15473e6805c0ce3fc582c63e40fd4b5291c4c366811c2ec8d96621e10fff946d

General

Target

15473e6805c0ce3fc582c63e40fd4b5291c4c366811c2ec8d96621e10fff946d.exe
Size

1.8MB
MD5

aebde82c0a72cce1dfe6cbc5a7136a03
SHA1

765f4a5f4e92c35856ce2672fe9e37c0d0ac0355
SHA256

15473e6805c0ce3fc582c63e40fd4b5291c4c366811c2ec8d96621e10fff946d
SHA512

80e5f59b2787abe8fe2206e6927ed3b575d85d8ac03074cc6d045a3171720e26f563918d130d62267cc10858e1c12099380ddc09a0651e4ffc43cf3c987e45d5
SSDEEP

49152:AiSzCD+K95aLs7zeqLTVtXtHFIDP8EehiM8qZA:AiSzCD+K95aUeqFtXtHwEEehig

Score

9^/10

evasion trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	15473e6805c0ce3fc582c63e40fd4b5291c4c366811c2ec8d96621e10fff946d.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	oobeldr.exe

Executes dropped EXE 1 IoCs

pid	Process
1188	oobeldr.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	oobeldr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	15473e6805c0ce3fc582c63e40fd4b5291c4c366811c2ec8d96621e10fff946d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	15473e6805c0ce3fc582c63e40fd4b5291c4c366811c2ec8d96621e10fff946d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	oobeldr.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	15473e6805c0ce3fc582c63e40fd4b5291c4c366811c2ec8d96621e10fff946d.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	oobeldr.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
4968	15473e6805c0ce3fc582c63e40fd4b5291c4c366811c2ec8d96621e10fff946d.exe
4968	15473e6805c0ce3fc582c63e40fd4b5291c4c366811c2ec8d96621e10fff946d.exe
1188	oobeldr.exe
1188	oobeldr.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4820	schtasks.exe
3224	schtasks.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4968	15473e6805c0ce3fc582c63e40fd4b5291c4c366811c2ec8d96621e10fff946d.exe
4968	15473e6805c0ce3fc582c63e40fd4b5291c4c366811c2ec8d96621e10fff946d.exe
4968	15473e6805c0ce3fc582c63e40fd4b5291c4c366811c2ec8d96621e10fff946d.exe
4968	15473e6805c0ce3fc582c63e40fd4b5291c4c366811c2ec8d96621e10fff946d.exe
1188	oobeldr.exe
1188	oobeldr.exe
1188	oobeldr.exe
1188	oobeldr.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4968 wrote to memory of 4820	4968	15473e6805c0ce3fc582c63e40fd4b5291c4c366811c2ec8d96621e10fff946d.exe	82
PID 4968 wrote to memory of 4820	4968	15473e6805c0ce3fc582c63e40fd4b5291c4c366811c2ec8d96621e10fff946d.exe	82
PID 4968 wrote to memory of 4820	4968	15473e6805c0ce3fc582c63e40fd4b5291c4c366811c2ec8d96621e10fff946d.exe	82
PID 1188 wrote to memory of 3224	1188	oobeldr.exe	92
PID 1188 wrote to memory of 3224	1188	oobeldr.exe	92
PID 1188 wrote to memory of 3224	1188	oobeldr.exe	92

C:\Users\Admin\AppData\Local\Temp\15473e6805c0ce3fc582c63e40fd4b5291c4c366811c2ec8d96621e10fff946d.exe
"C:\Users\Admin\AppData\Local\Temp\15473e6805c0ce3fc582c63e40fd4b5291c4c366811c2ec8d96621e10fff946d.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4968
- C:\Windows\SysWOW64\schtasks.exe
  /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
  2⤵
  - Creates scheduled task(s)
  PID:4820

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1188
- C:\Windows\SysWOW64\schtasks.exe
  /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
  2⤵
  - Creates scheduled task(s)
  PID:3224

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
1.8MB

MD5
aebde82c0a72cce1dfe6cbc5a7136a03

SHA1
765f4a5f4e92c35856ce2672fe9e37c0d0ac0355

SHA256
15473e6805c0ce3fc582c63e40fd4b5291c4c366811c2ec8d96621e10fff946d

SHA512
80e5f59b2787abe8fe2206e6927ed3b575d85d8ac03074cc6d045a3171720e26f563918d130d62267cc10858e1c12099380ddc09a0651e4ffc43cf3c987e45d5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
1.8MB

MD5
aebde82c0a72cce1dfe6cbc5a7136a03

SHA1
765f4a5f4e92c35856ce2672fe9e37c0d0ac0355

SHA256
15473e6805c0ce3fc582c63e40fd4b5291c4c366811c2ec8d96621e10fff946d

SHA512
80e5f59b2787abe8fe2206e6927ed3b575d85d8ac03074cc6d045a3171720e26f563918d130d62267cc10858e1c12099380ddc09a0651e4ffc43cf3c987e45d5

Download Submit
memory/1188-152-0x0000000000041000-0x0000000000043000-memory.dmp

Filesize
8KB

Download
memory/1188-154-0x0000000000040000-0x000000000035F000-memory.dmp

Filesize
3.1MB

Download
memory/1188-159-0x0000000000040000-0x000000000035F000-memory.dmp

Filesize
3.1MB

Download
memory/1188-158-0x00000000772E0000-0x0000000077483000-memory.dmp

Filesize
1.6MB

Download
memory/1188-157-0x0000000000040000-0x000000000035F000-memory.dmp

Filesize
3.1MB

Download
memory/1188-147-0x00000000011D0000-0x0000000001214000-memory.dmp

Filesize
272KB

Download
memory/1188-155-0x0000000000040000-0x000000000035F000-memory.dmp

Filesize
3.1MB

Download
memory/1188-148-0x0000000000040000-0x000000000035F000-memory.dmp

Filesize
3.1MB

Download
memory/1188-151-0x00000000772E0000-0x0000000077483000-memory.dmp

Filesize
1.6MB

Download
memory/1188-150-0x0000000000040000-0x000000000035F000-memory.dmp

Filesize
3.1MB

Download
memory/1188-146-0x0000000000040000-0x000000000035F000-memory.dmp

Filesize
3.1MB

Download
memory/1188-156-0x00000000011D0000-0x0000000001214000-memory.dmp

Filesize
272KB

Download
memory/4968-143-0x00000000772E0000-0x0000000077483000-memory.dmp

Filesize
1.6MB

Download
memory/4968-142-0x0000000002B90000-0x0000000002BD4000-memory.dmp

Filesize
272KB

Download
memory/4968-132-0x0000000000600000-0x000000000091F000-memory.dmp

Filesize
3.1MB

Download
memory/4968-141-0x0000000000600000-0x000000000091F000-memory.dmp

Filesize
3.1MB

Download
memory/4968-137-0x0000000000601000-0x0000000000603000-memory.dmp

Filesize
8KB

Download
memory/4968-135-0x0000000000600000-0x000000000091F000-memory.dmp

Filesize
3.1MB

Download
memory/4968-140-0x00000000772E0000-0x0000000077483000-memory.dmp

Filesize
1.6MB

Download
memory/4968-134-0x0000000002B90000-0x0000000002BD4000-memory.dmp

Filesize
272KB

Download
memory/4968-138-0x0000000000601000-0x0000000000603000-memory.dmp

Filesize
8KB

Download
memory/4968-133-0x0000000000600000-0x000000000091F000-memory.dmp

Filesize
3.1MB

Download
memory/4968-136-0x0000000000600000-0x000000000091F000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads