56185d7a87aa3556a27838d6053c3a3678864dc9fd955276d977c03b9fc53b7c

Analysis

max time kernel
57s
max time network
147s
platform
windows10-1703_x64
resource
win10-20220901-en
resource tags

arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system
submitted
12/09/2022, 18:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

56185d7a87aa3556a27838d6053c3a3678864dc9fd955276d977c03b9fc53b7c.exe
Size

1.8MB
MD5

22233f47caa27a3c587b8493084ee33b
SHA1

1328363d227d4902044eb5e266d32e6c93b5621c
SHA256

56185d7a87aa3556a27838d6053c3a3678864dc9fd955276d977c03b9fc53b7c
SHA512

bfd0c8ba89e1dd32652f48a814f00417f294271d8c10b57407c93c9dcf97fc66541d8b8e5327e11be4d898ac2ad6a45ef4614454494fb58e20c0e74e7b9aa700
SSDEEP

49152:AiSzCD+K95aLs7zeqLTVtXtHFIDP8EehiM8qZA:AiSzCD+K95aUeqFtXtHwEEehig

Score

9^/10

evasion trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	56185d7a87aa3556a27838d6053c3a3678864dc9fd955276d977c03b9fc53b7c.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	oobeldr.exe

Executes dropped EXE 1 IoCs

pid	Process
4936	oobeldr.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	56185d7a87aa3556a27838d6053c3a3678864dc9fd955276d977c03b9fc53b7c.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	56185d7a87aa3556a27838d6053c3a3678864dc9fd955276d977c03b9fc53b7c.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	oobeldr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	oobeldr.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	56185d7a87aa3556a27838d6053c3a3678864dc9fd955276d977c03b9fc53b7c.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	oobeldr.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
4528	56185d7a87aa3556a27838d6053c3a3678864dc9fd955276d977c03b9fc53b7c.exe
4528	56185d7a87aa3556a27838d6053c3a3678864dc9fd955276d977c03b9fc53b7c.exe
4936	oobeldr.exe
4936	oobeldr.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
5036	schtasks.exe
3216	schtasks.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4528	56185d7a87aa3556a27838d6053c3a3678864dc9fd955276d977c03b9fc53b7c.exe
4528	56185d7a87aa3556a27838d6053c3a3678864dc9fd955276d977c03b9fc53b7c.exe
4528	56185d7a87aa3556a27838d6053c3a3678864dc9fd955276d977c03b9fc53b7c.exe
4528	56185d7a87aa3556a27838d6053c3a3678864dc9fd955276d977c03b9fc53b7c.exe
4936	oobeldr.exe
4936	oobeldr.exe
4936	oobeldr.exe
4936	oobeldr.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4528 wrote to memory of 5036	4528	56185d7a87aa3556a27838d6053c3a3678864dc9fd955276d977c03b9fc53b7c.exe	66
PID 4528 wrote to memory of 5036	4528	56185d7a87aa3556a27838d6053c3a3678864dc9fd955276d977c03b9fc53b7c.exe	66
PID 4528 wrote to memory of 5036	4528	56185d7a87aa3556a27838d6053c3a3678864dc9fd955276d977c03b9fc53b7c.exe	66
PID 4936 wrote to memory of 3216	4936	oobeldr.exe	69
PID 4936 wrote to memory of 3216	4936	oobeldr.exe	69
PID 4936 wrote to memory of 3216	4936	oobeldr.exe	69

C:\Users\Admin\AppData\Local\Temp\56185d7a87aa3556a27838d6053c3a3678864dc9fd955276d977c03b9fc53b7c.exe
"C:\Users\Admin\AppData\Local\Temp\56185d7a87aa3556a27838d6053c3a3678864dc9fd955276d977c03b9fc53b7c.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4528
- C:\Windows\SysWOW64\schtasks.exe
  /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
  2⤵
  - Creates scheduled task(s)
  PID:5036

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4936
- C:\Windows\SysWOW64\schtasks.exe
  /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
  2⤵
  - Creates scheduled task(s)
  PID:3216

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
1.8MB

MD5
22233f47caa27a3c587b8493084ee33b

SHA1
1328363d227d4902044eb5e266d32e6c93b5621c

SHA256
56185d7a87aa3556a27838d6053c3a3678864dc9fd955276d977c03b9fc53b7c

SHA512
bfd0c8ba89e1dd32652f48a814f00417f294271d8c10b57407c93c9dcf97fc66541d8b8e5327e11be4d898ac2ad6a45ef4614454494fb58e20c0e74e7b9aa700

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
1.8MB

MD5
22233f47caa27a3c587b8493084ee33b

SHA1
1328363d227d4902044eb5e266d32e6c93b5621c

SHA256
56185d7a87aa3556a27838d6053c3a3678864dc9fd955276d977c03b9fc53b7c

SHA512
bfd0c8ba89e1dd32652f48a814f00417f294271d8c10b57407c93c9dcf97fc66541d8b8e5327e11be4d898ac2ad6a45ef4614454494fb58e20c0e74e7b9aa700

Download Submit
memory/4528-158-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/4528-152-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/4528-123-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/4528-125-0x00000000013A0000-0x00000000016BF000-memory.dmp

Filesize
3.1MB

Download
memory/4528-124-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/4528-126-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/4528-127-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/4528-128-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/4528-129-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/4528-130-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/4528-131-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/4528-132-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/4528-133-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/4528-134-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/4528-135-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/4528-136-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/4528-137-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/4528-138-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/4528-139-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/4528-140-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/4528-141-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/4528-142-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/4528-143-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/4528-144-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/4528-145-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/4528-146-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/4528-148-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/4528-147-0x0000000001280000-0x00000000012C4000-memory.dmp

Filesize
272KB

Download
memory/4528-150-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/4528-149-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/4528-151-0x00000000013A0000-0x00000000016BF000-memory.dmp

Filesize
3.1MB

Download
memory/4528-160-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/4528-153-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/4528-154-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/4528-155-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/4528-156-0x00000000013A0000-0x00000000016BF000-memory.dmp

Filesize
3.1MB

Download
memory/4528-157-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/4528-121-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/4528-122-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/4528-159-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/4528-166-0x00000000013A1000-0x00000000013A3000-memory.dmp

Filesize
8KB

Download
memory/4528-162-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/4528-163-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/4528-164-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/4528-165-0x00000000013A1000-0x00000000013A3000-memory.dmp

Filesize
8KB

Download
memory/4528-161-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/4528-167-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/4528-168-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/4528-175-0x00000000013A0000-0x00000000016BF000-memory.dmp

Filesize
3.1MB

Download
memory/4528-189-0x00000000013A0000-0x00000000016BF000-memory.dmp

Filesize
3.1MB

Download
memory/4528-190-0x0000000001280000-0x00000000012C4000-memory.dmp

Filesize
272KB

Download
memory/4528-120-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/4936-223-0x0000000000C70000-0x0000000000F8F000-memory.dmp

Filesize
3.1MB

Download
memory/4936-260-0x0000000000C70000-0x0000000000F8F000-memory.dmp

Filesize
3.1MB

Download
memory/4936-259-0x0000000000C70000-0x0000000000F8F000-memory.dmp

Filesize
3.1MB

Download
memory/4936-258-0x0000000000C70000-0x0000000000F8F000-memory.dmp

Filesize
3.1MB

Download
memory/4936-224-0x0000000000B00000-0x0000000000C4A000-memory.dmp

Filesize
1.3MB

Download
memory/4936-225-0x0000000000C70000-0x0000000000F8F000-memory.dmp

Filesize
3.1MB

Download
memory/5036-177-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/5036-176-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/5036-179-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/5036-181-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/5036-182-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/5036-170-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/5036-185-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/5036-180-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/5036-178-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/5036-174-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/5036-184-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/5036-172-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/5036-173-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/5036-171-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/5036-183-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/5036-186-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/5036-187-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download
memory/5036-188-0x0000000077530000-0x00000000776BE000-memory.dmp

Filesize
1.6MB

Download