Analysis
- max time kernel: 91s
- max time network: 128s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-09-2022 05:32
- Static task: static1
General
- Target: 6bdac7e2d386881cf3c3ab18c20e35ced38fb6b3d11ef6a603caf5ba279e935b.exe
- Size: 1.8MB
- MD5: 3a4ed70d244459f9b76b6069119de207
- SHA1: d8f1bfb88d1b97e50743b799e840879e7d2ad031
- SHA256: 6bdac7e2d386881cf3c3ab18c20e35ced38fb6b3d11ef6a603caf5ba279e935b
- SHA512: 74f5838a012d38e43074004aacf2d7860d570c91481ffd2d09a046d890a4986d0208dff9e23d60429a9ea777f4a88903ede3e4263bbd6ed150d2378457622da2
- SSDEEP: 49152:AiSzCD+K95aLs7zeqLTVtXtHFIDP8EehiM8qZA:AiSzCD+K95aUeqFtXtHwEEehig
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 6bdac7e2d386881cf3c3ab18c20e35ced38fb6b3d11ef6a603caf5ba279e935b.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | oobeldr.exe
- Executes dropped EXE 1 IoCs
  Processes:
  pid | process
  4968 | oobeldr.exe
- Checks BIOS information in registry 2 TTPs 4 IoCs
  BIOS information is often read in order to detect sandboxing environments.
  Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 6bdac7e2d386881cf3c3ab18c20e35ced38fb6b3d11ef6a603caf5ba279e935b.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 6bdac7e2d386881cf3c3ab18c20e35ced38fb6b3d11ef6a603caf5ba279e935b.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | oobeldr.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | oobeldr.exe
- Checks whether UAC is enabled 2 IoCs
  Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 6bdac7e2d386881cf3c3ab18c20e35ced38fb6b3d11ef6a603caf5ba279e935b.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | oobeldr.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
  Processes:
  pid | process
  4772 | 6bdac7e2d386881cf3c3ab18c20e35ced38fb6b3d11ef6a603caf5ba279e935b.exe
  4772 | 6bdac7e2d386881cf3c3ab18c20e35ced38fb6b3d11ef6a603caf5ba279e935b.exe
  4968 | oobeldr.exe
  4968 | oobeldr.exe
- Creates scheduled task(s) 1 TTPs 2 IoCs
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses 8 IoCs
  Processes:
  pid | process
  4772 | 6bdac7e2d386881cf3c3ab18c20e35ced38fb6b3d11ef6a603caf5ba279e935b.exe
  4772 | 6bdac7e2d386881cf3c3ab18c20e35ced38fb6b3d11ef6a603caf5ba279e935b.exe
  4772 | 6bdac7e2d386881cf3c3ab18c20e35ced38fb6b3d11ef6a603caf5ba279e935b.exe
  4772 | 6bdac7e2d386881cf3c3ab18c20e35ced38fb6b3d11ef6a603caf5ba279e935b.exe
  4968 | oobeldr.exe
  4968 | oobeldr.exe
  4968 | oobeldr.exe
  4968 | oobeldr.exe
- Suspicious use of WriteProcessMemory 6 IoCs
  Processes:
  description | pid | process | target process
  PID 4772 wrote to memory of 968 | 4772 | 6bdac7e2d386881cf3c3ab18c20e35ced38fb6b3d11ef6a603caf5ba279e935b.exe | schtasks.exe
  PID 4772 wrote to memory of 968 | 4772 | 6bdac7e2d386881cf3c3ab18c20e35ced38fb6b3d11ef6a603caf5ba279e935b.exe | schtasks.exe
  PID 4772 wrote to memory of 968 | 4772 | 6bdac7e2d386881cf3c3ab18c20e35ced38fb6b3d11ef6a603caf5ba279e935b.exe | schtasks.exe
  PID 4968 wrote to memory of 4324 | 4968 | oobeldr.exe | schtasks.exe
  PID 4968 wrote to memory of 4324 | 4968 | oobeldr.exe | schtasks.exe
  PID 4968 wrote to memory of 4324 | 4968 | oobeldr.exe | schtasks.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\6bdac7e2d386881cf3c3ab18c20e35ced38fb6b3d11ef6a603caf5ba279e935b.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\6bdac7e2d386881cf3c3ab18c20e35ced38fb6b3d11ef6a603caf5ba279e935b.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe
    command line: /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
    - Creates scheduled task(s)
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  command line: C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe
    command line: /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
    - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  Filesize: 1.8MB
  MD5: 3a4ed70d244459f9b76b6069119de207
  SHA1: d8f1bfb88d1b97e50743b799e840879e7d2ad031
  SHA256: 6bdac7e2d386881cf3c3ab18c20e35ced38fb6b3d11ef6a603caf5ba279e935b
  SHA512: 74f5838a012d38e43074004aacf2d7860d570c91481ffd2d09a046d890a4986d0208dff9e23d60429a9ea777f4a88903ede3e4263bbd6ed150d2378457622da2
- memory/968-139-0x0000000000000000-mapping.dmp
- memory/4324-151-0x0000000000000000-mapping.dmp
- memory/4772-137-0x00000000002B1000-0x00000000002B3000-memory.dmp (Filesize: 8KB)
- memory/4772-132-0x00000000002B0000-0x00000000005CF000-memory.dmp (Filesize: 3.1MB)
- memory/4772-138-0x00000000002B1000-0x00000000002B3000-memory.dmp (Filesize: 8KB)
- memory/4772-136-0x00000000002B0000-0x00000000005CF000-memory.dmp (Filesize: 3.1MB)
- memory/4772-140-0x00000000002B0000-0x00000000005CF000-memory.dmp (Filesize: 3.1MB)
- memory/4772-141-0x0000000077A70000-0x0000000077C13000-memory.dmp (Filesize: 1.6MB)
- memory/4772-135-0x00000000002B0000-0x00000000005CF000-memory.dmp (Filesize: 3.1MB)
- memory/4772-134-0x00000000030D0000-0x0000000003114000-memory.dmp (Filesize: 272KB)
- memory/4772-133-0x00000000002B0000-0x00000000005CF000-memory.dmp (Filesize: 3.1MB)
- memory/4968-145-0x00000000003D0000-0x00000000006EF000-memory.dmp (Filesize: 3.1MB)
- memory/4968-146-0x00000000027A0000-0x00000000027E4000-memory.dmp (Filesize: 272KB)
- memory/4968-147-0x00000000003D0000-0x00000000006EF000-memory.dmp (Filesize: 3.1MB)
- memory/4968-148-0x0000000077A70000-0x0000000077C13000-memory.dmp (Filesize: 1.6MB)
- memory/4968-150-0x00000000003D1000-0x00000000003D3000-memory.dmp (Filesize: 8KB)
- memory/4968-144-0x00000000003D0000-0x00000000006EF000-memory.dmp (Filesize: 3.1MB)
- memory/4968-152-0x00000000003D0000-0x00000000006EF000-memory.dmp (Filesize: 3.1MB)
- memory/4968-153-0x00000000027A0000-0x00000000027E4000-memory.dmp (Filesize: 272KB)
- memory/4968-154-0x0000000077A70000-0x0000000077C13000-memory.dmp (Filesize: 1.6MB)