Analysis

max time kernel: 91s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29/09/2022, 14:49
Static task: static1
General

Target: 47483d0595f7eb01236b2d68240d80a0712368e0ebbebad938f744546c5a989c.exe
Size: 1.8MB
MD5: e27dbc7153904f186e97799eee0c28df
SHA1: cd196da7b28c5d3aa921c461c892d9505bdaf31e
SHA256: 47483d0595f7eb01236b2d68240d80a0712368e0ebbebad938f744546c5a989c
SHA512: 778159eba87f446a6eb48faeaf02b08d9d8516d5baf5dd022b8f2705c4e444ff6e53a1b7c5a30df64a93e2738ef86a02e087628932d9b3892c1ac21a6d2111b7
SSDEEP: 49152:AiSzCD+K95aLs7zeqLTVtXtHFIDP8EehiM8qZA:AiSzCD+K95aUeqFtXtHwEEehig
Malware Config
Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
  description   ioc                                          Process
  Key opened    \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  47483d0595f7eb01236b2d68240d80a0712368e0ebbebad938f744546c5a989c.exe
  Key opened    \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  oobeldr.exe

Executes dropped EXE 1 IoCs
  pid   Process
  2100  oobeldr.exe

Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
  description        ioc                                                              Process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  47483d0595f7eb01236b2d68240d80a0712368e0ebbebad938f744546c5a989c.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   47483d0595f7eb01236b2d68240d80a0712368e0ebbebad938f744546c5a989c.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  oobeldr.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   oobeldr.exe

Checks whether UAC is enabled 2 IoCs
  description        ioc                                                                           Process
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  47483d0595f7eb01236b2d68240d80a0712368e0ebbebad938f744546c5a989c.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  oobeldr.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
  pid   Process
  1192  47483d0595f7eb01236b2d68240d80a0712368e0ebbebad938f744546c5a989c.exe
  1192  47483d0595f7eb01236b2d68240d80a0712368e0ebbebad938f744546c5a989c.exe
  2100  oobeldr.exe
  2100  oobeldr.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   Process
  2824  schtasks.exe
  3136  schtasks.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs
  pid   Process
  1192  47483d0595f7eb01236b2d68240d80a0712368e0ebbebad938f744546c5a989c.exe
  1192  47483d0595f7eb01236b2d68240d80a0712368e0ebbebad938f744546c5a989c.exe
  1192  47483d0595f7eb01236b2d68240d80a0712368e0ebbebad938f744546c5a989c.exe
  1192  47483d0595f7eb01236b2d68240d80a0712368e0ebbebad938f744546c5a989c.exe
  2100  oobeldr.exe
  2100  oobeldr.exe
  2100  oobeldr.exe
  2100  oobeldr.exe

Suspicious use of WriteProcessMemory 6 IoCs
  description                       pid   Process                                                                procid_target
  PID 1192 wrote to memory of 2824  1192  47483d0595f7eb01236b2d68240d80a0712368e0ebbebad938f744546c5a989c.exe  79
  PID 1192 wrote to memory of 2824  1192  47483d0595f7eb01236b2d68240d80a0712368e0ebbebad938f744546c5a989c.exe  79
  PID 1192 wrote to memory of 2824  1192  47483d0595f7eb01236b2d68240d80a0712368e0ebbebad938f744546c5a989c.exe  79
  PID 2100 wrote to memory of 3136  2100  oobeldr.exe                                                            89
  PID 2100 wrote to memory of 3136  2100  oobeldr.exe                                                            89
  PID 2100 wrote to memory of 3136  2100  oobeldr.exe                                                            89
Processes

- C:\Users\Admin\AppData\Local\Temp\47483d0595f7eb01236b2d68240d80a0712368e0ebbebad938f744546c5a989c.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\47483d0595f7eb01236b2d68240d80a0712368e0ebbebad938f744546c5a989c.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 1192

  - C:\Windows\SysWOW64\schtasks.exe (depth 2)
    Command line: /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
    - Creates scheduled task(s)
    PID: 2824

- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe (depth 1)
  Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 2100

  - C:\Windows\SysWOW64\schtasks.exe (depth 2)
    Command line: /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
    - Creates scheduled task(s)
    PID: 3136
Network
MITRE ATT&CK Enterprise v6
Downloads

- Filesize: 1.8MB
  MD5: e27dbc7153904f186e97799eee0c28df
  SHA1: cd196da7b28c5d3aa921c461c892d9505bdaf31e
  SHA256: 47483d0595f7eb01236b2d68240d80a0712368e0ebbebad938f744546c5a989c
  SHA512: 778159eba87f446a6eb48faeaf02b08d9d8516d5baf5dd022b8f2705c4e444ff6e53a1b7c5a30df64a93e2738ef86a02e087628932d9b3892c1ac21a6d2111b7

- Filesize: 1.8MB
  MD5: e27dbc7153904f186e97799eee0c28df
  SHA1: cd196da7b28c5d3aa921c461c892d9505bdaf31e
  SHA256: 47483d0595f7eb01236b2d68240d80a0712368e0ebbebad938f744546c5a989c
  SHA512: 778159eba87f446a6eb48faeaf02b08d9d8516d5baf5dd022b8f2705c4e444ff6e53a1b7c5a30df64a93e2738ef86a02e087628932d9b3892c1ac21a6d2111b7