Analysis
- max time kernel: 90s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20220812-en locale:en-us os:windows10-2004-x64 system
- submitted: 25-09-2022 04:42
- Static task: static1
General
- Target: d14e33bd84ffade39be39008082b658476d2ecb7917b8eab39db40a0bf481ab6.exe
- Size: 1.8MB
- MD5: 84d4f5883f0420bd2f1318847fdf6dc4
- SHA1: ba0fc02e7ebcefa8b916450498dcf303d075a6d7
- SHA256: d14e33bd84ffade39be39008082b658476d2ecb7917b8eab39db40a0bf481ab6
- SHA512: bdac8de434232a73fdf602b1dee4aeb647e83539b112911425ab246aeab2f81182fb9c3a7ad53b470dfc232c72a2e449455a386f60272287bb6127310351c2a0
- SSDEEP: 49152:AiSzCD+K95aLs7zeqLTVtXtHFIDP8EehiM8qZA:AiSzCD+K95aUeqFtXtHwEEehig
Malware Config
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
  Processes: d14e33bd84ffade39be39008082b658476d2ecb7917b8eab39db40a0bf481ab6.exe, oobeldr.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | d14e33bd84ffade39be39008082b658476d2ecb7917b8eab39db40a0bf481ab6.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | oobeldr.exe
Executes dropped EXE 1 IoCs
  Processes: oobeldr.exe
  pid | process
  1892 | oobeldr.exe
Checks BIOS information in registry 2 TTPs 4 IoCs
  BIOS information is often read in order to detect sandboxing environments.
  Processes: d14e33bd84ffade39be39008082b658476d2ecb7917b8eab39db40a0bf481ab6.exe, oobeldr.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | d14e33bd84ffade39be39008082b658476d2ecb7917b8eab39db40a0bf481ab6.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | d14e33bd84ffade39be39008082b658476d2ecb7917b8eab39db40a0bf481ab6.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | oobeldr.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | oobeldr.exe
Checks whether UAC is enabled
  Processes: d14e33bd84ffade39be39008082b658476d2ecb7917b8eab39db40a0bf481ab6.exe, oobeldr.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | d14e33bd84ffade39be39008082b658476d2ecb7917b8eab39db40a0bf481ab6.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | oobeldr.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
  Processes: d14e33bd84ffade39be39008082b658476d2ecb7917b8eab39db40a0bf481ab6.exe, oobeldr.exe
  pid | process
  520 | d14e33bd84ffade39be39008082b658476d2ecb7917b8eab39db40a0bf481ab6.exe
  520 | d14e33bd84ffade39be39008082b658476d2ecb7917b8eab39db40a0bf481ab6.exe
  1892 | oobeldr.exe
  1892 | oobeldr.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes: schtasks.exe, schtasks.exe
  pid | process
  2072 | schtasks.exe
  5080 | schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs
  Processes: d14e33bd84ffade39be39008082b658476d2ecb7917b8eab39db40a0bf481ab6.exe, oobeldr.exe
  pid | process
  520 | d14e33bd84ffade39be39008082b658476d2ecb7917b8eab39db40a0bf481ab6.exe
  520 | d14e33bd84ffade39be39008082b658476d2ecb7917b8eab39db40a0bf481ab6.exe
  520 | d14e33bd84ffade39be39008082b658476d2ecb7917b8eab39db40a0bf481ab6.exe
  520 | d14e33bd84ffade39be39008082b658476d2ecb7917b8eab39db40a0bf481ab6.exe
  1892 | oobeldr.exe
  1892 | oobeldr.exe
  1892 | oobeldr.exe
  1892 | oobeldr.exe
Suspicious use of WriteProcessMemory 6 IoCs
  Processes: d14e33bd84ffade39be39008082b658476d2ecb7917b8eab39db40a0bf481ab6.exe, oobeldr.exe
  description | pid | process | target process
  PID 520 wrote to memory of 2072 | 520 | d14e33bd84ffade39be39008082b658476d2ecb7917b8eab39db40a0bf481ab6.exe | schtasks.exe
