Analysis
- max time kernel: 87s
- max time network: 144s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03-10-2022 06:15
- Static task: static1
General
- Target: 8f2621be73adf509471ab611032f457348b97db11e84098cd2188f0b748a8479.exe
- Size: 1.8MB
- MD5: 6d1943fbc89a0b49b526eaf2f6b29a12
- SHA1: 49ded11616c4e60f1d76e74201405c19b620f3e4
- SHA256: 8f2621be73adf509471ab611032f457348b97db11e84098cd2188f0b748a8479
- SHA512: f6b75111d760509fee077280521ac4ac5812d931acd8a5f0cf73f8bdaa1b20d3859c8b1f3285bf7a601a33093bb7a2b33042859725d87371c6d1e60a24139151
- SSDEEP: 49152:AiSzCD+K95aLs7zeqLTVtXtHFIDP8EehiM8qZA:AiSzCD+K95aUeqFtXtHwEEehig
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
Processes: 8f2621be73adf509471ab611032f457348b97db11e84098cd2188f0b748a8479.exe, oobeldr.exe
- Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (process: 8f2621be73adf509471ab611032f457348b97db11e84098cd2188f0b748a8479.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (process: oobeldr.exe)
-
Executes dropped EXE 1 IoCs
Processes: oobeldr.exe
- pid 4264: oobeldr.exe
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes: 8f2621be73adf509471ab611032f457348b97db11e84098cd2188f0b748a8479.exe, oobeldr.exe
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (process: 8f2621be73adf509471ab611032f457348b97db11e84098cd2188f0b748a8479.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (process: 8f2621be73adf509471ab611032f457348b97db11e84098cd2188f0b748a8479.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (process: oobeldr.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (process: oobeldr.exe)
-
Checks whether UAC is enabled 2 IoCs
Processes: 8f2621be73adf509471ab611032f457348b97db11e84098cd2188f0b748a8479.exe, oobeldr.exe
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (process: 8f2621be73adf509471ab611032f457348b97db11e84098cd2188f0b748a8479.exe)
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (process: oobeldr.exe)
-
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
Processes: 8f2621be73adf509471ab611032f457348b97db11e84098cd2188f0b748a8479.exe, oobeldr.exe
- pid 3136: 8f2621be73adf509471ab611032f457348b97db11e84098cd2188f0b748a8479.exe
- pid 3136: 8f2621be73adf509471ab611032f457348b97db11e84098cd2188f0b748a8479.exe
- pid 4264: oobeldr.exe
- pid 4264: oobeldr.exe
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe, schtasks.exe
- pid 3824: schtasks.exe
- pid 1732: schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes: 8f2621be73adf509471ab611032f457348b97db11e84098cd2188f0b748a8479.exe, oobeldr.exe
- pid 3136: 8f2621be73adf509471ab611032f457348b97db11e84098cd2188f0b748a8479.exe
- pid 3136: 8f2621be73adf509471ab611032f457348b97db11e84098cd2188f0b748a8479.exe
- pid 3136: 8f2621be73adf509471ab611032f457348b97db11e84098cd2188f0b748a8479.exe
- pid 3136: 8f2621be73adf509471ab611032f457348b97db11e84098cd2188f0b748a8479.exe
- pid 4264: oobeldr.exe
- pid 4264: oobeldr.exe
- pid 4264: oobeldr.exe
- pid 4264: oobeldr.exe
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes: 8f2621be73adf509471ab611032f457348b97db11e84098cd2188f0b748a8479.exe, oobeldr.exe
- PID 3136 wrote to memory of 3824 (pid 3136, process 8f2621be73adf509471ab611032f457348b97db11e84098cd2188f0b748a8479.exe, target process schtasks.exe)
