a40626fbe1122175c403f8510e1f6ad41cee213a87ce8252305e32e5071a170a

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions	bd707a0357b19ea6953d47900bb051e3.exe

Looks for VMWare Tools registry key 2 TTPs 1 IoCs

defense_evasion

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools	bd707a0357b19ea6953d47900bb051e3.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	bd707a0357b19ea6953d47900bb051e3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	bd707a0357b19ea6953d47900bb051e3.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	bd707a0357b19ea6953d47900bb051e3.exe

Executes dropped EXE 1 IoCs

pid	Process
4784	bd707a0357b19ea6953d47900bb051e3.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	bd707a0357b19ea6953d47900bb051e3.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	bd707a0357b19ea6953d47900bb051e3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
6136	timeout.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1560	bd707a0357b19ea6953d47900bb051e3.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1560	bd707a0357b19ea6953d47900bb051e3.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1560 wrote to memory of 4512	1560	bd707a0357b19ea6953d47900bb051e3.exe	88
PID 1560 wrote to memory of 4512	1560	bd707a0357b19ea6953d47900bb051e3.exe	88
PID 4512 wrote to memory of 6136	4512	cmd.exe	90
PID 4512 wrote to memory of 6136	4512	cmd.exe	90
PID 4512 wrote to memory of 4784	4512	cmd.exe	91
PID 4512 wrote to memory of 4784	4512	cmd.exe	91

C:\Users\Admin\AppData\Local\Temp\bd707a0357b19ea6953d47900bb051e3.exe
"C:\Users\Admin\AppData\Local\Temp\bd707a0357b19ea6953d47900bb051e3.exe"
1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Checks computer location settings
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1560
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bd707a0357b19ea6953d47900bb051e3.exe.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4512
- - C:\Windows\system32\timeout.exe
    timeout /t 1 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:6136
- - C:\Users\Admin\AppData\Local\Temp\bd707a0357b19ea6953d47900bb051e3.exe
    "C:\Users\Admin\AppData\Local\Temp\bd707a0357b19ea6953d47900bb051e3.exe" relaunch
    3⤵
    - Executes dropped EXE
    PID:4784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion