Analysis
max time kernel: 63s
max time network: 58s
platform: windows10-1703_x64
resource: win10-20220901-en
resource tags: arch:x64, arch:x86, image:win10-20220901-en, locale:en-us, os:windows10-1703-x64, system
submitted: 18/09/2022, 03:57
Static task: static1
General
Target: 8e1db3c9c699d27974146256bf1621084a69568acec2246fdb37d68789c4b988.exe
Size: 1.8MB
MD5: 28e76a525b336bc00477f45ca0bfb937
SHA1: 3d712c4706c25f0cc5744804fa0afb85959246be
SHA256: 8e1db3c9c699d27974146256bf1621084a69568acec2246fdb37d68789c4b988
SHA512: 831fda618b747fe2c9b915b9ef59615d5828d5c64cf92f2180c8a34bd917b6c00be58a47154a809f8408ed2320d1127c7cb57bc81ff25eddfcd5bd92d840d73f
SSDEEP: 49152:AiSzCD+K95aLs7zeqLTVtXtHFIDP8EehiM8qZA:AiSzCD+K95aUeqFtXtHwEEehig
Malware Config
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM)  (2 TTPs, 2 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 8e1db3c9c699d27974146256bf1621084a69568acec2246fdb37d68789c4b988.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | oobeldr.exe

Executes dropped EXE  (1 IoC)
pid | Process
4660 | oobeldr.exe

Checks BIOS information in registry  (2 TTPs, 4 IoCs)
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | oobeldr.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 8e1db3c9c699d27974146256bf1621084a69568acec2246fdb37d68789c4b988.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 8e1db3c9c699d27974146256bf1621084a69568acec2246fdb37d68789c4b988.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | oobeldr.exe
Checks whether UAC is enabled
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 8e1db3c9c699d27974146256bf1621084a69568acec2246fdb37d68789c4b988.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | oobeldr.exe
Suspicious use of NtSetInformationThreadHideFromDebugger  (4 IoCs)
pid | Process
3068 | 8e1db3c9c699d27974146256bf1621084a69568acec2246fdb37d68789c4b988.exe
3068 | 8e1db3c9c699d27974146256bf1621084a69568acec2246fdb37d68789c4b988.exe
4660 | oobeldr.exe
4660 | oobeldr.exe

Creates scheduled task(s)  (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
4564 | schtasks.exe
1732 | schtasks.exe

Suspicious behavior: EnumeratesProcesses  (8 IoCs)
pid | Process
3068 | 8e1db3c9c699d27974146256bf1621084a69568acec2246fdb37d68789c4b988.exe
3068 | 8e1db3c9c699d27974146256bf1621084a69568acec2246fdb37d68789c4b988.exe
3068 | 8e1db3c9c699d27974146256bf1621084a69568acec2246fdb37d68789c4b988.exe
3068 | 8e1db3c9c699d27974146256bf1621084a69568acec2246fdb37d68789c4b988.exe
4660 | oobeldr.exe
4660 | oobeldr.exe
4660 | oobeldr.exe
4660 | oobeldr.exe

Suspicious use of WriteProcessMemory  (6 IoCs)
description | pid | Process | procid_target
PID 3068 wrote to memory of 4564 | 3068 | 8e1db3c9c699d27974146256bf1621084a69568acec2246fdb37d68789c4b988.exe | 66
PID 3068 wrote to memory of 4564 | 3068 | 8e1db3c9c699d27974146256bf1621084a69568acec2246fdb37d68789c4b988.exe | 66
PID 3068 wrote to memory of 4564 | 3068 | 8e1db3c9c699d27974146256bf1621084a69568acec2246fdb37d68789c4b988.exe | 66
PID 4660 wrote to memory of 1732 | 4660 | oobeldr.exe | 69
PID 4660 wrote to memory of 1732 | 4660 | oobeldr.exe | 69
PID 4660 wrote to memory of 1732 | 4660 | oobeldr.exe | 69
Processes
C:\Users\Admin\AppData\Local\Temp\8e1db3c9c699d27974146256bf1621084a69568acec2246fdb37d68789c4b988.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\8e1db3c9c699d27974146256bf1621084a69568acec2246fdb37d68789c4b988.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 3068

    C:\Windows\SysWOW64\schtasks.exe
      command line: /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
      - Creates scheduled task(s)
      PID: 4564

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  command line: C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 4660

    C:\Windows\SysWOW64\schtasks.exe
      command line: /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
      - Creates scheduled task(s)
      PID: 1732
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 1.8MB
MD5: 28e76a525b336bc00477f45ca0bfb937
SHA1: 3d712c4706c25f0cc5744804fa0afb85959246be
SHA256: 8e1db3c9c699d27974146256bf1621084a69568acec2246fdb37d68789c4b988
SHA512: 831fda618b747fe2c9b915b9ef59615d5828d5c64cf92f2180c8a34bd917b6c00be58a47154a809f8408ed2320d1127c7cb57bc81ff25eddfcd5bd92d840d73f