{
	"id": "963ab6f3-603e-4caa-80aa-3c3a9a82bc5a",
	"created_at": "2026-04-07T02:20:16.961238Z",
	"updated_at": "2026-04-10T03:37:50.6339Z",
	"deleted_at": null,
	"sha1_hash": "7ae5c5753ae2a6997a3be9cbf6015c6b5f07943f",
	"title": "Investigating the use of VHD files by cybercriminals",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 43459,
	"plain_text": "Investigating the use of VHD files by cybercriminals\r\nBy Christiaan Beek\r\nPublished: 2020-12-03 · Archived: 2026-04-07 02:02:13 UTC\r\nIn recent investigations, I observed an adversary making use of a VHD attachment to a spear-phishing email being sent. VHD files are ‘Virtual Hard-Disk’ files. Originally the file format was introduced with Connectix Virtual PC and it can store the contents of a hard disk drive. Windows 7 and newer systems include the ability to manually mount VHD files. From Windows 8 onwards, a user can mount a VHD by simply double-clicking on the file. Once mounted, a VHD disk image appears to Windows as a normal hard disk physically connected to the system.\r\nWhy would an adversary use a VHD file? To launch a document. Starting from Microsoft Office 10, when a document is tagged as “Mark of the Web” (MotW), the file will be opened in Protected View. (Mark of the Web is a technology used by MS to tag files with the Internet Security zone info from where they originated.) In Windows 10, the SmartScreen technology will block files that are downloaded from the Internet from being executed.\r\nThe interesting thing with a VHD file is that files inside will not carry the MotW tag and can be executed without having to deal with the restrictions that belong to such files. That makes it attractive for adversaries to attempt using this technique.\r\nIn our case we have a VHD file that contains two files:\r\nFigure: content of the VHD file\r\nAs I observe, two files are in the VHD, including a PDF document that, once opened, will launch the executable file. Analysis reveals that the executable is a trojan belonging to the Sednit family, often used by the Turla group. I will not go into details on the malware analysis since I want to focus more on the VHD file format and forensics.\r\n$MFT\r\nSince this is a sort of hard disk with a filesystem, there are several approaches to investigate it from a forensic perspective. Mounting the disk, I can carve for deleted files or extract files like the Master File Table (MFT) to inspect the file behaviors and interactions on the disk.\r\nOnce I have extracted the MFT, I can start to extract the information and put the output in a CSV format.\r\nFigure: MFT analysis of VHD\r\nIn the above screenshot, I showcase a small part of the data. There are, from a forensic and incident-response \u0026 intelligence perspective, a few interesting things to observe. The files I discussed are copied and I can see the creation date and modification date. The VHD volume seems to have been created on October 21, 2020, while the files appear to have been copied and modified around November 10 and 11, 2020. Secondly, I observe the SIDs that were used. The Security Identifier in this case indicates a specific domain user.\r\nS-1-5-21-635164469-325223577-1075005921-1001\r\nS — Indicates it is a SID string.\r\n1 — The version of the SID structure. Windows NT and later starts with 1.\r\n5 — Identifier Authority. 5 = NT Authority.\r\n21-635164469-325223577-1075005921 — Domain identifier.\r\n1001 — RID. Identifies the particular account or group.\r\nMore Details About the VHD?\r\nMounting the VHD file in a VM, I launched Windows PowerShell ISE in admin mode and installed the module ‘PowerForensics’. Using this module, the filesystem can be queried for several types of information. In my screenshot below I firstly queried for the presence of deleted files and secondly the volume information:\r\nFigure: Example of PowerForensics output\r\nThe BytesPerCluster value, for example, is interesting if you discover a deleted file and want to restore it manually from the disk.