Analysis
-
max time kernel
84s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
21-09-2022 05:35
General
-
Target
b4f86b0876a6eba0224f22c3a9d577e8b0b7ae971ffa32be339649e1e3361388.exe
-
Size
1.8MB
-
MD5
4430bf617587d1219eaf44b93785d51a
-
SHA1
eee1c97209dd2ff00214a981769971929cd5cd4a
-
SHA256
b4f86b0876a6eba0224f22c3a9d577e8b0b7ae971ffa32be339649e1e3361388
-
SHA512
382446c68daeff176e74dacbd18836dbd4988fac7ef3ddc4a7d5f0ae3142738035c7a86d2139203a8d8e9550699a292a183577077192987e13c33fe04350b791
-
SSDEEP
49152:AiSzCD+K95aLs7zeqLTVtXtHFIDP8EehiM8qZA:AiSzCD+K95aUeqFtXtHwEEehig
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
-
Executes dropped EXE 1 IoCs
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\b4f86b0876a6eba0224f22c3a9d577e8b0b7ae971ffa32be339649e1e3361388.exe"C:\Users\Admin\AppData\Local\Temp\b4f86b0876a6eba0224f22c3a9d577e8b0b7ae971ffa32be339649e1e3361388.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe/C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"2⤵
- Creates scheduled task(s)
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exeC:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe/C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"2⤵
- Creates scheduled task(s)
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.8MB
MD54430bf617587d1219eaf44b93785d51a
SHA1eee1c97209dd2ff00214a981769971929cd5cd4a
SHA256b4f86b0876a6eba0224f22c3a9d577e8b0b7ae971ffa32be339649e1e3361388
SHA512382446c68daeff176e74dacbd18836dbd4988fac7ef3ddc4a7d5f0ae3142738035c7a86d2139203a8d8e9550699a292a183577077192987e13c33fe04350b791
-
Filesize
1.8MB
MD54430bf617587d1219eaf44b93785d51a
SHA1eee1c97209dd2ff00214a981769971929cd5cd4a
SHA256b4f86b0876a6eba0224f22c3a9d577e8b0b7ae971ffa32be339649e1e3361388
SHA512382446c68daeff176e74dacbd18836dbd4988fac7ef3ddc4a7d5f0ae3142738035c7a86d2139203a8d8e9550699a292a183577077192987e13c33fe04350b791
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
272KB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
272KB
-
Filesize
8KB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
1.6MB
-
-
-
Filesize
8KB
-
Filesize
272KB
-
Filesize
3.1MB
-
Filesize
8KB
-
Filesize
3.1MB
-
Filesize
1.6MB
-
Filesize
272KB
-
Filesize
3.1MB