Analysis

  • max time kernel
    1799s
  • max time network
    1407s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241211-en
  • resource tags

    arch:x64
    arch:x86
    image:win10ltsc2021-20241211-en
    locale:en-us
    os:windows10-ltsc 2021-x64
    system
  • submitted
    14/12/2024, 20:21

General

  • Target

    Bawless Windows Cracked By Vidhayakji786.rar

  • Size

    102.1MB

  • MD5

    99a1d2a905676cf0542c2a4d45e58d46

  • SHA1

    35fac87f8ca98865b6dee79023fb1c55cb925f0d

  • SHA256

    1801c0278583e34f09b0a202c83afbc6f2bb97ab0acb2932057a25e5eba597a6

  • SHA512

    3b1027101ef2d18a83aabd399c5ae3432b30f9ce541635ed35d1708864c55f94054b013e1c19e5b681838698067c8d6d722c3f9cf4c8b74c5c4ea8be40da8737

  • SSDEEP

    3145728:lp5yB7PXOvhxn3VGFEWDE6YorqEU+vhI9C:lpIB7PevhVVGbw5oex9C

Score
9/10

Malware Config

Signatures

  • Looks for VirtualBox Guest Additions in registry 2 TTPs 2 IoCs
  • Looks for VMWare Tools registry key 2 TTPs 2 IoCs
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 8 IoCs
  • Maps connected drives based on registry 3 TTPs 4 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 6 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 56 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
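Taken together, the registry signatures above describe a single anti-sandbox pattern: before doing anything else, the sample opens the registry keys that only exist on a VirtualBox or VMware guest and reads the BIOS, processor and mounted-drive descriptions that reveal a virtual machine. The following is an added example, not code from the report or from the sample, that applies the same classification to process-monitor-style registry events. The event line format, the PID numbers (chosen to mirror the process tree below) and the "two or more probe families" threshold are assumptions; the registry paths are the well-known locations these checks target.

```python
"""Flag VM/sandbox-detection registry reads in process-monitor style events.

Added example for this report; not part of tria.ge or the analysed sample.
The event lines in SAMPLE_EVENTS are constructed, as is the line format.
"""
import re
from collections import defaultdict

# Well-known registry locations probed by VM-aware samples, each mapped to the
# signature name used in the report. Matching is case-insensitive because the
# Windows registry is case-insensitive.
VM_PROBES = [
    (re.compile(r"\\SOFTWARE\\Oracle\\VirtualBox Guest Additions", re.I),
     "Looks for VirtualBox Guest Additions in registry"),
    (re.compile(r"\\SOFTWARE\\VMware, Inc\.\\VMware Tools", re.I),
     "Looks for VMWare Tools registry key"),
    (re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\BIOS\\"
                r"|\\HARDWARE\\DESCRIPTION\\System\\(System|Video)BiosVersion", re.I),
     "Checks BIOS information in registry"),
    (re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\\d+", re.I),
     "Checks processor information in registry"),
    (re.compile(r"\\SYSTEM\\MountedDevices"
                r"|\\SYSTEM\\CurrentControlSet\\Services\\Disk\\Enum", re.I),
     "Maps connected drives based on registry"),
]

# Assumed event format: "pid=<n> op=<RegXxx> path=<full key or value path>"
EVENT_RE = re.compile(r"^pid=(?P<pid>\d+)\s+op=(?P<op>\w+)\s+path=(?P<path>.+)$")
READ_OPS = {"RegOpenKey", "RegQueryValue", "RegEnumKey", "RegEnumValue"}


def parse_event(line):
    """Return (pid, op, path) or None for a line that is not a registry event."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    return int(m.group("pid")), m.group("op"), m.group("path")


def classify(lines):
    """Return {pid: {signature_name: hit_count}} for reads that match a probe.

    Only read operations count: a write to one of these keys is what an
    installer does, not what a sample probing for a VM does.
    """
    hits = defaultdict(lambda: defaultdict(int))
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        pid, op, path = ev
        if op not in READ_OPS:
            continue
        for pattern, name in VM_PROBES:
            if pattern.search(path):
                hits[pid][name] += 1
                break
    return {pid: dict(sigs) for pid, sigs in hits.items()}


def verdict(sigs):
    """Assumed threshold: two distinct probe families in one process is enough
    to call it anti-sandbox behaviour; a lone BIOS read is too common to score."""
    return "anti-sandbox" if len(sigs) >= 2 else "benign-or-inconclusive"


# Constructed events: PID 4800 behaves like the sample in the report, PID 3280
# like the archiver that merely reads its own settings, PID 9999 is a writer.
SAMPLE_EVENTS = [
    r"pid=4800 op=RegOpenKey path=HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions",
    r"pid=4800 op=RegOpenKey path=HKLM\SOFTWARE\VMware, Inc.\VMware Tools",
    r"pid=4800 op=RegQueryValue path=HKLM\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer",
    r"pid=4800 op=RegQueryValue path=HKLM\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName",
    r"pid=4800 op=RegQueryValue path=HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString",
    r"pid=4800 op=RegEnumKey path=HKLM\SYSTEM\MountedDevices",
    r"pid=3280 op=RegQueryValue path=HKCU\Software\7-Zip\Path",
    r"pid=9999 op=RegSetValue path=HKLM\SOFTWARE\VMware, Inc.\VMware Tools\InstallPath",
    "this line is not a registry event",
]

if __name__ == "__main__":
    for pid, sigs in classify(SAMPLE_EVENTS).items():
        print(pid, verdict(sigs))
        for name, count in sorted(sigs.items()):
            print(f"  {name} ({count} IoCs)")
```

Only PID 4800 is reported, with the BIOS signature counted twice, which is the same shape as the "2 TTPs 4 IoCs" summaries above: the signature fires once per process, the IoC count is the number of matching reads.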

Processes

  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Bawless Windows Cracked By Vidhayakji786.rar"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:3280
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:3676
    • C:\Users\Admin\Desktop\Bawless Windows Cracked By Vidhayakji786\Bawless RAT Cracked By vidhayakji786.exe
      "C:\Users\Admin\Desktop\Bawless Windows Cracked By Vidhayakji786\Bawless RAT Cracked By vidhayakji786.exe"
      1⤵
      • Looks for VirtualBox Guest Additions in registry
      • Looks for VMWare Tools registry key
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Loads dropped DLL
      • Maps connected drives based on registry
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4800
    • C:\Windows\system32\wbem\WmiApSrv.exe
      C:\Windows\system32\wbem\WmiApSrv.exe
      1⤵
        PID:3248
      • C:\Users\Admin\Desktop\Bawless Windows Cracked By Vidhayakji786\Bawless RAT Cracked By vidhayakji786.exe
        "C:\Users\Admin\Desktop\Bawless Windows Cracked By Vidhayakji786\Bawless RAT Cracked By vidhayakji786.exe"
        1⤵
        • Looks for VirtualBox Guest Additions in registry
        • Looks for VMWare Tools registry key
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Loads dropped DLL
        • Maps connected drives based on registry
        • System Location Discovery: System Language Discovery
        • Checks processor information in registry
        • Enumerates system info in registry
        • Modifies Internet Explorer settings
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2856
      • C:\Windows\system32\wbem\WmiApSrv.exe
        C:\Windows\system32\wbem\WmiApSrv.exe
        1⤵
          PID:4760

        Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Local\KVTUeGqEzCfMMgCNfCLmJoBNI\Bawless_RAT_Cracked_By_vi_Url_lqx5whgxrp3qiuvkfqhhw0xynuenadmn\1.0.0.0\user.config

          Filesize

          323B

          MD5

          f9386d27234e43fe47b6795942a7a8ff

          SHA1

          4191f495d7abac1cdac478ce50fddbbbfebe723e

          SHA256

          b546a456ef0590f41e1c61682380b4997e9d0b7216b3092bf598c14dd2b128bf

          SHA512

          96b9aedbe5bc6c7cf7317eb05ac355ae2caed8480425b31012e0c95f62f02db65c6412f10596d187d880a98572cf43e2f5cd70b73f6074efb21af78e834ec498

        • C:\Users\Admin\AppData\Local\KVTUeGqEzCfMMgCNfCLmJoBNI\Bawless_RAT_Cracked_By_vi_Url_lqx5whgxrp3qiuvkfqhhw0xynuenadmn\1.0.0.0\user.config

          Filesize

          443B

          MD5

          e638c22bea6f9e94ff8a7fd911b116b3

          SHA1

          af544cf8769ddb610290010c01f7c242857ae558

          SHA256

          250571b222424f8f70bc7264b918d14705de15323bd2266286374735bd66a2c8

          SHA512

          715f68cfc2cf2aebb9be455598b1046389484d41d31c3f78f138ec33bfc9a6010b903db5c3eac8eb6d54a887eb7d2a571b396232efcca688d9ad834efe9d70f2

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Bawless RAT Cracked By vidhayakji786.exe.log

          Filesize

          1KB

          MD5

          065d12ad48da4f4b2294dae36fd242a0

          SHA1

          da3802f57a2751e58691f8eda8407ff12c806731

          SHA256

          86568fffba8fd1f51f71fa0a72a3768b0ee9e90e417e952ffa8aac56c228b32f

          SHA512

          3a01a0e266307dd04d96c5ddcc56f6419855f54c6afad54a4c3d511d9bd9a88b3a0822c478d7ff195ab59605b557d796facb28ac6dc35df5c63cab17765c4a1a

        • C:\Users\Admin\AppData\Local\Temp\7zE0DC1F81A\Bawless Windows Cracked By Vidhayakji786\Logs\Ookii.Dialogs.dll

          Filesize

          126KB

          MD5

          c43d1d849935bd82fc577155dba84af0

          SHA1

          edc34ad456dc57979078b62373bf865e694a9666

          SHA256

          3e09f4104fc86a3ec4d6a600269d99c78485fa8b00726b19c7abf7a27eedbce1

          SHA512

          8a40199d220f55b28e13398472af12dbaca926603c778750c6a645ae92a9aea73b9f3b00e016ec81793420fa29f146b33f86dd6676652a55ce6d1eb61824c04a

        • C:\Users\Admin\AppData\Local\Temp\7zE0DC1F81A\Bawless Windows Cracked By Vidhayakji786\Logs\ProgressControls(4).dll

          Filesize

          12KB

          MD5

          c57a6c026cd6ea2870b83a423e6de4eb

          SHA1

          4177bd227f4bed55c7715091c7117f210650343d

          SHA256

          86d3053ad9366fef9ada575c9a4898ee5ac62067f1fa4c5914831f26b4dc9642

          SHA512

          86bcfa9a1f3dfe2356f1589f01873a4ca09e262e881dd97ec0028cd674332e0b9ab4129716e7bd4b810fccb59608e067e5ab56783e63e0b222f4821581073063

        • C:\Users\Admin\AppData\Local\Temp\7zE0DC1F81A\Bawless Windows Cracked By Vidhayakji786\Logs\vdump_03BF22DC.dll

          Filesize

          12KB

          MD5

          0658acea2f429d6bd5f75eccb8149ab1

          SHA1

          94924ab49ac27a33d40d465ede34391f64e3cecb

          SHA256

          70ef00516d8eb2d0650fbbba61f4edb785939e90c9d52a315f29b48f2c625e9d

          SHA512

          71e920d50343399cb39d29d9ec51ebf33bfbd0cf28663740220979b2974c047b1a1c47d431f04b2df0a6139b162463a1542b3d12c94691c1988cedd4ed67fe21

        • C:\Users\Admin\AppData\Local\Temp\7zE0DC1F81A\Bawless Windows Cracked By Vidhayakji786\Logs\vdump_0C7869D8.dll

          Filesize

          126KB

          MD5

          33d7c1072648f75e50b99ed7b68afe44

          SHA1

          9fe80ddaf34a93eac09d76816d5b2051626dbe02

          SHA256

          05a6a9ddc257ea82ec112db8a01eac70cadc7828e985c1cea4757b3b4c1f437b

          SHA512

          86a9b32395738fba5ab6417497a79d933256e73b03d33627f886309513bfb6e968c10b8c536c95ba4f98f9bb1df7142bbb37cbdcfdcf5c6ffbf64cc27d340227

        • C:\Users\Admin\Desktop\Bawless Windows Cracked By Vidhayakji786\Bawless RAT Cracked By vidhayakji786.exe

          Filesize

          14.7MB

          MD5

          7e228fdc2c17c3ef4ee02fcec4a4df7f

          SHA1

          a5112a8cf9e6dac6bb7ad6767c9979600f581a7b

          SHA256

          bd1ee9c456e4c08c4c8f184a8cb680b88dc444e231c855c850a4df2a9cb3aeb9

          SHA512

          3f1871a01d097a241d7533819b51099870888607fb8a4b51b669357fedafc197f6dc2551328e7f920a3a245e6bec183e460865dc20240d9d54ff4936cbc29eb4

        • C:\Users\Admin\Desktop\Bawless Windows Cracked By Vidhayakji786\Bawless RAT Cracked By vidhayakji786.exe.config

          Filesize

          3KB

          MD5

          7256166cbe820cf4b580ea75e30e1b0c

          SHA1

          60cbe96a43e827f4c110ea4ce9e1519d30a35625

          SHA256

          f35535c7c7b47ec67f2250aba3176455d700e1c3cb108d6c078863e278cd0dc6

          SHA512

          dfc3270104c602df33f5885ffb3c3d77fa8770ac1c84ee5717d2e11e52fc426f7d7e654c4f612c3facab46e8685d88d7ff923fca44b0c984b4317757eba6e2ad

        • C:\Users\Admin\Desktop\Bawless Windows Cracked By Vidhayakji786\Guna.UI2.dll

          Filesize

          1.9MB

          MD5

          c1789e4cf0b77749e0bef8f984f9cd6d

          SHA1

          cdf9d3f1c45bf294380d59846ae26b9da8a65725

          SHA256

          d590f05dc6980e4681243e68bda05b7da7952d75d4aa34963c1535f79c8fc060

          SHA512

          e51e76476d5c46d467bbf92a25471e6525a8ea58a4cca7ee305b295b396cb53650169665979eac0ed9bebb38c74d62c03e2f3b29b70eb6eafaf9ba474fea33ca

        • C:\Users\Admin\Desktop\Bawless Windows Cracked By Vidhayakji786\ServerCertificate.p12

          Filesize

          1KB

          MD5

          b025a65a61c6e8967637c346f6687f14

          SHA1

          b4a8ae31eb5518edc1b91079b966168f6af69202

          SHA256

          dae1407390b2fa60074fe872ab49d9f0669fdfb6996660fb2145ee8b198cba94

          SHA512

          54660d68e6c9d6e3fe5890977787c8396fed7744994255461ade1742d25aae226864b558658a0fedd749af4d94a85d16c21c2d7a006dc96c5ef362dd27908617

        • C:\Users\Admin\Desktop\Bawless Windows Cracked By Vidhayakji786\cGeoIp.dll

          Filesize

          2.3MB

          MD5

          6d6e172e7965d1250a4a6f8a0513aa9f

          SHA1

          b0fd4f64e837f48682874251c93258ee2cbcad2b

          SHA256

          d1ddd15e9c727a5ecf78d3918c17aee0512f5b181ad44952686beb89146e6bd0

          SHA512

          35daa38ad009599145aa241102bcd1f69b4caa55ebc5bb11df0a06567056c0ec5fcd02a33576c54c670755a6384e0229fd2f96622f12304dec58f79e1e834155

        • memory/2856-612-0x0000000006240000-0x00000000062A6000-memory.dmp

          Filesize

          408KB

        • memory/4800-577-0x00000000749A0000-0x0000000075151000-memory.dmp

          Filesize

          7.7MB

        • memory/4800-581-0x000000000AC90000-0x000000000AEE2000-memory.dmp

          Filesize

          2.3MB

        • memory/4800-582-0x0000000005440000-0x000000000544A000-memory.dmp

          Filesize

          40KB

        • memory/4800-576-0x00000000749AE000-0x00000000749AF000-memory.dmp

          Filesize

          4KB

        • memory/4800-586-0x000000000C480000-0x000000000C676000-memory.dmp

          Filesize

          2.0MB

        • memory/4800-588-0x00000000749A0000-0x0000000075151000-memory.dmp

          Filesize

          7.7MB

        • memory/4800-575-0x0000000007D60000-0x0000000007DF2000-memory.dmp

          Filesize

          584KB

        • memory/4800-574-0x00000000749A0000-0x0000000075151000-memory.dmp

          Filesize

          7.7MB

        • memory/4800-573-0x0000000006CF0000-0x0000000006D56000-memory.dmp

          Filesize

          408KB

        • memory/4800-572-0x0000000007210000-0x00000000077B6000-memory.dmp

          Filesize

          5.6MB

        • memory/4800-571-0x0000000000200000-0x00000000010BA000-memory.dmp

          Filesize

          14.7MB

        • memory/4800-570-0x00000000749AE000-0x00000000749AF000-memory.dmp

          Filesize

          4KB