ce63ae9069832ff3b0f2eb76b384c40cd8b70987280d4cc07559493a2b5c04ff

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions	4b5d342b8c5a5b19fac86b1315802786.exe

Looks for VMWare Tools registry key 2 TTPs 1 IoCs

defense_evasion

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools	4b5d342b8c5a5b19fac86b1315802786.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	4b5d342b8c5a5b19fac86b1315802786.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	4b5d342b8c5a5b19fac86b1315802786.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	4b5d342b8c5a5b19fac86b1315802786.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	4b5d342b8c5a5b19fac86b1315802786.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	4b5d342b8c5a5b19fac86b1315802786.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
4616	timeout.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
5496	4b5d342b8c5a5b19fac86b1315802786.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5496	4b5d342b8c5a5b19fac86b1315802786.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5496 wrote to memory of 4456	5496	4b5d342b8c5a5b19fac86b1315802786.exe	88
PID 5496 wrote to memory of 4456	5496	4b5d342b8c5a5b19fac86b1315802786.exe	88
PID 4456 wrote to memory of 4616	4456	cmd.exe	90
PID 4456 wrote to memory of 4616	4456	cmd.exe	90
PID 4456 wrote to memory of 4796	4456	cmd.exe	91
PID 4456 wrote to memory of 4796	4456	cmd.exe	91

C:\Users\Admin\AppData\Local\Temp\4b5d342b8c5a5b19fac86b1315802786.exe
"C:\Users\Admin\AppData\Local\Temp\4b5d342b8c5a5b19fac86b1315802786.exe"
1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Checks computer location settings
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5496
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4b5d342b8c5a5b19fac86b1315802786.exe.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4456
- - C:\Windows\system32\timeout.exe
    timeout /t 1 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:4616
- - C:\Users\Admin\AppData\Local\Temp\4b5d342b8c5a5b19fac86b1315802786.exe
    "C:\Users\Admin\AppData\Local\Temp\4b5d342b8c5a5b19fac86b1315802786.exe" relaunch
    3⤵
    PID:4796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion