bitrat | f5fbd66fa754b518289e512f61ed872924ff06f80ec48dc08bd270b179d783cd

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions	d345138f48b7d610e4f7d280504a5a36.exe

Looks for VMWare Tools registry key 2 TTPs 1 IoCs

evasion

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools	d345138f48b7d610e4f7d280504a5a36.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	d345138f48b7d610e4f7d280504a5a36.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	d345138f48b7d610e4f7d280504a5a36.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	d345138f48b7d610e4f7d280504a5a36.exe

UPX packed file 28 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1132-19-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/1132-21-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/1132-22-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/1132-25-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/1132-23-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/1132-26-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/1132-28-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/1132-29-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/1132-30-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/1132-31-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/1132-32-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/1132-33-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/1132-34-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/1132-36-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/1132-37-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/1132-39-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/1132-40-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/1132-41-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/1132-43-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/1132-44-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/1132-46-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/1132-47-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/1132-49-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/1132-50-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/1132-52-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/1132-53-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/1132-55-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/1132-56-0x0000000000400000-0x00000000007E4000-memory.dmp	upx

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	d345138f48b7d610e4f7d280504a5a36.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	d345138f48b7d610e4f7d280504a5a36.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
1132	d345138f48b7d610e4f7d280504a5a36.exe
1132	d345138f48b7d610e4f7d280504a5a36.exe
1132	d345138f48b7d610e4f7d280504a5a36.exe
1132	d345138f48b7d610e4f7d280504a5a36.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4464 set thread context of 1132	4464	d345138f48b7d610e4f7d280504a5a36.exe	111

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

pid	Process
680	schtasks.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1132	d345138f48b7d610e4f7d280504a5a36.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1132	d345138f48b7d610e4f7d280504a5a36.exe
1132	d345138f48b7d610e4f7d280504a5a36.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 4464 wrote to memory of 680	4464	d345138f48b7d610e4f7d280504a5a36.exe	109
PID 4464 wrote to memory of 680	4464	d345138f48b7d610e4f7d280504a5a36.exe	109
PID 4464 wrote to memory of 680	4464	d345138f48b7d610e4f7d280504a5a36.exe	109
PID 4464 wrote to memory of 1132	4464	d345138f48b7d610e4f7d280504a5a36.exe	111
PID 4464 wrote to memory of 1132	4464	d345138f48b7d610e4f7d280504a5a36.exe	111
PID 4464 wrote to memory of 1132	4464	d345138f48b7d610e4f7d280504a5a36.exe	111
PID 4464 wrote to memory of 1132	4464	d345138f48b7d610e4f7d280504a5a36.exe	111
PID 4464 wrote to memory of 1132	4464	d345138f48b7d610e4f7d280504a5a36.exe	111
PID 4464 wrote to memory of 1132	4464	d345138f48b7d610e4f7d280504a5a36.exe	111
PID 4464 wrote to memory of 1132	4464	d345138f48b7d610e4f7d280504a5a36.exe	111

C:\Users\Admin\AppData\Local\Temp\d345138f48b7d610e4f7d280504a5a36.exe
"C:\Users\Admin\AppData\Local\Temp\d345138f48b7d610e4f7d280504a5a36.exe"
1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Checks computer location settings
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4464
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NWKQwZWIgp" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3A26.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:680
- C:\Users\Admin\AppData\Local\Temp\d345138f48b7d610e4f7d280504a5a36.exe
  "C:\Users\Admin\AppData\Local\Temp\d345138f48b7d610e4f7d280504a5a36.exe"
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion