Analysis
  max time kernel    54s
  max time network   149s
  platform           windows10-1703_x64
  resource           win10-20220812-en
  resource tags      arch:x64, arch:x86, image:win10-20220812-en, locale:en-us, os:windows10-1703-x64, system
  submitted          05/10/2022, 22:11
Static task
  static1

General
  Target   af2d30f8bfec1d130c393c0fb4c66af8fb2d23f821a9ea24755e9615af6cc843.exe
  Size     1.8MB
  MD5      9ab3225057a83adc0c9811eb8cf39563
  SHA1     80721d06d9b8438a217c1f23bdeb790c6f729582
  SHA256   af2d30f8bfec1d130c393c0fb4c66af8fb2d23f821a9ea24755e9615af6cc843
  SHA512   c38c75f2df30c04d354a7dd9603b75db92dc34cd40d6fe7336f44d5d177f29f514cd8ceb4858c4363b2e777adb09cd7a8d4926cb1eabe328fe6485d62646efbf
  SSDEEP   49152:AiSzCD+K95aLs7zeqLTVtXtHFIDP8EehiM8qZA:AiSzCD+K95aUeqFtXtHwEEehig
Malware Config
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM)  2 TTPs  2 IoCs
  description   ioc                                            Process
  Key opened    \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__    af2d30f8bfec1d130c393c0fb4c66af8fb2d23f821a9ea24755e9615af6cc843.exe
  Key opened    \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__    oobeldr.exe

Executes dropped EXE  1 IoCs
  pid   Process
  304   oobeldr.exe

Checks BIOS information in registry  2 TTPs  4 IoCs
BIOS information is often read in order to detect sandboxing environments.
  description         ioc                                                                Process
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion     oobeldr.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion    af2d30f8bfec1d130c393c0fb4c66af8fb2d23f821a9ea24755e9615af6cc843.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion     af2d30f8bfec1d130c393c0fb4c66af8fb2d23f821a9ea24755e9615af6cc843.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion    oobeldr.exe

Checks whether UAC is enabled
  description         ioc                                                                                  Process
  Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   af2d30f8bfec1d130c393c0fb4c66af8fb2d23f821a9ea24755e9615af6cc843.exe
  Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   oobeldr.exe

Suspicious use of NtSetInformationThreadHideFromDebugger  4 IoCs
  pid    Process
  2888   af2d30f8bfec1d130c393c0fb4c66af8fb2d23f821a9ea24755e9615af6cc843.exe
  2888   af2d30f8bfec1d130c393c0fb4c66af8fb2d23f821a9ea24755e9615af6cc843.exe
  304    oobeldr.exe
  304    oobeldr.exe

Creates scheduled task(s)  1 TTPs  2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid    Process
  2064   schtasks.exe
  3420   schtasks.exe

Suspicious behavior: EnumeratesProcesses  8 IoCs
  pid    Process
  2888   af2d30f8bfec1d130c393c0fb4c66af8fb2d23f821a9ea24755e9615af6cc843.exe
  2888   af2d30f8bfec1d130c393c0fb4c66af8fb2d23f821a9ea24755e9615af6cc843.exe
  2888   af2d30f8bfec1d130c393c0fb4c66af8fb2d23f821a9ea24755e9615af6cc843.exe
  2888   af2d30f8bfec1d130c393c0fb4c66af8fb2d23f821a9ea24755e9615af6cc843.exe
  304    oobeldr.exe
  304    oobeldr.exe
  304    oobeldr.exe
  304    oobeldr.exe

Suspicious use of WriteProcessMemory  6 IoCs
  description                        pid    Process                                                                 procid_target
  PID 2888 wrote to memory of 2064   2888   af2d30f8bfec1d130c393c0fb4c66af8fb2d23f821a9ea24755e9615af6cc843.exe   66
  PID 2888 wrote to memory of 2064   2888   af2d30f8bfec1d130c393c0fb4c66af8fb2d23f821a9ea24755e9615af6cc843.exe   66
  PID 2888 wrote to memory of 2064   2888   af2d30f8bfec1d130c393c0fb4c66af8fb2d23f821a9ea24755e9615af6cc843.exe   66
  PID 304 wrote to memory of 3420    304    oobeldr.exe                                                             69
  PID 304 wrote to memory of 3420    304    oobeldr.exe                                                             69
  PID 304 wrote to memory of 3420    304    oobeldr.exe                                                             69
Processes
- C:\Users\Admin\AppData\Local\Temp\af2d30f8bfec1d130c393c0fb4c66af8fb2d23f821a9ea24755e9615af6cc843.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\af2d30f8bfec1d130c393c0fb4c66af8fb2d23f821a9ea24755e9615af6cc843.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 2888
    - C:\Windows\SysWOW64\schtasks.exe
      command line: /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
      - Creates scheduled task(s)
      PID: 2064

- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  command line: C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 304
    - C:\Windows\SysWOW64\schtasks.exe
      command line: /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
      - Creates scheduled task(s)
      PID: 3420
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize   1.8MB
  MD5        9ab3225057a83adc0c9811eb8cf39563
  SHA1       80721d06d9b8438a217c1f23bdeb790c6f729582
  SHA256     af2d30f8bfec1d130c393c0fb4c66af8fb2d23f821a9ea24755e9615af6cc843
  SHA512     c38c75f2df30c04d354a7dd9603b75db92dc34cd40d6fe7336f44d5d177f29f514cd8ceb4858c4363b2e777adb09cd7a8d4926cb1eabe328fe6485d62646efbf