Analysis
max time kernel: 64s
max time network: 144s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-09-2022 03:34
Static task: static1
General
Target: cee0f3ad8ecce443c8bbc22dfb616800899712e4f5fb2eaccb4b4e75e557ddcc.exe
Size: 1.8MB
MD5: 2f8c47a4c14ef78c2218b6a24bce0435
SHA1: 9b5222917ba909887e4207dcf89818f8ca6aed97
SHA256: cee0f3ad8ecce443c8bbc22dfb616800899712e4f5fb2eaccb4b4e75e557ddcc
SHA512: 3f5cbae9cf641d3bf7ce39e8fa1d6af51057188887513f10c7507909778f27725a5a2c49e92ef541dbcf6242b2ed26c19226aabd6305be121b4cb1ef70c54088
SSDEEP: 49152:AiSzCD+K95aLs7zeqLTVtXtHFIDP8EehiM8qZA:AiSzCD+K95aUeqFtXtHwEEehig
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | cee0f3ad8ecce443c8bbc22dfb616800899712e4f5fb2eaccb4b4e75e557ddcc.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | oobeldr.exe
-
Executes dropped EXE 1 IoCs
Processes:
pid | process
4936 | oobeldr.exe
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | oobeldr.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | cee0f3ad8ecce443c8bbc22dfb616800899712e4f5fb2eaccb4b4e75e557ddcc.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | cee0f3ad8ecce443c8bbc22dfb616800899712e4f5fb2eaccb4b4e75e557ddcc.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | oobeldr.exe
-
Checks whether UAC is enabled 2 IoCs
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | cee0f3ad8ecce443c8bbc22dfb616800899712e4f5fb2eaccb4b4e75e557ddcc.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | oobeldr.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
NtSetInformationThread with the ThreadHideFromDebugger information class detaches the calling thread from an attached debugger, which then receives no debug events for that thread; it is a common anti-debugging technique.
Processes:
pid | process
4696 | cee0f3ad8ecce443c8bbc22dfb616800899712e4f5fb2eaccb4b4e75e557ddcc.exe
4696 | cee0f3ad8ecce443c8bbc22dfb616800899712e4f5fb2eaccb4b4e75e557ddcc.exe
4936 | oobeldr.exe
4936 | oobeldr.exe
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid | process
3564 | schtasks.exe
2408 | schtasks.exe
-
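The two signature notes above (BIOS values read to detect sandboxes; schtasks used for persistence) say what the sandbox matched but not how. The following is an added example, not part of this report and not the sandbox's own code: a small Python matcher that reproduces the report's registry and scheduled-task signatures over a constructed event list built from the IoCs listed on this page, and parses the schtasks command line to state why it counts as persistence. The event tuple shape, the rule regexes, the "byte-identical dropped file" rule and the AppData/one-minute heuristics are this example's assumptions; the paths, keys, PIDs and hash come from the report.

```python
"""Mini behavioural-signature matcher over sandbox-style events (added example)."""
import re
from collections import defaultdict

SAMPLE_SHA256 = "cee0f3ad8ecce443c8bbc22dfb616800899712e4f5fb2eaccb4b4e75e557ddcc"
ORIGINAL = SAMPLE_SHA256 + ".exe"
DROPPED = r"C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
SCHTASKS = (r"C:\Windows\SysWOW64\schtasks.exe /C /create /F /sc minute /mo 1 "
            r'/tn "Telemetry Logging" /tr "' + DROPPED + '"')

# Constructed events modelled on the report: (pid, process image, kind, detail).
# file_written carries (path, sha256); every other kind carries a string.
EVENTS = [
    (4696, ORIGINAL, "key_opened", r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__"),
    (4696, ORIGINAL, "key_value_queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"),
    (4696, ORIGINAL, "key_value_queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion"),
    (4696, ORIGINAL, "key_value_queried", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"),
    (4696, ORIGINAL, "file_written", (DROPPED, SAMPLE_SHA256)),
    (4696, ORIGINAL, "process_created", SCHTASKS),
    (4936, "oobeldr.exe", "key_opened", r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__"),
    (4936, "oobeldr.exe", "key_value_queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"),
    (4936, "oobeldr.exe", "key_value_queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion"),
    (4936, "oobeldr.exe", "key_value_queried", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"),
    (4936, "oobeldr.exe", "process_created", SCHTASKS),
]

# (signature name as the report prints it, event kind, regex on the registry path)
REGISTRY_RULES = [
    ("Identifies VirtualBox via ACPI registry values (likely anti-VM)", "key_opened",
     re.compile(r"\\HARDWARE\\ACPI\\DSDT\\VBOX__$", re.I)),
    ("Checks BIOS information in registry", "key_value_queried",
     re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\(System|Video)BiosVersion$", re.I)),
    ("Checks whether UAC is enabled", "key_value_queried",
     re.compile(r"\\Policies\\System\\EnableLUA$", re.I)),
]

# "/switch" optionally followed by a quoted or bare value that is not itself a switch.
SWITCH_RE = re.compile(r'/(\w+)(?:\s+("[^"]*"|[^/\s]\S*))?')


def parse_schtasks(cmdline):
    """Map schtasks switches (lower-cased) to their unquoted values; flag-only switches map to ''."""
    return {switch.lower(): value.strip('"') for switch, value in SWITCH_RE.findall(cmdline)}


def schtasks_persistence(cmdline):
    """Return a finding for a schtasks /create command line, or None if it does not create a task."""
    opts = parse_schtasks(cmdline)
    if "create" not in opts:
        return None
    target = opts.get("tr", "")
    reasons = []
    if re.search(r"\\AppData\\", target, re.I):            # heuristic: binary in a user-writable dir
        reasons.append("task target lives under the user's AppData")
    if opts.get("sc", "").lower() == "minute":              # heuristic: high-frequency re-execution
        reasons.append("task fires every %s minute(s)" % opts.get("mo", "1"))
    if "f" in opts:                                         # /F suppresses the "already exists" warning
        reasons.append("/F silently replaces an existing task of the same name")
    return {"task_name": opts.get("tn", ""), "target": target,
            "schedule": (opts.get("sc", ""), opts.get("mo", "")), "reasons": reasons}


def match_signatures(events):
    """Group IoCs per signature name, one IoC per matching event, as the report does."""
    hits = defaultdict(list)
    dropped = {}  # path -> sha256 of files written during the run
    for pid, image, kind, detail in events:
        for name, wanted_kind, pattern in REGISTRY_RULES:
            if kind == wanted_kind and pattern.search(detail):
                hits[name].append((pid, image, detail))
        if kind == "file_written":
            path, sha256 = detail
            dropped[path] = sha256
            if sha256 == SAMPLE_SHA256:  # dropped file has the submitted sample's hash
                hits["Dropped file is byte-identical to the submitted sample"].append((pid, image, path))
        if kind == "process_created":
            finding = schtasks_persistence(detail)
            if finding:
                hits["Creates scheduled task(s)"].append((pid, image, finding))
    # A process whose image name equals a dropped file's name executed a dropped EXE.
    dropped_names = {path.rsplit("\\", 1)[-1].lower() for path in dropped}
    for pid, image in sorted({(pid, image) for pid, image, _, _ in events}):
        if image.lower() in dropped_names:
            hits["Executes dropped EXE"].append((pid, image))
    return dict(hits)


if __name__ == "__main__":
    for name, iocs in match_signatures(EVENTS).items():
        print(f"{name}: {len(iocs)} IoCs")
        for ioc in iocs:
            print("   ", ioc)
```

Run stand-alone it prints the same signature names and IoC counts as the report (2 VirtualBox, 4 BIOS, 2 UAC, 2 scheduled task, 1 dropped EXE), plus the reasons the "Telemetry Logging" task is suspicious: the target is under %AppData%, it fires every minute, and /F overwrites any existing task of that name.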
Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes:
pid | process
4696 | cee0f3ad8ecce443c8bbc22dfb616800899712e4f5fb2eaccb4b4e75e557ddcc.exe
4696 | cee0f3ad8ecce443c8bbc22dfb616800899712e4f5fb2eaccb4b4e75e557ddcc.exe
4696 | cee0f3ad8ecce443c8bbc22dfb616800899712e4f5fb2eaccb4b4e75e557ddcc.exe
4696 | cee0f3ad8ecce443c8bbc22dfb616800899712e4f5fb2eaccb4b4e75e557ddcc.exe
4936 | oobeldr.exe
4936 | oobeldr.exe
4936 | oobeldr.exe
4936 | oobeldr.exe
-
Suspicious use of WriteProcessMemory 6 IoCs
All six writes target the schtasks.exe children (PIDs 3564 and 2408) that the two processes themselves spawn; a parent writing into a child it has just created is part of normal process start-up and is not on its own evidence of code injection.
Processes:
description | pid | process | target process
PID 4696 wrote to memory of 3564 | 4696 | cee0f3ad8ecce443c8bbc22dfb616800899712e4f5fb2eaccb4b4e75e557ddcc.exe | schtasks.exe
PID 4696 wrote to memory of 3564 | 4696 | cee0f3ad8ecce443c8bbc22dfb616800899712e4f5fb2eaccb4b4e75e557ddcc.exe | schtasks.exe
PID 4696 wrote to memory of 3564 | 4696 | cee0f3ad8ecce443c8bbc22dfb616800899712e4f5fb2eaccb4b4e75e557ddcc.exe | schtasks.exe
PID 4936 wrote to memory of 2408 | 4936 | oobeldr.exe | schtasks.exe
PID 4936 wrote to memory of 2408 | 4936 | oobeldr.exe | schtasks.exe
PID 4936 wrote to memory of 2408 | 4936 | oobeldr.exe | schtasks.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\cee0f3ad8ecce443c8bbc22dfb616800899712e4f5fb2eaccb4b4e75e557ddcc.exe (PID 4696)
Command line: "C:\Users\Admin\AppData\Local\Temp\cee0f3ad8ecce443c8bbc22dfb616800899712e4f5fb2eaccb4b4e75e557ddcc.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
    -
    C:\Windows\SysWOW64\schtasks.exe (child of 4696, PID 3564)
    Command line: /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
    - Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe (PID 4936)
Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
    -
    C:\Windows\SysWOW64\schtasks.exe (child of 4936, PID 2408)
    Command line: /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
    - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
Filesize: 1.8MB
MD5: 2f8c47a4c14ef78c2218b6a24bce0435
SHA1: 9b5222917ba909887e4207dcf89818f8ca6aed97
SHA256: cee0f3ad8ecce443c8bbc22dfb616800899712e4f5fb2eaccb4b4e75e557ddcc
SHA512: 3f5cbae9cf641d3bf7ce39e8fa1d6af51057188887513f10c7507909778f27725a5a2c49e92ef541dbcf6242b2ed26c19226aabd6305be121b4cb1ef70c54088
(All four hashes match the submitted target: the dropped oobeldr.exe is a copy of the sample itself.)
-
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
Filesize: 1.8MB
MD5: 2f8c47a4c14ef78c2218b6a24bce0435
SHA1: 9b5222917ba909887e4207dcf89818f8ca6aed97
SHA256: cee0f3ad8ecce443c8bbc22dfb616800899712e4f5fb2eaccb4b4e75e557ddcc
SHA512: 3f5cbae9cf641d3bf7ce39e8fa1d6af51057188887513f10c7507909778f27725a5a2c49e92ef541dbcf6242b2ed26c19226aabd6305be121b4cb1ef70c54088
-
- memory/2408-150-0x0000000000000000-mapping.dmp
- memory/3564-140-0x0000000000000000-mapping.dmp
- memory/4696-139-0x0000000000BB1000-0x0000000000BB3000-memory.dmp (Filesize 8KB)
- memory/4696-134-0x00000000014B0000-0x00000000014F4000-memory.dmp (Filesize 272KB)
- memory/4696-132-0x0000000000BB0000-0x0000000000ECF000-memory.dmp (Filesize 3.1MB)
- memory/4696-138-0x0000000077270000-0x0000000077413000-memory.dmp (Filesize 1.6MB)
- memory/4696-136-0x0000000000BB0000-0x0000000000ECF000-memory.dmp (Filesize 3.1MB)
- memory/4696-141-0x0000000000BB0000-0x0000000000ECF000-memory.dmp (Filesize 3.1MB)
- memory/4696-142-0x00000000014B0000-0x00000000014F4000-memory.dmp (Filesize 272KB)
- memory/4696-143-0x0000000077270000-0x0000000077413000-memory.dmp (Filesize 1.6MB)
- memory/4696-135-0x0000000000BB0000-0x0000000000ECF000-memory.dmp (Filesize 3.1MB)
- memory/4696-137-0x0000000000BB1000-0x0000000000BB3000-memory.dmp (Filesize 8KB)
- memory/4696-133-0x0000000000BB0000-0x0000000000ECF000-memory.dmp (Filesize 3.1MB)
- memory/4936-147-0x0000000000F40000-0x000000000125F000-memory.dmp (Filesize 3.1MB)
- memory/4936-149-0x0000000000F41000-0x0000000000F43000-memory.dmp (Filesize 8KB)
- memory/4936-146-0x0000000000F40000-0x000000000125F000-memory.dmp (Filesize 3.1MB)
- memory/4936-151-0x0000000002770000-0x00000000027B4000-memory.dmp (Filesize 272KB)
- memory/4936-152-0x0000000000F40000-0x000000000125F000-memory.dmp (Filesize 3.1MB)
- memory/4936-153-0x0000000077270000-0x0000000077413000-memory.dmp (Filesize 1.6MB)
- memory/4936-154-0x0000000000F40000-0x000000000125F000-memory.dmp (Filesize 3.1MB)
- memory/4936-155-0x0000000002770000-0x00000000027B4000-memory.dmp (Filesize 272KB)
- memory/4936-156-0x0000000000F40000-0x000000000125F000-memory.dmp (Filesize 3.1MB)