Analysis
max time kernel: 90s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-09-2022 05:27
Static task: static1
General
Target: 1bfb354637417a53201e4af621cc34bf2113b0bce97d70dac9cf68a2940da6c8.exe
Size: 1.8MB
MD5: e4df8d6ecb435dc88efd16702e7efe88
SHA1: a52bee4e82ed627c5d18b7afcf7000c47f6a6224
SHA256: 1bfb354637417a53201e4af621cc34bf2113b0bce97d70dac9cf68a2940da6c8
SHA512: 42b6bbaf2e764f5222fb20a5cee1aeb1862f180312bfa243c9b41ae3d32b02265adbbad95146964700af522905aa886414313144671974d7cc5afd8fecb8f9eb
SSDEEP: 49152:AiSzCD+K95aLs7zeqLTVtXtHFIDP8EehiM8qZA:AiSzCD+K95aUeqFtXtHwEEehig
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
Processes (description / ioc / process):
  Key opened   \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__   1bfb354637417a53201e4af621cc34bf2113b0bce97d70dac9cf68a2940da6c8.exe
  Key opened   \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__   oobeldr.exe
-
Executes dropped EXE 1 IoCs
Processes (pid / process):
  3696   oobeldr.exe
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes (description / ioc / process):
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion   1bfb354637417a53201e4af621cc34bf2113b0bce97d70dac9cf68a2940da6c8.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion    1bfb354637417a53201e4af621cc34bf2113b0bce97d70dac9cf68a2940da6c8.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion   oobeldr.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion    oobeldr.exe
-
Checks whether UAC is enabled 2 IoCs
Processes (description / ioc / process):
  Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   1bfb354637417a53201e4af621cc34bf2113b0bce97d70dac9cf68a2940da6c8.exe
  Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   oobeldr.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
Processes (pid / process):
  4528   1bfb354637417a53201e4af621cc34bf2113b0bce97d70dac9cf68a2940da6c8.exe
  4528   1bfb354637417a53201e4af621cc34bf2113b0bce97d70dac9cf68a2940da6c8.exe
  3696   oobeldr.exe
  3696   oobeldr.exe
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes (pid / process):
  4648   schtasks.exe
  4408   schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes (pid / process):
  4528   1bfb354637417a53201e4af621cc34bf2113b0bce97d70dac9cf68a2940da6c8.exe
  4528   1bfb354637417a53201e4af621cc34bf2113b0bce97d70dac9cf68a2940da6c8.exe
  4528   1bfb354637417a53201e4af621cc34bf2113b0bce97d70dac9cf68a2940da6c8.exe
  4528   1bfb354637417a53201e4af621cc34bf2113b0bce97d70dac9cf68a2940da6c8.exe
  3696   oobeldr.exe
  3696   oobeldr.exe
  3696   oobeldr.exe
  3696   oobeldr.exe
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes (description / pid / process / target process):
  PID 4528 wrote to memory of 4648   4528   1bfb354637417a53201e4af621cc34bf2113b0bce97d70dac9cf68a2940da6c8.exe   schtasks.exe
  PID 4528 wrote to memory of 4648   4528   1bfb354637417a53201e4af621cc34bf2113b0bce97d70dac9cf68a2940da6c8.exe   schtasks.exe
  PID 4528 wrote to memory of 4648   4528   1bfb354637417a53201e4af621cc34bf2113b0bce97d70dac9cf68a2940da6c8.exe   schtasks.exe
  PID 3696 wrote to memory of 4408   3696   oobeldr.exe   schtasks.exe
  PID 3696 wrote to memory of 4408   3696   oobeldr.exe   schtasks.exe
  PID 3696 wrote to memory of 4408   3696   oobeldr.exe   schtasks.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\1bfb354637417a53201e4af621cc34bf2113b0bce97d70dac9cf68a2940da6c8.exe (level 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\1bfb354637417a53201e4af621cc34bf2113b0bce97d70dac9cf68a2940da6c8.exe"
  signatures:
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  child process:
  C:\Windows\SysWOW64\schtasks.exe (level 2)
    command line: /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
    signatures:
    - Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe (level 1)
  command line: C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  signatures:
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  child process:
  C:\Windows\SysWOW64\schtasks.exe (level 2)
    command line: /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
    signatures:
    - Creates scheduled task(s)
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
Filesize: 1.8MB
MD5: e4df8d6ecb435dc88efd16702e7efe88
SHA1: a52bee4e82ed627c5d18b7afcf7000c47f6a6224
SHA256: 1bfb354637417a53201e4af621cc34bf2113b0bce97d70dac9cf68a2940da6c8
SHA512: 42b6bbaf2e764f5222fb20a5cee1aeb1862f180312bfa243c9b41ae3d32b02265adbbad95146964700af522905aa886414313144671974d7cc5afd8fecb8f9eb
-
Memory dumps (file / filesize):
memory/3696-155-0x00000000014B0000-0x00000000014F4000-memory.dmp   272KB
memory/3696-154-0x0000000000C50000-0x0000000000F6F000-memory.dmp   3.1MB
memory/3696-153-0x0000000077380000-0x0000000077523000-memory.dmp   1.6MB
memory/3696-152-0x00000000014B0000-0x00000000014F4000-memory.dmp   272KB
memory/3696-151-0x0000000000C50000-0x0000000000F6F000-memory.dmp   3.1MB
memory/3696-149-0x0000000000C51000-0x0000000000C53000-memory.dmp   8KB
memory/3696-147-0x0000000000C50000-0x0000000000F6F000-memory.dmp   3.1MB
memory/4408-150-0x0000000000000000-mapping.dmp
memory/4528-137-0x0000000000CB1000-0x0000000000CB3000-memory.dmp   8KB
memory/4528-143-0x00000000008D0000-0x0000000000914000-memory.dmp   272KB
memory/4528-144-0x0000000077380000-0x0000000077523000-memory.dmp   1.6MB
memory/4528-142-0x0000000000CB0000-0x0000000000FCF000-memory.dmp   3.1MB
memory/4528-141-0x0000000077380000-0x0000000077523000-memory.dmp   1.6MB
memory/4528-138-0x0000000000CB0000-0x0000000000FCF000-memory.dmp   3.1MB
memory/4528-139-0x0000000000CB1000-0x0000000000CB3000-memory.dmp   8KB
memory/4528-132-0x0000000000CB0000-0x0000000000FCF000-memory.dmp   3.1MB
memory/4528-136-0x0000000000CB0000-0x0000000000FCF000-memory.dmp   3.1MB
memory/4528-135-0x0000000000CB0000-0x0000000000FCF000-memory.dmp   3.1MB
memory/4528-134-0x0000000000CB0000-0x0000000000FCF000-memory.dmp   3.1MB
memory/4528-133-0x00000000008D0000-0x0000000000914000-memory.dmp   272KB
memory/4648-140-0x0000000000000000-mapping.dmp