Analysis
max time kernel: 91s
max time network: 139s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-09-2022 06:09
Static task: static1
General
Target: e028458918f6865dd696b457557343f32b8987f439daaf2dd9930a4eb9c05317.exe
Size: 1.8MB
MD5: 9b762b0ea252b82ee11df2921771fd91
SHA1: bbf190ba9bf0a1293b01eb3954c1d12e1f4b8d80
SHA256: e028458918f6865dd696b457557343f32b8987f439daaf2dd9930a4eb9c05317
SHA512: e751708db840fd2af0485259c54ef60663ee33a915bdb325368143a81a322ac9485535803a29d6ff24bc04a1f5eb1b2286b1a65984f94f029d44b2bbff3bca2f
SSDEEP: 49152:AiSzCD+K95aLs7zeqLTVtXtHFIDP8EehiM8qZA:AiSzCD+K95aUeqFtXtHwEEehig
Malware Config
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM)  [2 TTPs, 2 IoCs]
Processes: e028458918f6865dd696b457557343f32b8987f439daaf2dd9930a4eb9c05317.exe, oobeldr.exe
  description   ioc                                           process
  Key opened    \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__    e028458918f6865dd696b457557343f32b8987f439daaf2dd9930a4eb9c05317.exe
  Key opened    \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__    oobeldr.exe
Executes dropped EXE  [1 IoC]
Processes: oobeldr.exe
  pid    process
  2004   oobeldr.exe
Checks BIOS information in registry  [2 TTPs, 4 IoCs]
BIOS information is often read in order to detect sandboxing environments.
Processes: e028458918f6865dd696b457557343f32b8987f439daaf2dd9930a4eb9c05317.exe, oobeldr.exe
  description         ioc                                                              process
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion   e028458918f6865dd696b457557343f32b8987f439daaf2dd9930a4eb9c05317.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion    e028458918f6865dd696b457557343f32b8987f439daaf2dd9930a4eb9c05317.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion   oobeldr.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion    oobeldr.exe
Checks whether UAC is enabled
Processes: e028458918f6865dd696b457557343f32b8987f439daaf2dd9930a4eb9c05317.exe, oobeldr.exe
  description         ioc                                                                         process
  Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   e028458918f6865dd696b457557343f32b8987f439daaf2dd9930a4eb9c05317.exe
  Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   oobeldr.exe
Suspicious use of NtSetInformationThreadHideFromDebugger  [4 IoCs]
Processes: e028458918f6865dd696b457557343f32b8987f439daaf2dd9930a4eb9c05317.exe, oobeldr.exe
  pid    process
  3036   e028458918f6865dd696b457557343f32b8987f439daaf2dd9930a4eb9c05317.exe  (x2)
  2004   oobeldr.exe  (x2)
Creates scheduled task(s)  [1 TTP, 2 IoCs]
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe, schtasks.exe
  pid    process
  4968   schtasks.exe
  4228   schtasks.exe
Suspicious behavior: EnumeratesProcesses  [8 IoCs]
Processes: e028458918f6865dd696b457557343f32b8987f439daaf2dd9930a4eb9c05317.exe, oobeldr.exe
  pid    process
  3036   e028458918f6865dd696b457557343f32b8987f439daaf2dd9930a4eb9c05317.exe  (x4)
  2004   oobeldr.exe  (x4)
Suspicious use of WriteProcessMemory  [6 IoCs]
Processes: e028458918f6865dd696b457557343f32b8987f439daaf2dd9930a4eb9c05317.exe, oobeldr.exe
  description       pid    process                                                                 target process
  wrote to memory   3036   e028458918f6865dd696b457557343f32b8987f439daaf2dd9930a4eb9c05317.exe   schtasks.exe (PID 4968)  (x3)
  wrote to memory   2004   oobeldr.exe                                                             schtasks.exe (PID 4228)  (x3)
All six writes target the schtasks.exe child that the writing process itself spawned.
Processes
C:\Users\Admin\AppData\Local\Temp\e028458918f6865dd696b457557343f32b8987f439daaf2dd9930a4eb9c05317.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\e028458918f6865dd696b457557343f32b8987f439daaf2dd9930a4eb9c05317.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\schtasks.exe
    command line: /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
    - Creates scheduled task(s)
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  command line: C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  (appears as a separate root process rather than as a child of the sample, consistent with the one-minute "Telemetry Logging" task launching it)
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\schtasks.exe
    command line: /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
    - Creates scheduled task(s)
The dropped copy re-registers the same task with the same name and /F (force overwrite), so the task is refreshed on every run.
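Added example, not part of the sandbox report and not code from the sample: Python triage rules covering the two behaviours the report shows, the anti-VM registry probes (VBOX__ ACPI table, SystemBiosVersion/VideoBiosVersion) and the per-minute schtasks persistence into a user-writable AppData path, plus a correlation that ties both to the same parent PID. The events are constructed from the values on this page (the schtasks command line and the registry paths) with two benign negatives added; the dict layout, field names and the 5-minute threshold are assumptions, not a real log format.

```python
"""Added example: triage rules for the anti-VM probes and schtasks persistence
shown in this report. Not from the sandbox or the sample; events are constructed."""
import re
import shlex
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Registry paths the report flags (lower-cased for comparison).
ANTI_VM_KEYS = {
    r"\registry\machine\hardware\acpi\dsdt\vbox__",
    r"\registry\machine\hardware\description\system\systembiosversion",
    r"\registry\machine\hardware\description\system\videobiosversion",
}
# Task actions under a user's AppData are user-writable persistence.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\(Roaming|Local)\\", re.I)
MAX_SUSPICIOUS_MINUTES = 5  # assumption: legitimate tasks rarely fire this often

SAMPLE_EVENTS: List[Dict] = [  # constructed; Sysmon-like shape is an assumption
    {"type": "process_create", "pid": 4968, "ppid": 3036,
     "cmdline": r'C:\Windows\SysWOW64\schtasks.exe /C /create /F /sc minute /mo 1 '
                r'/tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"'},
    {"type": "registry_read", "pid": 3036, "target": r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__"},
    {"type": "registry_read", "pid": 3036,
     "target": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"},
    # Negatives: a daily task under Program Files, and an unrelated registry read.
    {"type": "process_create", "pid": 5100, "ppid": 900,
     "cmdline": r'C:\Windows\System32\schtasks.exe /create /sc daily /tn "Backup" /tr "C:\Program Files\Backup\run.exe"'},
    {"type": "registry_read", "pid": 5100,
     "target": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"},
]


@dataclass
class Finding:
    rule: str
    pid: int
    detail: str


def parse_schtasks(cmdline: str) -> Dict[str, object]:
    """Map schtasks switches to values ('/sc minute' -> {'sc': 'minute'}); bare switches map to True."""
    toks = shlex.split(cmdline, posix=False)  # non-POSIX: backslashes literal, quoted args stay whole
    opts: Dict[str, object] = {}
    i = 1  # skip the image path
    while i < len(toks):
        tok = toks[i]
        if tok.startswith("/"):
            key = tok[1:].lower()
            if i + 1 < len(toks) and not toks[i + 1].startswith("/"):
                opts[key] = toks[i + 1].strip('"')
                i += 2
                continue
            opts[key] = True
        i += 1
    return opts


def check_schtasks(event: Dict) -> Optional[Finding]:
    """Flag /create with a minute trigger whose action lives under a user profile."""
    cmd = event["cmdline"].lower()
    if "schtasks" not in cmd or "/create" not in cmd:
        return None
    opts = parse_schtasks(event["cmdline"])
    if str(opts.get("sc", "")).lower() != "minute":
        return None
    try:
        interval = int(opts.get("mo", 1))  # assumption: treat a missing /mo as 1
    except (TypeError, ValueError):
        return None
    target = str(opts.get("tr", ""))
    if interval <= MAX_SUSPICIOUS_MINUTES and USER_WRITABLE.search(target):
        return Finding("schtasks_minute_userprofile", event["pid"],
                       f'task "{opts.get("tn")}" runs {target} every {interval} min')
    return None


def check_registry(event: Dict) -> Optional[Finding]:
    """Flag reads of the VirtualBox ACPI table and BIOS version strings."""
    if event["target"].lower() in ANTI_VM_KEYS:
        return Finding("anti_vm_registry_probe", event["pid"], event["target"])
    return None


def scan(events: List[Dict]) -> List[Finding]:
    checks = {"process_create": check_schtasks, "registry_read": check_registry}
    findings = []
    for ev in events:
        check = checks.get(ev["type"])
        finding = check(ev) if check else None
        if finding:
            findings.append(finding)
    return findings


def correlate(events: List[Dict]) -> Set[int]:
    """PIDs that both probed VM/BIOS keys and spawned a flagged schtasks child (the chain in this report)."""
    probers = {ev["pid"] for ev in events if ev["type"] == "registry_read" and check_registry(ev)}
    return {ev["ppid"] for ev in events
            if ev["type"] == "process_create" and ev["ppid"] in probers and check_schtasks(ev)}


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.rule}] pid {f.pid}: {f.detail}")
    print("anti-VM probe + persistence from the same process:", sorted(correlate(SAMPLE_EVENTS)))
```

The schtasks parser is written for the switch/value form seen here rather than a general command-line grammar; it keeps quoted /tn and /tr arguments intact because the persistence target is what the rule keys on. The correlation is the higher-confidence signal: a single process that fingerprints the hypervisor and then registers a per-minute task pointing at AppData is the exact chain PID 3036 shows above.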
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe  (listed twice in the report)
  Filesize: 1.8MB
  MD5: 9b762b0ea252b82ee11df2921771fd91
  SHA1: bbf190ba9bf0a1293b01eb3954c1d12e1f4b8d80
  SHA256: e028458918f6865dd696b457557343f32b8987f439daaf2dd9930a4eb9c05317
  SHA512: e751708db840fd2af0485259c54ef60663ee33a915bdb325368143a81a322ac9485535803a29d6ff24bc04a1f5eb1b2286b1a65984f94f029d44b2bbff3bca2f
  All four hashes match the submitted sample: the dropped oobeldr.exe is a byte-identical copy of the original executable, so the same file hashes serve as IoCs for both the initial file and the persisted copy.
Memory dumps
  dump              address range                            size
  memory/3036-132   0x0000000000510000-0x000000000082F000    3.1MB
  memory/3036-133   0x0000000000510000-0x000000000082F000    3.1MB
  memory/3036-134   0x0000000002C80000-0x0000000002CC4000    272KB
  memory/3036-135   0x0000000000510000-0x000000000082F000    3.1MB
  memory/3036-136   0x0000000000510000-0x000000000082F000    3.1MB
  memory/3036-137   0x0000000000511000-0x0000000000513000    8KB
  memory/3036-138   0x0000000000511000-0x0000000000513000    8KB
  memory/3036-139   0x0000000000510000-0x000000000082F000    3.1MB
  memory/3036-140   0x00000000772E0000-0x0000000077483000    1.6MB
  memory/3036-142   0x0000000000510000-0x000000000082F000    3.1MB
  memory/3036-143   0x0000000002C80000-0x0000000002CC4000    272KB
  memory/3036-144   0x00000000772E0000-0x0000000077483000    1.6MB
  memory/2004-147   0x0000000000830000-0x0000000000B4F000    3.1MB
  memory/2004-148   0x0000000000830000-0x0000000000B4F000    3.1MB
  memory/2004-149   0x00000000027A0000-0x00000000027E4000    272KB
  memory/2004-150   0x0000000000830000-0x0000000000B4F000    3.1MB
  memory/2004-152   0x0000000000830000-0x0000000000B4F000    3.1MB
  memory/2004-153   0x0000000000831000-0x0000000000833000    8KB
  memory/2004-155   0x00000000772E0000-0x0000000077483000    1.6MB
  memory/2004-156   0x0000000000830000-0x0000000000B4F000    3.1MB
  memory/2004-157   0x00000000027A0000-0x00000000027E4000    272KB
  memory/2004-158   0x0000000000830000-0x0000000000B4F000    3.1MB
  memory/4968-141   0x0000000000000000-mapping.dmp
  memory/4228-154   0x0000000000000000-mapping.dmp
The region layout is the same in both processes, only rebased: a 0x31F000-byte main region (0x510000 in PID 3036, 0x830000 in PID 2004), an 8KB region at main base + 0x1000, a 0x44000-byte region, and a 1.6MB region at 0x772E0000 shared by both. This is what you would expect given that oobeldr.exe is a byte-identical copy of the sample. The two mapping.dmp entries belong to the schtasks.exe processes (PIDs 4968 and 4228).