Analysis
- max time kernel: 76s
- max time network: 147s
- platform: windows10-1703_x64
- resource: win10-20220812-en
- resource tags: arch:x64, arch:x86, image:win10-20220812-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 04/10/2022, 01:49
Static task
static1
General
- Target: ae275c80704afc1f1ad0bb669b7507656cbb800e28160b8656b88cee4a87c139.exe
- Size: 1.8MB
- MD5: 4605742aeb74e2c3122e4f3355010255
- SHA1: d289bcb6bc2c53aa8a714a528b9cf1f7c04a058c
- SHA256: ae275c80704afc1f1ad0bb669b7507656cbb800e28160b8656b88cee4a87c139
- SHA512: 35415ff0d6aa0561207a98eae4e7543192b8a0c2b7c1423537ea7a80f5a0e0c19f1fa2de81be51e2c26b2941e66336310a16ce9271e5c001f5b4c9ea0037d6ae
- SSDEEP: 49152:AiSzCD+K95aLs7zeqLTVtXtHFIDP8EehiM8qZA:AiSzCD+K95aUeqFtXtHwEEehig
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | ae275c80704afc1f1ad0bb669b7507656cbb800e28160b8656b88cee4a87c139.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | oobeldr.exe
- Executes dropped EXE 1 IoCs
  pid | Process
  5020 | oobeldr.exe
- Checks BIOS information in registry 2 TTPs 4 IoCs
  BIOS information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | ae275c80704afc1f1ad0bb669b7507656cbb800e28160b8656b88cee4a87c139.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | ae275c80704afc1f1ad0bb669b7507656cbb800e28160b8656b88cee4a87c139.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | oobeldr.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | oobeldr.exe
- Checks whether UAC is enabled 2 IoCs
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | oobeldr.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | ae275c80704afc1f1ad0bb669b7507656cbb800e28160b8656b88cee4a87c139.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
  pid | Process
  2720 | ae275c80704afc1f1ad0bb669b7507656cbb800e28160b8656b88cee4a87c139.exe
  2720 | ae275c80704afc1f1ad0bb669b7507656cbb800e28160b8656b88cee4a87c139.exe
  5020 | oobeldr.exe
  5020 | oobeldr.exe
- Creates scheduled task(s) 1 TTPs 2 IoCs
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  4700 | schtasks.exe
  4052 | schtasks.exe
- Suspicious behavior: EnumeratesProcesses 8 IoCs
  pid | Process
  2720 | ae275c80704afc1f1ad0bb669b7507656cbb800e28160b8656b88cee4a87c139.exe
  2720 | ae275c80704afc1f1ad0bb669b7507656cbb800e28160b8656b88cee4a87c139.exe
  2720 | ae275c80704afc1f1ad0bb669b7507656cbb800e28160b8656b88cee4a87c139.exe
  2720 | ae275c80704afc1f1ad0bb669b7507656cbb800e28160b8656b88cee4a87c139.exe
  5020 | oobeldr.exe
  5020 | oobeldr.exe
  5020 | oobeldr.exe
  5020 | oobeldr.exe
- Suspicious use of WriteProcessMemory 6 IoCs
  description | pid | Process | procid_target
  PID 2720 wrote to memory of 4700 | 2720 | ae275c80704afc1f1ad0bb669b7507656cbb800e28160b8656b88cee4a87c139.exe | 66
  PID 2720 wrote to memory of 4700 | 2720 | ae275c80704afc1f1ad0bb669b7507656cbb800e28160b8656b88cee4a87c139.exe | 66
  PID 2720 wrote to memory of 4700 | 2720 | ae275c80704afc1f1ad0bb669b7507656cbb800e28160b8656b88cee4a87c139.exe | 66
  PID 5020 wrote to memory of 4052 | 5020 | oobeldr.exe | 69
  PID 5020 wrote to memory of 4052 | 5020 | oobeldr.exe | 69
  PID 5020 wrote to memory of 4052 | 5020 | oobeldr.exe | 69
Processes
- C:\Users\Admin\AppData\Local\Temp\ae275c80704afc1f1ad0bb669b7507656cbb800e28160b8656b88cee4a87c139.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ae275c80704afc1f1ad0bb669b7507656cbb800e28160b8656b88cee4a87c139.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 2720
  - C:\Windows\SysWOW64\schtasks.exe (child of PID 2720)
    Command line: /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
    - Creates scheduled task(s)
    PID: 4700
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 5020
  - C:\Windows\SysWOW64\schtasks.exe (child of PID 5020)
    Command line: /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
    - Creates scheduled task(s)
    PID: 4052
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 1.8MB
  MD5: 4605742aeb74e2c3122e4f3355010255
  SHA1: d289bcb6bc2c53aa8a714a528b9cf1f7c04a058c
  SHA256: ae275c80704afc1f1ad0bb669b7507656cbb800e28160b8656b88cee4a87c139
  SHA512: 35415ff0d6aa0561207a98eae4e7543192b8a0c2b7c1423537ea7a80f5a0e0c19f1fa2de81be51e2c26b2941e66336310a16ce9271e5c001f5b4c9ea0037d6ae