1801c0278583e34f09b0a202c83afbc6f2bb97ab0acb2932057a25e5eba597a6

General

Target

Bawless Windows Cracked By Vidhayakji786.rar
Size

102.1MB
MD5

99a1d2a905676cf0542c2a4d45e58d46
SHA1

35fac87f8ca98865b6dee79023fb1c55cb925f0d
SHA256

1801c0278583e34f09b0a202c83afbc6f2bb97ab0acb2932057a25e5eba597a6
SHA512

3b1027101ef2d18a83aabd399c5ae3432b30f9ce541635ed35d1708864c55f94054b013e1c19e5b681838698067c8d6d722c3f9cf4c8b74c5c4ea8be40da8737
SSDEEP

3145728:lp5yB7PXOvhxn3VGFEWDE6YorqEU+vhI9C:lpIB7PevhVVGbw5oex9C

Score

9^/10

discovery evasion

Malware Config

Signatures

Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions	Bawless RAT Cracked By vidhayakji786.exe

Looks for VMWare Tools registry key 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools	Bawless RAT Cracked By vidhayakji786.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Bawless RAT Cracked By vidhayakji786.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Bawless RAT Cracked By vidhayakji786.exe

Executes dropped EXE 1 IoCs

pid	Process
1716	Bawless RAT Cracked By vidhayakji786.exe

Loads dropped DLL 5 IoCs

pid	Process
2016	WerFault.exe
2016	WerFault.exe
2016	WerFault.exe
2016	WerFault.exe
2016	WerFault.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	Bawless RAT Cracked By vidhayakji786.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	Bawless RAT Cracked By vidhayakji786.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2016	1716	WerFault.exe	32

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bawless RAT Cracked By vidhayakji786.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2420	7zFM.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	2420	7zFM.exe
Token: 35	2420	7zFM.exe
Token: SeSecurityPrivilege	2420	7zFM.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2420	7zFM.exe
2420	7zFM.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1716 wrote to memory of 2016	1716	Bawless RAT Cracked By vidhayakji786.exe	34
PID 1716 wrote to memory of 2016	1716	Bawless RAT Cracked By vidhayakji786.exe	34
PID 1716 wrote to memory of 2016	1716	Bawless RAT Cracked By vidhayakji786.exe	34
PID 1716 wrote to memory of 2016	1716	Bawless RAT Cracked By vidhayakji786.exe	34

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Bawless Windows Cracked By Vidhayakji786.rar"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2420

C:\Users\Admin\Desktop\Bawless Windows Cracked By Vidhayakji786\Bawless RAT Cracked By vidhayakji786.exe
"C:\Users\Admin\Desktop\Bawless Windows Cracked By Vidhayakji786\Bawless RAT Cracked By vidhayakji786.exe"
1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Executes dropped EXE
- Maps connected drives based on registry
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1716
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1716 -s 824
  2⤵
  - Loads dropped DLL
  - Program crash
  PID:2016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Virtualization/Sandbox Evasion

2

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zE479D0AE6\Bawless Windows Cracked By Vidhayakji786\Logs\Ookii.Dialogs.dll

Filesize
126KB

MD5
c43d1d849935bd82fc577155dba84af0

SHA1
edc34ad456dc57979078b62373bf865e694a9666

SHA256
3e09f4104fc86a3ec4d6a600269d99c78485fa8b00726b19c7abf7a27eedbce1

SHA512
8a40199d220f55b28e13398472af12dbaca926603c778750c6a645ae92a9aea73b9f3b00e016ec81793420fa29f146b33f86dd6676652a55ce6d1eb61824c04a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zE479D0AE6\Bawless Windows Cracked By Vidhayakji786\Logs\ProgressControls(4).dll

Filesize
12KB

MD5
c57a6c026cd6ea2870b83a423e6de4eb

SHA1
4177bd227f4bed55c7715091c7117f210650343d

SHA256
86d3053ad9366fef9ada575c9a4898ee5ac62067f1fa4c5914831f26b4dc9642

SHA512
86bcfa9a1f3dfe2356f1589f01873a4ca09e262e881dd97ec0028cd674332e0b9ab4129716e7bd4b810fccb59608e067e5ab56783e63e0b222f4821581073063

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zE479D0AE6\Bawless Windows Cracked By Vidhayakji786\Logs\vdump_03BF22DC.dll

Filesize
12KB

MD5
0658acea2f429d6bd5f75eccb8149ab1

SHA1
94924ab49ac27a33d40d465ede34391f64e3cecb

SHA256
70ef00516d8eb2d0650fbbba61f4edb785939e90c9d52a315f29b48f2c625e9d

SHA512
71e920d50343399cb39d29d9ec51ebf33bfbd0cf28663740220979b2974c047b1a1c47d431f04b2df0a6139b162463a1542b3d12c94691c1988cedd4ed67fe21

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zE479D0AE6\Bawless Windows Cracked By Vidhayakji786\Logs\vdump_0C7869D8.dll

Filesize
126KB

MD5
33d7c1072648f75e50b99ed7b68afe44

SHA1
9fe80ddaf34a93eac09d76816d5b2051626dbe02

SHA256
05a6a9ddc257ea82ec112db8a01eac70cadc7828e985c1cea4757b3b4c1f437b

SHA512
86a9b32395738fba5ab6417497a79d933256e73b03d33627f886309513bfb6e968c10b8c536c95ba4f98f9bb1df7142bbb37cbdcfdcf5c6ffbf64cc27d340227

Download Submit
C:\Users\Admin\Desktop\Bawless Windows Cracked By Vidhayakji786\Bawless RAT Cracked By vidhayakji786.exe

Filesize
14.7MB

MD5
7e228fdc2c17c3ef4ee02fcec4a4df7f

SHA1
a5112a8cf9e6dac6bb7ad6767c9979600f581a7b

SHA256
bd1ee9c456e4c08c4c8f184a8cb680b88dc444e231c855c850a4df2a9cb3aeb9

SHA512
3f1871a01d097a241d7533819b51099870888607fb8a4b51b669357fedafc197f6dc2551328e7f920a3a245e6bec183e460865dc20240d9d54ff4936cbc29eb4

Download Submit
memory/1716-570-0x0000000001280000-0x000000000213A000-memory.dmp

Filesize
14.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads