Analysis
-
max time kernel
101s -
max time network
103s -
platform
windows10-1703_x64 -
resource
win10-20220812-en -
resource tags
arch:x64, arch:x86, image:win10-20220812-en, locale:en-us, os:windows10-1703-x64, system -
submitted
14/09/2022, 14:57
Static task
static1
General
-
Target
d3800f1215047099c01eda94a1ae2d2eea37021ed98ef8f13a36aee17e2e8cb8.exe
-
Size
1.8MB
-
MD5
d9dbbd5e28fd0377c8794750634b50fb
-
SHA1
145583a7625b936af249b89dfce9d09ba9a8677b
-
SHA256
d3800f1215047099c01eda94a1ae2d2eea37021ed98ef8f13a36aee17e2e8cb8
-
SHA512
c474fb36b36ad111b731e2a3d2d6f98a311bfa9dd4effe7224f25247f749f4f9b786bba5498c500be70ff64b6e398615dfe97d73bcd532df68a53432b53b76d7
-
SSDEEP
49152:AiSzCD+K95aLs7zeqLTVtXtHFIDP8EehiM8qZA:AiSzCD+K95aUeqFtXtHwEEehig
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
VirtualBox stamps its ACPI tables with the OEM ID VBOX__, so a key of that name under HARDWARE\ACPI\DSDT exists only inside a VirtualBox guest; reading it is a cheap VM check.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | d3800f1215047099c01eda94a1ae2d2eea37021ed98ef8f13a36aee17e2e8cb8.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | oobeldr.exe
-
Executes dropped EXE 1 IoCs
pid | Process
1776 | oobeldr.exe
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | d3800f1215047099c01eda94a1ae2d2eea37021ed98ef8f13a36aee17e2e8cb8.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | d3800f1215047099c01eda94a1ae2d2eea37021ed98ef8f13a36aee17e2e8cb8.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | oobeldr.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | oobeldr.exe
-
Checks whether UAC is enabled 2 IoCs
EnableLUA is the policy value that records whether User Account Control is switched on; reading it tells the sample whether an elevation prompt stands between it and administrative actions.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | d3800f1215047099c01eda94a1ae2d2eea37021ed98ef8f13a36aee17e2e8cb8.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | oobeldr.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
Calling NtSetInformationThread with the ThreadHideFromDebugger information class stops debug events for that thread from being delivered to an attached debugger, a common anti-debugging technique.
pid | Process
2960 | d3800f1215047099c01eda94a1ae2d2eea37021ed98ef8f13a36aee17e2e8cb8.exe
2960 | d3800f1215047099c01eda94a1ae2d2eea37021ed98ef8f13a36aee17e2e8cb8.exe
1776 | oobeldr.exe
1776 | oobeldr.exe
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
4948 | schtasks.exe
5036 | schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
pid | Process
2960 | d3800f1215047099c01eda94a1ae2d2eea37021ed98ef8f13a36aee17e2e8cb8.exe
2960 | d3800f1215047099c01eda94a1ae2d2eea37021ed98ef8f13a36aee17e2e8cb8.exe
2960 | d3800f1215047099c01eda94a1ae2d2eea37021ed98ef8f13a36aee17e2e8cb8.exe
2960 | d3800f1215047099c01eda94a1ae2d2eea37021ed98ef8f13a36aee17e2e8cb8.exe
1776 | oobeldr.exe
1776 | oobeldr.exe
1776 | oobeldr.exe
1776 | oobeldr.exe
-
Suspicious use of WriteProcessMemory 6 IoCs
description | pid | Process | procid_target
PID 2960 wrote to memory of 4948 | 2960 | d3800f1215047099c01eda94a1ae2d2eea37021ed98ef8f13a36aee17e2e8cb8.exe | 66
PID 2960 wrote to memory of 4948 | 2960 | d3800f1215047099c01eda94a1ae2d2eea37021ed98ef8f13a36aee17e2e8cb8.exe | 66
PID 2960 wrote to memory of 4948 | 2960 | d3800f1215047099c01eda94a1ae2d2eea37021ed98ef8f13a36aee17e2e8cb8.exe | 66
PID 1776 wrote to memory of 5036 | 1776 | oobeldr.exe | 69
PID 1776 wrote to memory of 5036 | 1776 | oobeldr.exe | 69
PID 1776 wrote to memory of 5036 | 1776 | oobeldr.exe | 69
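The three registry signatures above (VirtualBox ACPI table name, BIOS version strings, EnableLUA) are the same handful of keys that anti-analysis code reads almost everywhere, so they are worth matching against registry-access telemetry in bulk rather than one sandbox run at a time. The Python below is an added example written for this page, not code from tria.ge or from the sample: it normalises kernel-style \REGISTRY\MACHINE paths to the HKLM form, classifies each access against a small rule list, and flags any process that touches fingerprint keys from more than one category. The event list is constructed to mirror the IoCs in the report (the submitted file is called sample.exe for brevity, plus one benign notepad.exe access as a control); the rules extend the report's single DSDT hit to the FADT and RSDT tables, which VirtualBox labels with the same VBOX__ OEM ID.

```python
import re
from collections import defaultdict

# Constructed sample events shaped like the "Key opened" / "Key value queried"
# IoCs in the report (process, operation, kernel-style registry path).
# Not taken from any real log source.
SAMPLE_EVENTS = [
    ("sample.exe", "Key opened", r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__"),
    ("sample.exe", "Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"),
    ("sample.exe", "Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion"),
    ("sample.exe", "Key value queried", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"),
    ("oobeldr.exe", "Key opened", r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__"),
    ("oobeldr.exe", "Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"),
    ("oobeldr.exe", "Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion"),
    ("oobeldr.exe", "Key value queried", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"),
    ("notepad.exe", "Key value queried", r"\REGISTRY\USER\S-1-5-21-1\Software\Microsoft\Notepad\lfFaceName"),
]

# (regex over the normalised HKLM-style path, category, what the read reveals)
# The ACPI rule covers DSDT, FADT and RSDT: VirtualBox stamps all three with VBOX__.
FINGERPRINT_RULES = [
    (re.compile(r"^HKLM\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__", re.I),
     "anti-vm", "VirtualBox ACPI table OEM ID"),
    (re.compile(r"^HKLM\\HARDWARE\\DESCRIPTION\\System\\(System|Video)BiosVersion$", re.I),
     "anti-sandbox", "BIOS version strings (expose the VM/sandbox firmware vendor)"),
    (re.compile(r"^HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA$", re.I),
     "recon", "UAC enabled?"),
]


def normalise(path):
    """Map the object-manager form the sandbox logs to the HKLM/HKU form analysts use."""
    path = re.sub(r"^\\REGISTRY\\MACHINE\\", r"HKLM\\", path, flags=re.I)
    path = re.sub(r"^\\REGISTRY\\USER\\", r"HKU\\", path, flags=re.I)
    return path


def classify(path):
    """Return (category, description) for a fingerprinting key, or None for anything else."""
    norm = normalise(path)
    for rx, category, desc in FINGERPRINT_RULES:
        if rx.search(norm):
            return category, desc
    return None


def summarise(events):
    """Per-process hit counts by category, e.g. {'oobeldr.exe': {'anti-vm': 1, ...}}."""
    counts = defaultdict(lambda: defaultdict(int))
    for process, _op, path in events:
        hit = classify(path)
        if hit:
            counts[process][hit[0]] += 1
    return {p: dict(c) for p, c in counts.items()}


def flag_processes(events, min_categories=2):
    """Processes that read fingerprint keys from at least min_categories distinct categories.
    One BIOS read is ordinary; BIOS plus ACPI plus UAC in one process is evasion logic."""
    return sorted(p for p, c in summarise(events).items() if len(c) >= min_categories)


if __name__ == "__main__":
    for proc, cats in summarise(SAMPLE_EVENTS).items():
        print(proc, cats)
    print("flagged:", flag_processes(SAMPLE_EVENTS))
```

Requiring hits in two or more categories is what keeps the rule quiet on hardware-inventory agents, which read SystemBiosVersion constantly but never go looking for VBOX__.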
Processes
-
C:\Users\Admin\AppData\Local\Temp\d3800f1215047099c01eda94a1ae2d2eea37021ed98ef8f13a36aee17e2e8cb8.exe
  "C:\Users\Admin\AppData\Local\Temp\d3800f1215047099c01eda94a1ae2d2eea37021ed98ef8f13a36aee17e2e8cb8.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2960
  -
  C:\Windows\SysWOW64\schtasks.exe
    /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
    - Creates scheduled task(s)
    PID:4948
-
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1776
  -
  C:\Windows\SysWOW64\schtasks.exe
    /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
    - Creates scheduled task(s)
    PID:5036
-
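The schtasks line in the process tree is the entire persistence mechanism: a task named "Telemetry Logging" re-runs the copy dropped under AppData\Roaming\Microsoft\Protect every minute, and the dropped copy re-issues the same command on each run. As an added example (not tria.ge's code and not from the sample), the Python below parses a schtasks /create command line of the kind a Sysmon event 1 or 4688 record carries and scores the features that make this one stand out. The command lines are constructed; the first reproduces the report's invocation, including the stray /C switch, which schtasks does not define and the parser records as unrecognised.

```python
import re

# Constructed sample command lines. The first mirrors the schtasks invocation in the
# process tree above; the second is a benign-looking control case. Neither is a real log.
SAMPLE_CMDLINES = [
    r'C:\Windows\SysWOW64\schtasks.exe /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" '
    r'/tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"',
    r'schtasks.exe /create /sc daily /st 03:00 /tn "Nightly Backup" /tr "C:\Program Files\Backup\bk.exe"',
]

# schtasks /create switches that consume the following token as their value
VALUE_SWITCHES = {"sc", "mo", "tn", "tr", "ru", "rp", "rl", "st", "sd", "ed", "et",
                  "du", "ri", "xml", "s", "u", "p", "d", "m", "i", "ec", "delay"}
# switches that stand alone
FLAG_SWITCHES = {"f", "z", "v1", "it", "np", "k", "hresult"}
ACTIONS = {"create", "delete", "query", "change", "run", "end"}


def tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping double-quoted spans as one token."""
    tokens, cur, quoted = [], [], False
    for ch in cmdline:
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append("".join(cur))
    return tokens


def parse_schtasks(cmdline):
    """Return the action, valued switches, bare flags and anything schtasks would not recognise."""
    toks = tokenize(cmdline)
    opts = {"action": None, "flags": set(), "unknown": []}
    i = 1  # token 0 is the executable
    while i < len(toks):
        t = toks[i]
        name = t[1:].lower() if t.startswith("/") else None
        if name in ACTIONS:
            opts["action"] = name
        elif name in VALUE_SWITCHES and i + 1 < len(toks):
            opts[name] = toks[i + 1]
            i += 1
        elif name in FLAG_SWITCHES:
            opts["flags"].add(name)
        else:
            opts["unknown"].append(t)
        i += 1
    return opts


# Locations an unprivileged user can write to; a task action there needs no admin to plant.
USER_WRITABLE = re.compile(
    r"(\\Users\\[^\\]+\\AppData\\|\\Temp\\|%(APPDATA|LOCALAPPDATA|TEMP|TMP)%|\\ProgramData\\|\\Public\\)", re.I)
SYSTEM_WORDS = re.compile(r"\b(telemetry|update|windows|microsoft|defender|security)\b", re.I)
SYSTEM_DIRS = re.compile(r"^[A-Z]:\\(Windows|Program Files( \(x86\))?)\\", re.I)
WEIGHTS = {"high": 3, "medium": 2, "low": 1}


def assess(cmdline):
    """Score a schtasks command line; returns (score, [(severity, finding), ...])."""
    o = parse_schtasks(cmdline)
    findings = []
    if o["action"] != "create":
        return 0, findings
    action, name = o.get("tr", ""), o.get("tn", "")
    sc, mo = o.get("sc", "").lower(), o.get("mo", "")
    if sc == "minute" and mo.isdigit() and int(mo) <= 5:
        findings.append(("high", f"re-executes every {mo} minute(s); loaders use this to relaunch after being killed"))
    if USER_WRITABLE.search(action):
        findings.append(("high", "task action lives in a user-writable directory"))
    if re.search(r"\\Microsoft\\Protect\\", action, re.I):
        findings.append(("high", "executable under Microsoft\\Protect (DPAPI key store; normally holds no binaries)"))
    if SYSTEM_WORDS.search(name) and not SYSTEM_DIRS.search(action):
        findings.append(("medium", f'system-sounding task name "{name}" but action outside Windows/Program Files'))
    if "f" in o["flags"]:
        findings.append(("low", "/F silently replaces an existing task of the same name"))
    return sum(WEIGHTS[sev] for sev, _ in findings), findings


if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        score, findings = assess(line)
        print(score, line)
        for sev, text in findings:
            print("   ", sev, text)
```

The per-minute trigger is the feature worth alerting on by itself: legitimate software schedules maintenance hourly or daily, while a loader that must survive being terminated (and that re-creates its own task on every run, as oobeldr.exe does here) wants the shortest interval schtasks allows.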
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Two download entries are listed; both carry the same hashes as the submitted sample.
Filesize
1.8MB
MD5
d9dbbd5e28fd0377c8794750634b50fb
SHA1
145583a7625b936af249b89dfce9d09ba9a8677b
SHA256
d3800f1215047099c01eda94a1ae2d2eea37021ed98ef8f13a36aee17e2e8cb8
SHA512
c474fb36b36ad111b731e2a3d2d6f98a311bfa9dd4effe7224f25247f749f4f9b786bba5498c500be70ff64b6e398615dfe97d73bcd532df68a53432b53b76d7