811175647d86a02c077ef4d92cd468ba080c02948de347c38da71ef212ceaec9

Analysis

max time kernel
115s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
16/09/2022, 15:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e738044641920d634a86955511cd9cea.exe
Size

1.2MB
MD5

e738044641920d634a86955511cd9cea
SHA1

f4d4ede94dd53f88127ecc32d8f0152055457853
SHA256

811175647d86a02c077ef4d92cd468ba080c02948de347c38da71ef212ceaec9
SHA512

f52f22ba5676bf51dbba1f5759124ff7c74f95c032bb435908289742ba5d63ff7907acb0e3981928e664a96234972e68714f044e1f5bf638aae377130c3186cd
SSDEEP

6144:9Oze8oG6jIB/CTAGax32fXRjddJYoQkNnW:szxoNIB/CwYfXNDJNnW

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
1580	oobeldr.exe
912	oobeldr.exe
1816	oobeldr.exe
428	oobeldr.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1644 set thread context of 1964	1644	e738044641920d634a86955511cd9cea.exe	28
PID 1580 set thread context of 912	1580	oobeldr.exe	33
PID 1816 set thread context of 428	1816	oobeldr.exe	37

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1772	schtasks.exe
900	schtasks.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
1644	e738044641920d634a86955511cd9cea.exe
1580	oobeldr.exe
1816	oobeldr.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1644	e738044641920d634a86955511cd9cea.exe
1580	oobeldr.exe
1816	oobeldr.exe

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 1644 wrote to memory of 1964	1644	e738044641920d634a86955511cd9cea.exe	28
PID 1644 wrote to memory of 1964	1644	e738044641920d634a86955511cd9cea.exe	28
PID 1644 wrote to memory of 1964	1644	e738044641920d634a86955511cd9cea.exe	28
PID 1644 wrote to memory of 1964	1644	e738044641920d634a86955511cd9cea.exe	28
PID 1644 wrote to memory of 1964	1644	e738044641920d634a86955511cd9cea.exe	28
PID 1964 wrote to memory of 1772	1964	e738044641920d634a86955511cd9cea.exe	29
PID 1964 wrote to memory of 1772	1964	e738044641920d634a86955511cd9cea.exe	29
PID 1964 wrote to memory of 1772	1964	e738044641920d634a86955511cd9cea.exe	29
PID 1964 wrote to memory of 1772	1964	e738044641920d634a86955511cd9cea.exe	29
PID 1664 wrote to memory of 1580	1664	taskeng.exe	32
PID 1664 wrote to memory of 1580	1664	taskeng.exe	32
PID 1664 wrote to memory of 1580	1664	taskeng.exe	32
PID 1664 wrote to memory of 1580	1664	taskeng.exe	32
PID 1580 wrote to memory of 912	1580	oobeldr.exe	33
PID 1580 wrote to memory of 912	1580	oobeldr.exe	33
PID 1580 wrote to memory of 912	1580	oobeldr.exe	33
PID 1580 wrote to memory of 912	1580	oobeldr.exe	33
PID 1580 wrote to memory of 912	1580	oobeldr.exe	33
PID 912 wrote to memory of 900	912	oobeldr.exe	34
PID 912 wrote to memory of 900	912	oobeldr.exe	34
PID 912 wrote to memory of 900	912	oobeldr.exe	34
PID 912 wrote to memory of 900	912	oobeldr.exe	34
PID 1664 wrote to memory of 1816	1664	taskeng.exe	36
PID 1664 wrote to memory of 1816	1664	taskeng.exe	36
PID 1664 wrote to memory of 1816	1664	taskeng.exe	36
PID 1664 wrote to memory of 1816	1664	taskeng.exe	36
PID 1816 wrote to memory of 428	1816	oobeldr.exe	37
PID 1816 wrote to memory of 428	1816	oobeldr.exe	37
PID 1816 wrote to memory of 428	1816	oobeldr.exe	37
PID 1816 wrote to memory of 428	1816	oobeldr.exe	37
PID 1816 wrote to memory of 428	1816	oobeldr.exe	37

C:\Users\Admin\AppData\Local\Temp\e738044641920d634a86955511cd9cea.exe
"C:\Users\Admin\AppData\Local\Temp\e738044641920d634a86955511cd9cea.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1644
- C:\Users\Admin\AppData\Local\Temp\e738044641920d634a86955511cd9cea.exe
  "C:\Users\Admin\AppData\Local\Temp\e738044641920d634a86955511cd9cea.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1964
- - C:\Windows\SysWOW64\schtasks.exe
    /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
    3⤵
    - Creates scheduled task(s)
    PID:1772

C:\Windows\system32\taskeng.exe
taskeng.exe {20D052C2-1D77-4CFE-BF7E-8A357BE8390B} S-1-5-21-3845472200-3839195424-595303356-1000:ZERMMMDR\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1664
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1580
- - C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:912
  - - C:\Windows\SysWOW64\schtasks.exe
      /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
      4⤵
      Creates scheduled task(s)
      PID:900
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1816
- - C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
    3⤵
    - Executes dropped EXE
    PID:428

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
1.2MB

MD5
e738044641920d634a86955511cd9cea

SHA1
f4d4ede94dd53f88127ecc32d8f0152055457853

SHA256
811175647d86a02c077ef4d92cd468ba080c02948de347c38da71ef212ceaec9

SHA512
f52f22ba5676bf51dbba1f5759124ff7c74f95c032bb435908289742ba5d63ff7907acb0e3981928e664a96234972e68714f044e1f5bf638aae377130c3186cd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
1.2MB

MD5
e738044641920d634a86955511cd9cea

SHA1
f4d4ede94dd53f88127ecc32d8f0152055457853

SHA256
811175647d86a02c077ef4d92cd468ba080c02948de347c38da71ef212ceaec9

SHA512
f52f22ba5676bf51dbba1f5759124ff7c74f95c032bb435908289742ba5d63ff7907acb0e3981928e664a96234972e68714f044e1f5bf638aae377130c3186cd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
1.2MB

MD5
e738044641920d634a86955511cd9cea

SHA1
f4d4ede94dd53f88127ecc32d8f0152055457853

SHA256
811175647d86a02c077ef4d92cd468ba080c02948de347c38da71ef212ceaec9

SHA512
f52f22ba5676bf51dbba1f5759124ff7c74f95c032bb435908289742ba5d63ff7907acb0e3981928e664a96234972e68714f044e1f5bf638aae377130c3186cd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
1.2MB

MD5
e738044641920d634a86955511cd9cea

SHA1
f4d4ede94dd53f88127ecc32d8f0152055457853

SHA256
811175647d86a02c077ef4d92cd468ba080c02948de347c38da71ef212ceaec9

SHA512
f52f22ba5676bf51dbba1f5759124ff7c74f95c032bb435908289742ba5d63ff7907acb0e3981928e664a96234972e68714f044e1f5bf638aae377130c3186cd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
1.2MB

MD5
e738044641920d634a86955511cd9cea

SHA1
f4d4ede94dd53f88127ecc32d8f0152055457853

SHA256
811175647d86a02c077ef4d92cd468ba080c02948de347c38da71ef212ceaec9

SHA512
f52f22ba5676bf51dbba1f5759124ff7c74f95c032bb435908289742ba5d63ff7907acb0e3981928e664a96234972e68714f044e1f5bf638aae377130c3186cd

Download Submit
memory/1644-56-0x0000000075A11000-0x0000000075A13000-memory.dmp

Filesize
8KB

Download
memory/1644-58-0x0000000000240000-0x0000000000246000-memory.dmp

Filesize
24KB

Download
memory/1964-61-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads