bitrat | f5fbd66fa754b518289e512f61ed872924ff06f80ec48dc08bd270b179d783cd

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions	d345138f48b7d610e4f7d280504a5a36.exe

Looks for VMWare Tools registry key 2 TTPs 1 IoCs

evasion

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools	d345138f48b7d610e4f7d280504a5a36.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	d345138f48b7d610e4f7d280504a5a36.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	d345138f48b7d610e4f7d280504a5a36.exe

UPX packed file 21 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2772-15-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2772-20-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2772-23-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2772-25-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2772-22-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2772-21-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2772-16-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2772-31-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2772-33-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2772-30-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2772-35-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2772-34-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2772-37-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2772-36-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2772-39-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2772-38-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2772-40-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2772-41-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2772-45-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2772-46-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2772-47-0x0000000000400000-0x00000000007E4000-memory.dmp	upx

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	d345138f48b7d610e4f7d280504a5a36.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	d345138f48b7d610e4f7d280504a5a36.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

pid	Process
2528	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\d345138f48b7d610e4f7d280504a5a36.exe
"C:\Users\Admin\AppData\Local\Temp\d345138f48b7d610e4f7d280504a5a36.exe"
1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
PID:2220
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NWKQwZWIgp" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD7D8.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:2528
- C:\Users\Admin\AppData\Local\Temp\d345138f48b7d610e4f7d280504a5a36.exe
  "C:\Users\Admin\AppData\Local\Temp\d345138f48b7d610e4f7d280504a5a36.exe"
  2⤵
  PID:2772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery

T1082

Virtualization/Sandbox Evasion