Managed XDR

vtdl_1746805605_o6jpxtr0 — malware analysis report

File info

Filename
vtdl_1746805605_o6jpxtr0
File type
Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1251, Title: , Author: .., Template: sorry.ik, Last Saved By: Windows, Revision Number: 9, Name of Creating Application: Microsoft Office Word, Total Editing Time: 57:00, Last Printed: Thu Sep 22 13:01:00 2022, Create Time/Date: Thu Oct 20 05:45:00 2022, Last Saved Time/Date: Tue Nov 29 08:46:00 2022, Number of Pages: 11, Number of Words: 11266, Number of Characters: 6422, Security: 0
File size
181 KB
First seen
Last seen

Environment

win7/x86 en

Hashes

SHA1
9e26cca22828c5185380170f993ef12aad405824
SHA256
f0b76c1118485bd48685a9d06f091190b39f306d0b1d3669d34e6b0ac86f370b
MD5
ebf358fcd8628fa92ce19257742752ae

Signatures

Privilege Escalation

T1134 sets_privilegies_via_adjusttokenprivileges: Sets process privilege via AdjustTokenPrivileges
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1221 office_attached_template: Office file attempts to download a suspicious template from the Internet
T1497.001 antivm_queries_computername: Retrieves the computer name
T1134 sets_privilegies_via_adjusttokenprivileges: Sets process privilege via AdjustTokenPrivileges
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Credential Access

T1555.003 cookie_files: Accesses cookie files
T1552 cookie_files: Accesses cookie files

Discovery

T1497.001 antivm_queries_computername: Retrieves the computer name

Command and Control

T1071.001 winhttp_https: Performs HTTP/HTTPS requests using WinHttp
T1071.001 wininet_https: Performs HTTP/HTTPS requests using WinInet
T1102.003 references_google: Contains links to cloud services of Google (potentially for malicious payload delivery)

Other

yara_rules: Static rules
dns_without_resolve: DNS query without a response
office_suspicious_data: Office file contains suspicious data
create_rpc_bindings: Creates RPC connection
pdf_compressed_stream: Contains an object with compressed stream
get_policy_info: Retrieves information about a Policy object
test_check_service: Starts services
office_links: Office file contains external links
antisandbox_check_graphics_card: Uses CreateDXGIFactory, potentially to detect graphics card