Analysis
- max time kernel: 90s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03-10-2022 06:41
- Static task: static1
General
- Target: 9e80882513f78fdc3c35a891d08830cd64d6a013b8b3f866e8d750116d9d2007.exe
- Size: 1.8MB
- MD5: 03f7d1eb5147e8c504a3ddc393739638
- SHA1: ccd5ddf7a8c5ca46b7589292a146ee7b52065a3a
- SHA256: 9e80882513f78fdc3c35a891d08830cd64d6a013b8b3f866e8d750116d9d2007
- SHA512: eb91697bc3cad33db7c82b209fe92bf0780500ca571157bb43181a19718d4500cfc685f131a8ec6868331ecd95af18001b08801bb70a9b3ec38f992cfd54230d
- SSDEEP: 49152:AiSzCD+K95aLs7zeqLTVtXtHFIDP8EehiM8qZA:AiSzCD+K95aUeqFtXtHwEEehig
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
  Processes (description / ioc / process):
  - Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ by 9e80882513f78fdc3c35a891d08830cd64d6a013b8b3f866e8d750116d9d2007.exe
  - Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ by oobeldr.exe
- Executes dropped EXE 1 IoCs
  Processes (pid / process):
  - 1640 oobeldr.exe
- Checks BIOS information in registry 2 TTPs 4 IoCs
  BIOS information is often read in order to detect sandboxing environments.
  Processes (description / ioc / process):
  - Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion by oobeldr.exe
  - Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion by 9e80882513f78fdc3c35a891d08830cd64d6a013b8b3f866e8d750116d9d2007.exe
  - Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion by 9e80882513f78fdc3c35a891d08830cd64d6a013b8b3f866e8d750116d9d2007.exe
  - Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion by oobeldr.exe
- Checks whether UAC is enabled 2 IoCs
  Processes (description / ioc / process):
  - Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA by 9e80882513f78fdc3c35a891d08830cd64d6a013b8b3f866e8d750116d9d2007.exe
  - Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA by oobeldr.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
  Processes (pid / process):
  - 4948 9e80882513f78fdc3c35a891d08830cd64d6a013b8b3f866e8d750116d9d2007.exe
  - 4948 9e80882513f78fdc3c35a891d08830cd64d6a013b8b3f866e8d750116d9d2007.exe
  - 1640 oobeldr.exe
  - 1640 oobeldr.exe
- Creates scheduled task(s) 1 TTPs 2 IoCs
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes (pid / process):
  - 1212 schtasks.exe
  - 5076 schtasks.exe
- Suspicious behavior: EnumeratesProcesses 8 IoCs
  Processes (pid / process):
  - 4948 9e80882513f78fdc3c35a891d08830cd64d6a013b8b3f866e8d750116d9d2007.exe
  - 4948 9e80882513f78fdc3c35a891d08830cd64d6a013b8b3f866e8d750116d9d2007.exe
  - 4948 9e80882513f78fdc3c35a891d08830cd64d6a013b8b3f866e8d750116d9d2007.exe
  - 4948 9e80882513f78fdc3c35a891d08830cd64d6a013b8b3f866e8d750116d9d2007.exe
  - 1640 oobeldr.exe
  - 1640 oobeldr.exe
  - 1640 oobeldr.exe
  - 1640 oobeldr.exe
- Suspicious use of WriteProcessMemory 6 IoCs
  Processes (description / pid / process / target process):
  - PID 4948 wrote to memory of 1212 / 4948 / 9e80882513f78fdc3c35a891d08830cd64d6a013b8b3f866e8d750116d9d2007.exe / schtasks.exe
  - PID 4948 wrote to memory of 1212 / 4948 / 9e80882513f78fdc3c35a891d08830cd64d6a013b8b3f866e8d750116d9d2007.exe / schtasks.exe
