Analysis
max time kernel: 141s
max time network: 139s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/09/2022, 05:29
Static task
static1
General
Target: 15c22a6eb5b034932db4293f4e6a407302a75d762204c01d18ceab351f349372.exe
Size: 1.8MB
MD5: ff3e23847d643783653d11a67e373450
SHA1: 21967eefb0aec6ab12126823b6d11229e0b275ef
SHA256: 15c22a6eb5b034932db4293f4e6a407302a75d762204c01d18ceab351f349372
SHA512: ec0f7ce52992758355fb8d4164913272e39751b173077b15f509c2f7529de58ed3411787d1284007580003de38500742bfbef50fd535697d1a311d9d2c88de29
SSDEEP: 49152:AiSzCD+K95aLs7zeqLTVtXtHFIDP8EehiM8qZA:AiSzCD+K95aUeqFtXtHwEEehig
Malware Config
Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) - 2 TTPs, 2 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 15c22a6eb5b034932db4293f4e6a407302a75d762204c01d18ceab351f349372.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | oobeldr.exe

Executes dropped EXE - 1 IoCs
pid | Process
4604 | oobeldr.exe

Checks BIOS information in registry - 2 TTPs, 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 15c22a6eb5b034932db4293f4e6a407302a75d762204c01d18ceab351f349372.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 15c22a6eb5b034932db4293f4e6a407302a75d762204c01d18ceab351f349372.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | oobeldr.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | oobeldr.exe

Checks whether UAC is enabled
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 15c22a6eb5b034932db4293f4e6a407302a75d762204c01d18ceab351f349372.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | oobeldr.exe

Suspicious use of NtSetInformationThreadHideFromDebugger - 4 IoCs
pid | Process
4404 | 15c22a6eb5b034932db4293f4e6a407302a75d762204c01d18ceab351f349372.exe
4404 | 15c22a6eb5b034932db4293f4e6a407302a75d762204c01d18ceab351f349372.exe
4604 | oobeldr.exe
4604 | oobeldr.exe

Creates scheduled task(s) - 1 TTPs, 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2620 | schtasks.exe
1844 | schtasks.exe

Suspicious behavior: EnumeratesProcesses - 8 IoCs
pid | Process
4404 | 15c22a6eb5b034932db4293f4e6a407302a75d762204c01d18ceab351f349372.exe
4404 | 15c22a6eb5b034932db4293f4e6a407302a75d762204c01d18ceab351f349372.exe
4404 | 15c22a6eb5b034932db4293f4e6a407302a75d762204c01d18ceab351f349372.exe
4404 | 15c22a6eb5b034932db4293f4e6a407302a75d762204c01d18ceab351f349372.exe
4604 | oobeldr.exe
4604 | oobeldr.exe
4604 | oobeldr.exe
4604 | oobeldr.exe

Suspicious use of WriteProcessMemory - 6 IoCs
description | pid | Process | procid_target
PID 4404 wrote to memory of 2620 | 4404 | 15c22a6eb5b034932db4293f4e6a407302a75d762204c01d18ceab351f349372.exe | 83
PID 4404 wrote to memory of 2620 | 4404 | 15c22a6eb5b034932db4293f4e6a407302a75d762204c01d18ceab351f349372.exe | 83
PID 4404 wrote to memory of 2620 | 4404 | 15c22a6eb5b034932db4293f4e6a407302a75d762204c01d18ceab351f349372.exe | 83
PID 4604 wrote to memory of 1844 | 4604 | oobeldr.exe | 94
PID 4604 wrote to memory of 1844 | 4604 | oobeldr.exe | 94
PID 4604 wrote to memory of 1844 | 4604 | oobeldr.exe | 94
Processes

1. C:\Users\Admin\AppData\Local\Temp\15c22a6eb5b034932db4293f4e6a407302a75d762204c01d18ceab351f349372.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\15c22a6eb5b034932db4293f4e6a407302a75d762204c01d18ceab351f349372.exe"
   PID: 4404
   - Identifies VirtualBox via ACPI registry values (likely anti-VM)
   - Checks BIOS information in registry
   - Checks whether UAC is enabled
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\schtasks.exe
      Command line: /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
      PID: 2620
      - Creates scheduled task(s)

1. C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
   Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
   PID: 4604
   - Identifies VirtualBox via ACPI registry values (likely anti-VM)
   - Executes dropped EXE
   - Checks BIOS information in registry
   - Checks whether UAC is enabled
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\schtasks.exe
      Command line: /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
      PID: 1844
      - Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 1.8MB
MD5: ff3e23847d643783653d11a67e373450
SHA1: 21967eefb0aec6ab12126823b6d11229e0b275ef
SHA256: 15c22a6eb5b034932db4293f4e6a407302a75d762204c01d18ceab351f349372
SHA512: ec0f7ce52992758355fb8d4164913272e39751b173077b15f509c2f7529de58ed3411787d1284007580003de38500742bfbef50fd535697d1a311d9d2c88de29