\r\nMany commands in the module are very useful for my inspection:\r\nFigure: Volume Name\r\nFooter analysis of VHD file\r\nDigging deeper into the file system and specifics, I discovered this explanation of the footer structure of a VHD file. The specification was written by Joachim Metz, who I had the privilege to work with and learned a lot from with regards to filesystem forensics. Using the table of the footer and our VHD’s footer information, let’s see if we can discover more.\r\nFigure: Footer of VHD file\r\nThe first 8 bytes are the signature (cookie), with the value of ‘conectix’, an indicator this is a VHD file. The next 4 bytes describe which features are enabled. In this case, I observe the value 0x00000002 which translates to “reserved”. The 8 bytes with value 0xFFFFFFFFFFFFFFFF indicate that this is a fixed disk.\r\nThe next 4 bytes are the format version followed by 8 bytes of the next offset. The next 4 bytes in this footer have the value of 0x27227A65 — this is the number of seconds since January 1, 2000, and points to the modification time. In this case “656570981 seconds”, which is the modification time of “2020-10-22 04:49:41 UTC”.\r\nThe next 4 bytes indicate the ‘Creator Application’ used to create the VHD file. In this case, this is the value “zewin”. I am not currently aware of an application that this value refers to. There are multiple tools that can create VHD files.\r\nSkipping the creator version, I look at the 4 bytes that identify the creator’s operating system. Here it has the value “wi2k” which refers to Microsoft Windows.\r\nThe disk-size value in bytes is 12582912 bytes (0x0000000000c00000), aka 12.58 Megabytes.\r\nFlipping a few more bytes I go to the section that indicates the disk type. In this case, the value is 0x00000002, indicating it is a ‘fixed hard disk’.\r\nThe last bit I look at is the 16 bytes that contain a big-endian GUID value, in this case “6D CA 9A 42 A4 6E 55 DA C8 F7 96 DB”.\r\nSummary\r\nAdversaries will always look for new techniques to bypass security controls. Where we as an industry mostly stop our investigations with malicious files, it can be worth digging deeper with a forensics mindset to find more information about the actor and then adding the discovered information to the profile.\r\nSource: https://web.archive.org/web/20201203131725/https://christiaanbeek.medium.com/investigating-the-use-of-vhd-files-by-cybercriminals-3f1f08304316",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://web.archive.org/web/20201203131725/https://christiaanbeek.medium.com/investigating-the-use-of-vhd-files-by-cybercriminals-3f1f08304316"
	],
	"report_names": [
		"investigating-the-use-of-vhd-files-by-cybercriminals-3f1f08304316"
	],
	"threat_actors": [
		{
			"id": "8aaa5515-92dd-448d-bb20-3a253f4f8854",
			"created_at": "2024-06-19T02:03:08.147099Z",
			"updated_at": "2026-04-10T02:00:03.685355Z",
			"deleted_at": null,
			"main_name": "IRON HUNTER",
			"aliases": [
				"ATK13 ",
				"Belugasturgeon ",
				"Blue Python ",
				"CTG-8875 ",
				"ITG12 ",
				"KRYPTON ",
				"MAKERSMARK ",
				"Pensive Ursa ",
				"Secret Blizzard ",
				"Turla",
				"UAC-0003 ",
				"UAC-0024 ",
				"UNC4210 ",
				"Venomous Bear ",
				"Waterbug "
			],
			"source_name": "Secureworks:IRON HUNTER",
			"tools": [
				"Carbon-DLL",
				"ComRAT",
				"LightNeuron",
				"Mosquito",
				"PyFlash",
				"Skipper",
				"Snake",
				"Tavdig"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac",
			"created_at": "2022-10-25T16:07:24.349252Z",
			"updated_at": "2026-04-10T02:00:04.949821Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"ATK 13",
				"Belugasturgeon",
				"Blue Python",
				"CTG-8875",
				"G0010",
				"Group 88",
				"ITG12",
				"Iron Hunter",
				"Krypton",
				"Makersmark",
