Analysis
- max time kernel: 78s
- max time network: 135s
- platform: windows10-2004_x64
- resource: win10v2004-20220721-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 09-08-2022 05:19
- Static task: static1
General
- Target: b4b7b1b95b9bb1815f102bbbdc23f77b0664280d14f55a16eb5bc4652fba903b.exe
- Size: 1.8MB
- MD5: f58b6b797c23a456405c71f40b411499
- SHA1: 5886a152dd8e90bfd8339e3a5042e6f8206f0017
- SHA256: b4b7b1b95b9bb1815f102bbbdc23f77b0664280d14f55a16eb5bc4652fba903b
- SHA512: d789f5ee6696a634bfec8a26a027c57c013fc50f6cb661c4c56ebfe558d48dd2b11315c60d755fa129d754bf08319861f6195091ff1f64661afe26eb53a7a19b
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 2 IoCs)
  Processes: b4b7b1b95b9bb1815f102bbbdc23f77b0664280d14f55a16eb5bc4652fba903b.exe, oobeldr.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | b4b7b1b95b9bb1815f102bbbdc23f77b0664280d14f55a16eb5bc4652fba903b.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | oobeldr.exe
- Executes dropped EXE (1 IoC)
  Processes: oobeldr.exe
  pid | process
  384 | oobeldr.exe
- Checks BIOS information in registry (2 TTPs, 4 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes: b4b7b1b95b9bb1815f102bbbdc23f77b0664280d14f55a16eb5bc4652fba903b.exe, oobeldr.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | b4b7b1b95b9bb1815f102bbbdc23f77b0664280d14f55a16eb5bc4652fba903b.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | b4b7b1b95b9bb1815f102bbbdc23f77b0664280d14f55a16eb5bc4652fba903b.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | oobeldr.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | oobeldr.exe
- Checks whether UAC is enabled
  Processes: b4b7b1b95b9bb1815f102bbbdc23f77b0664280d14f55a16eb5bc4652fba903b.exe, oobeldr.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | b4b7b1b95b9bb1815f102bbbdc23f77b0664280d14f55a16eb5bc4652fba903b.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | oobeldr.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (4 IoCs)
  Processes: b4b7b1b95b9bb1815f102bbbdc23f77b0664280d14f55a16eb5bc4652fba903b.exe, oobeldr.exe
  pid | process
  2344 | b4b7b1b95b9bb1815f102bbbdc23f77b0664280d14f55a16eb5bc4652fba903b.exe
  2344 | b4b7b1b95b9bb1815f102bbbdc23f77b0664280d14f55a16eb5bc4652fba903b.exe
  384 | oobeldr.exe
  384 | oobeldr.exe
- Creates scheduled task(s) (1 TTPs, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes: schtasks.exe, schtasks.exe
  pid | process
  4352 | schtasks.exe
  4424 | schtasks.exe
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  Processes: b4b7b1b95b9bb1815f102bbbdc23f77b0664280d14f55a16eb5bc4652fba903b.exe, oobeldr.exe
  pid | process
  2344 | b4b7b1b95b9bb1815f102bbbdc23f77b0664280d14f55a16eb5bc4652fba903b.exe
  2344 | b4b7b1b95b9bb1815f102bbbdc23f77b0664280d14f55a16eb5bc4652fba903b.exe
  2344 | b4b7b1b95b9bb1815f102bbbdc23f77b0664280d14f55a16eb5bc4652fba903b.exe
  2344 | b4b7b1b95b9bb1815f102bbbdc23f77b0664280d14f55a16eb5bc4652fba903b.exe
  384 | oobeldr.exe
  384 | oobeldr.exe
  384 | oobeldr.exe
  384 | oobeldr.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: b4b7b1b95b9bb1815f102bbbdc23f77b0664280d14f55a16eb5bc4652fba903b.exe, oobeldr.exe
  description | pid | process | target process