  - PID 4948 wrote to memory of 1212 / 4948 / 9e80882513f78fdc3c35a891d08830cd64d6a013b8b3f866e8d750116d9d2007.exe / schtasks.exe
  - PID 1640 wrote to memory of 5076 / 1640 / oobeldr.exe / schtasks.exe
  - PID 1640 wrote to memory of 5076 / 1640 / oobeldr.exe / schtasks.exe
  - PID 1640 wrote to memory of 5076 / 1640 / oobeldr.exe / schtasks.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\9e80882513f78fdc3c35a891d08830cd64d6a013b8b3f866e8d750116d9d2007.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\9e80882513f78fdc3c35a891d08830cd64d6a013b8b3f866e8d750116d9d2007.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - Child: C:\Windows\SysWOW64\schtasks.exe
    Command line: /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
    - Creates scheduled task(s)
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - Child: C:\Windows\SysWOW64\schtasks.exe
    Command line: /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
    - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  Filesize: 1.8MB
  MD5: 03f7d1eb5147e8c504a3ddc393739638
  SHA1: ccd5ddf7a8c5ca46b7589292a146ee7b52065a3a
  SHA256: 9e80882513f78fdc3c35a891d08830cd64d6a013b8b3f866e8d750116d9d2007
  SHA512: eb91697bc3cad33db7c82b209fe92bf0780500ca571157bb43181a19718d4500cfc685f131a8ec6868331ecd95af18001b08801bb70a9b3ec38f992cfd54230d
- memory/1212-141-0x0000000000000000-mapping.dmp
- memory/1640-155-0x0000000002ED0000-0x0000000002F14000-memory.dmp
  Filesize: 272KB
- memory/1640-154-0x0000000000BC0000-0x0000000000EDF000-memory.dmp
  Filesize: 3.1MB
- memory/1640-153-0x00000000772E0000-0x0000000077483000-memory.dmp
  Filesize: 1.6MB
- memory/1640-152-0x0000000000BC0000-0x0000000000EDF000-memory.dmp
  Filesize: 3.1MB
- memory/1640-150-0x0000000000BC1000-0x0000000000BC3000-memory.dmp
  Filesize: 8KB
- memory/1640-149-0x0000000002ED0000-0x0000000002F14000-memory.dmp
  Filesize: 272KB
- memory/1640-148-0x0000000000BC0000-0x0000000000EDF000-memory.dmp
  Filesize: 3.1MB
- memory/1640-146-0x0000000000BC0000-0x0000000000EDF000-memory.dmp
  Filesize: 3.1MB
- memory/4948-137-0x0000000000C90000-0x0000000000FAF000-memory.dmp
  Filesize: 3.1MB
- memory/4948-143-0x00000000772E0000-0x0000000077483000-memory.dmp
  Filesize: 1.6MB
- memory/4948-142-0x0000000000C90000-0x0000000000FAF000-memory.dmp
  Filesize: 3.1MB
- memory/4948-140-0x00000000772E0000-0x0000000077483000-memory.dmp
  Filesize: 1.6MB
- memory/4948-135-0x0000000000C90000-0x0000000000FAF000-memory.dmp
  Filesize: 3.1MB
- memory/4948-139-0x0000000000C90000-0x0000000000FAF000-memory.dmp
  Filesize: 3.1MB
- memory/4948-132-0x0000000000C90000-0x0000000000FAF000-memory.dmp
  Filesize: 3.1MB
- memory/4948-138-0x0000000000C91000-0x0000000000C93000-memory.dmp
  Filesize: 8KB
- memory/4948-136-0x0000000000C91000-0x0000000000C93000-memory.dmp
  Filesize: 8KB
- memory/4948-134-0x0000000002AE0000-0x0000000002B24000-memory.dmp
  Filesize: 272KB
- memory/4948-133-0x0000000000C90000-0x0000000000FAF000-memory.dmp
  Filesize: 3.1MB
- memory/5076-151-0x0000000000000000-mapping.dmp