Managed XDR

vtdl_1782474572_owx12ylz — malware analysis report

File info

Filename: vtdl_1782474572_owx12ylz
File type: RFC 822 mail, ASCII text, with CRLF line terminators
File size: 14.3 KB
First seen: 2026-06-26 12:15
Last seen: 2026-06-26 12:15

Environment

w10/x64 en

Hashes

SHA1: e29a7e5c1431f1568e3ac2474f1e66bf3edede17
SHA256: e248b3bc52d911ff7fc8949eed574b2d1048ad34f7c11f45ef0780969923d91c
MD5: 0557999e34c8def78bb6dcc847631162

Signatures

Execution

T1059.007 bad_js: Suspicious Javascript file

Persistence

T1547.001 persistence_autorun: Makes itself run automatically on Windows startup

T1574 dropper_dll: Creates DLL, which is then loaded into the process

Privilege Escalation

T1547.001 persistence_autorun: Makes itself run automatically on Windows startup

T1574 dropper_dll: Creates DLL, which is then loaded into the process

T1134 opens_thread_token: Opens the access token associated with a thread

T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1027.002 unnamed_memory_regions: Code was executed in unnamed regions

T1497.001 antivm_network_adapters: Checks NIC addresses

T1134 opens_thread_token: Opens the access token associated with a thread

T1134 opens_process_token: Opens the access token associated with a process

T1574 dropper_dll: Creates DLL, which is then loaded into the process

T1027.002 packer_entropy: Probably contains compressed or encrypted data

T1497 evasion_printers: Attempts to detect Sandbox by exploring existing printers

T1480 system_default_lang_id_present: Checks the system language

Credential Access

T1555.004 windows_credential_manager: Acquire credentials from the Windows Credential Manager

Discovery

T1057 process_interest: Enumerates processes

T1497.001 antivm_network_adapters: Checks NIC addresses

T1082 fingerprint_to_file: Collects data about system and user and writes it to a text file

T1497 evasion_printers: Attempts to detect Sandbox by exploring existing printers

T1016 get_hostname: Attempts to get hostname

Command and Control

T1071.001 winhttp_https: Performs HTTP/HTTPS requests using WinHttp

Other

hides_autorun_taskmanager: Hides application autorun record from Task Manager

network_bind: Starts servers listening at None

creates_exe: Creates executable files in the file system

executes_dropped_exe: Executes dropped exe files

create_rpc_bindings: Creates RPC connection

creates_suspended_process: Creates suspended process

suspicious_network_port: Performs TCP or UDP request to non-standard port

test_check_service: Starts services

checktokenmembership: Checks user token with CheckTokenMembership call

writes_data: Writes big amount of data to disk

pe_overlay: PE file contains overlay

js_suspicious: Suspicious javascript

yara_rules: Static rules

static_big_overlay: Executable file contains an enormously big overlay

valid_authenticode: The digital signature has been verified