a40626fbe1122175c403f8510e1f6ad41cee213a87ce8252305e32e5071a170a

Analysis

max time kernel
119s
max time network
127s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bd707a0357b19ea6953d47900bb051e3.exe
Size

9.0MB
MD5

bd707a0357b19ea6953d47900bb051e3
SHA1

8beefca61bdb6d8086bd6f3e16d86eab575138a2
SHA256

979c2c3e2496830b8778123e349c9b00168ffef73fbc0f7e53ff110147f9be6c
SHA512

4e458c7b4e6ca8e77c783ea92ca511816fed9b7525c0805982b0350e7713210afcc11e6004005200192172ab65ab2eb115a5eba4f60e448bfea1d38cf9bbf718
SSDEEP

196608:jxSZrxSZExSZfU+2at3DS7sJav43YmOZdqUJ9quict4zvv0uP:jxSZrxSZExSZfU+2aJDSgJnmqukY4zHN

Score

9^/10

defense_evasion

Malware Config

Signatures

Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions	bd707a0357b19ea6953d47900bb051e3.exe

Looks for VMWare Tools registry key 2 TTPs 1 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools	bd707a0357b19ea6953d47900bb051e3.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	bd707a0357b19ea6953d47900bb051e3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	bd707a0357b19ea6953d47900bb051e3.exe

Executes dropped EXE 1 IoCs

pid	Process
2244	bd707a0357b19ea6953d47900bb051e3.exe

Loads dropped DLL 1 IoCs

pid	Process
2408	cmd.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	bd707a0357b19ea6953d47900bb051e3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	bd707a0357b19ea6953d47900bb051e3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
2084	timeout.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2916	bd707a0357b19ea6953d47900bb051e3.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2916	bd707a0357b19ea6953d47900bb051e3.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2916 wrote to memory of 2408	2916	bd707a0357b19ea6953d47900bb051e3.exe	29
PID 2916 wrote to memory of 2408	2916	bd707a0357b19ea6953d47900bb051e3.exe	29
PID 2916 wrote to memory of 2408	2916	bd707a0357b19ea6953d47900bb051e3.exe	29
PID 2408 wrote to memory of 2084	2408	cmd.exe	31
PID 2408 wrote to memory of 2084	2408	cmd.exe	31
PID 2408 wrote to memory of 2084	2408	cmd.exe	31
PID 2408 wrote to memory of 2244	2408	cmd.exe	32
PID 2408 wrote to memory of 2244	2408	cmd.exe	32
PID 2408 wrote to memory of 2244	2408	cmd.exe	32

C:\Users\Admin\AppData\Local\Temp\bd707a0357b19ea6953d47900bb051e3.exe
"C:\Users\Admin\AppData\Local\Temp\bd707a0357b19ea6953d47900bb051e3.exe"
1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2916
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\bd707a0357b19ea6953d47900bb051e3.exe.bat" "
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2408
- - C:\Windows\system32\timeout.exe
    timeout /t 1 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2084
- - C:\Users\Admin\AppData\Local\Temp\bd707a0357b19ea6953d47900bb051e3.exe
    "C:\Users\Admin\AppData\Local\Temp\bd707a0357b19ea6953d47900bb051e3.exe" relaunch
    3⤵
    - Executes dropped EXE
    PID:2244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bd707a0357b19ea6953d47900bb051e3.exe.bat

Filesize
399B

MD5
18f7e01be92f7674eb444b559e1e0696

SHA1
f5eeb0adc69bddebadab8928f13a54fd13fe5c86

SHA256
ee7d2a9beaf743a23e22d7d0442389ed861e6100e8409085aab6979e5acb21c9

SHA512
55ec9320d26282b2646a3e84a365876a5a1b6db70d5ebbbf0d69daf597b41093020e09d7db8663b50333be50ae87542c55b6c96aba635e8a6c40e1ce60a9d3fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\bd707a0357b19ea6953d47900bb051e3.exe.tmp

Filesize
9.2MB

MD5
c24ff340e48d178d624057668f394940

SHA1
8527e0b22692f1c0b2cc75e523138b99ca3ea5c5

SHA256
0e1dcc12b1109ce83894fcaa99e62cb16475169566a4079c6582ba4f4ff0214c

SHA512
fb7960aad36f3d68780771ef85a68af8093ca4789737e1de11627b08936fc3121b2652df2e0b587fb85fe5daa18d50a8484993cd249ac088f2d0f5ff9579498f

Download Submit
memory/2244-28-0x000007FEF4B90000-0x000007FEF557C000-memory.dmp

Filesize
9.9MB

Download
memory/2244-27-0x000007FEF4B93000-0x000007FEF4B94000-memory.dmp

Filesize
4KB

Download
memory/2244-26-0x0000000000160000-0x0000000000174000-memory.dmp

Filesize
80KB

Download
memory/2244-25-0x000007FEF4B90000-0x000007FEF557C000-memory.dmp

Filesize
9.9MB

Download
memory/2244-24-0x0000000000170000-0x0000000000880000-memory.dmp

Filesize
7.1MB

Download
memory/2916-4-0x0000000000660000-0x0000000000674000-memory.dmp

Filesize
80KB

Download
memory/2916-8-0x000007FEF5580000-0x000007FEF5F6C000-memory.dmp

Filesize
9.9MB

Download
memory/2916-7-0x000007FEF5580000-0x000007FEF5F6C000-memory.dmp

Filesize
9.9MB

Download
memory/2916-11-0x000007FEF5580000-0x000007FEF5F6C000-memory.dmp

Filesize
9.9MB

Download
memory/2916-20-0x000007FEF5580000-0x000007FEF5F6C000-memory.dmp

Filesize
9.9MB

Download
memory/2916-6-0x000007FEF5580000-0x000007FEF5F6C000-memory.dmp

Filesize
9.9MB

Download
memory/2916-5-0x000000001CE50000-0x000000001D226000-memory.dmp

Filesize
3.8MB

Download
memory/2916-0-0x000007FEF5583000-0x000007FEF5584000-memory.dmp

Filesize
4KB

Download
memory/2916-3-0x000007FEF5580000-0x000007FEF5F6C000-memory.dmp

Filesize
9.9MB

Download
memory/2916-2-0x000000001C000000-0x000000001C14E000-memory.dmp

Filesize
1.3MB

Download
memory/2916-1-0x0000000001230000-0x0000000001940000-memory.dmp

Filesize
7.1MB

Download