Analysis
max time kernel: 67s
max time network: 126s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29/09/2022, 19:25
Static task: static1
General
Target: b7abf3965ad21c9abdd8a54d36c5b28beeefe13948bd5c1ff9d27195b20024f0.exe
Size: 1.8MB
MD5: 3f16503c9c363f3ada46a5718e4ad98e
SHA1: 9ccff0c044bb392db3376006bfc7d0b44ffc75e5
SHA256: b7abf3965ad21c9abdd8a54d36c5b28beeefe13948bd5c1ff9d27195b20024f0
SHA512: a832f5aa0c9b35b4576d23fdada21fa309efb07ab0f5d8a9c275d8ebf352552442d76f3232d81e33545787eaad5dd7bfbeed42f9661473ece6eef3e50bb72746
SSDEEP: 49152:AiSzCD+K95aLs7zeqLTVtXtHFIDP8EehiM8qZA:AiSzCD+K95aUeqFtXtHwEEehig
Malware Config
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 2 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | oobeldr.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | b7abf3965ad21c9abdd8a54d36c5b28beeefe13948bd5c1ff9d27195b20024f0.exe
Executes dropped EXE (1 IoCs)
pid | Process
5036 | oobeldr.exe
Checks BIOS information in registry (2 TTPs, 4 IoCs)
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | b7abf3965ad21c9abdd8a54d36c5b28beeefe13948bd5c1ff9d27195b20024f0.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | b7abf3965ad21c9abdd8a54d36c5b28beeefe13948bd5c1ff9d27195b20024f0.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | oobeldr.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | oobeldr.exe
Checks whether UAC is enabled (2 IoCs)
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | b7abf3965ad21c9abdd8a54d36c5b28beeefe13948bd5c1ff9d27195b20024f0.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | oobeldr.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (4 IoCs)
pid | Process
4656 | b7abf3965ad21c9abdd8a54d36c5b28beeefe13948bd5c1ff9d27195b20024f0.exe
4656 | b7abf3965ad21c9abdd8a54d36c5b28beeefe13948bd5c1ff9d27195b20024f0.exe
5036 | oobeldr.exe
5036 | oobeldr.exe
Creates scheduled task(s) (1 TTPs, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
4892 | schtasks.exe
2796 | schtasks.exe
Suspicious behavior: EnumeratesProcesses (8 IoCs)
pid | Process
4656 | b7abf3965ad21c9abdd8a54d36c5b28beeefe13948bd5c1ff9d27195b20024f0.exe
4656 | b7abf3965ad21c9abdd8a54d36c5b28beeefe13948bd5c1ff9d27195b20024f0.exe
4656 | b7abf3965ad21c9abdd8a54d36c5b28beeefe13948bd5c1ff9d27195b20024f0.exe
4656 | b7abf3965ad21c9abdd8a54d36c5b28beeefe13948bd5c1ff9d27195b20024f0.exe
5036 | oobeldr.exe
5036 | oobeldr.exe
5036 | oobeldr.exe
5036 | oobeldr.exe
Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
PID 4656 wrote to memory of 4892 | 4656 | b7abf3965ad21c9abdd8a54d36c5b28beeefe13948bd5c1ff9d27195b20024f0.exe | 81
PID 4656 wrote to memory of 4892 | 4656 | b7abf3965ad21c9abdd8a54d36c5b28beeefe13948bd5c1ff9d27195b20024f0.exe | 81
PID 4656 wrote to memory of 4892 | 4656 | b7abf3965ad21c9abdd8a54d36c5b28beeefe13948bd5c1ff9d27195b20024f0.exe | 81
PID 5036 wrote to memory of 2796 | 5036 | oobeldr.exe | 92
PID 5036 wrote to memory of 2796 | 5036 | oobeldr.exe | 92
PID 5036 wrote to memory of 2796 | 5036 | oobeldr.exe | 92
Processes
C:\Users\Admin\AppData\Local\Temp\b7abf3965ad21c9abdd8a54d36c5b28beeefe13948bd5c1ff9d27195b20024f0.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\b7abf3965ad21c9abdd8a54d36c5b28beeefe13948bd5c1ff9d27195b20024f0.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 4656
  C:\Windows\SysWOW64\schtasks.exe (depth 2)
    Command line: /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
    - Creates scheduled task(s)
    PID: 4892

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe (depth 1)
  Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 5036
  C:\Windows\SysWOW64\schtasks.exe (depth 2)
    Command line: /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
    - Creates scheduled task(s)
    PID: 2796
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 1.8MB
MD5: 3f16503c9c363f3ada46a5718e4ad98e
SHA1: 9ccff0c044bb392db3376006bfc7d0b44ffc75e5
SHA256: b7abf3965ad21c9abdd8a54d36c5b28beeefe13948bd5c1ff9d27195b20024f0
SHA512: a832f5aa0c9b35b4576d23fdada21fa309efb07ab0f5d8a9c275d8ebf352552442d76f3232d81e33545787eaad5dd7bfbeed42f9661473ece6eef3e50bb72746
Filesize: 1.8MB
MD5: 3f16503c9c363f3ada46a5718e4ad98e
SHA1: 9ccff0c044bb392db3376006bfc7d0b44ffc75e5
SHA256: b7abf3965ad21c9abdd8a54d36c5b28beeefe13948bd5c1ff9d27195b20024f0
SHA512: a832f5aa0c9b35b4576d23fdada21fa309efb07ab0f5d8a9c275d8ebf352552442d76f3232d81e33545787eaad5dd7bfbeed42f9661473ece6eef3e50bb72746