Analysis
  max time kernel: 91s
  max time network: 150s
  platform: windows10-2004_x64
  resource: win10v2004-20220812-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 25-09-2022 03:24
  Static task: static1
General
  Target: b8bd3aaece1911e9bb3384f34a95aa3fc87f616c870d543827befaf36f802d68.exe
  Size: 1.8MB
  MD5: 3f030ab8fcfc920904602e6cbfa631a6
  SHA1: 0c897537bcb484036c812ae5a57a0dbd58b7862d
  SHA256: b8bd3aaece1911e9bb3384f34a95aa3fc87f616c870d543827befaf36f802d68
  SHA512: a2a91662194f63799882f8a74b13f6328b92cf5912f2967fb16e558df3fad5476192e74091aee4f0a63e74435552114b6588689b5213496b411328cbf8e47061
  SSDEEP: 49152:AiSzCD+K95aLs7zeqLTVtXtHFIDP8EehiM8qZA:AiSzCD+K95aUeqFtXtHwEEehig
Signatures

- Identifies VirtualBox via ACPI registry values (likely anti-VM)  2 TTPs  2 IoCs
  Processes: b8bd3aaece1911e9bb3384f34a95aa3fc87f616c870d543827befaf36f802d68.exe, oobeldr.exe
  description  ioc                                           process
  Key opened   \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__   b8bd3aaece1911e9bb3384f34a95aa3fc87f616c870d543827befaf36f802d68.exe
  Key opened   \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__   oobeldr.exe

- Executes dropped EXE  1 IoCs
  Processes: oobeldr.exe
  pid   process
  4432  oobeldr.exe

- Checks BIOS information in registry  2 TTPs  4 IoCs
  BIOS information is often read in order to detect sandboxing environments.
  Processes: b8bd3aaece1911e9bb3384f34a95aa3fc87f616c870d543827befaf36f802d68.exe, oobeldr.exe
  description        ioc                                                            process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  b8bd3aaece1911e9bb3384f34a95aa3fc87f616c870d543827befaf36f802d68.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   b8bd3aaece1911e9bb3384f34a95aa3fc87f616c870d543827befaf36f802d68.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  oobeldr.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   oobeldr.exe

- Checks whether UAC is enabled  2 IoCs
  Processes: oobeldr.exe, b8bd3aaece1911e9bb3384f34a95aa3fc87f616c870d543827befaf36f802d68.exe
  description        ioc                                                                          process
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  oobeldr.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  b8bd3aaece1911e9bb3384f34a95aa3fc87f616c870d543827befaf36f802d68.exe

- Suspicious use of NtSetInformationThreadHideFromDebugger  4 IoCs
  Processes: b8bd3aaece1911e9bb3384f34a95aa3fc87f616c870d543827befaf36f802d68.exe, oobeldr.exe
  pid   process
  1932  b8bd3aaece1911e9bb3384f34a95aa3fc87f616c870d543827befaf36f802d68.exe
  1932  b8bd3aaece1911e9bb3384f34a95aa3fc87f616c870d543827befaf36f802d68.exe
  4432  oobeldr.exe
  4432  oobeldr.exe

- Creates scheduled task(s)  1 TTPs  2 IoCs
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes: schtasks.exe, schtasks.exe
  pid   process
  1116  schtasks.exe
  2760  schtasks.exe

- Suspicious behavior: EnumeratesProcesses  8 IoCs
  Processes: b8bd3aaece1911e9bb3384f34a95aa3fc87f616c870d543827befaf36f802d68.exe, oobeldr.exe
  pid   process
  1932  b8bd3aaece1911e9bb3384f34a95aa3fc87f616c870d543827befaf36f802d68.exe  (4 events)
  4432  oobeldr.exe  (4 events)

- Suspicious use of WriteProcessMemory  6 IoCs
  Processes: b8bd3aaece1911e9bb3384f34a95aa3fc87f616c870d543827befaf36f802d68.exe, oobeldr.exe
  description                   pid   process                                                                 target process
  PID 1932 wrote to memory of 1116  1932  b8bd3aaece1911e9bb3384f34a95aa3fc87f616c870d543827befaf36f802d68.exe  schtasks.exe  (3 events)
  PID 4432 wrote to memory of 2760  4432  oobeldr.exe                                                             schtasks.exe  (3 events)
Processes

- C:\Users\Admin\AppData\Local\Temp\b8bd3aaece1911e9bb3384f34a95aa3fc87f616c870d543827befaf36f802d68.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\b8bd3aaece1911e9bb3384f34a95aa3fc87f616c870d543827befaf36f802d68.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  - C:\Windows\SysWOW64\schtasks.exe (child)
    command line: /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
    - Creates scheduled task(s)

- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  command line: C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  - C:\Windows\SysWOW64\schtasks.exe (child)
    command line: /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
    - Creates scheduled task(s)
Downloads

- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  Filesize: 1.8MB
  MD5: 3f030ab8fcfc920904602e6cbfa631a6
  SHA1: 0c897537bcb484036c812ae5a57a0dbd58b7862d
  SHA256: b8bd3aaece1911e9bb3384f34a95aa3fc87f616c870d543827befaf36f802d68
  SHA512: a2a91662194f63799882f8a74b13f6328b92cf5912f2967fb16e558df3fad5476192e74091aee4f0a63e74435552114b6588689b5213496b411328cbf8e47061

Memory dumps
  file                                                               size
  memory/1116-135-0x0000000000000000-mapping.dmp
  memory/1932-132-0x00000000009E0000-0x0000000000CFF000-memory.dmp  3.1MB
  memory/1932-133-0x00000000009E1000-0x00000000009E3000-memory.dmp  8KB
  memory/1932-134-0x00000000009E1000-0x00000000009E3000-memory.dmp  8KB
  memory/1932-136-0x00000000009E0000-0x0000000000CFF000-memory.dmp  3.1MB
  memory/1932-137-0x0000000001000000-0x0000000001044000-memory.dmp  272KB
  memory/1932-138-0x00000000009E0000-0x0000000000CFF000-memory.dmp  3.1MB
  memory/1932-139-0x00000000009E0000-0x0000000000CFF000-memory.dmp  3.1MB
  memory/1932-140-0x0000000077730000-0x00000000778D3000-memory.dmp  1.6MB
  memory/1932-141-0x0000000077730000-0x00000000778D3000-memory.dmp  1.6MB
  memory/2760-150-0x0000000000000000-mapping.dmp
  memory/4432-144-0x0000000000B10000-0x0000000000E2F000-memory.dmp  3.1MB
  memory/4432-146-0x0000000000B10000-0x0000000000E2F000-memory.dmp  3.1MB
  memory/4432-147-0x0000000002E40000-0x0000000002E84000-memory.dmp  272KB
  memory/4432-148-0x0000000077730000-0x00000000778D3000-memory.dmp  1.6MB
  memory/4432-149-0x0000000000B11000-0x0000000000B13000-memory.dmp  8KB
  memory/4432-151-0x0000000000B10000-0x0000000000E2F000-memory.dmp  3.1MB
  memory/4432-152-0x0000000002E40000-0x0000000002E84000-memory.dmp  272KB
  memory/4432-153-0x0000000077730000-0x00000000778D3000-memory.dmp  1.6MB