Managed XDR

vtdl_1766017147_02kfmsuz (RMS) — отчёт о динамическом анализе вредоносного файла

Информация о файле

Имя файла: vtdl_1766017147_02kfmsuz
Тип файла: PE32 executable (GUI) Intel 80386, for MS Windows
Размер файла: 12.3 MB
Первое обнаружение: 2025-12-22 15:13
Последнее обнаружение: 2025-12-22 15:13

Окружение

w10/x64 en

Хеши

SHA1: 63dadd6217d946a36c557960ea14c6d461e11b21
SHA256: 3d503d2b57d373afc1a792f0a3aafbbba55d0cfb62532ec305d8dfd7196c8b18
MD5: 7a588e5ad398acb4c488b08c72e2add2

Вредоносное ПО

Сигнатуры

Privilege Escalation

T1068 integrity_level: Process privileges have been escalated

T1134 sets_privilegies_via_adjusttokenprivileges: Sets process privilege via AdjustTokenPrivileges

T1134 opens_thread_token: Opens the access token associated with a thread

T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1497.001 antisandbox_productid: Obtains Windows ProductID, probably to fingerprint a sandbox

T1027.002 packer_entropy: Probably contains compressed or encrypted data

T1497 evasion_printers: Attempts to detect Sandbox by exploring existing printers

T1497 antidbg_strings: Checks for malware analysis tools (specific strings found)

T1497.002 antivm_usbstor: Reads information about usbdevices from regkey

T1134 sets_privilegies_via_adjusttokenprivileges: Sets process privilege via AdjustTokenPrivileges

T1134 opens_thread_token: Opens the access token associated with a thread

T1134 opens_process_token: Opens the access token associated with a process

Credential Access

T1555.004 windows_credential_manager: Acquire credentials from the Windows Credential Manager

Discovery

T1497.001 antisandbox_productid: Obtains Windows ProductID, probably to fingerprint a sandbox

T1497 evasion_printers: Attempts to detect Sandbox by exploring existing printers

T1497 antidbg_strings: Checks for malware analysis tools (specific strings found)

T1497.002 antivm_usbstor: Reads information about usbdevices from regkey

Other

yara_rules: Static rules

rms_lms_bins: Listens on port 5650 used by RMS\LiteManager

network_bind: Starts servers listening at 0.0.0.0:5650, None

process_crashed: One of the processes has failed

unexpected_exception: Unexpected exception

create_rpc_bindings: Creates RPC connection

suspicious_network_port: Performs TCP or UDP request to non-standard port

test_check_service: Starts services

checktokenmembership: Checks user token with CheckTokenMembership call

writes_data: Writes big amount of data to disk

pe_overlay: PE file contains overlay

open_winlogon_process: Trying to open winlogon process