Analysis
- max time kernel: 106s
- max time network: 139s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-09-2022 07:29
- Static task: static1
General
- Target: 9d349fddce74d7221a1c83dee99d1f5716ccb46e427da4fa5fa4dc3aa42cc3b8.exe
- Size: 1.8MB
- MD5: 8fb2922b82167c275bbeb54ec76c4f52
- SHA1: f995cb09ca125146f6551b64b37a4f417f4f45f3
- SHA256: 9d349fddce74d7221a1c83dee99d1f5716ccb46e427da4fa5fa4dc3aa42cc3b8
- SHA512: c1b3f5af5c20df1659c14e58cba19a74fb27bc132dd3e60e31d59205875793c9a09ab25fff469f71549cf266a10960c38853a0209e9000f1423b40f79e81580b
- SSDEEP: 49152:AiSzCD+K95aLs7zeqLTVtXtHFIDP8EehiM8qZA:AiSzCD+K95aUeqFtXtHwEEehig
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
  Processes: oobeldr.exe, 9d349fddce74d7221a1c83dee99d1f5716ccb46e427da4fa5fa4dc3aa42cc3b8.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | oobeldr.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 9d349fddce74d7221a1c83dee99d1f5716ccb46e427da4fa5fa4dc3aa42cc3b8.exe

- Executes dropped EXE 1 IoCs
  Processes: oobeldr.exe
  pid | process
  1708 | oobeldr.exe

- Checks BIOS information in registry 2 TTPs 4 IoCs
  BIOS information is often read in order to detect sandboxing environments.
  Processes: 9d349fddce74d7221a1c83dee99d1f5716ccb46e427da4fa5fa4dc3aa42cc3b8.exe, oobeldr.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 9d349fddce74d7221a1c83dee99d1f5716ccb46e427da4fa5fa4dc3aa42cc3b8.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 9d349fddce74d7221a1c83dee99d1f5716ccb46e427da4fa5fa4dc3aa42cc3b8.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | oobeldr.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | oobeldr.exe

- Checks whether UAC is enabled 2 IoCs
  Processes: 9d349fddce74d7221a1c83dee99d1f5716ccb46e427da4fa5fa4dc3aa42cc3b8.exe, oobeldr.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 9d349fddce74d7221a1c83dee99d1f5716ccb46e427da4fa5fa4dc3aa42cc3b8.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | oobeldr.exe

- Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
  Processes: 9d349fddce74d7221a1c83dee99d1f5716ccb46e427da4fa5fa4dc3aa42cc3b8.exe, oobeldr.exe
  pid | process
  4064 | 9d349fddce74d7221a1c83dee99d1f5716ccb46e427da4fa5fa4dc3aa42cc3b8.exe
  4064 | 9d349fddce74d7221a1c83dee99d1f5716ccb46e427da4fa5fa4dc3aa42cc3b8.exe
  1708 | oobeldr.exe
  1708 | oobeldr.exe

- Creates scheduled task(s) 1 TTPs 2 IoCs
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes: schtasks.exe, schtasks.exe
  pid | process
  1404 | schtasks.exe
  3548 | schtasks.exe

- Suspicious behavior: EnumeratesProcesses 8 IoCs
  Processes: 9d349fddce74d7221a1c83dee99d1f5716ccb46e427da4fa5fa4dc3aa42cc3b8.exe, oobeldr.exe
  pid | process
  4064 | 9d349fddce74d7221a1c83dee99d1f5716ccb46e427da4fa5fa4dc3aa42cc3b8.exe
  4064 | 9d349fddce74d7221a1c83dee99d1f5716ccb46e427da4fa5fa4dc3aa42cc3b8.exe
  4064 | 9d349fddce74d7221a1c83dee99d1f5716ccb46e427da4fa5fa4dc3aa42cc3b8.exe
  4064 | 9d349fddce74d7221a1c83dee99d1f5716ccb46e427da4fa5fa4dc3aa42cc3b8.exe
  1708 | oobeldr.exe
  1708 | oobeldr.exe
  1708 | oobeldr.exe
  1708 | oobeldr.exe

