Analysis

max time kernel: 57s
max time network: 147s
platform: windows10-1703_x64
resource: win10-20220901-en
resource tags: arch:x64, arch:x86, image:win10-20220901-en, locale:en-us, os:windows10-1703-x64, system
submitted: 12/09/2022, 18:14
Static task: static1
General

Target: 56185d7a87aa3556a27838d6053c3a3678864dc9fd955276d977c03b9fc53b7c.exe
Size: 1.8MB
MD5: 22233f47caa27a3c587b8493084ee33b
SHA1: 1328363d227d4902044eb5e266d32e6c93b5621c
SHA256: 56185d7a87aa3556a27838d6053c3a3678864dc9fd955276d977c03b9fc53b7c
SHA512: bfd0c8ba89e1dd32652f48a814f00417f294271d8c10b57407c93c9dcf97fc66541d8b8e5327e11be4d898ac2ad6a45ef4614454494fb58e20c0e74e7b9aa700
SSDEEP: 49152:AiSzCD+K95aLs7zeqLTVtXtHFIDP8EehiM8qZA:AiSzCD+K95aUeqFtXtHwEEehig
Malware Config
Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) - 2 TTPs, 2 IoCs
Windows mirrors the ACPI table OEM IDs under HKLM\HARDWARE\ACPI; VirtualBox's OEM ID appears there as VBOX__, so simply opening that key is a cheap hypervisor check. Both the original sample and the dropped copy perform it.
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 56185d7a87aa3556a27838d6053c3a3678864dc9fd955276d977c03b9fc53b7c.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | oobeldr.exe

Executes dropped EXE - 1 IoC
pid | process
4936 | oobeldr.exe

Checks BIOS information in registry - 2 TTPs, 4 IoCs
BIOS information is often read in order to detect sandboxing environments; hypervisor and sandbox images tend to carry recognisable vendor strings in these values.
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 56185d7a87aa3556a27838d6053c3a3678864dc9fd955276d977c03b9fc53b7c.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 56185d7a87aa3556a27838d6053c3a3678864dc9fd955276d977c03b9fc53b7c.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | oobeldr.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | oobeldr.exe

Checks whether UAC is enabled - 2 IoCs
EnableLUA under Policies\System is the switch for User Account Control; reading it tells the sample whether an elevation attempt would trigger a prompt.
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 56185d7a87aa3556a27838d6053c3a3678864dc9fd955276d977c03b9fc53b7c.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | oobeldr.exe

Suspicious use of NtSetInformationThreadHideFromDebugger - 4 IoCs
NtSetInformationThread with the ThreadHideFromDebugger information class stops the calling thread from reporting debug events to an attached debugger; it is a standard anti-debugging trick and fires twice in each process here.
pid | process
4528 | 56185d7a87aa3556a27838d6053c3a3678864dc9fd955276d977c03b9fc53b7c.exe (2 events)
4936 | oobeldr.exe (2 events)

Creates scheduled task(s) - 1 TTP, 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution. Here both the original sample and the dropped copy register the same task, which re-launches oobeldr.exe every minute (see the command lines in the process tree below).
pid | process
5036 | schtasks.exe
3216 | schtasks.exe

Suspicious behavior: EnumeratesProcesses - 8 IoCs
pid | process
4528 | 56185d7a87aa3556a27838d6053c3a3678864dc9fd955276d977c03b9fc53b7c.exe (4 events)
4936 | oobeldr.exe (4 events)

Suspicious use of WriteProcessMemory - 6 IoCs
Each parent writes into the memory of the schtasks.exe child it spawns; this is consistent with normal process start-up of a child and is not by itself evidence of injection.
description | pid | process | procid_target
PID 4528 wrote to memory of 5036 | 4528 | 56185d7a87aa3556a27838d6053c3a3678864dc9fd955276d977c03b9fc53b7c.exe | 66 (3 events)
PID 4936 wrote to memory of 3216 | 4936 | oobeldr.exe | 69 (3 events)
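The registry-based signatures above are all simple path matches on kernel-level registry events. The following is an added example, not code from the sandbox or from the sample, that reproduces that matching over events constructed from the rows in this report and generalises slightly beyond the page: the FADT/RSDT alternatives and the SystemBiosDate/VideoBiosDate values are assumptions added here (VirtualBox stamps the same VBOX__ OEM ID on those tables, and the Date values sit beside the Version values), not keys this sample was seen touching.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple, Set, Tuple


class RegEvent(NamedTuple):
    op: str        # "Key opened" or "Key value queried", as the report words it
    path: str      # native \REGISTRY\MACHINE\... path as kernel tracing records it
    process: str
    pid: int


# Signature rules. Names mirror the report's own signature names.
# The FADT/RSDT and *BiosDate alternatives are assumptions added for this
# example; the report only shows DSDT\VBOX__ and the two *BiosVersion values.
RULES: List[Tuple[str, re.Pattern]] = [
    ("Identifies VirtualBox via ACPI registry values (likely anti-VM)",
     re.compile(r"^\\REGISTRY\\MACHINE\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__(\\|$)", re.I)),
    ("Checks BIOS information in registry",
     re.compile(r"^\\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\"
                r"(SystemBiosVersion|VideoBiosVersion|SystemBiosDate|VideoBiosDate)$", re.I)),
    ("Checks whether UAC is enabled",
     re.compile(r"^\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion"
                r"\\Policies\\System\\EnableLUA$", re.I)),
]


def match_signatures(events: Iterable[RegEvent]) -> Dict[str, List[RegEvent]]:
    """Group registry events under the first rule they trigger; unmatched events are dropped."""
    hits: Dict[str, List[RegEvent]] = defaultdict(list)
    for ev in events:
        for name, pattern in RULES:
            if pattern.match(ev.path):
                hits[name].append(ev)
                break
    return dict(hits)


def ioc_counts(hits: Dict[str, List[RegEvent]]) -> Dict[str, int]:
    """IoC count per signature, the number the report prints after each signature name."""
    return {name: len(evs) for name, evs in hits.items()}


def processes_sharing_behaviour(hits: Dict[str, List[RegEvent]]) -> Set[str]:
    """Processes that trigger every matched signature. A dropped file that behaves
    exactly like its parent is a hint that the drop is a copy of the parent."""
    per_signature = [{ev.process for ev in evs} for evs in hits.values()]
    return set.intersection(*per_signature) if per_signature else set()


SAMPLE = "56185d7a87aa3556a27838d6053c3a3678864dc9fd955276d977c03b9fc53b7c.exe"
DROPPED = "oobeldr.exe"

# Events transcribed from the signature tables of this report, plus one
# constructed benign lookup that must not match any rule.
EVENTS = [
    RegEvent("Key opened", r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__", SAMPLE, 4528),
    RegEvent("Key opened", r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__", DROPPED, 4936),
    RegEvent("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion", SAMPLE, 4528),
    RegEvent("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion", SAMPLE, 4528),
    RegEvent("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion", DROPPED, 4936),
    RegEvent("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion", DROPPED, 4936),
    RegEvent("Key value queried", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA", SAMPLE, 4528),
    RegEvent("Key value queried", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA", DROPPED, 4936),
    RegEvent("Key value queried", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName", SAMPLE, 4528),  # constructed noise
]


if __name__ == "__main__":
    hits = match_signatures(EVENTS)
    for name, count in ioc_counts(hits).items():
        print(f"{name} - {count} IoCs")
    print("processes showing every matched behaviour:", processes_sharing_behaviour(hits))
```

Run stand-alone it reproduces the 2/4/2 IoC counts of the three registry signatures and reports that both the sample and oobeldr.exe exhibit all of them.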
Processes

C:\Users\Admin\AppData\Local\Temp\56185d7a87aa3556a27838d6053c3a3678864dc9fd955276d977c03b9fc53b7c.exe (PID 4528, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\56185d7a87aa3556a27838d6053c3a3678864dc9fd955276d977c03b9fc53b7c.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\schtasks.exe (PID 5036, depth 2, child of 4528)
      Command line: /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
      - Creates scheduled task(s)

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe (PID 4936, depth 1; a separate root rather than a child of 4528, consistent with launch by the Task Scheduler)
  Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\schtasks.exe (PID 3216, depth 2, child of 4936)
      Command line: /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
      - Creates scheduled task(s)
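The persistence in this tree lives entirely in the schtasks command line: a task named "Telemetry Logging" that starts an executable under %APPDATA% every minute, created with /F so it silently replaces any task of the same name. The following is an added example, not code from the sandbox or the sample, that parses such a command line from a process-creation event and scores it the way an analyst would. The reported argument string begins with /C, which is not a schtasks switch; the parser skips tokens it does not know, so the remaining switches still parse. The user-writable directory list and the look-alike task-name words are heuristics chosen for this example, and the benign command line is constructed for contrast.

```python
import re
from typing import Dict, List, Tuple

# Directories an unprivileged user can write to (constructed list for this example).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")

# Words that make a task name look like built-in Windows maintenance (heuristic for this example).
LOOKALIKE_WORDS = ("telemetry", "logging", "update", "security", "defender", "microsoft", "windows")


def tokenize(cmdline: str) -> List[str]:
    """Split a Windows command line on whitespace, keeping double-quoted spans intact."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def parse_schtasks(cmdline: str) -> Dict[str, object]:
    """Pull the switches that matter for persistence out of a schtasks command line.
    Unknown tokens (including the stray /C the report shows before /create) are skipped."""
    parsed: Dict[str, object] = {"action": None, "force": False, "sc": None, "mo": None, "tn": None, "tr": None}
    tokens = tokenize(cmdline)
    i = 0
    while i < len(tokens):
        tok = tokens[i].lower()
        if tok in ("/create", "/delete", "/change", "/run", "/query", "/end"):
            parsed["action"] = tok[1:]
        elif tok == "/f":
            parsed["force"] = True
        elif tok in ("/sc", "/mo", "/tn", "/tr") and i + 1 < len(tokens):
            parsed[tok[1:]] = tokens[i + 1]   # value-taking switch: consume the next token
            i += 1
        i += 1
    return parsed


def assess(parsed: Dict[str, object]) -> List[str]:
    """Return the persistence findings an analyst would flag for a /create command."""
    findings: List[str] = []
    if parsed["action"] != "create":
        return findings
    sc = str(parsed["sc"] or "").lower()
    mo = str(parsed["mo"] or "")
    interval = int(mo) if mo.isdigit() else 1          # schtasks treats a missing /mo as 1
    if sc == "minute" and interval <= 5:
        findings.append(f"re-launch loop: runs every {interval} minute(s), not a real schedule")
    target = str(parsed["tr"] or "").lower()
    if any(d in target for d in USER_WRITABLE):
        findings.append("task runs a binary from a user-writable directory")
    name = str(parsed["tn"] or "").lower()
    if any(w in name for w in LOOKALIKE_WORDS):
        findings.append("task name mimics built-in Windows maintenance")
    if parsed["force"]:
        findings.append("/F silently overwrites an existing task of the same name")
    return findings


def triage(cmdline: str) -> Tuple[Dict[str, object], List[str]]:
    parsed = parse_schtasks(cmdline)
    return parsed, assess(parsed)


# Argument string exactly as the sandbox reported it for PID 5036 and PID 3216.
OBSERVED = (r'/C /create /F /sc minute /mo 1 /tn "Telemetry Logging" '
            r'/tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"')

# Constructed benign counterpart: a nightly job from a program directory.
BENIGN = r'/create /sc daily /st 02:00 /tn "Nightly Backup" /tr "C:\Program Files\Backup\backup.exe"'


if __name__ == "__main__":
    for label, line in (("observed", OBSERVED), ("benign", BENIGN)):
        parsed, findings = triage(line)
        print(label, parsed["tn"], "->", findings or ["no findings"])
```

The same parser works over Sysmon Event ID 1 or Windows 4688 command lines; the thing to key on in a hunt is the combination (minute interval, AppData target, forced overwrite), not the task name, which is trivially changed between builds.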
Network
MITRE ATT&CK Enterprise v6
Downloads (two dropped-file entries, both carrying the same hashes as the submitted target)

Filesize: 1.8MB
MD5: 22233f47caa27a3c587b8493084ee33b
SHA1: 1328363d227d4902044eb5e266d32e6c93b5621c
SHA256: 56185d7a87aa3556a27838d6053c3a3678864dc9fd955276d977c03b9fc53b7c
SHA512: bfd0c8ba89e1dd32652f48a814f00417f294271d8c10b57407c93c9dcf97fc66541d8b8e5327e11be4d898ac2ad6a45ef4614454494fb58e20c0e74e7b9aa700