Analysis
- max time kernel: 142s
- max time network: 127s
- platform: windows10-2004_x64
- resource: win10v2004-20220721-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 09-08-2022 05:26
- Static task: static1
General
- Target: a8ec0f183b387ea059bde91897135ea0c26cfdad82d8c353aee4d6613cf6149a.exe
- Size: 1.8MB
- MD5: cd2e137d82bce4970a5dca9084ca0e9c
- SHA1: a06d093fe43bfffc0f6308d5aa24baa478430b0b
- SHA256: a8ec0f183b387ea059bde91897135ea0c26cfdad82d8c353aee4d6613cf6149a
- SHA512: 35331eb4c4e3e8fec941b0ef06a31e9e84d0534c56ded85c6cf65a8c8f096a686acb2b04260059e72669bdb32d2ffd510b2c3cfb3a368f177d3709c80d51da14
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 2 IoCs)
Processes: a8ec0f183b387ea059bde91897135ea0c26cfdad82d8c353aee4d6613cf6149a.exe, oobeldr.exe
- Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (process: a8ec0f183b387ea059bde91897135ea0c26cfdad82d8c353aee4d6613cf6149a.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (process: oobeldr.exe)
-
Executes dropped EXE (1 IoCs)
Processes: oobeldr.exe
- PID 1424: oobeldr.exe
-
Checks BIOS information in registry (2 TTPs, 4 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes: a8ec0f183b387ea059bde91897135ea0c26cfdad82d8c353aee4d6613cf6149a.exe, oobeldr.exe
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (process: a8ec0f183b387ea059bde91897135ea0c26cfdad82d8c353aee4d6613cf6149a.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (process: oobeldr.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (process: oobeldr.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (process: a8ec0f183b387ea059bde91897135ea0c26cfdad82d8c353aee4d6613cf6149a.exe)
-
Checks whether UAC is enabled (2 IoCs)
Processes: a8ec0f183b387ea059bde91897135ea0c26cfdad82d8c353aee4d6613cf6149a.exe, oobeldr.exe
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (process: a8ec0f183b387ea059bde91897135ea0c26cfdad82d8c353aee4d6613cf6149a.exe)
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (process: oobeldr.exe)
-
Suspicious use of NtSetInformationThreadHideFromDebugger (4 IoCs)
Processes: a8ec0f183b387ea059bde91897135ea0c26cfdad82d8c353aee4d6613cf6149a.exe, oobeldr.exe
- PID 4232: a8ec0f183b387ea059bde91897135ea0c26cfdad82d8c353aee4d6613cf6149a.exe (listed 2 times)
- PID 1424: oobeldr.exe (listed 2 times)
-
Creates scheduled task(s) (1 TTPs, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe, schtasks.exe
- PID 4072: schtasks.exe
- PID 2484: schtasks.exe
-
Suspicious behavior: EnumeratesProcesses (8 IoCs)
Processes: a8ec0f183b387ea059bde91897135ea0c26cfdad82d8c353aee4d6613cf6149a.exe, oobeldr.exe
- PID 4232: a8ec0f183b387ea059bde91897135ea0c26cfdad82d8c353aee4d6613cf6149a.exe (listed 4 times)
- PID 1424: oobeldr.exe (listed 4 times)
-
Suspicious use of WriteProcessMemory (6 IoCs)
Processes: a8ec0f183b387ea059bde91897135ea0c26cfdad82d8c353aee4d6613cf6149a.exe, oobeldr.exe
- PID 4232 (a8ec0f183b387ea059bde91897135ea0c26cfdad82d8c353aee4d6613cf6149a.exe) wrote to memory of PID 2484 (target process: schtasks.exe) (listed 3 times)
- PID 1424 (oobeldr.exe) wrote to memory of PID 4072 (target process: schtasks.exe) (listed 3 times)
Processes
-
C:\Users\Admin\AppData\Local\Temp\a8ec0f183b387ea059bde91897135ea0c26cfdad82d8c353aee4d6613cf6149a.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\a8ec0f183b387ea059bde91897135ea0c26cfdad82d8c353aee4d6613cf6149a.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
    Child process: C:\Windows\SysWOW64\schtasks.exe
    Command line: /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
    - Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
    Child process: C:\Windows\SysWOW64\schtasks.exe
    Command line: /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
    - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
- Filesize: 1.8MB
- MD5: cd2e137d82bce4970a5dca9084ca0e9c
- SHA1: a06d093fe43bfffc0f6308d5aa24baa478430b0b
- SHA256: a8ec0f183b387ea059bde91897135ea0c26cfdad82d8c353aee4d6613cf6149a
- SHA512: 35331eb4c4e3e8fec941b0ef06a31e9e84d0534c56ded85c6cf65a8c8f096a686acb2b04260059e72669bdb32d2ffd510b2c3cfb3a368f177d3709c80d51da14
-
Memory dumps (filename: size)
- memory/1424-148-0x00000000004E0000-0x00000000007FF000-memory.dmp: 3.1MB
- memory/1424-154-0x00000000004E0000-0x00000000007FF000-memory.dmp: 3.1MB
- memory/1424-153-0x00000000777A0000-0x0000000077943000-memory.dmp: 1.6MB
- memory/1424-152-0x00000000004E0000-0x00000000007FF000-memory.dmp: 3.1MB
- memory/1424-150-0x00000000004E1000-0x00000000004E3000-memory.dmp: 8KB
- memory/1424-155-0x00000000015D0000-0x0000000001614000-memory.dmp: 272KB
- memory/1424-147-0x00000000015D0000-0x0000000001614000-memory.dmp: 272KB
- memory/1424-146-0x00000000004E0000-0x00000000007FF000-memory.dmp: 3.1MB
- memory/1424-156-0x00000000004E0000-0x00000000007FF000-memory.dmp: 3.1MB
- memory/2484-137-0x0000000000000000-mapping.dmp
- memory/4072-151-0x0000000000000000-mapping.dmp
- memory/4232-136-0x00000000002E1000-0x00000000002E3000-memory.dmp: 8KB
- memory/4232-142-0x00000000777A0000-0x0000000077943000-memory.dmp: 1.6MB
- memory/4232-141-0x0000000002AF0000-0x0000000002B34000-memory.dmp: 272KB
- memory/4232-140-0x00000000002E0000-0x00000000005FF000-memory.dmp: 3.1MB
- memory/4232-139-0x00000000777A0000-0x0000000077943000-memory.dmp: 1.6MB
- memory/4232-138-0x00000000002E0000-0x00000000005FF000-memory.dmp: 3.1MB
- memory/4232-130-0x00000000002E0000-0x00000000005FF000-memory.dmp: 3.1MB
- memory/4232-135-0x00000000002E1000-0x00000000002E3000-memory.dmp: 8KB
- memory/4232-134-0x00000000002E0000-0x00000000005FF000-memory.dmp: 3.1MB
- memory/4232-133-0x00000000002E0000-0x00000000005FF000-memory.dmp: 3.1MB
- memory/4232-132-0x0000000002AF0000-0x0000000002B34000-memory.dmp: 272KB
- memory/4232-131-0x00000000002E0000-0x00000000005FF000-memory.dmp: 3.1MB