Analysis
- max time kernel: 63s
- max time network: 68s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29-11-2022 08:46
Behavioral task
- behavioral1
- Sample: dd6ab934b4c23d80a7a699d9ef55498d56115c86df0fa9ff73cfc1651c1b07c0.exe
- Resource: win7-20220901-en
General
- Target: dd6ab934b4c23d80a7a699d9ef55498d56115c86df0fa9ff73cfc1651c1b07c0.exe
- Size: 5.7MB
- MD5: 104dd8e3bf957c6cf7da52c546405ab7
- SHA1: 2623754939b50204e06d94ae62eb6afc6587f69a
- SHA256: dd6ab934b4c23d80a7a699d9ef55498d56115c86df0fa9ff73cfc1651c1b07c0
- SHA512: 435f7b869769d3a1642c84f3b081c5e93e22c4fd96f7aa82c9d8201b539106bddc0b047348d92bc752a6d9afcd97bfe1e84eaa20a036d92593806de7adc99628
- SSDEEP: 98304:NEp+KwDQdGp//3wHhGizimMxJlqyIZybWHOpjecBF7yx2h5UO1VQxznJZ531:NEp+fDQdGp3wBGgovqZfHOxtBB62DI
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 2 IoCs)
  Processes (description / ioc / process):
  - Key opened / \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ / dd6ab934b4c23d80a7a699d9ef55498d56115c86df0fa9ff73cfc1651c1b07c0.exe
  - Key opened / \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ / oobeldr.exe
- Executes dropped EXE (1 IoCs)
  Processes (pid / process):
  - 3184 / oobeldr.exe
- Checks BIOS information in registry (2 TTPs, 4 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes (description / ioc / process):
  - Key value queried / \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion / oobeldr.exe
  - Key value queried / \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion / oobeldr.exe
  - Key value queried / \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion / dd6ab934b4c23d80a7a699d9ef55498d56115c86df0fa9ff73cfc1651c1b07c0.exe
  - Key value queried / \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion / dd6ab934b4c23d80a7a699d9ef55498d56115c86df0fa9ff73cfc1651c1b07c0.exe
- Processes (resource / yara_rule):
  - behavioral2/memory/2404-132-0x0000000000050000-0x0000000000D8B000-memory.dmp / themida
  - behavioral2/memory/2404-133-0x0000000000050000-0x0000000000D8B000-memory.dmp / themida
  - behavioral2/memory/2404-140-0x0000000000050000-0x0000000000D8B000-memory.dmp / themida
  - C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe / themida
  - C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe / themida
  - behavioral2/memory/3184-144-0x0000000000D10000-0x0000000001A4B000-memory.dmp / themida
  - behavioral2/memory/3184-145-0x0000000000D10000-0x0000000001A4B000-memory.dmp / themida
  - behavioral2/memory/3184-152-0x0000000000D10000-0x0000000001A4B000-memory.dmp / themida
- Checks whether UAC is enabled
  Processes (description / ioc / process):
  - Key value queried / \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA / dd6ab934b4c23d80a7a699d9ef55498d56115c86df0fa9ff73cfc1651c1b07c0.exe
  - Key value queried / \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA / oobeldr.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  Processes (pid / process):
  - 2404 / dd6ab934b4c23d80a7a699d9ef55498d56115c86df0fa9ff73cfc1651c1b07c0.exe
  - 3184 / oobeldr.exe
- Creates scheduled task(s) (1 TTPs, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes (pid / process):
  - 2404 / dd6ab934b4c23d80a7a699d9ef55498d56115c86df0fa9ff73cfc1651c1b07c0.exe
  - 2404 / dd6ab934b4c23d80a7a699d9ef55498d56115c86df0fa9ff73cfc1651c1b07c0.exe
  - 3184 / oobeldr.exe
  - 3184 / oobeldr.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description / pid / process / target process):
  - PID 2404 wrote to memory of 5060 / 2404 / dd6ab934b4c23d80a7a699d9ef55498d56115c86df0fa9ff73cfc1651c1b07c0.exe / schtasks.exe
  - PID 2404 wrote to memory of 5060 / 2404 / dd6ab934b4c23d80a7a699d9ef55498d56115c86df0fa9ff73cfc1651c1b07c0.exe / schtasks.exe
  - PID 2404 wrote to memory of 5060 / 2404 / dd6ab934b4c23d80a7a699d9ef55498d56115c86df0fa9ff73cfc1651c1b07c0.exe / schtasks.exe
  - PID 3184 wrote to memory of 212 / 3184 / oobeldr.exe / schtasks.exe
  - PID 3184 wrote to memory of 212 / 3184 / oobeldr.exe / schtasks.exe
  - PID 3184 wrote to memory of 212 / 3184 / oobeldr.exe / schtasks.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\dd6ab934b4c23d80a7a699d9ef55498d56115c86df0fa9ff73cfc1651c1b07c0.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\dd6ab934b4c23d80a7a699d9ef55498d56115c86df0fa9ff73cfc1651c1b07c0.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (level 2)
    Command line: /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
    - Creates scheduled task(s)
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe (level 1)
  Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (level 2)
    Command line: /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
    - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  Filesize: 5.7MB
  MD5: 104dd8e3bf957c6cf7da52c546405ab7
  SHA1: 2623754939b50204e06d94ae62eb6afc6587f69a
  SHA256: dd6ab934b4c23d80a7a699d9ef55498d56115c86df0fa9ff73cfc1651c1b07c0
  SHA512: 435f7b869769d3a1642c84f3b081c5e93e22c4fd96f7aa82c9d8201b539106bddc0b047348d92bc752a6d9afcd97bfe1e84eaa20a036d92593806de7adc99628
- memory/212-150-0x0000000000000000-mapping.dmp
- memory/2404-132-0x0000000000050000-0x0000000000D8B000-memory.dmp (Filesize: 13.2MB)
- memory/2404-133-0x0000000000050000-0x0000000000D8B000-memory.dmp (Filesize: 13.2MB)
- memory/2404-136-0x0000000000051000-0x0000000000053000-memory.dmp (Filesize: 8KB)
- memory/2404-137-0x0000000000051000-0x0000000000053000-memory.dmp (Filesize: 8KB)
- memory/2404-139-0x0000000077E40000-0x0000000077FE3000-memory.dmp (Filesize: 1.6MB)
- memory/2404-140-0x0000000000050000-0x0000000000D8B000-memory.dmp (Filesize: 13.2MB)
- memory/2404-141-0x0000000077E40000-0x0000000077FE3000-memory.dmp (Filesize: 1.6MB)
- memory/3184-149-0x0000000000D11000-0x0000000000D13000-memory.dmp (Filesize: 8KB)
- memory/3184-145-0x0000000000D10000-0x0000000001A4B000-memory.dmp (Filesize: 13.2MB)
- memory/3184-144-0x0000000000D10000-0x0000000001A4B000-memory.dmp (Filesize: 13.2MB)
- memory/3184-151-0x0000000077E40000-0x0000000077FE3000-memory.dmp (Filesize: 1.6MB)
- memory/3184-152-0x0000000000D10000-0x0000000001A4B000-memory.dmp (Filesize: 13.2MB)
- memory/5060-138-0x0000000000000000-mapping.dmp