Analysis
max time kernel: 53s
max time network: 64s
platform: windows10-1703_x64
resource: win10-20220901-en
resource tags: arch:x64, arch:x86, image:win10-20220901-en, locale:en-us, os:windows10-1703-x64, system
submitted: 16/09/2022, 15:44
Static task
static1
General
Target: bb2d18cc2e0f840e562a30b57360c6f0a701475ba1ae783759f58117f269e537.exe
Size: 1.8MB
MD5: f813d9cdf5016e184ade31151f810776
SHA1: 5f056a2b81e856aac5af16cd1bfe0b0ed33fafdf
SHA256: bb2d18cc2e0f840e562a30b57360c6f0a701475ba1ae783759f58117f269e537
SHA512: 138aa91fe51abf40f3cfcfeaa948a955a6874494a43e828f45640af16aaf485eec99b8b034d589b602e2c9a98f7e1b0b46e01a692ef7a4747e218258c0bfc031
SSDEEP: 49152:AiSzCD+K95aLs7zeqLTVtXtHFIDP8EehiM8qZA:AiSzCD+K95aUeqFtXtHwEEehig
Malware Config
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
A VBOX__ entry under HARDWARE\ACPI\DSDT is present only when the guest runs under VirtualBox; both the original sample and the dropped copy open it.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | bb2d18cc2e0f840e562a30b57360c6f0a701475ba1ae783759f58117f269e537.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | oobeldr.exe

Executes dropped EXE 1 IoCs
oobeldr.exe runs from %AppData%\Microsoft\Protect, the path the scheduled task below points at.
pid | Process
1496 | oobeldr.exe

Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | bb2d18cc2e0f840e562a30b57360c6f0a701475ba1ae783759f58117f269e537.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | bb2d18cc2e0f840e562a30b57360c6f0a701475ba1ae783759f58117f269e537.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | oobeldr.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | oobeldr.exe

Checks whether UAC is enabled 2 IoCs
EnableLUA is the policy value that turns UAC on or off; reading it tells the sample whether an elevation attempt would prompt the user.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | bb2d18cc2e0f840e562a30b57360c6f0a701475ba1ae783759f58117f269e537.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | oobeldr.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
Setting ThreadHideFromDebugger on a thread stops debug events from that thread reaching an attached debugger, a common anti-debugging step; the original sample and the dropped copy each use it twice.
pid | Process
4748 | bb2d18cc2e0f840e562a30b57360c6f0a701475ba1ae783759f58117f269e537.exe
4748 | bb2d18cc2e0f840e562a30b57360c6f0a701475ba1ae783759f58117f269e537.exe
1496 | oobeldr.exe
1496 | oobeldr.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution. Here both processes create the same task, "Telemetry Logging", which re-launches oobeldr.exe every minute (see the Processes section for the full command line).
pid | Process
2824 | schtasks.exe
2192 | schtasks.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs
pid | Process
4748 | bb2d18cc2e0f840e562a30b57360c6f0a701475ba1ae783759f58117f269e537.exe
4748 | bb2d18cc2e0f840e562a30b57360c6f0a701475ba1ae783759f58117f269e537.exe
4748 | bb2d18cc2e0f840e562a30b57360c6f0a701475ba1ae783759f58117f269e537.exe
4748 | bb2d18cc2e0f840e562a30b57360c6f0a701475ba1ae783759f58117f269e537.exe
1496 | oobeldr.exe
1496 | oobeldr.exe
1496 | oobeldr.exe
1496 | oobeldr.exe

Suspicious use of WriteProcessMemory 6 IoCs
Each write target (PID 2824 or 2192) is the schtasks.exe child that the writing process had just spawned, so these are parent-to-child writes rather than writes into an unrelated process.
description | pid | Process | procid_target
PID 4748 wrote to memory of 2824 | 4748 | bb2d18cc2e0f840e562a30b57360c6f0a701475ba1ae783759f58117f269e537.exe | 67
PID 4748 wrote to memory of 2824 | 4748 | bb2d18cc2e0f840e562a30b57360c6f0a701475ba1ae783759f58117f269e537.exe | 67
PID 4748 wrote to memory of 2824 | 4748 | bb2d18cc2e0f840e562a30b57360c6f0a701475ba1ae783759f58117f269e537.exe | 67
PID 1496 wrote to memory of 2192 | 1496 | oobeldr.exe | 70
PID 1496 wrote to memory of 2192 | 1496 | oobeldr.exe | 70
PID 1496 wrote to memory of 2192 | 1496 | oobeldr.exe | 70
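The two evasion signatures above (the VBOX__ ACPI key and the SystemBiosVersion/VideoBiosVersion strings) and the schtasks persistence signature are the behaviours a detection engineer would want to turn into rules over endpoint telemetry. The block below is an added example, not Triage's own signature code: it applies equivalent rules to constructed pipe-separated event lines built from the PIDs, paths and registry keys in this report. The event format, the five-minute interval threshold and the "user-writable AppData path" heuristic are assumptions, not anything the report states.

```python
import ntpath
import re
from dataclasses import dataclass

# Registry paths both processes in the report queried, lower-cased for matching.
ANTI_VM_KEYS = {
    r"\registry\machine\hardware\acpi\dsdt\vbox__":
        "ACPI DSDT table named VBOX__ (VirtualBox detection)",
    r"\registry\machine\hardware\description\system\systembiosversion":
        "SystemBiosVersion (BIOS string check, sandbox/VM detection)",
    r"\registry\machine\hardware\description\system\videobiosversion":
        "VideoBiosVersion (BIOS string check, sandbox/VM detection)",
}
# Assumption: a task whose action lives under a user's AppData is suspect, because
# an unprivileged process can drop and replace the binary there.
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\", re.IGNORECASE)
MAX_INTERVAL_MINUTES = 5  # assumption: minute-level re-execution is a watchdog, not a real job

@dataclass
class Event:
    kind: str    # "reg_query" or "proc_create"
    pid: int
    image: str   # full path of the process performing the action
    detail: str  # registry key for reg_query, full command line for proc_create

def parse_event(line):
    """Parse one pipe-separated event line (constructed format, not Sysmon's own)."""
    kind, pid, image, detail = line.rstrip("\n").split("|", 3)
    return Event(kind, int(pid), image, detail)

def parse_schtasks(cmdline):
    """Map schtasks switches to their values; valueless switches map to True."""
    # Split on whitespace but keep quoted arguments (task name, action path) whole.
    toks = [q or bare for q, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]
    opts, i = {}, 0
    while i < len(toks):
        switch = toks[i].lower()
        if switch in ("/sc", "/mo", "/tn", "/tr") and i + 1 < len(toks):
            opts[switch] = toks[i + 1]
            i += 2
            continue
        if switch.startswith("/"):
            opts[switch] = True
        i += 1
    return opts

def check_registry(ev):
    """Flag reads of the hardware-fingerprint keys this sample used for VM/sandbox detection."""
    if ev.kind != "reg_query":
        return None
    desc = ANTI_VM_KEYS.get(ev.detail.lower())
    if desc is None:
        return None
    return f"pid {ev.pid} {ntpath.basename(ev.image)} queried {desc}"

def check_schtasks(ev):
    """Flag schtasks /create that re-runs a binary from a user-writable path every few minutes."""
    if ev.kind != "proc_create" or ntpath.basename(ev.image).lower() != "schtasks.exe":
        return None
    opts = parse_schtasks(ev.detail)
    if "/create" not in opts:
        return None
    mo = str(opts.get("/mo", "1"))
    every = int(mo) if mo.isdigit() else 0
    target = str(opts.get("/tr", ""))
    reasons = []
    if str(opts.get("/sc", "")).lower() == "minute" and 0 < every <= MAX_INTERVAL_MINUTES:
        reasons.append(f"re-runs every {every} minute(s)")
    if USER_WRITABLE.match(target):
        reasons.append("action lives under a user-writable AppData path")
    if not reasons:
        return None
    return f"pid {ev.pid} schtasks /create {opts.get('/tn')!r} -> {target}: " + "; ".join(reasons)

def run(lines):
    """Apply every rule to every event and return the findings in order."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        for rule in (check_registry, check_schtasks):
            hit = rule(ev)
            if hit:
                findings.append(hit)
    return findings

# Constructed events using the PIDs, paths and registry keys from this report,
# plus one benign scheduled task (made up) to show the rule does not fire on it.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\bb2d18cc2e0f840e562a30b57360c6f0a701475ba1ae783759f58117f269e537.exe"
DROPPED = r"C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
SAMPLE_EVENTS = [
    f"reg_query|4748|{SAMPLE}|" + r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__",
    f"reg_query|4748|{SAMPLE}|" + r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion",
    f"reg_query|4748|{SAMPLE}|" + r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
    r"proc_create|2824|C:\Windows\SysWOW64\schtasks.exe|C:\Windows\SysWOW64\schtasks.exe /C /create /F /sc minute /mo 1 "
    r'/tn "Telemetry Logging" /tr "' + DROPPED + '"',
    f"proc_create|1496|{DROPPED}|{DROPPED}",
    r'proc_create|3000|C:\Windows\System32\schtasks.exe|schtasks.exe /create /sc daily /tn "Nightly backup" '
    r'/tr "C:\Program Files\Backup\backup.exe"',
]

if __name__ == "__main__":
    for finding in run(SAMPLE_EVENTS):
        print(finding)
```

Run against the constructed events it reports three findings: the VBOX__ key read, the SystemBiosVersion read, and the minute-interval task pointing into AppData. The EnableLUA read and the daily task under Program Files produce nothing, which is the point of keeping the interval and path conditions rather than alerting on every schtasks /create.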
Processes
C:\Users\Admin\AppData\Local\Temp\bb2d18cc2e0f840e562a30b57360c6f0a701475ba1ae783759f58117f269e537.exe (PID 4748)
Command line: "C:\Users\Admin\AppData\Local\Temp\bb2d18cc2e0f840e562a30b57360c6f0a701475ba1ae783759f58117f269e537.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\schtasks.exe (PID 2824, child of 4748)
    Command line: /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
    - Creates scheduled task(s)

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe (PID 1496; no parent in the tree, this is the path the scheduled task launches)
Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\schtasks.exe (PID 2192, child of 1496)
    Command line: /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
    - Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v6
Downloads
Two files are available for download; their filenames are not shown on this page, and both carry the same size and hashes:

Filesize: 1.8MB
MD5: f813d9cdf5016e184ade31151f810776
SHA1: 5f056a2b81e856aac5af16cd1bfe0b0ed33fafdf
SHA256: bb2d18cc2e0f840e562a30b57360c6f0a701475ba1ae783759f58117f269e537
SHA512: 138aa91fe51abf40f3cfcfeaa948a955a6874494a43e828f45640af16aaf485eec99b8b034d589b602e2c9a98f7e1b0b46e01a692ef7a4747e218258c0bfc031

These match the target hashes above, consistent with the dropped oobeldr.exe being a byte-identical copy of the submitted sample.