fe969a76931916543135b86299ba3211693c10a745470cc1411a1204acf9e0c5

General

Target

dd6ab934b4c23d80a7a699d9ef55498d56115c86df0fa9ff73cfc1651c1b07c0.exe
Size

5.7MB
MD5

104dd8e3bf957c6cf7da52c546405ab7
SHA1

2623754939b50204e06d94ae62eb6afc6587f69a
SHA256

dd6ab934b4c23d80a7a699d9ef55498d56115c86df0fa9ff73cfc1651c1b07c0
SHA512

435f7b869769d3a1642c84f3b081c5e93e22c4fd96f7aa82c9d8201b539106bddc0b047348d92bc752a6d9afcd97bfe1e84eaa20a036d92593806de7adc99628
SSDEEP

98304:NEp+KwDQdGp//3wHhGizimMxJlqyIZybWHOpjecBF7yx2h5UO1VQxznJZ531:NEp+fDQdGp3wBGgovqZfHOxtBB62DI

Score

9^/10

evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

dd6ab934b4c23d80a7a699d9ef55498d56115c86df0fa9ff73cfc1651c1b07c0.exeoobeldr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	dd6ab934b4c23d80a7a699d9ef55498d56115c86df0fa9ff73cfc1651c1b07c0.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	oobeldr.exe

Executes dropped EXE 1 IoCs

Processes:

oobeldr.exe

pid process

596 oobeldr.exe

pid	process
596	oobeldr.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

dd6ab934b4c23d80a7a699d9ef55498d56115c86df0fa9ff73cfc1651c1b07c0.exeoobeldr.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	dd6ab934b4c23d80a7a699d9ef55498d56115c86df0fa9ff73cfc1651c1b07c0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	dd6ab934b4c23d80a7a699d9ef55498d56115c86df0fa9ff73cfc1651c1b07c0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	oobeldr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	oobeldr.exe

Themida packer 8 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/memory/1204-55-0x00000000009F0000-0x000000000172B000-memory.dmp	themida
behavioral1/memory/1204-58-0x00000000009F0000-0x000000000172B000-memory.dmp	themida
behavioral1/memory/1204-63-0x00000000009F0000-0x000000000172B000-memory.dmp	themida
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe	themida
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe	themida
behavioral1/memory/596-69-0x0000000000F10000-0x0000000001C4B000-memory.dmp	themida
behavioral1/memory/596-70-0x0000000000F10000-0x0000000001C4B000-memory.dmp	themida
behavioral1/memory/596-77-0x0000000000F10000-0x0000000001C4B000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

dd6ab934b4c23d80a7a699d9ef55498d56115c86df0fa9ff73cfc1651c1b07c0.exeoobeldr.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dd6ab934b4c23d80a7a699d9ef55498d56115c86df0fa9ff73cfc1651c1b07c0.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	oobeldr.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

dd6ab934b4c23d80a7a699d9ef55498d56115c86df0fa9ff73cfc1651c1b07c0.exeoobeldr.exe

pid process

1204 dd6ab934b4c23d80a7a699d9ef55498d56115c86df0fa9ff73cfc1651c1b07c0.exe
596 oobeldr.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2044 schtasks.exe
1128 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

dd6ab934b4c23d80a7a699d9ef55498d56115c86df0fa9ff73cfc1651c1b07c0.exeoobeldr.exe

pid process

1204 dd6ab934b4c23d80a7a699d9ef55498d56115c86df0fa9ff73cfc1651c1b07c0.exe
596 oobeldr.exe

pid	process
1204	dd6ab934b4c23d80a7a699d9ef55498d56115c86df0fa9ff73cfc1651c1b07c0.exe
596	oobeldr.exe

pid	process
2044	schtasks.exe
1128	schtasks.exe

pid	process
1204	dd6ab934b4c23d80a7a699d9ef55498d56115c86df0fa9ff73cfc1651c1b07c0.exe
596	oobeldr.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

dd6ab934b4c23d80a7a699d9ef55498d56115c86df0fa9ff73cfc1651c1b07c0.exetaskeng.exeoobeldr.exe

description	pid	process	target process
PID 1204 wrote to memory of 2044	1204	dd6ab934b4c23d80a7a699d9ef55498d56115c86df0fa9ff73cfc1651c1b07c0.exe	schtasks.exe
PID 1204 wrote to memory of 2044	1204	dd6ab934b4c23d80a7a699d9ef55498d56115c86df0fa9ff73cfc1651c1b07c0.exe	schtasks.exe
PID 1204 wrote to memory of 2044	1204	dd6ab934b4c23d80a7a699d9ef55498d56115c86df0fa9ff73cfc1651c1b07c0.exe	schtasks.exe
PID 1204 wrote to memory of 2044	1204	dd6ab934b4c23d80a7a699d9ef55498d56115c86df0fa9ff73cfc1651c1b07c0.exe	schtasks.exe
PID 1528 wrote to memory of 596	1528	taskeng.exe	oobeldr.exe
PID 1528 wrote to memory of 596	1528	taskeng.exe	oobeldr.exe
PID 1528 wrote to memory of 596	1528	taskeng.exe	oobeldr.exe
PID 1528 wrote to memory of 596	1528	taskeng.exe	oobeldr.exe
PID 1528 wrote to memory of 596	1528	taskeng.exe	oobeldr.exe
PID 1528 wrote to memory of 596	1528	taskeng.exe	oobeldr.exe
PID 1528 wrote to memory of 596	1528	taskeng.exe	oobeldr.exe
PID 596 wrote to memory of 1128	596	oobeldr.exe	schtasks.exe
PID 596 wrote to memory of 1128	596	oobeldr.exe	schtasks.exe
PID 596 wrote to memory of 1128	596	oobeldr.exe	schtasks.exe
PID 596 wrote to memory of 1128	596	oobeldr.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\dd6ab934b4c23d80a7a699d9ef55498d56115c86df0fa9ff73cfc1651c1b07c0.exe
"C:\Users\Admin\AppData\Local\Temp\dd6ab934b4c23d80a7a699d9ef55498d56115c86df0fa9ff73cfc1651c1b07c0.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1204

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
2⤵
- Creates scheduled task(s)
PID:2044

C:\Windows\system32\taskeng.exe
taskeng.exe {A2E7C844-B589-43EE-A420-D1CFC30B60C9} S-1-5-21-4063495947-34355257-727531523-1000:RYNKSFQE\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1528

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:596

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
3⤵
- Creates scheduled task(s)
PID:1128

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

Virtualization/Sandbox Evasion

1

T1497

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
Filesize
5.7MB

MD5
104dd8e3bf957c6cf7da52c546405ab7

SHA1
2623754939b50204e06d94ae62eb6afc6587f69a

SHA256
dd6ab934b4c23d80a7a699d9ef55498d56115c86df0fa9ff73cfc1651c1b07c0

SHA512
435f7b869769d3a1642c84f3b081c5e93e22c4fd96f7aa82c9d8201b539106bddc0b047348d92bc752a6d9afcd97bfe1e84eaa20a036d92593806de7adc99628

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
Filesize
5.7MB

MD5
104dd8e3bf957c6cf7da52c546405ab7

SHA1
2623754939b50204e06d94ae62eb6afc6587f69a

SHA256
dd6ab934b4c23d80a7a699d9ef55498d56115c86df0fa9ff73cfc1651c1b07c0

SHA512
435f7b869769d3a1642c84f3b081c5e93e22c4fd96f7aa82c9d8201b539106bddc0b047348d92bc752a6d9afcd97bfe1e84eaa20a036d92593806de7adc99628

Download Submit
memory/596-66-0x0000000000000000-mapping.dmp

Download
memory/596-78-0x00000000770A0000-0x0000000077220000-memory.dmp

Filesize
1.5MB

Download
memory/596-77-0x0000000000F10000-0x0000000001C4B000-memory.dmp

Filesize
13.2MB

Download
memory/596-76-0x00000000770A0000-0x0000000077220000-memory.dmp

Filesize
1.5MB

Download
memory/596-74-0x0000000000F11000-0x0000000000F13000-memory.dmp

Filesize
8KB

Download
memory/596-70-0x0000000000F10000-0x0000000001C4B000-memory.dmp

Filesize
13.2MB

Download
memory/596-69-0x0000000000F10000-0x0000000001C4B000-memory.dmp

Filesize
13.2MB

Download
memory/1128-75-0x0000000000000000-mapping.dmp

Download
memory/1204-60-0x00000000009F1000-0x00000000009F3000-memory.dmp

Filesize
8KB

Download
memory/1204-64-0x00000000770A0000-0x0000000077220000-memory.dmp

Filesize
1.5MB

Download
memory/1204-63-0x00000000009F0000-0x000000000172B000-memory.dmp

Filesize
13.2MB

Download
memory/1204-62-0x00000000770A0000-0x0000000077220000-memory.dmp

Filesize
1.5MB

Download
memory/1204-54-0x0000000074DE1000-0x0000000074DE3000-memory.dmp

Filesize
8KB

Download
memory/1204-59-0x00000000009F1000-0x00000000009F3000-memory.dmp

Filesize
8KB

Download
memory/1204-58-0x00000000009F0000-0x000000000172B000-memory.dmp

Filesize
13.2MB

Download
memory/1204-55-0x00000000009F0000-0x000000000172B000-memory.dmp

Filesize
13.2MB

Download
memory/2044-61-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads