Analysis
max time kernel: 133s
max time network: 145s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-10-2022 03:58
Static task: static1
General
Target: 305b048306208ba215883addc0c6fa0b3010728ae4cdcc99a3c1913d630cd944.exe
Size: 1.8MB
MD5: 04206cdf4c07766d9af7aaaf3e7f750f
SHA1: 773281afa73d822f510ceba8b08f1a923b467d34
SHA256: 305b048306208ba215883addc0c6fa0b3010728ae4cdcc99a3c1913d630cd944
SHA512: 7681b99426ad45978cf13d6df77456b44d85c23e3405b9768a7c7a3511524d865cc892e4a512012f9ddda8c524bb27903d4d39488e4df26ab51c928abd291cc8
SSDEEP: 49152:AiSzCD+K95aLs7zeqLTVtXtHFIDP8EehiM8qZA:AiSzCD+K95aUeqFtXtHwEEehig
Malware Config
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM)  2 TTPs  2 IoCs
Processes:
  description   ioc                                           process
  Key opened    \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__   305b048306208ba215883addc0c6fa0b3010728ae4cdcc99a3c1913d630cd944.exe
  Key opened    \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__   oobeldr.exe

Executes dropped EXE  1 IoCs
Processes:
  pid    process
  4532   oobeldr.exe

Checks BIOS information in registry  2 TTPs  4 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
  description         ioc                                                             process
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion    oobeldr.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion   305b048306208ba215883addc0c6fa0b3010728ae4cdcc99a3c1913d630cd944.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion    305b048306208ba215883addc0c6fa0b3010728ae4cdcc99a3c1913d630cd944.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion   oobeldr.exe
Checks whether UAC is enabled  2 IoCs
Processes:
  description         ioc                                                                            process
  Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   305b048306208ba215883addc0c6fa0b3010728ae4cdcc99a3c1913d630cd944.exe
  Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   oobeldr.exe
Suspicious use of NtSetInformationThreadHideFromDebugger  4 IoCs
Processes:
  pid    process
  4496   305b048306208ba215883addc0c6fa0b3010728ae4cdcc99a3c1913d630cd944.exe
  4496   305b048306208ba215883addc0c6fa0b3010728ae4cdcc99a3c1913d630cd944.exe
  4532   oobeldr.exe
  4532   oobeldr.exe

Creates scheduled task(s)  1 TTPs  2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
  pid    process
  2104   schtasks.exe
  4884   schtasks.exe

Suspicious behavior: EnumeratesProcesses  8 IoCs
Processes:
  pid    process
  4496   305b048306208ba215883addc0c6fa0b3010728ae4cdcc99a3c1913d630cd944.exe
  4496   305b048306208ba215883addc0c6fa0b3010728ae4cdcc99a3c1913d630cd944.exe
  4496   305b048306208ba215883addc0c6fa0b3010728ae4cdcc99a3c1913d630cd944.exe
  4496   305b048306208ba215883addc0c6fa0b3010728ae4cdcc99a3c1913d630cd944.exe
  4532   oobeldr.exe
  4532   oobeldr.exe
  4532   oobeldr.exe
  4532   oobeldr.exe

Suspicious use of WriteProcessMemory  6 IoCs
Processes:
  description                         pid    process                                                                 target process
  PID 4496 wrote to memory of 4884    4496   305b048306208ba215883addc0c6fa0b3010728ae4cdcc99a3c1913d630cd944.exe   schtasks.exe
  PID 4496 wrote to memory of 4884    4496   305b048306208ba215883addc0c6fa0b3010728ae4cdcc99a3c1913d630cd944.exe   schtasks.exe
  PID 4496 wrote to memory of 4884    4496   305b048306208ba215883addc0c6fa0b3010728ae4cdcc99a3c1913d630cd944.exe   schtasks.exe
  PID 4532 wrote to memory of 2104    4532   oobeldr.exe                                                             schtasks.exe
  PID 4532 wrote to memory of 2104    4532   oobeldr.exe                                                             schtasks.exe
  PID 4532 wrote to memory of 2104    4532   oobeldr.exe                                                             schtasks.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\305b048306208ba215883addc0c6fa0b3010728ae4cdcc99a3c1913d630cd944.exe (tree level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\305b048306208ba215883addc0c6fa0b3010728ae4cdcc99a3c1913d630cd944.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (tree level 2)
    Command line: /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
    - Creates scheduled task(s)
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe (tree level 1)
  Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (tree level 2)
    Command line: /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
    - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  Filesize: 1.8MB
  MD5: 04206cdf4c07766d9af7aaaf3e7f750f
  SHA1: 773281afa73d822f510ceba8b08f1a923b467d34
  SHA256: 305b048306208ba215883addc0c6fa0b3010728ae4cdcc99a3c1913d630cd944
  SHA512: 7681b99426ad45978cf13d6df77456b44d85c23e3405b9768a7c7a3511524d865cc892e4a512012f9ddda8c524bb27903d4d39488e4df26ab51c928abd291cc8
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  Filesize: 1.8MB
  MD5: 04206cdf4c07766d9af7aaaf3e7f750f
  SHA1: 773281afa73d822f510ceba8b08f1a923b467d34
  SHA256: 305b048306208ba215883addc0c6fa0b3010728ae4cdcc99a3c1913d630cd944
  SHA512: 7681b99426ad45978cf13d6df77456b44d85c23e3405b9768a7c7a3511524d865cc892e4a512012f9ddda8c524bb27903d4d39488e4df26ab51c928abd291cc8
  (The dropped oobeldr.exe carries the same size and hashes as the submitted sample, i.e. the sample copies itself to the Protect directory and registers that copy as the scheduled task target.)

Memory dumps
- memory/2104-147-0x0000000000000000-mapping.dmp
- memory/4496-137-0x0000000000A31000-0x0000000000A33000-memory.dmp  Filesize: 8KB
- memory/4496-136-0x0000000000A30000-0x0000000000D4F000-memory.dmp  Filesize: 3.1MB
- memory/4496-132-0x0000000000A30000-0x0000000000D4F000-memory.dmp  Filesize: 3.1MB
- memory/4496-138-0x0000000000A31000-0x0000000000A33000-memory.dmp  Filesize: 8KB
- memory/4496-133-0x0000000000A30000-0x0000000000D4F000-memory.dmp  Filesize: 3.1MB
- memory/4496-140-0x0000000000A30000-0x0000000000D4F000-memory.dmp  Filesize: 3.1MB
- memory/4496-141-0x0000000077950000-0x0000000077AF3000-memory.dmp  Filesize: 1.6MB
- memory/4496-135-0x0000000000A30000-0x0000000000D4F000-memory.dmp  Filesize: 3.1MB
- memory/4496-134-0x00000000010D0000-0x0000000001114000-memory.dmp  Filesize: 272KB
- memory/4532-144-0x0000000000850000-0x0000000000B6F000-memory.dmp  Filesize: 3.1MB
- memory/4532-146-0x0000000000851000-0x0000000000853000-memory.dmp  Filesize: 8KB
- memory/4532-148-0x0000000000850000-0x0000000000B6F000-memory.dmp  Filesize: 3.1MB
- memory/4532-149-0x0000000000460000-0x00000000004A4000-memory.dmp  Filesize: 272KB
- memory/4532-150-0x0000000077950000-0x0000000077AF3000-memory.dmp  Filesize: 1.6MB
- memory/4532-151-0x0000000000850000-0x0000000000B6F000-memory.dmp  Filesize: 3.1MB
- memory/4532-152-0x0000000000460000-0x00000000004A4000-memory.dmp  Filesize: 272KB
- memory/4884-139-0x0000000000000000-mapping.dmp