				"Operation Epic Turla",
				"Operation Moonlight Maze",
				"Operation Penguin Turla",
				"Operation Satellite Turla",
				"Operation Skipper Turla",
				"Operation Turla Mosquito",
				"Operation WITCHCOVEN",
				"Pacifier APT",
				"Pensive Ursa",
				"Popeye",
				"SIG15",
				"SIG2",
				"SIG23",
				"Secret Blizzard",
				"TAG-0530",
				"Turla",
				"UNC4210",
				"Venomous Bear",
				"Waterbug"
			],
			"source_name": "ETDA:Turla",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"ATI-Agent",
				"AdobeARM",
				"Agent.BTZ",
				"Agent.DNE",
				"ApolloShadow",
				"BigBoss",
				"COMpfun",
				"Chinch",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobra Carbon System",
				"ComRAT",
				"DoublePulsar",
				"EmPyre",
				"EmpireProject",
				"Epic Turla",
				"EternalBlue",
				"EternalRomance",
				"GoldenSky",
				"Group Policy Results Tool",
				"HTML5 Encoding",
				"HyperStack",
				"IcedCoffee",
				"IronNetInjector",
				"KSL0T",
				"Kapushka",
				"Kazuar",
				"KopiLuwak",
				"Kotel",
				"LOLBAS",
				"LOLBins",
				"LightNeuron",
				"Living off the Land",
				"Maintools.js",
				"Metasploit",
				"Meterpreter",
				"MiamiBeach",
				"Mimikatz",
				"MiniDionis",
				"Minit",
				"NBTscan",
				"NETTRANS",
				"NETVulture",
				"Neptun",
				"NetFlash",
				"NewPass",
				"Outlook Backdoor",
				"Penquin Turla",
				"Pfinet",
				"PowerShell Empire",
				"PowerShellRunner",
				"PowerShellRunner-based RPC backdoor",
				"PowerStallion",
				"PsExec",
				"PyFlash",
				"QUIETCANARY",
				"Reductor RAT",
				"RocketMan",
				"SMBTouch",
				"SScan",
				"Satellite Turla",
				"SilentMoon",
				"Sun rootkit",
				"TTNG",
				"TadjMakhal",
				"Tavdig",
				"TinyTurla",
				"TinyTurla Next Generation",
				"TinyTurla-NG",
				"Topinambour",
				"Tunnus",
				"Turla",
				"Turla SilentMoon",
				"TurlaChopper",
				"Uroburos",
				"Urouros",
				"WCE",
				"WITCHCOVEN",
				"WhiteAtlas",
				"WhiteBear",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Wipbot",
				"WorldCupSec",
				"XTRANS",
				"certutil",
				"certutil.exe",
				"gpresult",
				"nbtscan",
				"nbtstat",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a97fee0d-af4b-4661-ae17-858925438fc4",
			"created_at": "2023-01-06T13:46:38.396415Z",
			"updated_at": "2026-04-10T02:00:02.957137Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"TAG_0530",
				"Pacifier APT",
				"Blue Python",
				"UNC4210",
				"UAC-0003",
				"VENOMOUS Bear",
				"Waterbug",
				"Pfinet",
				"KRYPTON",
				"Popeye",
				"SIG23",
				"ATK13",
				"ITG12",
				"Group 88",
				"Uroburos",
				"Hippo Team",
				"IRON HUNTER",
				"MAKERSMARK",
				"Secret Blizzard",
				"UAC-0144",
				"UAC-0024",
				"G0010"
			],
			"source_name": "MISPGALAXY:Turla",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3",
			"created_at": "2022-10-25T15:50:23.509601Z",
			"updated_at": "2026-04-10T02:00:05.277674Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"Turla",
				"IRON HUNTER",
				"Group 88",
				"Waterbug",
				"WhiteBear",
				"Krypton",
				"Venomous Bear",
				"Secret Blizzard",
				"BELUGASTURGEON"
			],
			"source_name": "MITRE:Turla",
			"tools": [
				"PsExec",
				"nbtstat",
				"ComRAT",
				"netstat",
				"certutil",
				"KOPILUWAK",
				"IronNetInjector",
				"LunarWeb",
				"Arp",
				"Uroburos",
				"PowerStallion",
				"Kazuar",
				"Systeminfo",
				"LightNeuron",
				"Mimikatz",
				"Tasklist",
				"LunarMail",
				"HyperStack",
				"NBTscan",
				"TinyTurla",
				"Penquin",
				"LunarLoader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775528416,
	"ts_updated_at": 1775792270,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7ae5c5753ae2a6997a3be9cbf6015c6b5f07943f.pdf",
		"text": "https://archive.orkl.eu/7ae5c5753ae2a6997a3be9cbf6015c6b5f07943f.txt",
		"img": "https://archive.orkl.eu/7ae5c5753ae2a6997a3be9cbf6015c6b5f07943f.jpg"
	}
}