  PID 520 wrote to memory of 2072 | 520 | d14e33bd84ffade39be39008082b658476d2ecb7917b8eab39db40a0bf481ab6.exe | schtasks.exe
  PID 520 wrote to memory of 2072 | 520 | d14e33bd84ffade39be39008082b658476d2ecb7917b8eab39db40a0bf481ab6.exe | schtasks.exe
  PID 1892 wrote to memory of 5080 | 1892 | oobeldr.exe | schtasks.exe
  PID 1892 wrote to memory of 5080 | 1892 | oobeldr.exe | schtasks.exe
  PID 1892 wrote to memory of 5080 | 1892 | oobeldr.exe | schtasks.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\d14e33bd84ffade39be39008082b658476d2ecb7917b8eab39db40a0bf481ab6.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\d14e33bd84ffade39be39008082b658476d2ecb7917b8eab39db40a0bf481ab6.exe"
  Signatures:
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (level 2)
    Command line: /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
    Signatures:
    - Creates scheduled task(s)
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe (level 1)
  Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  Signatures:
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (level 2)
    Command line: /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
    Signatures:
    - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  Filesize: 1.8MB
  MD5: 84d4f5883f0420bd2f1318847fdf6dc4
  SHA1: ba0fc02e7ebcefa8b916450498dcf303d075a6d7
  SHA256: d14e33bd84ffade39be39008082b658476d2ecb7917b8eab39db40a0bf481ab6
  SHA512: bdac8de434232a73fdf602b1dee4aeb647e83539b112911425ab246aeab2f81182fb9c3a7ad53b470dfc232c72a2e449455a386f60272287bb6127310351c2a0
- memory/520-142-0x0000000000E70000-0x000000000118F000-memory.dmp (Filesize: 3.1MB)
- memory/520-134-0x0000000000C40000-0x0000000000C84000-memory.dmp (Filesize: 272KB)
- memory/520-136-0x0000000000E70000-0x000000000118F000-memory.dmp (Filesize: 3.1MB)
- memory/520-137-0x0000000000E71000-0x0000000000E73000-memory.dmp (Filesize: 8KB)
- memory/520-138-0x0000000000E71000-0x0000000000E73000-memory.dmp (Filesize: 8KB)
- memory/520-133-0x0000000000E70000-0x000000000118F000-memory.dmp (Filesize: 3.1MB)
- memory/520-140-0x0000000000E70000-0x000000000118F000-memory.dmp (Filesize: 3.1MB)
- memory/520-141-0x0000000077B60000-0x0000000077D03000-memory.dmp (Filesize: 1.6MB)
- memory/520-132-0x0000000000E70000-0x000000000118F000-memory.dmp (Filesize: 3.1MB)
- memory/520-143-0x0000000000C40000-0x0000000000C84000-memory.dmp (Filesize: 272KB)
- memory/520-144-0x0000000077B60000-0x0000000077D03000-memory.dmp (Filesize: 1.6MB)
- memory/520-135-0x0000000000E70000-0x000000000118F000-memory.dmp (Filesize: 3.1MB)
- memory/1892-147-0x0000000000290000-0x00000000005AF000-memory.dmp (Filesize: 3.1MB)
- memory/1892-149-0x0000000000291000-0x0000000000293000-memory.dmp (Filesize: 8KB)
- memory/1892-151-0x0000000000290000-0x00000000005AF000-memory.dmp (Filesize: 3.1MB)
- memory/1892-152-0x0000000002770000-0x00000000027B4000-memory.dmp (Filesize: 272KB)
- memory/1892-153-0x0000000077B60000-0x0000000077D03000-memory.dmp (Filesize: 1.6MB)
- memory/1892-154-0x0000000000290000-0x00000000005AF000-memory.dmp (Filesize: 3.1MB)
- memory/1892-155-0x0000000002770000-0x00000000027B4000-memory.dmp (Filesize: 272KB)
- memory/2072-139-0x0000000000000000-mapping.dmp
- memory/5080-150-0x0000000000000000-mapping.dmp