Analysis
- max time kernel: 60s
- max time network: 51s
- platform: windows7_x64
- resource: win7-20220901-en
- resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
- submitted: 29-11-2022 08:46
Behavioral task
- behavioral1
- Sample: dd6ab934b4c23d80a7a699d9ef55498d56115c86df0fa9ff73cfc1651c1b07c0.exe
- Resource: win7-20220901-en
General
- Target: dd6ab934b4c23d80a7a699d9ef55498d56115c86df0fa9ff73cfc1651c1b07c0.exe
- Size: 5.7MB
- MD5: 104dd8e3bf957c6cf7da52c546405ab7
- SHA1: 2623754939b50204e06d94ae62eb6afc6587f69a
- SHA256: dd6ab934b4c23d80a7a699d9ef55498d56115c86df0fa9ff73cfc1651c1b07c0
- SHA512: 435f7b869769d3a1642c84f3b081c5e93e22c4fd96f7aa82c9d8201b539106bddc0b047348d92bc752a6d9afcd97bfe1e84eaa20a036d92593806de7adc99628
- SSDEEP: 98304:NEp+KwDQdGp//3wHhGizimMxJlqyIZybWHOpjecBF7yx2h5UO1VQxznJZ531:NEp+fDQdGp3wBGgovqZfHOxtBB62DI
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 2 IoCs)
  Processes:
  - Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (process: dd6ab934b4c23d80a7a699d9ef55498d56115c86df0fa9ff73cfc1651c1b07c0.exe)
  - Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (process: oobeldr.exe)
- Executes dropped EXE (1 IoCs)
  Processes:
  - PID 596: oobeldr.exe
- Checks BIOS information in registry (2 TTPs, 4 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes:
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (process: dd6ab934b4c23d80a7a699d9ef55498d56115c86df0fa9ff73cfc1651c1b07c0.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (process: dd6ab934b4c23d80a7a699d9ef55498d56115c86df0fa9ff73cfc1651c1b07c0.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (process: oobeldr.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (process: oobeldr.exe)
- Processes:
  - behavioral1/memory/1204-55-0x00000000009F0000-0x000000000172B000-memory.dmp (yara_rule: themida)
  - behavioral1/memory/1204-58-0x00000000009F0000-0x000000000172B000-memory.dmp (yara_rule: themida)
  - behavioral1/memory/1204-63-0x00000000009F0000-0x000000000172B000-memory.dmp (yara_rule: themida)
  - C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe (yara_rule: themida)
  - C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe (yara_rule: themida)
  - behavioral1/memory/596-69-0x0000000000F10000-0x0000000001C4B000-memory.dmp (yara_rule: themida)
  - behavioral1/memory/596-70-0x0000000000F10000-0x0000000001C4B000-memory.dmp (yara_rule: themida)
  - behavioral1/memory/596-77-0x0000000000F10000-0x0000000001C4B000-memory.dmp (yara_rule: themida)
- Checks whether UAC is enabled
  Processes:
  - Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (process: dd6ab934b4c23d80a7a699d9ef55498d56115c86df0fa9ff73cfc1651c1b07c0.exe)
  - Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (process: oobeldr.exe)
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  Processes:
  - PID 1204: dd6ab934b4c23d80a7a699d9ef55498d56115c86df0fa9ff73cfc1651c1b07c0.exe
  - PID 596: oobeldr.exe
- Creates scheduled task(s) (1 TTPs, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes:
  - PID 2044: schtasks.exe
  - PID 1128: schtasks.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
  - PID 1204: dd6ab934b4c23d80a7a699d9ef55498d56115c86df0fa9ff73cfc1651c1b07c0.exe
  - PID 596: oobeldr.exe
- Suspicious use of WriteProcessMemory (15 IoCs)
  Processes:
  - PID 1204 (dd6ab934b4c23d80a7a699d9ef55498d56115c86df0fa9ff73cfc1651c1b07c0.exe) wrote to memory of PID 2044 (schtasks.exe)
