811175647d86a02c077ef4d92cd468ba080c02948de347c38da71ef212ceaec9

General

Target

e738044641920d634a86955511cd9cea.exe
Size

1.2MB
MD5

e738044641920d634a86955511cd9cea
SHA1

f4d4ede94dd53f88127ecc32d8f0152055457853
SHA256

811175647d86a02c077ef4d92cd468ba080c02948de347c38da71ef212ceaec9
SHA512

f52f22ba5676bf51dbba1f5759124ff7c74f95c032bb435908289742ba5d63ff7907acb0e3981928e664a96234972e68714f044e1f5bf638aae377130c3186cd
SSDEEP

6144:9Oze8oG6jIB/CTAGax32fXRjddJYoQkNnW:szxoNIB/CwYfXNDJNnW

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
4788	oobeldr.exe
916	oobeldr.exe
524	oobeldr.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1800 set thread context of 3476	1800	e738044641920d634a86955511cd9cea.exe	84
PID 4788 set thread context of 916	4788	oobeldr.exe	89

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4312	schtasks.exe
800	schtasks.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
1800	e738044641920d634a86955511cd9cea.exe
4788	oobeldr.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1800	e738044641920d634a86955511cd9cea.exe
4788	oobeldr.exe
524	oobeldr.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1800 wrote to memory of 3476	1800	e738044641920d634a86955511cd9cea.exe	84
PID 1800 wrote to memory of 3476	1800	e738044641920d634a86955511cd9cea.exe	84
PID 1800 wrote to memory of 3476	1800	e738044641920d634a86955511cd9cea.exe	84
PID 1800 wrote to memory of 3476	1800	e738044641920d634a86955511cd9cea.exe	84
PID 3476 wrote to memory of 4312	3476	e738044641920d634a86955511cd9cea.exe	85
PID 3476 wrote to memory of 4312	3476	e738044641920d634a86955511cd9cea.exe	85
PID 3476 wrote to memory of 4312	3476	e738044641920d634a86955511cd9cea.exe	85
PID 4788 wrote to memory of 916	4788	oobeldr.exe	89
PID 4788 wrote to memory of 916	4788	oobeldr.exe	89
PID 4788 wrote to memory of 916	4788	oobeldr.exe	89
PID 4788 wrote to memory of 916	4788	oobeldr.exe	89
PID 916 wrote to memory of 800	916	oobeldr.exe	90
PID 916 wrote to memory of 800	916	oobeldr.exe	90
PID 916 wrote to memory of 800	916	oobeldr.exe	90

C:\Users\Admin\AppData\Local\Temp\e738044641920d634a86955511cd9cea.exe
"C:\Users\Admin\AppData\Local\Temp\e738044641920d634a86955511cd9cea.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1800
- C:\Users\Admin\AppData\Local\Temp\e738044641920d634a86955511cd9cea.exe
  "C:\Users\Admin\AppData\Local\Temp\e738044641920d634a86955511cd9cea.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3476
- - C:\Windows\SysWOW64\schtasks.exe
    /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
    3⤵
    - Creates scheduled task(s)
    PID:4312

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4788
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:916
- - C:\Windows\SysWOW64\schtasks.exe
    /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
    3⤵
    - Creates scheduled task(s)
    PID:800

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:524

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
1.2MB

MD5
e738044641920d634a86955511cd9cea

SHA1
f4d4ede94dd53f88127ecc32d8f0152055457853

SHA256
811175647d86a02c077ef4d92cd468ba080c02948de347c38da71ef212ceaec9

SHA512
f52f22ba5676bf51dbba1f5759124ff7c74f95c032bb435908289742ba5d63ff7907acb0e3981928e664a96234972e68714f044e1f5bf638aae377130c3186cd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
1.2MB

MD5
e738044641920d634a86955511cd9cea

SHA1
f4d4ede94dd53f88127ecc32d8f0152055457853

SHA256
811175647d86a02c077ef4d92cd468ba080c02948de347c38da71ef212ceaec9

SHA512
f52f22ba5676bf51dbba1f5759124ff7c74f95c032bb435908289742ba5d63ff7907acb0e3981928e664a96234972e68714f044e1f5bf638aae377130c3186cd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
1.2MB

MD5
e738044641920d634a86955511cd9cea

SHA1
f4d4ede94dd53f88127ecc32d8f0152055457853

SHA256
811175647d86a02c077ef4d92cd468ba080c02948de347c38da71ef212ceaec9

SHA512
f52f22ba5676bf51dbba1f5759124ff7c74f95c032bb435908289742ba5d63ff7907acb0e3981928e664a96234972e68714f044e1f5bf638aae377130c3186cd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
1.2MB

MD5
e738044641920d634a86955511cd9cea

SHA1
f4d4ede94dd53f88127ecc32d8f0152055457853

SHA256
811175647d86a02c077ef4d92cd468ba080c02948de347c38da71ef212ceaec9

SHA512
f52f22ba5676bf51dbba1f5759124ff7c74f95c032bb435908289742ba5d63ff7907acb0e3981928e664a96234972e68714f044e1f5bf638aae377130c3186cd

Download Submit
memory/1800-135-0x0000000000730000-0x0000000000736000-memory.dmp

Filesize
24KB

Download
memory/3476-137-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads