Analysis
-
max time kernel
93s -
max time network
143s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
-
submitted
01/10/2022, 19:51
General
-
Target
1cdf1fc527c7d244542942a09d9fdbf29b7f099aa6d70f31b7322163cbf65a72.exe
-
Size
1.8MB
-
MD5
40ca3e4641cc4264afd99289964a96c0
-
SHA1
ee251470638d9cd2bc5d4360d1f052530b0bcb58
-
SHA256
1cdf1fc527c7d244542942a09d9fdbf29b7f099aa6d70f31b7322163cbf65a72
-
SHA512
513267e7b65c1c5005a04acdcc7127b0d1051fd7432247e643b2e0f260aa7741537626054ad972ae9d9b2d9fca86f1b4ed7e437db4d941eedd066f873cf5da9c
-
SSDEEP
49152:AiSzCD+K95aLs7zeqLTVtXtHFIDP8EehiM8qZA:AiSzCD+K95aUeqFtXtHwEEehig
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
-
Executes dropped EXE 1 IoCs
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\1cdf1fc527c7d244542942a09d9fdbf29b7f099aa6d70f31b7322163cbf65a72.exe"C:\Users\Admin\AppData\Local\Temp\1cdf1fc527c7d244542942a09d9fdbf29b7f099aa6d70f31b7322163cbf65a72.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe/C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"2⤵
- Creates scheduled task(s)
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exeC:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe/C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"2⤵
- Creates scheduled task(s)
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.8MB
MD540ca3e4641cc4264afd99289964a96c0
SHA1ee251470638d9cd2bc5d4360d1f052530b0bcb58
SHA2561cdf1fc527c7d244542942a09d9fdbf29b7f099aa6d70f31b7322163cbf65a72
SHA512513267e7b65c1c5005a04acdcc7127b0d1051fd7432247e643b2e0f260aa7741537626054ad972ae9d9b2d9fca86f1b4ed7e437db4d941eedd066f873cf5da9c
-
Filesize
1.8MB
MD540ca3e4641cc4264afd99289964a96c0
SHA1ee251470638d9cd2bc5d4360d1f052530b0bcb58
SHA2561cdf1fc527c7d244542942a09d9fdbf29b7f099aa6d70f31b7322163cbf65a72
SHA512513267e7b65c1c5005a04acdcc7127b0d1051fd7432247e643b2e0f260aa7741537626054ad972ae9d9b2d9fca86f1b4ed7e437db4d941eedd066f873cf5da9c
-
Filesize
272KB
-
Filesize
3.1MB
-
Filesize
1.6MB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
1.6MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
272KB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
8KB
-
Filesize
272KB
-
Filesize
3.1MB
-
Filesize
1.6MB
-
Filesize
3.1MB
-
Filesize
272KB
-
Filesize
3.1MB