- Suspicious use of WriteProcessMemory 6 IoCs
  Processes: 9d349fddce74d7221a1c83dee99d1f5716ccb46e427da4fa5fa4dc3aa42cc3b8.exe, oobeldr.exe
  description | pid | process | target process
  PID 4064 wrote to memory of 1404 | 4064 | 9d349fddce74d7221a1c83dee99d1f5716ccb46e427da4fa5fa4dc3aa42cc3b8.exe | schtasks.exe
  PID 4064 wrote to memory of 1404 | 4064 | 9d349fddce74d7221a1c83dee99d1f5716ccb46e427da4fa5fa4dc3aa42cc3b8.exe | schtasks.exe
  PID 4064 wrote to memory of 1404 | 4064 | 9d349fddce74d7221a1c83dee99d1f5716ccb46e427da4fa5fa4dc3aa42cc3b8.exe | schtasks.exe
  PID 1708 wrote to memory of 3548 | 1708 | oobeldr.exe | schtasks.exe
  PID 1708 wrote to memory of 3548 | 1708 | oobeldr.exe | schtasks.exe
  PID 1708 wrote to memory of 3548 | 1708 | oobeldr.exe | schtasks.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\9d349fddce74d7221a1c83dee99d1f5716ccb46e427da4fa5fa4dc3aa42cc3b8.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\9d349fddce74d7221a1c83dee99d1f5716ccb46e427da4fa5fa4dc3aa42cc3b8.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (depth 2)
    Command line: /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
    - Creates scheduled task(s)
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe (depth 1)
  Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (depth 2)
    Command line: /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
    - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  Filesize: 1.8MB
  MD5: 8fb2922b82167c275bbeb54ec76c4f52
  SHA1: f995cb09ca125146f6551b64b37a4f417f4f45f3
  SHA256: 9d349fddce74d7221a1c83dee99d1f5716ccb46e427da4fa5fa4dc3aa42cc3b8
  SHA512: c1b3f5af5c20df1659c14e58cba19a74fb27bc132dd3e60e31d59205875793c9a09ab25fff469f71549cf266a10960c38853a0209e9000f1423b40f79e81580b
- memory/1404-136-0x0000000000000000-mapping.dmp
- memory/1708-144-0x0000000000E01000-0x0000000000E03000-memory.dmp, Filesize: 8KB
- memory/1708-150-0x0000000001620000-0x0000000001664000-memory.dmp, Filesize: 272KB
- memory/1708-149-0x0000000000E00000-0x000000000111F000-memory.dmp, Filesize: 3.1MB
- memory/1708-148-0x0000000077C70000-0x0000000077E13000-memory.dmp, Filesize: 1.6MB
- memory/1708-147-0x0000000001620000-0x0000000001664000-memory.dmp, Filesize: 272KB
- memory/1708-146-0x0000000000E00000-0x000000000111F000-memory.dmp, Filesize: 3.1MB
- memory/1708-142-0x0000000000E00000-0x000000000111F000-memory.dmp, Filesize: 3.1MB
- memory/3548-145-0x0000000000000000-mapping.dmp
- memory/4064-138-0x0000000000560000-0x000000000087F000-memory.dmp, Filesize: 3.1MB
- memory/4064-133-0x0000000000560000-0x000000000087F000-memory.dmp, Filesize: 3.1MB
- memory/4064-134-0x0000000000561000-0x0000000000563000-memory.dmp, Filesize: 8KB
- memory/4064-139-0x0000000077C70000-0x0000000077E13000-memory.dmp, Filesize: 1.6MB
- memory/4064-135-0x0000000000561000-0x0000000000563000-memory.dmp, Filesize: 8KB
- memory/4064-137-0x0000000002A20000-0x0000000002A64000-memory.dmp, Filesize: 272KB
- memory/4064-132-0x0000000000560000-0x000000000087F000-memory.dmp, Filesize: 3.1MB