a Policy object
test_check_service: Starts services
antisandbox_check_graphics_card: Uses CreateDXGIFactory, potentially to detect graphics card