- PID 3136 wrote to memory of 3824 (pid 3136, process 8f2621be73adf509471ab611032f457348b97db11e84098cd2188f0b748a8479.exe, target process schtasks.exe)
- PID 3136 wrote to memory of 3824 (pid 3136, process 8f2621be73adf509471ab611032f457348b97db11e84098cd2188f0b748a8479.exe, target process schtasks.exe)
- PID 4264 wrote to memory of 1732 (pid 4264, process oobeldr.exe, target process schtasks.exe)
- PID 4264 wrote to memory of 1732 (pid 4264, process oobeldr.exe, target process schtasks.exe)
- PID 4264 wrote to memory of 1732 (pid 4264, process oobeldr.exe, target process schtasks.exe)
Processes
-
C:\Users\Admin\AppData\Local\Temp\8f2621be73adf509471ab611032f457348b97db11e84098cd2188f0b748a8479.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\8f2621be73adf509471ab611032f457348b97db11e84098cd2188f0b748a8479.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
  -
  C:\Windows\SysWOW64\schtasks.exe (child of the process above)
  Command line: /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
  - Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
  -
  C:\Windows\SysWOW64\schtasks.exe (child of the process above)
  Command line: /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
  - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
Filesize: 1.8MB
MD5: 6d1943fbc89a0b49b526eaf2f6b29a12
SHA1: 49ded11616c4e60f1d76e74201405c19b620f3e4
SHA256: 8f2621be73adf509471ab611032f457348b97db11e84098cd2188f0b748a8479
SHA512: f6b75111d760509fee077280521ac4ac5812d931acd8a5f0cf73f8bdaa1b20d3859c8b1f3285bf7a601a33093bb7a2b33042859725d87371c6d1e60a24139151
-
memory/1732-152-0x0000000000000000-mapping.dmp
-
memory/3136-142-0x0000000000D00000-0x0000000000D44000-memory.dmp
Filesize: 272KB
-
memory/3136-133-0x00000000009A0000-0x0000000000CBF000-memory.dmp
Filesize: 3.1MB
-
memory/3136-137-0x00000000775B0000-0x0000000077753000-memory.dmp
Filesize: 1.6MB
-
memory/3136-138-0x00000000009A1000-0x00000000009A3000-memory.dmp
Filesize: 8KB
-
memory/3136-139-0x00000000009A1000-0x00000000009A3000-memory.dmp
Filesize: 8KB
-
memory/3136-136-0x00000000009A0000-0x0000000000CBF000-memory.dmp
Filesize: 3.1MB
-
memory/3136-141-0x00000000009A0000-0x0000000000CBF000-memory.dmp
Filesize: 3.1MB
-
memory/3136-132-0x00000000009A0000-0x0000000000CBF000-memory.dmp
Filesize: 3.1MB
-
memory/3136-143-0x00000000775B0000-0x0000000077753000-memory.dmp
Filesize: 1.6MB
-
memory/3136-135-0x00000000009A0000-0x0000000000CBF000-memory.dmp
Filesize: 3.1MB
-
memory/3136-134-0x0000000000D00000-0x0000000000D44000-memory.dmp
Filesize: 272KB
-
memory/3824-140-0x0000000000000000-mapping.dmp
-
memory/4264-148-0x0000000000560000-0x000000000087F000-memory.dmp
Filesize: 3.1MB
-
memory/4264-149-0x0000000002700000-0x0000000002744000-memory.dmp
Filesize: 272KB
-
memory/4264-150-0x00000000775B0000-0x0000000077753000-memory.dmp
Filesize: 1.6MB
-
memory/4264-151-0x0000000000561000-0x0000000000563000-memory.dmp
Filesize: 8KB
-
memory/4264-146-0x0000000000560000-0x000000000087F000-memory.dmp
Filesize: 3.1MB
-
memory/4264-153-0x0000000000560000-0x000000000087F000-memory.dmp
Filesize: 3.1MB
-
memory/4264-154-0x0000000002700000-0x0000000002744000-memory.dmp
Filesize: 272KB
-
memory/4264-155-0x00000000775B0000-0x0000000077753000-memory.dmp
Filesize: 1.6MB