Analysis
- max time kernel: 55s
- max time network: 104s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23-09-2022 06:15
- Static task: static1
General
- Target: e95eeb59c137e73ae308b3e00792e3e2565819dcfce0747156a5ba71fdf126cf.exe
- Size: 1.8MB
- MD5: f073355c0b651cab68bf79cb2920916b
- SHA1: 5a2b4be347837b8190461a660dd6b5f065738e1b
- SHA256: e95eeb59c137e73ae308b3e00792e3e2565819dcfce0747156a5ba71fdf126cf
- SHA512: d2a7f97df3f6edc95a3fa3e373cc87479832a773fb9206655f76604f87b476433f34e7b31503d636e83b26afa06628eab8639fb8da372b1f2dc8c78334d309db
- SSDEEP: 49152:AiSzCD+K95aLs7zeqLTVtXtHFIDP8EehiM8qZA:AiSzCD+K95aUeqFtXtHwEEehig
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 2 IoCs)
  Processes:
  - Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ by e95eeb59c137e73ae308b3e00792e3e2565819dcfce0747156a5ba71fdf126cf.exe
  - Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ by oobeldr.exe
- Executes dropped EXE (1 IoC)
  Processes:
  - pid 4348 oobeldr.exe
- Checks BIOS information in registry (2 TTPs, 4 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes:
  - Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion by e95eeb59c137e73ae308b3e00792e3e2565819dcfce0747156a5ba71fdf126cf.exe
  - Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion by e95eeb59c137e73ae308b3e00792e3e2565819dcfce0747156a5ba71fdf126cf.exe
  - Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion by oobeldr.exe
  - Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion by oobeldr.exe
- Checks whether UAC is enabled (2 IoCs)
  Processes:
  - Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA by e95eeb59c137e73ae308b3e00792e3e2565819dcfce0747156a5ba71fdf126cf.exe
  - Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA by oobeldr.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (4 IoCs)
  Processes:
  - pid 960 e95eeb59c137e73ae308b3e00792e3e2565819dcfce0747156a5ba71fdf126cf.exe (2 events)
  - pid 4348 oobeldr.exe (2 events)
- Creates scheduled task(s) (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  Processes:
  - pid 960 e95eeb59c137e73ae308b3e00792e3e2565819dcfce0747156a5ba71fdf126cf.exe (4 events)
  - pid 4348 oobeldr.exe (4 events)
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
  - PID 960 (e95eeb59c137e73ae308b3e00792e3e2565819dcfce0747156a5ba71fdf126cf.exe) wrote to memory of PID 2412 (schtasks.exe) (3 events)
  - PID 4348 (oobeldr.exe) wrote to memory of PID 740 (schtasks.exe) (3 events)
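The three registry checks listed above (the VBOX__ ACPI table, the two BIOS version strings, EnableLUA) are individually weak signals; a single SystemBiosVersion read is ordinary, but one process doing all three is a recognisable anti-analysis fingerprint. The Python below is an added example, not part of this report or of the sandbox's own signature engine. It parses IoC lines in the same "operation, registry path, process" shape the report prints, maps each path to a check category, and flags any process that performs two or more distinct categories. The process names (sample.exe, msinfo32.exe, notepad.exe), the category labels, the two-category threshold and the ATT&CK IDs attached to each rule are assumptions of the example; the FADT and RSDT siblings of the DSDT key are included because VirtualBox stamps those ACPI tables with the same OEM ID.

```python
"""Correlate sandbox registry-access IoCs into per-process anti-analysis findings.

Added example, not the sandbox's own logic. Input lines look like the report's:
    Key opened \\REGISTRY\\MACHINE\\HARDWARE\\ACPI\\DSDT\\VBOX__ sample.exe
"""
import re
from collections import defaultdict

# (path pattern, category, ATT&CK technique). Category names and technique mapping are assumed.
RULES = [
    (re.compile(r"\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__", re.I),
     "vm_artifact:virtualbox_acpi", "T1497.001"),
    (re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\(SystemBiosVersion|VideoBiosVersion)$", re.I),
     "bios_fingerprint", "T1497.001"),
    (re.compile(r"\\Policies\\System\\EnableLUA$", re.I),
     "uac_status_check", "T1012"),
]

# "<operation> <\REGISTRY\... path> <process image>"; paths carry no spaces in this format.
IOC_LINE = re.compile(r"^(Key opened|Key value queried)\s+(\\REGISTRY\\\S+)\s+(\S+)$")


def parse_ioc_line(line):
    """Return (operation, path, process) or None when the line is not a registry IoC."""
    m = IOC_LINE.match(line.strip())
    return m.groups() if m else None


def classify_path(path):
    """Return (category, technique) for the first rule that matches the path, else None."""
    for pattern, category, technique in RULES:
        if pattern.search(path):
            return category, technique
    return None


def correlate(lines, min_categories=2):
    """Group classified registry reads per process.

    Returns {process: {"categories": [...], "techniques": [...], "flagged": bool}}.
    A process is flagged when it performs at least `min_categories` distinct kinds
    of environment check; processes with no classified reads are omitted.
    """
    per_proc = defaultdict(lambda: {"categories": set(), "techniques": set()})
    for line in lines:
        parsed = parse_ioc_line(line)
        if parsed is None:
            continue
        _operation, path, proc = parsed
        hit = classify_path(path)
        if hit is not None:
            per_proc[proc]["categories"].add(hit[0])
            per_proc[proc]["techniques"].add(hit[1])
    return {
        proc: {
            "categories": sorted(v["categories"]),
            "techniques": sorted(v["techniques"]),
            "flagged": len(v["categories"]) >= min_categories,
        }
        for proc, v in per_proc.items()
    }


# Constructed sample: the report's reads attributed to "sample.exe", plus two
# contrasting processes (one lone BIOS read, one unrelated key open).
SAMPLE_IOCS = [
    r"Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ sample.exe",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion sample.exe",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion sample.exe",
    r"Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA sample.exe",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion msinfo32.exe",
    r"Key opened \REGISTRY\MACHINE\SOFTWARE\Classes\.txt notepad.exe",
]

if __name__ == "__main__":
    for proc, info in correlate(SAMPLE_IOCS).items():
        print(f"{proc}: flagged={info['flagged']} {info['categories']} {info['techniques']}")
```

The threshold is the point of the exercise: alerting on every SystemBiosVersion read would page on msinfo32 and inventory agents, while requiring two independent categories keeps the lone read quiet and still catches both processes in this report.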
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\e95eeb59c137e73ae308b3e00792e3e2565819dcfce0747156a5ba71fdf126cf.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e95eeb59c137e73ae308b3e00792e3e2565819dcfce0747156a5ba71fdf126cf.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\schtasks.exe
    Command line: /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
    - Creates scheduled task(s)
- [1] C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe (separate root process; this is the path the scheduled task above launches)
  Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\schtasks.exe
    Command line: /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
    - Creates scheduled task(s)
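The schtasks command line in the tree above is a compact persistence pattern: /create with /F silently overwrites any existing task of that name, /sc minute /mo 1 re-launches the payload every minute (which is why oobeldr.exe re-creates the same task and shows up as a second root), the task name imitates a Windows telemetry component, and the action points into the user's roaming profile. The Python below is an added example, not the sandbox's own detection logic. It tokenises a schtasks command line (double quotes group arguments, as the Windows shell does), collects the switches, and scores them against those traits so the same check can run over process-creation telemetry. The two constructed command lines, the look-alike word list, the five-minute interval cutoff and the two-finding threshold are assumptions of the example.

```python
"""Score schtasks /create command lines for the persistence traits seen in this report.

Added example, not the sandbox's own logic. Feed it the argument string of a
schtasks.exe process-creation event (Sysmon event 1, EDR, or a sandbox report).
"""
import re

# User-writable profile locations a scheduled-task action should rarely point into.
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\", re.I)
# Words that make a task name look like a Windows component (assumed list).
LOOKALIKE_WORDS = ("telemetry", "logging", "update", "maintenance", "windows", "microsoft")
# A /sc minute interval at or below this many minutes counts as aggressive re-execution (assumed).
AGGRESSIVE_MINUTES = 5


def tokenize(cmdline):
    """Split on whitespace outside double quotes; quotes are dropped, backslashes are kept."""
    tokens, cur, in_quotes = [], [], False
    for ch in cmdline:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append("".join(cur))
    return tokens


def parse_schtasks(cmdline):
    """Return {switch: value} with switches lower-cased; a switch with no value maps to True."""
    tokens = tokenize(cmdline)
    switches, i = {}, 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("/"):
            nxt = tokens[i + 1] if i + 1 < len(tokens) else None
            if nxt is not None and not nxt.startswith("/"):
                switches[tok.lower()] = nxt
                i += 2
                continue
            switches[tok.lower()] = True
        i += 1
    return switches


def score_schtasks(cmdline, threshold=2):
    """Return a verdict: parsed switches, the traits found, their count, and a persistence flag."""
    sw = parse_schtasks(cmdline)
    findings = []
    if "/create" in sw:
        sc = str(sw.get("/sc", "")).lower()
        mo = str(sw.get("/mo", ""))
        if sc == "minute" and mo.isdigit() and int(mo) <= AGGRESSIVE_MINUTES:
            findings.append(f"re-runs every {mo} minute(s)")
        if "/f" in sw:
            findings.append("forces overwrite of an existing task with the same name")
        if USER_WRITABLE.search(str(sw.get("/tr", ""))):
            findings.append("action runs a binary from a user-writable profile directory")
        if any(word in str(sw.get("/tn", "")).lower() for word in LOOKALIKE_WORDS):
            findings.append("task name imitates a Windows component")
    score = len(findings)
    return {"switches": sw, "findings": findings, "score": score, "persistence": score >= threshold}


# Constructed inputs: the command line from this report's process tree, and a benign contrast.
SAMPLE_CMDLINE = (r'/C /create /F /sc minute /mo 1 /tn "Telemetry Logging" '
                  r'/tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"')
BENIGN_CMDLINE = (r'/create /sc daily /st 02:00 /tn "Nightly Backup" '
                  r'/tr "C:\Program Files\Backup\backup.exe"')

if __name__ == "__main__":
    for name, cmd in (("sample", SAMPLE_CMDLINE), ("benign", BENIGN_CMDLINE)):
        verdict = score_schtasks(cmd)
        print(f"{name}: persistence={verdict['persistence']} score={verdict['score']}")
        for finding in verdict["findings"]:
            print("  -", finding)
```

Scoring on several independent traits rather than on the task name alone matters here: the name is the one thing the author can change for free between builds, while a one-minute trigger pointing into AppData survives renaming.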
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  Filesize: 1.8MB
  MD5: f073355c0b651cab68bf79cb2920916b
  SHA1: 5a2b4be347837b8190461a660dd6b5f065738e1b
  SHA256: e95eeb59c137e73ae308b3e00792e3e2565819dcfce0747156a5ba71fdf126cf
  SHA512: d2a7f97df3f6edc95a3fa3e373cc87479832a773fb9206655f76604f87b476433f34e7b31503d636e83b26afa06628eab8639fb8da372b1f2dc8c78334d309db
  (All four hashes match the submitted sample: the dropped file is a byte-identical self-copy placed under the user's roaming profile, which the scheduled task then runs.)
- memory/740-147-0x0000000000000000-mapping.dmp
- memory/960-137-0x00000000009C1000-0x00000000009C3000-memory.dmp (8KB)
- memory/960-134-0x0000000002D20000-0x0000000002D64000-memory.dmp (272KB)
- memory/960-132-0x00000000009C0000-0x0000000000CDF000-memory.dmp (3.1MB)
- memory/960-139-0x00000000009C0000-0x0000000000CDF000-memory.dmp (3.1MB)
- memory/960-140-0x0000000002D20000-0x0000000002D64000-memory.dmp (272KB)
- memory/960-141-0x0000000077190000-0x0000000077333000-memory.dmp (1.6MB)
- memory/960-135-0x00000000009C0000-0x0000000000CDF000-memory.dmp (3.1MB)
- memory/960-133-0x00000000009C0000-0x0000000000CDF000-memory.dmp (3.1MB)
- memory/960-136-0x00000000009C1000-0x00000000009C3000-memory.dmp (8KB)
- memory/2412-138-0x0000000000000000-mapping.dmp
- memory/4348-144-0x0000000000490000-0x00000000007AF000-memory.dmp (3.1MB)
- memory/4348-146-0x0000000000491000-0x0000000000493000-memory.dmp (8KB)
- memory/4348-148-0x0000000000490000-0x00000000007AF000-memory.dmp (3.1MB)
- memory/4348-149-0x00000000012C0000-0x0000000001304000-memory.dmp (272KB)
- memory/4348-150-0x0000000000490000-0x00000000007AF000-memory.dmp (3.1MB)
- memory/4348-151-0x0000000077190000-0x0000000077333000-memory.dmp (1.6MB)
- memory/4348-152-0x0000000000490000-0x00000000007AF000-memory.dmp (3.1MB)
- memory/4348-153-0x00000000012C0000-0x0000000001304000-memory.dmp (272KB)