Analysis
- max time kernel: 51s
- max time network: 146s
- platform: windows10-1703_x64
- resource: win10-20220812-en
- resource tags: arch:x64, arch:x86, image:win10-20220812-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 23-09-2022 06:37
- Static task: static1
General
- Target: bd421731e0cb22e95d9fdff58b461a19bd5904a0d571de063c323ba1cf0637b0.exe
- Size: 1.8MB
- MD5: d2832c38a1142629de0f4e5cd7b1f050
- SHA1: 2f20498ab81d5eddef2a75cbe1391e0054bdeeb2
- SHA256: bd421731e0cb22e95d9fdff58b461a19bd5904a0d571de063c323ba1cf0637b0
- SHA512: b31a6fdf040ff02714c81ed6ac2e80f50e345042d5dc8a01627de9162812faf18fa6fad42862d736c05f0e9185b9a3b6a539817aa385d30bbea6f60a6a2c3c63
- SSDEEP: 49152:AiSzCD+K95aLs7zeqLTVtXtHFIDP8EehiM8qZA:AiSzCD+K95aUeqFtXtHwEEehig
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 2 IoCs)
  Processes: bd421731e0cb22e95d9fdff58b461a19bd5904a0d571de063c323ba1cf0637b0.exe, oobeldr.exe
  description  ioc                                          process
  Key opened   \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  bd421731e0cb22e95d9fdff58b461a19bd5904a0d571de063c323ba1cf0637b0.exe
  Key opened   \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  oobeldr.exe

- Executes dropped EXE (1 IoCs)
  Processes: oobeldr.exe
  pid   process
  4248  oobeldr.exe

- Checks BIOS information in registry (2 TTPs, 4 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes: oobeldr.exe, bd421731e0cb22e95d9fdff58b461a19bd5904a0d571de063c323ba1cf0637b0.exe
  description        ioc                                                              process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  oobeldr.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   oobeldr.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  bd421731e0cb22e95d9fdff58b461a19bd5904a0d571de063c323ba1cf0637b0.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   bd421731e0cb22e95d9fdff58b461a19bd5904a0d571de063c323ba1cf0637b0.exe

- Checks whether UAC is enabled
  Processes: oobeldr.exe, bd421731e0cb22e95d9fdff58b461a19bd5904a0d571de063c323ba1cf0637b0.exe
  description        ioc                                                                            process
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  oobeldr.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  bd421731e0cb22e95d9fdff58b461a19bd5904a0d571de063c323ba1cf0637b0.exe

- Suspicious use of NtSetInformationThreadHideFromDebugger (4 IoCs)
  Processes: bd421731e0cb22e95d9fdff58b461a19bd5904a0d571de063c323ba1cf0637b0.exe, oobeldr.exe
  pid   process
  2736  bd421731e0cb22e95d9fdff58b461a19bd5904a0d571de063c323ba1cf0637b0.exe
  2736  bd421731e0cb22e95d9fdff58b461a19bd5904a0d571de063c323ba1cf0637b0.exe
  4248  oobeldr.exe
  4248  oobeldr.exe

- Creates scheduled task(s) (1 TTPs, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes: schtasks.exe, schtasks.exe
  pid   process
  4788  schtasks.exe
  4316  schtasks.exe

- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  Processes: bd421731e0cb22e95d9fdff58b461a19bd5904a0d571de063c323ba1cf0637b0.exe, oobeldr.exe
  pid   process
  2736  bd421731e0cb22e95d9fdff58b461a19bd5904a0d571de063c323ba1cf0637b0.exe
  2736  bd421731e0cb22e95d9fdff58b461a19bd5904a0d571de063c323ba1cf0637b0.exe
  2736  bd421731e0cb22e95d9fdff58b461a19bd5904a0d571de063c323ba1cf0637b0.exe
  2736  bd421731e0cb22e95d9fdff58b461a19bd5904a0d571de063c323ba1cf0637b0.exe
  4248  oobeldr.exe
  4248  oobeldr.exe
  4248  oobeldr.exe
  4248  oobeldr.exe

- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: bd421731e0cb22e95d9fdff58b461a19bd5904a0d571de063c323ba1cf0637b0.exe, oobeldr.exe
  description                       pid   process                                                                target process
  PID 2736 wrote to memory of 4788  2736  bd421731e0cb22e95d9fdff58b461a19bd5904a0d571de063c323ba1cf0637b0.exe  schtasks.exe
  PID 2736 wrote to memory of 4788  2736  bd421731e0cb22e95d9fdff58b461a19bd5904a0d571de063c323ba1cf0637b0.exe  schtasks.exe
  PID 2736 wrote to memory of 4788  2736  bd421731e0cb22e95d9fdff58b461a19bd5904a0d571de063c323ba1cf0637b0.exe  schtasks.exe
  PID 4248 wrote to memory of 4316  4248  oobeldr.exe                                                            schtasks.exe
  PID 4248 wrote to memory of 4316  4248  oobeldr.exe                                                            schtasks.exe
  PID 4248 wrote to memory of 4316  4248  oobeldr.exe                                                            schtasks.exe
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\bd421731e0cb22e95d9fdff58b461a19bd5904a0d571de063c323ba1cf0637b0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\bd421731e0cb22e95d9fdff58b461a19bd5904a0d571de063c323ba1cf0637b0.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  - [2] C:\Windows\SysWOW64\schtasks.exe
    Command line: /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
    - Creates scheduled task(s)

- [1] C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  - [2] C:\Windows\SysWOW64\schtasks.exe
    Command line: /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
    - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  Filesize: 1.8MB
  MD5: d2832c38a1142629de0f4e5cd7b1f050
  SHA1: 2f20498ab81d5eddef2a75cbe1391e0054bdeeb2
  SHA256: bd421731e0cb22e95d9fdff58b461a19bd5904a0d571de063c323ba1cf0637b0
  SHA512: b31a6fdf040ff02714c81ed6ac2e80f50e345042d5dc8a01627de9162812faf18fa6fad42862d736c05f0e9185b9a3b6a539817aa385d30bbea6f60a6a2c3c63