8d481234b9cb8ea2c2b61d5e8a0a706d1029d0ca2b3887ff3e5af03d27f1963a

General

Target

8d481234b9cb8ea2c2b61d5e8a0a706d1029d0ca2b3887ff3e5af03d27f1963a.exe
Size

1.8MB
MD5

6e524d4c8901448b3c6481b4b574d97c
SHA1

279f91fbe2bc18fb93caa79ce1beb893ed3eb3f7
SHA256

8d481234b9cb8ea2c2b61d5e8a0a706d1029d0ca2b3887ff3e5af03d27f1963a
SHA512

7731004f0a9e11cf0d12e391fc7c7e2b92edb5dff1a2d724852eac386dee5c8331ed957e250351be50cbba2dbda6aeba20cb0d1390b892bfabcc052041f14cf2
SSDEEP

49152:AiSzCD+K95aLs7zeqLTVtXtHFIDP8EehiM8qZA:AiSzCD+K95aUeqFtXtHwEEehig

Score

9^/10

evasion trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	8d481234b9cb8ea2c2b61d5e8a0a706d1029d0ca2b3887ff3e5af03d27f1963a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	oobeldr.exe

Executes dropped EXE 1 IoCs

pid	Process
3496	oobeldr.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	oobeldr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	oobeldr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	8d481234b9cb8ea2c2b61d5e8a0a706d1029d0ca2b3887ff3e5af03d27f1963a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	8d481234b9cb8ea2c2b61d5e8a0a706d1029d0ca2b3887ff3e5af03d27f1963a.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	8d481234b9cb8ea2c2b61d5e8a0a706d1029d0ca2b3887ff3e5af03d27f1963a.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	oobeldr.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
1804	8d481234b9cb8ea2c2b61d5e8a0a706d1029d0ca2b3887ff3e5af03d27f1963a.exe
1804	8d481234b9cb8ea2c2b61d5e8a0a706d1029d0ca2b3887ff3e5af03d27f1963a.exe
3496	oobeldr.exe
3496	oobeldr.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3032	schtasks.exe
2504	schtasks.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1804	8d481234b9cb8ea2c2b61d5e8a0a706d1029d0ca2b3887ff3e5af03d27f1963a.exe
1804	8d481234b9cb8ea2c2b61d5e8a0a706d1029d0ca2b3887ff3e5af03d27f1963a.exe
1804	8d481234b9cb8ea2c2b61d5e8a0a706d1029d0ca2b3887ff3e5af03d27f1963a.exe
1804	8d481234b9cb8ea2c2b61d5e8a0a706d1029d0ca2b3887ff3e5af03d27f1963a.exe
3496	oobeldr.exe
3496	oobeldr.exe
3496	oobeldr.exe
3496	oobeldr.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1804 wrote to memory of 3032	1804	8d481234b9cb8ea2c2b61d5e8a0a706d1029d0ca2b3887ff3e5af03d27f1963a.exe	83
PID 1804 wrote to memory of 3032	1804	8d481234b9cb8ea2c2b61d5e8a0a706d1029d0ca2b3887ff3e5af03d27f1963a.exe	83
PID 1804 wrote to memory of 3032	1804	8d481234b9cb8ea2c2b61d5e8a0a706d1029d0ca2b3887ff3e5af03d27f1963a.exe	83
PID 3496 wrote to memory of 2504	3496	oobeldr.exe	93
PID 3496 wrote to memory of 2504	3496	oobeldr.exe	93
PID 3496 wrote to memory of 2504	3496	oobeldr.exe	93

C:\Users\Admin\AppData\Local\Temp\8d481234b9cb8ea2c2b61d5e8a0a706d1029d0ca2b3887ff3e5af03d27f1963a.exe
"C:\Users\Admin\AppData\Local\Temp\8d481234b9cb8ea2c2b61d5e8a0a706d1029d0ca2b3887ff3e5af03d27f1963a.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1804
- C:\Windows\SysWOW64\schtasks.exe
  /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
  2⤵
  - Creates scheduled task(s)
  PID:3032

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3496
- C:\Windows\SysWOW64\schtasks.exe
  /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
  2⤵
  - Creates scheduled task(s)
  PID:2504

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
1.8MB

MD5
6e524d4c8901448b3c6481b4b574d97c

SHA1
279f91fbe2bc18fb93caa79ce1beb893ed3eb3f7

SHA256
8d481234b9cb8ea2c2b61d5e8a0a706d1029d0ca2b3887ff3e5af03d27f1963a

SHA512
7731004f0a9e11cf0d12e391fc7c7e2b92edb5dff1a2d724852eac386dee5c8331ed957e250351be50cbba2dbda6aeba20cb0d1390b892bfabcc052041f14cf2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
1.8MB

MD5
6e524d4c8901448b3c6481b4b574d97c

SHA1
279f91fbe2bc18fb93caa79ce1beb893ed3eb3f7

SHA256
8d481234b9cb8ea2c2b61d5e8a0a706d1029d0ca2b3887ff3e5af03d27f1963a

SHA512
7731004f0a9e11cf0d12e391fc7c7e2b92edb5dff1a2d724852eac386dee5c8331ed957e250351be50cbba2dbda6aeba20cb0d1390b892bfabcc052041f14cf2

Download Submit
memory/1804-134-0x00000000001A0000-0x00000000004BF000-memory.dmp

Filesize
3.1MB

Download
memory/1804-133-0x0000000002600000-0x0000000002644000-memory.dmp

Filesize
272KB

Download
memory/1804-135-0x00000000001A1000-0x00000000001A3000-memory.dmp

Filesize
8KB

Download
memory/1804-136-0x00000000001A1000-0x00000000001A3000-memory.dmp

Filesize
8KB

Download
memory/1804-132-0x00000000001A0000-0x00000000004BF000-memory.dmp

Filesize
3.1MB

Download
memory/1804-138-0x00000000001A0000-0x00000000004BF000-memory.dmp

Filesize
3.1MB

Download
memory/1804-139-0x0000000002600000-0x0000000002644000-memory.dmp

Filesize
272KB

Download
memory/1804-140-0x0000000077880000-0x0000000077A23000-memory.dmp

Filesize
1.6MB

Download
memory/1804-141-0x0000000077880000-0x0000000077A23000-memory.dmp

Filesize
1.6MB

Download
memory/3496-145-0x0000000000C30000-0x0000000000F4F000-memory.dmp

Filesize
3.1MB

Download
memory/3496-144-0x0000000000C30000-0x0000000000F4F000-memory.dmp

Filesize
3.1MB

Download
memory/3496-147-0x0000000000C31000-0x0000000000C33000-memory.dmp

Filesize
8KB

Download
memory/3496-149-0x00000000015E0000-0x0000000001624000-memory.dmp

Filesize
272KB

Download
memory/3496-150-0x0000000000C30000-0x0000000000F4F000-memory.dmp

Filesize
3.1MB

Download
memory/3496-151-0x0000000077880000-0x0000000077A23000-memory.dmp

Filesize
1.6MB

Download
memory/3496-152-0x0000000000C30000-0x0000000000F4F000-memory.dmp

Filesize
3.1MB

Download
memory/3496-153-0x00000000015E0000-0x0000000001624000-memory.dmp

Filesize
272KB

Download
memory/3496-154-0x0000000000C30000-0x0000000000F4F000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads