Analysis
- max time kernel: 55s
- max time network: 74s
- platform: windows10-1703_x64
- resource: win10-20220812-en
- resource tags: arch:x64, arch:x86, image:win10-20220812-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 18/09/2022, 22:47
Static task: static1
General
- Target: ba19584a7fb91f89a4bf864b77477e108c2329816ea50eb635ee8138eadad415.exe
- Size: 1.8MB
- MD5: 8a04966531e93843ce8b35fd58964b21
- SHA1: a3a0b3151214d3df93eb9e6cf25620bf3d134943
- SHA256: ba19584a7fb91f89a4bf864b77477e108c2329816ea50eb635ee8138eadad415
- SHA512: acf0c645cb7ace3db4921216689945f0043774daf1c1ced25a6167dd9bcf762d4df28acdafcbcfbb4aa347b2cc0d3341d2df4d3bccb18682e1dae0df766a977b
- SSDEEP: 49152:AiSzCD+K95aLs7zeqLTVtXtHFIDP8EehiM8qZA:AiSzCD+K95aUeqFtXtHwEEehig
Malware Config
Signatures

- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 2 IoCs)
    description    ioc                                            Process
    Key opened     \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__    ba19584a7fb91f89a4bf864b77477e108c2329816ea50eb635ee8138eadad415.exe
    Key opened     \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__    oobeldr.exe

- Executes dropped EXE (1 IoCs)
    pid     Process
    4288    oobeldr.exe

- Checks BIOS information in registry (2 TTPs, 4 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
    description          ioc                                                              Process
    Key value queried    \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion     ba19584a7fb91f89a4bf864b77477e108c2329816ea50eb635ee8138eadad415.exe
    Key value queried    \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion    oobeldr.exe
    Key value queried    \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion     oobeldr.exe
    Key value queried    \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion    ba19584a7fb91f89a4bf864b77477e108c2329816ea50eb635ee8138eadad415.exe

- Checks whether UAC is enabled
    description          ioc                                                                                   Process
    Key value queried    \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA    ba19584a7fb91f89a4bf864b77477e108c2329816ea50eb635ee8138eadad415.exe
    Key value queried    \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA    oobeldr.exe

- Suspicious use of NtSetInformationThreadHideFromDebugger (4 IoCs)
    pid     Process
    4788    ba19584a7fb91f89a4bf864b77477e108c2329816ea50eb635ee8138eadad415.exe
    4788    ba19584a7fb91f89a4bf864b77477e108c2329816ea50eb635ee8138eadad415.exe
    4288    oobeldr.exe
    4288    oobeldr.exe

- Creates scheduled task(s) (1 TTPs, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
    pid     Process
    4920    schtasks.exe
    4972    schtasks.exe

- Suspicious behavior: EnumeratesProcesses (8 IoCs)
    pid     Process
    4788    ba19584a7fb91f89a4bf864b77477e108c2329816ea50eb635ee8138eadad415.exe
    4788    ba19584a7fb91f89a4bf864b77477e108c2329816ea50eb635ee8138eadad415.exe
    4788    ba19584a7fb91f89a4bf864b77477e108c2329816ea50eb635ee8138eadad415.exe
    4788    ba19584a7fb91f89a4bf864b77477e108c2329816ea50eb635ee8138eadad415.exe
    4288    oobeldr.exe
    4288    oobeldr.exe
    4288    oobeldr.exe
    4288    oobeldr.exe

- Suspicious use of WriteProcessMemory (6 IoCs)
    description                          pid     Process                                                                 procid_target
    PID 4788 wrote to memory of 4920     4788    ba19584a7fb91f89a4bf864b77477e108c2329816ea50eb635ee8138eadad415.exe    66
    PID 4788 wrote to memory of 4920     4788    ba19584a7fb91f89a4bf864b77477e108c2329816ea50eb635ee8138eadad415.exe    66
    PID 4788 wrote to memory of 4920     4788    ba19584a7fb91f89a4bf864b77477e108c2329816ea50eb635ee8138eadad415.exe    66
    PID 4288 wrote to memory of 4972     4288    oobeldr.exe                                                             69
    PID 4288 wrote to memory of 4972     4288    oobeldr.exe                                                             69
    PID 4288 wrote to memory of 4972     4288    oobeldr.exe                                                             69
Processes

- C:\Users\Admin\AppData\Local\Temp\ba19584a7fb91f89a4bf864b77477e108c2329816ea50eb635ee8138eadad415.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ba19584a7fb91f89a4bf864b77477e108c2329816ea50eb635ee8138eadad415.exe"
  PID: 4788
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - Child: C:\Windows\SysWOW64\schtasks.exe
    Command line: /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
    PID: 4920
    - Creates scheduled task(s)

- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  PID: 4288
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - Child: C:\Windows\SysWOW64\schtasks.exe
    Command line: /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
    PID: 4972
    - Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 1.8MB
  MD5: 8a04966531e93843ce8b35fd58964b21
  SHA1: a3a0b3151214d3df93eb9e6cf25620bf3d134943
  SHA256: ba19584a7fb91f89a4bf864b77477e108c2329816ea50eb635ee8138eadad415
  SHA512: acf0c645cb7ace3db4921216689945f0043774daf1c1ced25a6167dd9bcf762d4df28acdafcbcfbb4aa347b2cc0d3341d2df4d3bccb18682e1dae0df766a977b