Managed XDR

vtdl_1770790442_fjfi3ucl — malware analysis report

File info

Filename
vtdl_1770790442_fjfi3ucl
File type
PE32 executable (GUI) Intel 80386, for MS Windows
File size
552.5 KB
First seen
Last seen

Environment

win7/x64 en

Hashes

SHA1
b5d7dd82a2a4336af966fae951ac3631bc046b3e
SHA256
0a661d5e633b2a4a9baf3d203b0b1ce0ef0f149b9d4dce3d0f5c7d3d78715041
MD5
24cd5ca084c03c90bc812cbc4f8ae7be

Signatures

Execution

T1059.003 cmd_ping_del: Uses cmd.exe for pausing and deletion of the original file
T1047 has_wmi: Executes one or several WMI requests

Persistence

T1574.011 persistence_services: Modifies Services registry key
T1543.003 persistence_services: Modifies Services registry key

Privilege Escalation

T1574.011 persistence_services: Modifies Services registry key
T1543.003 persistence_services: Modifies Services registry key
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1070.004 deletes_self: Moves to different location or removes the original executable file
T1070.004 cmd_ping_del: Uses cmd.exe for pausing and deletion of the original file
T1027.002 unnamed_memory_regions: Code was executed in unnamed regions
T1497.001 antivm_generic_disk: Checks information on disk, possibly for anti-virtualization or checking privileges
T1574.011 persistence_services: Modifies Services registry key
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process
T1497 antidbg_strings: Checks for malware analysis tools (specific strings found)
T1497.003 antisandbox_sleep: The process attempted to slow down analysis
T1480 system_default_lang_id_present: Checks the system language
T1070 stealth_window: A process created a hidden window
T1070.004 self_removal_command: Executes command to delete itself

Discovery

T1497.001 antivm_generic_disk: Checks information on disk, possibly for anti-virtualization or checking privileges
T1082 antivm_generic_disk: Checks information on disk, possibly for anti-virtualization or checking privileges
T1082 uses_windows_utilities: Uses Windows utilities for basic Windows functionality
T1016.001 system_network_configuration_discovery: System network configuration discovery detected
T1497 antidbg_strings: Checks for malware analysis tools (specific strings found)
T1497.003 antisandbox_sleep: The process attempted to slow down analysis
T1135 server_share_info: Retrieves information about each shared resource on a server
T1082 reads_csrss: Attempts to read csrss.exe memory

Other

creates_exe: Creates executable files in the file system
executes_dropped_exe: Executes dropped exe files
create_rpc_bindings: Creates RPC connection
break_limit_exceeded: Warning: function calls limit has been exceeded
message_box: Displays a message
origin_langid: Unconventional language of the executable file
yara_rules: Static rules
Managed XDR