Analysis
max time kernel: 90s
max time network: 144s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-09-2022 02:50
Static task: static1
General
Target: 6527635f3859fa6506bde071768db331f94e2c7d7312fa70af81deefb391cc23.exe
Size: 1.8MB
MD5: 8d634689f2228a651a505b4195cf47e4
SHA1: ed335eac59d5317c3238f83edc9160aee3b17ed3
SHA256: 6527635f3859fa6506bde071768db331f94e2c7d7312fa70af81deefb391cc23
SHA512: 11eefb24c5cad1eded27cb17e64be70c8ca6992fbde30eed9b346bfd5d2051f91a83b58b7fa51470a2c3faf69d29c9ef3f2207cf562113a1bf26e9d6fc1e51a5
SSDEEP: 49152:AiSzCD+K95aLs7zeqLTVtXtHFIDP8EehiM8qZA:AiSzCD+K95aUeqFtXtHwEEehig
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
Processes:
6527635f3859fa6506bde071768db331f94e2c7d7312fa70af81deefb391cc23.exeoobeldr.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 6527635f3859fa6506bde071768db331f94e2c7d7312fa70af81deefb391cc23.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ oobeldr.exe -
- Executes dropped EXE - 1 IoCs
Processes: oobeldr.exe
pid | process
1656 | oobeldr.exe
- Checks BIOS information in registry - 2 TTPs, 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes: 6527635f3859fa6506bde071768db331f94e2c7d7312fa70af81deefb391cc23.exe, oobeldr.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 6527635f3859fa6506bde071768db331f94e2c7d7312fa70af81deefb391cc23.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | oobeldr.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | oobeldr.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 6527635f3859fa6506bde071768db331f94e2c7d7312fa70af81deefb391cc23.exe
- Checks whether UAC is enabled - 2 IoCs
Processes: 6527635f3859fa6506bde071768db331f94e2c7d7312fa70af81deefb391cc23.exe, oobeldr.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 6527635f3859fa6506bde071768db331f94e2c7d7312fa70af81deefb391cc23.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | oobeldr.exe
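The three signatures above record the registry probes but not what the sample concludes from them. The following is an added example, not the sample's own code: it reimplements the same probes (existence of the VBOX__ ACPI table, marker substrings in the two BIOS strings, the EnableLUA value) against a pluggable registry source so the logic runs offline and, via winreg, on a real Windows host. Assumptions: the marker substrings "VBOX" and "VIRTUALBOX" (what public anti-VM checks look for, not taken from this report), the two constructed registry snapshots, and that a missing EnableLUA value means UAC is at its default (enabled).

```python
"""
Reimplementation of the registry probes this sample performs, so an analyst
or sandbox operator can see what each one decides and test a host with it.

Added example for this report, not the sample's code.  Assumptions: the
marker substrings, the constructed snapshots, and "EnableLUA absent => UAC on".
"""
from typing import Any, Dict, Iterable, Optional, Protocol

# Paths exactly as the report lists them, relative to HKEY_LOCAL_MACHINE
# (which the sandbox logs as \REGISTRY\MACHINE).
ACPI_VBOX_TABLE = r"HARDWARE\ACPI\DSDT\VBOX__"
SYSTEM_BIOS = r"HARDWARE\DESCRIPTION\System\SystemBiosVersion"
VIDEO_BIOS = r"HARDWARE\DESCRIPTION\System\VideoBiosVersion"
ENABLE_LUA = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"

# Assumption: substrings a VirtualBox guest exposes in its BIOS strings.
VBOX_MARKERS = ("VBOX", "VIRTUALBOX")


class Registry(Protocol):
    def key_exists(self, path: str) -> bool: ...
    def query_value(self, path: str) -> Optional[Any]: ...


class Snapshot:
    """Offline HKLM stand-in: the set of existing keys plus value data."""

    def __init__(self, keys: Iterable[str], values: Dict[str, Any]):
        self._keys = {k.lower() for k in keys}
        self._values = {k.lower(): v for k, v in values.items()}

    def key_exists(self, path: str) -> bool:
        return path.lower() in self._keys

    def query_value(self, path: str) -> Optional[Any]:
        return self._values.get(path.lower())


def live_hklm() -> Registry:
    """Real reader for a Windows host (needs the winreg module, i.e. CPython on Windows)."""
    import winreg

    class _Live:
        def key_exists(self, path: str) -> bool:
            try:
                winreg.CloseKey(winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path))
                return True
            except OSError:
                return False

        def query_value(self, path: str) -> Optional[Any]:
            key, _, name = path.rpartition("\\")
            try:
                with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key) as k:
                    return winreg.QueryValueEx(k, name)[0]
            except OSError:
                return None

    return _Live()


def _as_text(data: Any) -> str:
    # SystemBiosVersion / VideoBiosVersion are REG_MULTI_SZ, i.e. a list of strings.
    if isinstance(data, (list, tuple)):
        return " ".join(map(str, data))
    return "" if data is None else str(data)


def profile_environment(reg: Registry) -> Dict[str, bool]:
    """Mirror of the sample's probes: ACPI table presence, BIOS-string markers, UAC state."""
    f: Dict[str, bool] = {}
    f["acpi_vbox_table"] = reg.key_exists(ACPI_VBOX_TABLE)          # presence test, no value read
    f["system_bios_marker"] = any(m in _as_text(reg.query_value(SYSTEM_BIOS)).upper() for m in VBOX_MARKERS)
    f["video_bios_marker"] = any(m in _as_text(reg.query_value(VIDEO_BIOS)).upper() for m in VBOX_MARKERS)
    f["looks_like_virtualbox"] = f["acpi_vbox_table"] or f["system_bios_marker"] or f["video_bios_marker"]
    lua = reg.query_value(ENABLE_LUA)
    f["uac_enabled"] = True if lua is None else int(lua) != 0       # absent => default (assumption: on)
    return f


# Constructed snapshots: an unpatched VirtualBox guest and a physical host.
VBOX_GUEST = Snapshot(
    keys=[ACPI_VBOX_TABLE],
    values={SYSTEM_BIOS: ["VBOX   - 1"], VIDEO_BIOS: ["VIRTUALBOX VBE BIOS"], ENABLE_LUA: 1},
)
PHYSICAL_HOST = Snapshot(
    keys=[],
    values={SYSTEM_BIOS: ["ACME - 1", "1.07"], VIDEO_BIOS: ["VIDEO BIOS 2.3"], ENABLE_LUA: 0},
)

if __name__ == "__main__":
    for label, snap in (("VirtualBox guest", VBOX_GUEST), ("physical host", PHYSICAL_HOST)):
        print(label, profile_environment(snap))
```

On an analysis VM, `profile_environment(live_hklm())` returning `looks_like_virtualbox=True` means this sample will fingerprint the guest; the ACPI check is a pure key-existence test, so renaming the DSDT OEM ID and the SMBIOS strings is what an evasion-resistant sandbox image needs, not just hiding guest-additions processes.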
- Suspicious use of NtSetInformationThreadHideFromDebugger - 4 IoCs
Processes: 6527635f3859fa6506bde071768db331f94e2c7d7312fa70af81deefb391cc23.exe, oobeldr.exe
pid | process
3828 | 6527635f3859fa6506bde071768db331f94e2c7d7312fa70af81deefb391cc23.exe
3828 | 6527635f3859fa6506bde071768db331f94e2c7d7312fa70af81deefb391cc23.exe
1656 | oobeldr.exe
1656 | oobeldr.exe
- Creates scheduled task(s) - 1 TTPs, 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe, schtasks.exe
pid | process
5024 | schtasks.exe
1744 | schtasks.exe
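The signature above only counts schtasks.exe launches; the detail that makes this persistence stand out is in the command line the process tree records (`/sc minute /mo 1`, `/F`, a task named "Telemetry Logging" whose action lives under the user's AppData). The following is an added example, not code from the sandbox or the sample: it parses schtasks `/create` command lines out of process-creation records (the fields a Sysmon EID 1 or Security 4688 event already carries) and attaches the reasons a task looks like dropped-payload persistence. The log records are constructed; the first repeats the command line from this report, the other two are benign controls. The user-writable directory list and the "two or more reasons" threshold are assumptions for the example.

```python
"""
Flag schtasks.exe /create invocations that look like malware persistence.

Added example for this report; not code from the sandbox or from the sample.
The records below are constructed: the first repeats the command line the
report recorded, the other two are benign controls.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed (parent image, schtasks command line) pairs.
SAMPLE_EVENTS: List[Tuple[str, str]] = [
    (r"C:\Users\Admin\AppData\Local\Temp\6527635f3859fa6506bde071768db331f94e2c7d7312fa70af81deefb391cc23.exe",
     r'/C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"'),
    (r"C:\Windows\System32\cmd.exe",
     r'/create /sc daily /st 03:00 /tn "Nightly Backup" /tr "C:\Program Files\BackupTool\backup.exe --full"'),
    (r"C:\Windows\System32\cmd.exe",
     r'/query /tn "Nightly Backup"'),
]

# Assumption: directories an unprivileged user can write to.  A persisted
# binary living here is the usual sign of a dropped payload, not installed software.
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\programdata\\", "\\temp\\")

# schtasks switches that consume the following token as their argument.
VALUE_SWITCHES = {"/tn", "/tr", "/sc", "/mo", "/st", "/sd", "/ed", "/ru", "/rp",
                  "/rl", "/d", "/m", "/i", "/ri", "/du", "/xml", "/s", "/u", "/p"}

TOKEN_RE = re.compile(r'"[^"]*"|\S+')   # quoted argument or bare word


@dataclass
class TaskCreate:
    name: str
    action: str
    schedule: str
    modifier: Optional[int]
    force: bool
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return len(self.reasons) >= 2      # assumption: threshold for the example


def parse_schtasks_create(cmdline: str) -> Optional[TaskCreate]:
    """Return the /create parameters, or None if the call is not a /create."""
    tokens = [t.strip('"') for t in TOKEN_RE.findall(cmdline)]
    args = {}
    i = 0
    while i < len(tokens):
        switch = tokens[i].lower()
        if switch in VALUE_SWITCHES and i + 1 < len(tokens):
            args[switch] = tokens[i + 1]
            i += 2
        else:
            args[switch] = ""              # flag switch such as /create or /F
            i += 1
    if "/create" not in args:
        return None
    mo = args.get("/mo", "")
    return TaskCreate(
        name=args.get("/tn", ""),
        action=args.get("/tr", ""),
        schedule=args.get("/sc", "").lower(),
        modifier=int(mo) if mo.isdigit() else None,
        force="/f" in args,
    )


def assess(parent_image: str, cmdline: str) -> Optional[TaskCreate]:
    """Parse one process-creation record and attach the reasons it looks like persistence."""
    task = parse_schtasks_create(cmdline)
    if task is None:
        return None
    if task.schedule == "minute" and task.modifier is not None and task.modifier <= 5:
        task.reasons.append(f"re-runs every {task.modifier} minute(s), a watchdog-style cadence")
    if any(d in task.action.lower() for d in USER_WRITABLE):
        task.reasons.append("task action lives in a user-writable directory")
    if any(d in parent_image.lower() for d in USER_WRITABLE):
        task.reasons.append("schtasks launched by a binary in a user-writable directory")
    if task.force:
        task.reasons.append("/F silently replaces any existing task of that name")
    return task


def scan(events: List[Tuple[str, str]]) -> List[TaskCreate]:
    """Assess every /create call in a batch of (parent image, command line) records."""
    return [t for t in (assess(p, c) for p, c in events) if t is not None]


if __name__ == "__main__":
    for task in scan(SAMPLE_EVENTS):
        print("SUSPICIOUS" if task.suspicious else "ok", repr(task.name), "->", repr(task.action))
        for reason in task.reasons:
            print("   -", reason)
```

The one-minute cadence is the detail worth alerting on by itself: a legitimate installer schedules a daily or logon-triggered task, while a `/sc minute /mo 1` task is a self-healing restart loop for the dropped oobeldr.exe.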
- Suspicious behavior: EnumeratesProcesses - 8 IoCs
Processes: 6527635f3859fa6506bde071768db331f94e2c7d7312fa70af81deefb391cc23.exe, oobeldr.exe
pid | process
3828 | 6527635f3859fa6506bde071768db331f94e2c7d7312fa70af81deefb391cc23.exe
3828 | 6527635f3859fa6506bde071768db331f94e2c7d7312fa70af81deefb391cc23.exe
3828 | 6527635f3859fa6506bde071768db331f94e2c7d7312fa70af81deefb391cc23.exe
3828 | 6527635f3859fa6506bde071768db331f94e2c7d7312fa70af81deefb391cc23.exe
1656 | oobeldr.exe
1656 | oobeldr.exe
1656 | oobeldr.exe
1656 | oobeldr.exe
- Suspicious use of WriteProcessMemory - 6 IoCs
Processes: 6527635f3859fa6506bde071768db331f94e2c7d7312fa70af81deefb391cc23.exe, oobeldr.exe
description | pid | process | target process
PID 3828 wrote to memory of 5024 | 3828 | 6527635f3859fa6506bde071768db331f94e2c7d7312fa70af81deefb391cc23.exe | schtasks.exe
PID 3828 wrote to memory of 5024 | 3828 | 6527635f3859fa6506bde071768db331f94e2c7d7312fa70af81deefb391cc23.exe | schtasks.exe
PID 3828 wrote to memory of 5024 | 3828 | 6527635f3859fa6506bde071768db331f94e2c7d7312fa70af81deefb391cc23.exe | schtasks.exe
PID 1656 wrote to memory of 1744 | 1656 | oobeldr.exe | schtasks.exe
PID 1656 wrote to memory of 1744 | 1656 | oobeldr.exe | schtasks.exe
PID 1656 wrote to memory of 1744 | 1656 | oobeldr.exe | schtasks.exe
Processes
C:\Users\Admin\AppData\Local\Temp\6527635f3859fa6506bde071768db331f94e2c7d7312fa70af81deefb391cc23.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6527635f3859fa6506bde071768db331f94e2c7d7312fa70af81deefb391cc23.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  +-- C:\Windows\SysWOW64\schtasks.exe
        Command line: /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
        - Creates scheduled task(s)

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  (a top-level process, not a child of the submitted sample, which is consistent with it being started by the "Telemetry Logging" task created above)
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  +-- C:\Windows\SysWOW64\schtasks.exe
        Command line: /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
        - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
Dropped file: C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
Filesize: 1.8MB
MD5: 8d634689f2228a651a505b4195cf47e4
SHA1: ed335eac59d5317c3238f83edc9160aee3b17ed3
SHA256: 6527635f3859fa6506bde071768db331f94e2c7d7312fa70af81deefb391cc23
SHA512: 11eefb24c5cad1eded27cb17e64be70c8ca6992fbde30eed9b346bfd5d2051f91a83b58b7fa51470a2c3faf69d29c9ef3f2207cf562113a1bf26e9d6fc1e51a5
(all four hashes match the submitted sample: the dropped oobeldr.exe is an unmodified copy of itself, so one file hash covers both the initial and the persisted binary)
Memory dumps (dump file | size); PID 3828 is the submitted sample, 1656 is oobeldr.exe, 5024 and 1744 are the two schtasks.exe children
memory/1656-148-0x0000000000F50000-0x000000000126F000-memory.dmp | 3.1MB
memory/1656-144-0x0000000000F50000-0x000000000126F000-memory.dmp | 3.1MB
memory/1656-153-0x0000000001710000-0x0000000001754000-memory.dmp | 272KB
memory/1656-152-0x0000000000F50000-0x000000000126F000-memory.dmp | 3.1MB
memory/1656-151-0x0000000077180000-0x0000000077323000-memory.dmp | 1.6MB
memory/1656-150-0x0000000000F50000-0x000000000126F000-memory.dmp | 3.1MB
memory/1656-149-0x0000000001710000-0x0000000001754000-memory.dmp | 272KB
memory/1656-146-0x0000000000F51000-0x0000000000F53000-memory.dmp | 8KB
memory/1744-147-0x0000000000000000-mapping.dmp | (mapping only, no size recorded)
memory/3828-132-0x0000000000D10000-0x000000000102F000-memory.dmp | 3.1MB
memory/3828-133-0x0000000000D10000-0x000000000102F000-memory.dmp | 3.1MB
memory/3828-134-0x0000000002640000-0x0000000002684000-memory.dmp | 272KB
memory/3828-141-0x0000000077180000-0x0000000077323000-memory.dmp | 1.6MB
memory/3828-135-0x0000000000D10000-0x000000000102F000-memory.dmp | 3.1MB
memory/3828-140-0x0000000000D10000-0x000000000102F000-memory.dmp | 3.1MB
memory/3828-138-0x0000000000D11000-0x0000000000D13000-memory.dmp | 8KB
memory/3828-137-0x0000000000D11000-0x0000000000D13000-memory.dmp | 8KB
memory/3828-136-0x0000000000D10000-0x000000000102F000-memory.dmp | 3.1MB
memory/5024-139-0x0000000000000000-mapping.dmp | (mapping only, no size recorded)