  - PID 1204 (dd6ab934b4c23d80a7a699d9ef55498d56115c86df0fa9ff73cfc1651c1b07c0.exe) wrote to memory of PID 2044 (schtasks.exe)
  - PID 1204 (dd6ab934b4c23d80a7a699d9ef55498d56115c86df0fa9ff73cfc1651c1b07c0.exe) wrote to memory of PID 2044 (schtasks.exe)
  - PID 1204 (dd6ab934b4c23d80a7a699d9ef55498d56115c86df0fa9ff73cfc1651c1b07c0.exe) wrote to memory of PID 2044 (schtasks.exe)
  - PID 1528 (taskeng.exe) wrote to memory of PID 596 (oobeldr.exe)
  - PID 1528 (taskeng.exe) wrote to memory of PID 596 (oobeldr.exe)
  - PID 1528 (taskeng.exe) wrote to memory of PID 596 (oobeldr.exe)
  - PID 1528 (taskeng.exe) wrote to memory of PID 596 (oobeldr.exe)
  - PID 1528 (taskeng.exe) wrote to memory of PID 596 (oobeldr.exe)
  - PID 1528 (taskeng.exe) wrote to memory of PID 596 (oobeldr.exe)
  - PID 1528 (taskeng.exe) wrote to memory of PID 596 (oobeldr.exe)
  - PID 596 (oobeldr.exe) wrote to memory of PID 1128 (schtasks.exe)
  - PID 596 (oobeldr.exe) wrote to memory of PID 1128 (schtasks.exe)
  - PID 596 (oobeldr.exe) wrote to memory of PID 1128 (schtasks.exe)
  - PID 596 (oobeldr.exe) wrote to memory of PID 1128 (schtasks.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\dd6ab934b4c23d80a7a699d9ef55498d56115c86df0fa9ff73cfc1651c1b07c0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\dd6ab934b4c23d80a7a699d9ef55498d56115c86df0fa9ff73cfc1651c1b07c0.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
    - Creates scheduled task(s)
- C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {A2E7C844-B589-43EE-A420-D1CFC30B60C9} S-1-5-21-4063495947-34355257-727531523-1000:RYNKSFQE\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
      - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  Filesize: 5.7MB
  MD5: 104dd8e3bf957c6cf7da52c546405ab7
  SHA1: 2623754939b50204e06d94ae62eb6afc6587f69a
  SHA256: dd6ab934b4c23d80a7a699d9ef55498d56115c86df0fa9ff73cfc1651c1b07c0
  SHA512: 435f7b869769d3a1642c84f3b081c5e93e22c4fd96f7aa82c9d8201b539106bddc0b047348d92bc752a6d9afcd97bfe1e84eaa20a036d92593806de7adc99628
- memory/596-66-0x0000000000000000-mapping.dmp
- memory/596-78-0x00000000770A0000-0x0000000077220000-memory.dmp (Filesize: 1.5MB)
- memory/596-77-0x0000000000F10000-0x0000000001C4B000-memory.dmp (Filesize: 13.2MB)
- memory/596-76-0x00000000770A0000-0x0000000077220000-memory.dmp (Filesize: 1.5MB)
- memory/596-74-0x0000000000F11000-0x0000000000F13000-memory.dmp (Filesize: 8KB)
- memory/596-70-0x0000000000F10000-0x0000000001C4B000-memory.dmp (Filesize: 13.2MB)
- memory/596-69-0x0000000000F10000-0x0000000001C4B000-memory.dmp (Filesize: 13.2MB)
- memory/1128-75-0x0000000000000000-mapping.dmp
- memory/1204-60-0x00000000009F1000-0x00000000009F3000-memory.dmp (Filesize: 8KB)
- memory/1204-64-0x00000000770A0000-0x0000000077220000-memory.dmp (Filesize: 1.5MB)
- memory/1204-63-0x00000000009F0000-0x000000000172B000-memory.dmp (Filesize: 13.2MB)
- memory/1204-62-0x00000000770A0000-0x0000000077220000-memory.dmp (Filesize: 1.5MB)
- memory/1204-54-0x0000000074DE1000-0x0000000074DE3000-memory.dmp (Filesize: 8KB)
- memory/1204-59-0x00000000009F1000-0x00000000009F3000-memory.dmp (Filesize: 8KB)
- memory/1204-58-0x00000000009F0000-0x000000000172B000-memory.dmp (Filesize: 13.2MB)
- memory/1204-55-0x00000000009F0000-0x000000000172B000-memory.dmp (Filesize: 13.2MB)
- memory/2044-61-0x0000000000000000-mapping.dmp