58284ef4212ed5cd4d7d15f9773432342e95fa9f5e7e7dddb45c3d4cd5e18bb7

General

Target

58284ef4212ed5cd4d7d15f9773432342e95fa9f5e7e7dddb45c3d4cd5e18bb7.exe
Size

1.8MB
MD5

77438fd907d264838d6b440897c9f603
SHA1

35be322aa574bce7f33cf3e2de0b73d11dfd25d9
SHA256

58284ef4212ed5cd4d7d15f9773432342e95fa9f5e7e7dddb45c3d4cd5e18bb7
SHA512

3a9bbbd61cc25bfc46020215ded7284f9bba4986c6ca197aba5423854450b172f8843a1412633963e0ff3e931699491956d58e1cc0070480740189005db41aa3
SSDEEP

49152:AiSzCD+K95aLs7zeqLTVtXtHFIDP8EehiM8qZA:AiSzCD+K95aUeqFtXtHwEEehig

Score

9^/10

evasion trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	58284ef4212ed5cd4d7d15f9773432342e95fa9f5e7e7dddb45c3d4cd5e18bb7.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	oobeldr.exe

Executes dropped EXE 1 IoCs

pid	Process
4712	oobeldr.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	58284ef4212ed5cd4d7d15f9773432342e95fa9f5e7e7dddb45c3d4cd5e18bb7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	oobeldr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	oobeldr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	58284ef4212ed5cd4d7d15f9773432342e95fa9f5e7e7dddb45c3d4cd5e18bb7.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	58284ef4212ed5cd4d7d15f9773432342e95fa9f5e7e7dddb45c3d4cd5e18bb7.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	oobeldr.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
1096	58284ef4212ed5cd4d7d15f9773432342e95fa9f5e7e7dddb45c3d4cd5e18bb7.exe
1096	58284ef4212ed5cd4d7d15f9773432342e95fa9f5e7e7dddb45c3d4cd5e18bb7.exe
4712	oobeldr.exe
4712	oobeldr.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4860	schtasks.exe
3916	schtasks.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1096	58284ef4212ed5cd4d7d15f9773432342e95fa9f5e7e7dddb45c3d4cd5e18bb7.exe
1096	58284ef4212ed5cd4d7d15f9773432342e95fa9f5e7e7dddb45c3d4cd5e18bb7.exe
1096	58284ef4212ed5cd4d7d15f9773432342e95fa9f5e7e7dddb45c3d4cd5e18bb7.exe
1096	58284ef4212ed5cd4d7d15f9773432342e95fa9f5e7e7dddb45c3d4cd5e18bb7.exe
4712	oobeldr.exe
4712	oobeldr.exe
4712	oobeldr.exe
4712	oobeldr.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1096 wrote to memory of 4860	1096	58284ef4212ed5cd4d7d15f9773432342e95fa9f5e7e7dddb45c3d4cd5e18bb7.exe	86
PID 1096 wrote to memory of 4860	1096	58284ef4212ed5cd4d7d15f9773432342e95fa9f5e7e7dddb45c3d4cd5e18bb7.exe	86
PID 1096 wrote to memory of 4860	1096	58284ef4212ed5cd4d7d15f9773432342e95fa9f5e7e7dddb45c3d4cd5e18bb7.exe	86
PID 4712 wrote to memory of 3916	4712	oobeldr.exe	95
PID 4712 wrote to memory of 3916	4712	oobeldr.exe	95
PID 4712 wrote to memory of 3916	4712	oobeldr.exe	95

C:\Users\Admin\AppData\Local\Temp\58284ef4212ed5cd4d7d15f9773432342e95fa9f5e7e7dddb45c3d4cd5e18bb7.exe
"C:\Users\Admin\AppData\Local\Temp\58284ef4212ed5cd4d7d15f9773432342e95fa9f5e7e7dddb45c3d4cd5e18bb7.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1096
- C:\Windows\SysWOW64\schtasks.exe
  /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
  2⤵
  - Creates scheduled task(s)
  PID:4860

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4712
- C:\Windows\SysWOW64\schtasks.exe
  /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
  2⤵
  - Creates scheduled task(s)
  PID:3916

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
1.8MB

MD5
77438fd907d264838d6b440897c9f603

SHA1
35be322aa574bce7f33cf3e2de0b73d11dfd25d9

SHA256
58284ef4212ed5cd4d7d15f9773432342e95fa9f5e7e7dddb45c3d4cd5e18bb7

SHA512
3a9bbbd61cc25bfc46020215ded7284f9bba4986c6ca197aba5423854450b172f8843a1412633963e0ff3e931699491956d58e1cc0070480740189005db41aa3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
1.8MB

MD5
77438fd907d264838d6b440897c9f603

SHA1
35be322aa574bce7f33cf3e2de0b73d11dfd25d9

SHA256
58284ef4212ed5cd4d7d15f9773432342e95fa9f5e7e7dddb45c3d4cd5e18bb7

SHA512
3a9bbbd61cc25bfc46020215ded7284f9bba4986c6ca197aba5423854450b172f8843a1412633963e0ff3e931699491956d58e1cc0070480740189005db41aa3

Download Submit
memory/1096-138-0x00000000008A0000-0x0000000000BBF000-memory.dmp

Filesize
3.1MB

Download
memory/1096-133-0x00000000008A0000-0x0000000000BBF000-memory.dmp

Filesize
3.1MB

Download
memory/1096-136-0x00000000008A0000-0x0000000000BBF000-memory.dmp

Filesize
3.1MB

Download
memory/1096-137-0x00000000008A0000-0x0000000000BBF000-memory.dmp

Filesize
3.1MB

Download
memory/1096-132-0x00000000008A0000-0x0000000000BBF000-memory.dmp

Filesize
3.1MB

Download
memory/1096-139-0x00000000776F0000-0x0000000077893000-memory.dmp

Filesize
1.6MB

Download
memory/1096-140-0x00000000008A1000-0x00000000008A3000-memory.dmp

Filesize
8KB

Download
memory/1096-143-0x00000000776F0000-0x0000000077893000-memory.dmp

Filesize
1.6MB

Download
memory/1096-142-0x00000000008A0000-0x0000000000BBF000-memory.dmp

Filesize
3.1MB

Download
memory/1096-134-0x00000000008A1000-0x00000000008A3000-memory.dmp

Filesize
8KB

Download
memory/1096-135-0x0000000001030000-0x0000000001074000-memory.dmp

Filesize
272KB

Download
memory/4712-146-0x0000000000070000-0x000000000038F000-memory.dmp

Filesize
3.1MB

Download
memory/4712-147-0x00000000008B0000-0x00000000008F4000-memory.dmp

Filesize
272KB

Download
memory/4712-148-0x0000000000070000-0x000000000038F000-memory.dmp

Filesize
3.1MB

Download
memory/4712-150-0x0000000000071000-0x0000000000073000-memory.dmp

Filesize
8KB

Download
memory/4712-152-0x0000000000070000-0x000000000038F000-memory.dmp

Filesize
3.1MB

Download
memory/4712-153-0x00000000776F0000-0x0000000077893000-memory.dmp

Filesize
1.6MB

Download
memory/4712-154-0x0000000000070000-0x000000000038F000-memory.dmp

Filesize
3.1MB

Download
memory/4712-155-0x00000000008B0000-0x00000000008F4000-memory.dmp

Filesize
272KB

Download
memory/4712-156-0x0000000000070000-0x000000000038F000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads