40b09c0b0fc6f1ddb09aa6e5900a03d2d7e87b993ba14a83e7dc168a8ef550cb

General

Target

40b09c0b0fc6f1ddb09aa6e5900a03d2d7e87b993ba14a83e7dc168a8ef550cb.exe
Size

1.8MB
MD5

6acbe9b80e18017c49e9e79c5b72256c
SHA1

34306e7090d496ad9701889c420e85c5c0adbd8d
SHA256

40b09c0b0fc6f1ddb09aa6e5900a03d2d7e87b993ba14a83e7dc168a8ef550cb
SHA512

0b8da54e56622e3b4c8e2f40daf8da5a3168233b8f3ae8f8f5f8db474fd2cc598e9b944b8e48645015c264e12676b20da94d8ea71c9484cd7e7ff6310d52c9b5
SSDEEP

49152:AiSzCD+K95aLs7zeqLTVtXtHFIDP8EehiM8qZA:AiSzCD+K95aUeqFtXtHwEEehig

Score

9^/10

evasion trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	40b09c0b0fc6f1ddb09aa6e5900a03d2d7e87b993ba14a83e7dc168a8ef550cb.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	oobeldr.exe

Executes dropped EXE 1 IoCs

pid	Process
2032	oobeldr.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	40b09c0b0fc6f1ddb09aa6e5900a03d2d7e87b993ba14a83e7dc168a8ef550cb.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	40b09c0b0fc6f1ddb09aa6e5900a03d2d7e87b993ba14a83e7dc168a8ef550cb.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	oobeldr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	oobeldr.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	40b09c0b0fc6f1ddb09aa6e5900a03d2d7e87b993ba14a83e7dc168a8ef550cb.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	oobeldr.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
4624	40b09c0b0fc6f1ddb09aa6e5900a03d2d7e87b993ba14a83e7dc168a8ef550cb.exe
4624	40b09c0b0fc6f1ddb09aa6e5900a03d2d7e87b993ba14a83e7dc168a8ef550cb.exe
2032	oobeldr.exe
2032	oobeldr.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4248	schtasks.exe
4160	schtasks.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4624	40b09c0b0fc6f1ddb09aa6e5900a03d2d7e87b993ba14a83e7dc168a8ef550cb.exe
4624	40b09c0b0fc6f1ddb09aa6e5900a03d2d7e87b993ba14a83e7dc168a8ef550cb.exe
4624	40b09c0b0fc6f1ddb09aa6e5900a03d2d7e87b993ba14a83e7dc168a8ef550cb.exe
4624	40b09c0b0fc6f1ddb09aa6e5900a03d2d7e87b993ba14a83e7dc168a8ef550cb.exe
2032	oobeldr.exe
2032	oobeldr.exe
2032	oobeldr.exe
2032	oobeldr.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4624 wrote to memory of 4248	4624	40b09c0b0fc6f1ddb09aa6e5900a03d2d7e87b993ba14a83e7dc168a8ef550cb.exe	77
PID 4624 wrote to memory of 4248	4624	40b09c0b0fc6f1ddb09aa6e5900a03d2d7e87b993ba14a83e7dc168a8ef550cb.exe	77
PID 4624 wrote to memory of 4248	4624	40b09c0b0fc6f1ddb09aa6e5900a03d2d7e87b993ba14a83e7dc168a8ef550cb.exe	77
PID 2032 wrote to memory of 4160	2032	oobeldr.exe	88
PID 2032 wrote to memory of 4160	2032	oobeldr.exe	88
PID 2032 wrote to memory of 4160	2032	oobeldr.exe	88

C:\Users\Admin\AppData\Local\Temp\40b09c0b0fc6f1ddb09aa6e5900a03d2d7e87b993ba14a83e7dc168a8ef550cb.exe
"C:\Users\Admin\AppData\Local\Temp\40b09c0b0fc6f1ddb09aa6e5900a03d2d7e87b993ba14a83e7dc168a8ef550cb.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4624
- C:\Windows\SysWOW64\schtasks.exe
  /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
  2⤵
  - Creates scheduled task(s)
  PID:4248

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2032
- C:\Windows\SysWOW64\schtasks.exe
  /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
  2⤵
  - Creates scheduled task(s)
  PID:4160

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
1.8MB

MD5
6acbe9b80e18017c49e9e79c5b72256c

SHA1
34306e7090d496ad9701889c420e85c5c0adbd8d

SHA256
40b09c0b0fc6f1ddb09aa6e5900a03d2d7e87b993ba14a83e7dc168a8ef550cb

SHA512
0b8da54e56622e3b4c8e2f40daf8da5a3168233b8f3ae8f8f5f8db474fd2cc598e9b944b8e48645015c264e12676b20da94d8ea71c9484cd7e7ff6310d52c9b5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
1.8MB

MD5
6acbe9b80e18017c49e9e79c5b72256c

SHA1
34306e7090d496ad9701889c420e85c5c0adbd8d

SHA256
40b09c0b0fc6f1ddb09aa6e5900a03d2d7e87b993ba14a83e7dc168a8ef550cb

SHA512
0b8da54e56622e3b4c8e2f40daf8da5a3168233b8f3ae8f8f5f8db474fd2cc598e9b944b8e48645015c264e12676b20da94d8ea71c9484cd7e7ff6310d52c9b5

Download Submit
memory/2032-155-0x0000000002910000-0x0000000002954000-memory.dmp

Filesize
272KB

Download
memory/2032-154-0x00000000007A0000-0x0000000000ABF000-memory.dmp

Filesize
3.1MB

Download
memory/2032-153-0x0000000077100000-0x00000000772A3000-memory.dmp

Filesize
1.6MB

Download
memory/2032-151-0x00000000007A1000-0x00000000007A3000-memory.dmp

Filesize
8KB

Download
memory/2032-149-0x0000000002910000-0x0000000002954000-memory.dmp

Filesize
272KB

Download
memory/2032-148-0x00000000007A0000-0x0000000000ABF000-memory.dmp

Filesize
3.1MB

Download
memory/2032-147-0x00000000007A0000-0x0000000000ABF000-memory.dmp

Filesize
3.1MB

Download
memory/4624-138-0x0000000000930000-0x0000000000C4F000-memory.dmp

Filesize
3.1MB

Download
memory/4624-144-0x0000000077100000-0x00000000772A3000-memory.dmp

Filesize
1.6MB

Download
memory/4624-143-0x0000000002720000-0x0000000002764000-memory.dmp

Filesize
272KB

Download
memory/4624-142-0x0000000000930000-0x0000000000C4F000-memory.dmp

Filesize
3.1MB

Download
memory/4624-140-0x0000000077100000-0x00000000772A3000-memory.dmp

Filesize
1.6MB

Download
memory/4624-139-0x0000000000931000-0x0000000000933000-memory.dmp

Filesize
8KB

Download
memory/4624-137-0x0000000000931000-0x0000000000933000-memory.dmp

Filesize
8KB

Download
memory/4624-132-0x0000000000930000-0x0000000000C4F000-memory.dmp

Filesize
3.1MB

Download
memory/4624-136-0x0000000000930000-0x0000000000C4F000-memory.dmp

Filesize
3.1MB

Download
memory/4624-135-0x0000000000930000-0x0000000000C4F000-memory.dmp

Filesize
3.1MB

Download
memory/4624-134-0x0000000000930000-0x0000000000C4F000-memory.dmp

Filesize
3.1MB

Download
memory/4624-133-0x0000000002720000-0x0000000002764000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads