Analysis
- max time kernel: 170s
- max time network: 181s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03-10-2022 03:53
- Static task: static1
General
- Target: bd41eb88a8931214d5936b953e23afd0f454e569f59f55a578dd0ad02fd67ebd.exe
- Size: 1.8MB
- MD5: 63ee2bb19f0a90f4cb217fa18a7c06a2
- SHA1: 6dd22dc58c32236a22277c776adceb84f008359e
- SHA256: bd41eb88a8931214d5936b953e23afd0f454e569f59f55a578dd0ad02fd67ebd
- SHA512: 9c2b027ff2f232245af0202c6035788ff5aca4f43a6bc1c987b9218130b634cf0ad7b090a51dc005155f4b7f9f3ae1b0b0e7e512906a784325cda9631caefb8c
- SSDEEP: 49152:AiSzCD+K95aLs7zeqLTVtXtHFIDP8EehiM8qZA:AiSzCD+K95aUeqFtXtHwEEehig
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) | 2 TTPs | 2 IoCs
  Processes: bd41eb88a8931214d5936b953e23afd0f454e569f59f55a578dd0ad02fd67ebd.exe, oobeldr.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | bd41eb88a8931214d5936b953e23afd0f454e569f59f55a578dd0ad02fd67ebd.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | oobeldr.exe
- Executes dropped EXE | 1 IoCs
  Processes: oobeldr.exe
  pid | process
  480 | oobeldr.exe
- Checks BIOS information in registry | 2 TTPs | 4 IoCs
  BIOS information is often read in order to detect sandboxing environments.
  Processes: bd41eb88a8931214d5936b953e23afd0f454e569f59f55a578dd0ad02fd67ebd.exe, oobeldr.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | bd41eb88a8931214d5936b953e23afd0f454e569f59f55a578dd0ad02fd67ebd.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | bd41eb88a8931214d5936b953e23afd0f454e569f59f55a578dd0ad02fd67ebd.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | oobeldr.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | oobeldr.exe
- Checks whether UAC is enabled
  Processes: bd41eb88a8931214d5936b953e23afd0f454e569f59f55a578dd0ad02fd67ebd.exe, oobeldr.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | bd41eb88a8931214d5936b953e23afd0f454e569f59f55a578dd0ad02fd67ebd.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | oobeldr.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger | 4 IoCs
  Processes: bd41eb88a8931214d5936b953e23afd0f454e569f59f55a578dd0ad02fd67ebd.exe, oobeldr.exe
  pid | process
  4640 | bd41eb88a8931214d5936b953e23afd0f454e569f59f55a578dd0ad02fd67ebd.exe
  4640 | bd41eb88a8931214d5936b953e23afd0f454e569f59f55a578dd0ad02fd67ebd.exe
  480 | oobeldr.exe
  480 | oobeldr.exe
- Creates scheduled task(s) | 1 TTPs | 2 IoCs
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes: schtasks.exe, schtasks.exe
  pid | process
  5116 | schtasks.exe
  5068 | schtasks.exe
- Suspicious behavior: EnumeratesProcesses | 8 IoCs
  Processes: bd41eb88a8931214d5936b953e23afd0f454e569f59f55a578dd0ad02fd67ebd.exe, oobeldr.exe
  pid | process
  4640 | bd41eb88a8931214d5936b953e23afd0f454e569f59f55a578dd0ad02fd67ebd.exe
  4640 | bd41eb88a8931214d5936b953e23afd0f454e569f59f55a578dd0ad02fd67ebd.exe
  4640 | bd41eb88a8931214d5936b953e23afd0f454e569f59f55a578dd0ad02fd67ebd.exe
  4640 | bd41eb88a8931214d5936b953e23afd0f454e569f59f55a578dd0ad02fd67ebd.exe
  480 | oobeldr.exe
  480 | oobeldr.exe
  480 | oobeldr.exe
  480 | oobeldr.exe
- Suspicious use of WriteProcessMemory | 6 IoCs
  Processes: bd41eb88a8931214d5936b953e23afd0f454e569f59f55a578dd0ad02fd67ebd.exe, oobeldr.exe
  description | pid | process | target process
  PID 4640 wrote to memory of 5116 | 4640 | bd41eb88a8931214d5936b953e23afd0f454e569f59f55a578dd0ad02fd67ebd.exe | schtasks.exe
