Managed XDR

vtdl_1782713885_7bups646 — malware analysis report

File info

Filename
vtdl_1782713885_7bups646
File type
PE32+ executable (console) x86-64, for MS Windows
File size
42.5 KB
First seen
Last seen

Environment

w10/x64 en

Hashes

SHA1
6ba383f87847ef42a3634edff34e9cb283b84647
SHA256
4f5930c32f6efe8cedfac0f14a942876353befea497a4c5e767fda49ec9fb0b7
MD5
795249c529f4fc9751ce8fc9f0edfe65

Signatures

Execution

T1047 antivm_wmi: Uses WMI to detect virtual environment
T1047 has_wmi: Executes one or several WMI requests

Privilege Escalation

T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1497.001 antivm_wmi: Uses WMI to detect virtual environment
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process
T1497.001 antivm_generic_productname: Checks system product name in registry, possibly for anti-virtualization
T1070 stealth_window: A process created a hidden window

Discovery

T1497.001 antivm_wmi: Uses WMI to detect virtual environment
T1082 has_wmi: Executes one or several WMI requests
T1497.001 antivm_generic_productname: Checks system product name in registry, possibly for anti-virtualization

Other

yara_rules: Static rules
no_graphical_activity: No graphic activity
create_rpc_bindings: Creates RPC connection
creates_suspended_process: Creates suspended process
break_limit_exceeded: Warning: function calls limit has been exceeded