Analysis
- max time kernel: 110s
- max time network: 113s
- platform: windows10-1703_x64
- resource: win10-20220812-en
- resource tags: arch:x64, arch:x86, image:win10-20220812-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 26-09-2022 01:07
- Static task: static1
General
- Target: cac6c7c315b35e0a16cf56bb4763d0a5f83f508c4b0aaaf95ea639d1d136c4d3.exe
- Size: 1.8MB
- MD5: d63221de2852a3e1044578f587a3d4f9
- SHA1: 5c79b0102e5635953b3b5130a74aaf3e34c5bbea
- SHA256: cac6c7c315b35e0a16cf56bb4763d0a5f83f508c4b0aaaf95ea639d1d136c4d3
- SHA512: caf8244289b7cedad4e6eeca4644e5f2e9cda234a4cabb735ea89acfb087e572af7fea2f66f1988b52d8f032934aa64e901d5b6a1940abdb80c4758adb69e432
- SSDEEP: 49152:AiSzCD+K95aLs7zeqLTVtXtHFIDP8EehiM8qZA:AiSzCD+K95aUeqFtXtHwEEehig
Malware Config
Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 2 IoCs)
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | oobeldr.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | cac6c7c315b35e0a16cf56bb4763d0a5f83f508c4b0aaaf95ea639d1d136c4d3.exe

Executes dropped EXE (1 IoC)
  pid | process
  1432 | oobeldr.exe

Checks BIOS information in registry (2 TTPs, 4 IoCs)
BIOS information is often read in order to detect sandboxing environments.
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | oobeldr.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | cac6c7c315b35e0a16cf56bb4763d0a5f83f508c4b0aaaf95ea639d1d136c4d3.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | cac6c7c315b35e0a16cf56bb4763d0a5f83f508c4b0aaaf95ea639d1d136c4d3.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | oobeldr.exe

Checks whether UAC is enabled (2 IoCs)
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | cac6c7c315b35e0a16cf56bb4763d0a5f83f508c4b0aaaf95ea639d1d136c4d3.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | oobeldr.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (4 IoCs)
  pid | process
  1748 | cac6c7c315b35e0a16cf56bb4763d0a5f83f508c4b0aaaf95ea639d1d136c4d3.exe (2 events)
  1432 | oobeldr.exe (2 events)

Creates scheduled task(s) (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | process
  3240 | schtasks.exe
  4796 | schtasks.exe

Suspicious behavior: EnumeratesProcesses (8 IoCs)
  pid | process
  1748 | cac6c7c315b35e0a16cf56bb4763d0a5f83f508c4b0aaaf95ea639d1d136c4d3.exe (4 events)
  1432 | oobeldr.exe (4 events)

Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | process | procid_target
  PID 1748 wrote to memory of 3240 | 1748 | cac6c7c315b35e0a16cf56bb4763d0a5f83f508c4b0aaaf95ea639d1d136c4d3.exe | 66 (3 events)
  PID 1432 wrote to memory of 4796 | 1432 | oobeldr.exe | 69 (3 events)
The only write targets are the schtasks.exe children each process spawned (PIDs 3240 and 4796 in the process tree); no writes into unrelated processes were recorded.
Processes

C:\Users\Admin\AppData\Local\Temp\cac6c7c315b35e0a16cf56bb4763d0a5f83f508c4b0aaaf95ea639d1d136c4d3.exe (PID 1748, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\cac6c7c315b35e0a16cf56bb4763d0a5f83f508c4b0aaaf95ea639d1d136c4d3.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\schtasks.exe (PID 3240, depth 2, child of 1748)
      arguments: /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
      - Creates scheduled task(s)

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe (PID 1432, depth 1)
  command line: C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  Appears as a separate root process rather than a child of 1748, which is consistent with it being started by the scheduled task registered above (the task's /tr action is this path).
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\schtasks.exe (PID 4796, depth 2, child of 1432)
      arguments: /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
      - Creates scheduled task(s)
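As an added example (not part of the sandbox report and not the sample's own code): detection logic in Python for the two behaviours the signatures and process tree document, run over constructed Sysmon-style event lines that reproduce the report's IoCs. The line format, the ProcessCreate/RegistryEvent kinds, the subset of schtasks options treated as value-taking, and the "two or more distinct anti-analysis values" threshold are assumptions of this example, not something the report states.

```python
"""Added detectors, run over constructed Sysmon-style event lines (hand-written sample
data, not real telemetry): schtasks persistence and anti-analysis registry reads."""
import re
from typing import Dict, List, Optional, Set, Tuple

# Registry values queried by both processes in the report (native \REGISTRY\MACHINE form).
ANTI_ANALYSIS_KEYS = {
    r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__": "virtualbox-acpi",
    r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion": "bios-version",
    r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion": "video-bios-version",
    r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA": "uac-status",
}
# A task action under the user's profile can be planted without admin rights.
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\", re.IGNORECASE)
# schtasks options that consume the next token as their value (assumed subset of the CLI).
VALUE_OPTS = {"/sc", "/mo", "/tn", "/tr", "/st", "/sd", "/ed", "/du", "/ri", "/ru", "/rp", "/rl", "/s", "/u", "/p", "/xml"}
# Assumed event line format: ts|kind|pid=N|image=PATH|key=value
EVENT_RE = re.compile(r"^(?P<ts>[^|]+)\|(?P<kind>[^|]+)\|pid=(?P<pid>\d+)\|image=(?P<image>[^|]+)\|(?P<key>\w+)=(?P<value>.*)$")

Finding = Dict[str, object]  # keys: rule, pid, image, details


def parse_schtasks(cmdline: str) -> Dict[str, Optional[str]]:
    """Map lower-cased schtasks options to their value (None for bare flags)."""
    toks = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]  # quoted spans stay whole
    opts: Dict[str, Optional[str]] = {}
    i = 1  # toks[0] is the schtasks.exe image path
    while i < len(toks):
        key = toks[i].lower()
        takes_value = key in VALUE_OPTS and i + 1 < len(toks)
        if key.startswith("/"):
            opts[key] = toks[i + 1] if takes_value else None
        i += 2 if takes_value else 1
    return opts


def interval_minutes(opts: Dict[str, Optional[str]]) -> Optional[int]:
    """Trigger period in minutes for /sc minute|hourly; None for other schedules (/mo defaults to 1)."""
    sc, mo = (opts.get("/sc") or "").lower(), opts.get("/mo") or "1"
    if sc not in ("minute", "hourly") or not mo.isdigit():
        return None
    return int(mo) * (1 if sc == "minute" else 60)


def check_schtasks(pid: int, image: str, cmdline: str) -> Optional[Finding]:
    """Flag a /create whose trigger or action matches the report's persistence pattern."""
    opts = parse_schtasks(cmdline)
    if "/create" not in opts:
        return None
    reasons: List[str] = []
    period = interval_minutes(opts)
    if period is not None and period <= 5:
        reasons.append(f"runs every {period} min (/sc {opts['/sc']} /mo {opts.get('/mo') or 1})")
    target = opts.get("/tr") or ""
    if USER_WRITABLE.match(target):
        reasons.append(f"action under user profile: {target}")
    if not reasons:
        return None
    if "/f" in opts:
        reasons.append("/F silently replaces any existing task of that name")
    reasons.append(f"task name: {opts.get('/tn')}")
    return {"rule": "schtasks-persistence", "pid": pid, "image": image, "details": reasons}


def analyze(lines: List[str]) -> List[Finding]:
    """One finding per suspicious schtasks launch, plus one per process reading >= 2 distinct anti-analysis values."""
    findings: List[Finding] = []
    reg: Dict[int, Tuple[str, Set[str]]] = {}  # pid -> (image, categories hit)
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        pid, image = int(m["pid"]), m["image"]
        if m["kind"] == "ProcessCreate" and m["key"] == "cmdline" and image.lower().endswith("\\schtasks.exe"):
            finding = check_schtasks(pid, image, m["value"])
            if finding:
                findings.append(finding)
        elif m["kind"] == "RegistryEvent" and m["key"] == "target" and m["value"] in ANTI_ANALYSIS_KEYS:
            reg.setdefault(pid, (image, set()))[1].add(ANTI_ANALYSIS_KEYS[m["value"]])
    for pid, (image, hit) in reg.items():
        if len(hit) >= 2:  # a lone BIOS read is routine noise; both report processes hit all four
            findings.append({"rule": "anti-analysis-registry", "pid": pid, "image": image, "details": sorted(hit)})
    return findings


# Constructed sample mirroring the report's process tree and registry IoCs.
MAIN = r"C:\Users\Admin\AppData\Local\Temp\cac6c7c315b35e0a16cf56bb4763d0a5f83f508c4b0aaaf95ea639d1d136c4d3.exe"
DROPPED = r"C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
SCHTASKS = r"C:\Windows\SysWOW64\schtasks.exe"
TASK_CMD = SCHTASKS + r' /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "' + DROPPED + '"'
SAMPLE = [f"2022-09-26 01:07:4{i}|RegistryEvent|pid={pid}|image={img}|target={key}"
          for pid, img in ((1748, MAIN), (1432, DROPPED)) for i, key in enumerate(ANTI_ANALYSIS_KEYS)] + [
    f"2022-09-26 01:07:45|ProcessCreate|pid=3240|image={SCHTASKS}|cmdline={TASK_CMD}",
    f"2022-09-26 01:08:50|ProcessCreate|pid=4796|image={SCHTASKS}|cmdline={TASK_CMD}",
    # Benign controls: a daily task outside the profile and a single BIOS read must not fire.
    r'2022-09-26 01:09:00|ProcessCreate|pid=5000|image=C:\Windows\System32\schtasks.exe|cmdline=C:\Windows\System32\schtasks.exe /create /sc daily /st 09:00 /tn Backup /tr "C:\Program Files\Backup\backup.exe"',
    r"2022-09-26 01:09:05|RegistryEvent|pid=5001|image=C:\Windows\System32\svchost.exe|target=\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion",
]

if __name__ == "__main__":
    for f in analyze(SAMPLE):
        print(f)
```

Run as a script it reports four findings: the two schtasks.exe launches (PIDs 3240 and 4796) flagged for a one-minute trigger whose action sits under AppData\Roaming, and the two processes (1748 and 1432) that each read all four anti-analysis values; the daily backup task and the lone SystemBiosVersion read in the control lines stay silent. The USER_WRITABLE and period thresholds are deliberately narrow so that ordinary hourly or daily admin tasks under Program Files do not trip the rule.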
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 1.8MB
  MD5: d63221de2852a3e1044578f587a3d4f9
  SHA1: 5c79b0102e5635953b3b5130a74aaf3e34c5bbea
  SHA256: cac6c7c315b35e0a16cf56bb4763d0a5f83f508c4b0aaaf95ea639d1d136c4d3
  SHA512: caf8244289b7cedad4e6eeca4644e5f2e9cda234a4cabb735ea89acfb087e572af7fea2f66f1988b52d8f032934aa64e901d5b6a1940abdb80c4758adb69e432