  PID 4640 wrote to memory of 5116 | 4640 | bd41eb88a8931214d5936b953e23afd0f454e569f59f55a578dd0ad02fd67ebd.exe | schtasks.exe
  PID 4640 wrote to memory of 5116 | 4640 | bd41eb88a8931214d5936b953e23afd0f454e569f59f55a578dd0ad02fd67ebd.exe | schtasks.exe
  PID 480 wrote to memory of 5068 | 480 | oobeldr.exe | schtasks.exe
  PID 480 wrote to memory of 5068 | 480 | oobeldr.exe | schtasks.exe
  PID 480 wrote to memory of 5068 | 480 | oobeldr.exe | schtasks.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\bd41eb88a8931214d5936b953e23afd0f454e569f59f55a578dd0ad02fd67ebd.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\bd41eb88a8931214d5936b953e23afd0f454e569f59f55a578dd0ad02fd67ebd.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (depth 2)
    Command line: /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
    - Creates scheduled task(s)
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe (depth 1)
  Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (depth 2)
    Command line: /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
    - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  Filesize: 1.8MB
  MD5: 63ee2bb19f0a90f4cb217fa18a7c06a2
  SHA1: 6dd22dc58c32236a22277c776adceb84f008359e
  SHA256: bd41eb88a8931214d5936b953e23afd0f454e569f59f55a578dd0ad02fd67ebd
  SHA512: 9c2b027ff2f232245af0202c6035788ff5aca4f43a6bc1c987b9218130b634cf0ad7b090a51dc005155f4b7f9f3ae1b0b0e7e512906a784325cda9631caefb8c
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  Filesize: 1.8MB
  MD5: 63ee2bb19f0a90f4cb217fa18a7c06a2
  SHA1: 6dd22dc58c32236a22277c776adceb84f008359e
  SHA256: bd41eb88a8931214d5936b953e23afd0f454e569f59f55a578dd0ad02fd67ebd
  SHA512: 9c2b027ff2f232245af0202c6035788ff5aca4f43a6bc1c987b9218130b634cf0ad7b090a51dc005155f4b7f9f3ae1b0b0e7e512906a784325cda9631caefb8c
- memory/480-156-0x00000000003D0000-0x00000000006EF000-memory.dmp (Filesize: 3.1MB)
- memory/480-155-0x0000000000B00000-0x0000000000B44000-memory.dmp (Filesize: 272KB)
- memory/480-154-0x00000000003D0000-0x00000000006EF000-memory.dmp (Filesize: 3.1MB)
- memory/480-152-0x00000000003D0000-0x00000000006EF000-memory.dmp (Filesize: 3.1MB)
- memory/480-153-0x0000000077500000-0x00000000776A3000-memory.dmp (Filesize: 1.6MB)
- memory/480-150-0x00000000003D1000-0x00000000003D3000-memory.dmp (Filesize: 8KB)
- memory/480-148-0x0000000000B00000-0x0000000000B44000-memory.dmp (Filesize: 272KB)
- memory/480-147-0x00000000003D0000-0x00000000006EF000-memory.dmp (Filesize: 3.1MB)
- memory/4640-135-0x0000000000080000-0x000000000039F000-memory.dmp (Filesize: 3.1MB)
- memory/4640-143-0x0000000077500000-0x00000000776A3000-memory.dmp (Filesize: 1.6MB)
- memory/4640-142-0x0000000000080000-0x000000000039F000-memory.dmp (Filesize: 3.1MB)
- memory/4640-140-0x0000000077500000-0x00000000776A3000-memory.dmp (Filesize: 1.6MB)
- memory/4640-138-0x0000000000081000-0x0000000000083000-memory.dmp (Filesize: 8KB)
- memory/4640-139-0x0000000000080000-0x000000000039F000-memory.dmp (Filesize: 3.1MB)
- memory/4640-132-0x0000000000080000-0x000000000039F000-memory.dmp (Filesize: 3.1MB)
- memory/4640-137-0x0000000000080000-0x000000000039F000-memory.dmp (Filesize: 3.1MB)
- memory/4640-136-0x0000000000081000-0x0000000000083000-memory.dmp (Filesize: 8KB)
- memory/4640-134-0x00000000030F0000-0x0000000003134000-memory.dmp (Filesize: 272KB)
- memory/4640-133-0x0000000000080000-0x000000000039F000-memory.dmp (Filesize: 3.1MB)
- memory/5068-151-0x0000000000000000-mapping.dmp
- memory/5116-141-0x0000000000000000-mapping.dmp