  PID 2344 wrote to memory of 4352 | 2344 | b4b7b1b95b9bb1815f102bbbdc23f77b0664280d14f55a16eb5bc4652fba903b.exe | schtasks.exe
  PID 2344 wrote to memory of 4352 | 2344 | b4b7b1b95b9bb1815f102bbbdc23f77b0664280d14f55a16eb5bc4652fba903b.exe | schtasks.exe
  PID 2344 wrote to memory of 4352 | 2344 | b4b7b1b95b9bb1815f102bbbdc23f77b0664280d14f55a16eb5bc4652fba903b.exe | schtasks.exe
  PID 384 wrote to memory of 4424 | 384 | oobeldr.exe | schtasks.exe
  PID 384 wrote to memory of 4424 | 384 | oobeldr.exe | schtasks.exe
  PID 384 wrote to memory of 4424 | 384 | oobeldr.exe | schtasks.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\b4b7b1b95b9bb1815f102bbbdc23f77b0664280d14f55a16eb5bc4652fba903b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b4b7b1b95b9bb1815f102bbbdc23f77b0664280d14f55a16eb5bc4652fba903b.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
    - Creates scheduled task(s)
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
    - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  Filesize: 1.8MB
  MD5: f58b6b797c23a456405c71f40b411499
  SHA1: 5886a152dd8e90bfd8339e3a5042e6f8206f0017
  SHA256: b4b7b1b95b9bb1815f102bbbdc23f77b0664280d14f55a16eb5bc4652fba903b
  SHA512: d789f5ee6696a634bfec8a26a027c57c013fc50f6cb661c4c56ebfe558d48dd2b11315c60d755fa129d754bf08319861f6195091ff1f64661afe26eb53a7a19b
- memory/384-156-0x0000000000FB0000-0x00000000012CF000-memory.dmp (Filesize: 3.1MB)
- memory/384-145-0x0000000001370000-0x00000000013B4000-memory.dmp (Filesize: 272KB)
- memory/384-153-0x0000000000FB0000-0x00000000012CF000-memory.dmp (Filesize: 3.1MB)
- memory/384-152-0x0000000077A80000-0x0000000077C23000-memory.dmp (Filesize: 1.6MB)
- memory/384-151-0x0000000000FB0000-0x00000000012CF000-memory.dmp (Filesize: 3.1MB)
- memory/384-149-0x0000000000FB1000-0x0000000000FB3000-memory.dmp (Filesize: 8KB)
- memory/384-155-0x0000000000FB0000-0x00000000012CF000-memory.dmp (Filesize: 3.1MB)
- memory/384-147-0x0000000000FB0000-0x00000000012CF000-memory.dmp (Filesize: 3.1MB)
- memory/384-144-0x0000000000FB0000-0x00000000012CF000-memory.dmp (Filesize: 3.1MB)
- memory/384-146-0x0000000000FB0000-0x00000000012CF000-memory.dmp (Filesize: 3.1MB)
- memory/384-154-0x0000000001370000-0x00000000013B4000-memory.dmp (Filesize: 272KB)
- memory/2344-133-0x0000000000901000-0x0000000000903000-memory.dmp (Filesize: 8KB)
- memory/2344-140-0x0000000000900000-0x0000000000C1F000-memory.dmp (Filesize: 3.1MB)
- memory/2344-136-0x0000000000900000-0x0000000000C1F000-memory.dmp (Filesize: 3.1MB)
- memory/2344-131-0x0000000000900000-0x0000000000C1F000-memory.dmp (Filesize: 3.1MB)
- memory/2344-139-0x0000000077A80000-0x0000000077C23000-memory.dmp (Filesize: 1.6MB)
- memory/2344-132-0x0000000000D20000-0x0000000000D64000-memory.dmp (Filesize: 272KB)
- memory/2344-137-0x0000000000900000-0x0000000000C1F000-memory.dmp (Filesize: 3.1MB)
- memory/2344-141-0x0000000077A80000-0x0000000077C23000-memory.dmp (Filesize: 1.6MB)
- memory/2344-135-0x0000000000901000-0x0000000000903000-memory.dmp (Filesize: 8KB)
- memory/2344-130-0x0000000000900000-0x0000000000C1F000-memory.dmp (Filesize: 3.1MB)
- memory/2344-134-0x0000000000900000-0x0000000000C1F000-memory.dmp (Filesize: 3.1MB)
- memory/4352-138-0x0000000000000000-mapping.dmp
- memory/4424-150-0x0000000000000000-mapping.dmp