be39930e3c2ce1f2feb23d382557b3d69d92630909ca0b54cab6b48247521f7d

Analysis

max time kernel
273s
max time network
275s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
21-09-2022 10:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

be39930e3c2ce1f2feb23d382557b3d69d92630909ca0b54cab6b48247521f7d.exe
Size

171KB
MD5

2dce3da05acacdf790a0e200206fc921
SHA1

8adc6bc3612ce098a230681655cc4a8eaa0338d4
SHA256

be39930e3c2ce1f2feb23d382557b3d69d92630909ca0b54cab6b48247521f7d
SHA512

762bf52c8ba86d7e4d6ca5aafaa94fefbe4ed23eb07e01e30620c52e00cc9a7d94b36042b4098ddd0c2bb01b84553d2a0d365e2db1fab6a0d1ad7344d38d9c7a
SSDEEP

1536:GVS32qHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHU//rT//j:LVMMMZMMMMMMMMMMMMz

Score

8^/10

agilenet

Malware Config

Signatures

Executes dropped EXE 10 IoCs

Processes:

oobeldr.exeoobeldr.exeoobeldr.exeoobeldr.exeoobeldr.exeoobeldr.exeoobeldr.exeoobeldr.exeoobeldr.exeoobeldr.exe

pid	process
4712	oobeldr.exe
2116	oobeldr.exe
1144	oobeldr.exe
4504	oobeldr.exe
1320	oobeldr.exe
5036	oobeldr.exe
3632	oobeldr.exe
1148	oobeldr.exe
4392	oobeldr.exe
508	oobeldr.exe

Obfuscated with Agile.Net obfuscator 12 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral2/memory/3836-151-0x0000000000DF0000-0x0000000000E20000-memory.dmp	agile_net
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe	agile_net
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe	agile_net
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe	agile_net
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe	agile_net
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe	agile_net
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe	agile_net
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe	agile_net
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe	agile_net
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe	agile_net
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe	agile_net
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe	agile_net

Suspicious use of SetThreadContext 5 IoCs

Processes:

be39930e3c2ce1f2feb23d382557b3d69d92630909ca0b54cab6b48247521f7d.exeoobeldr.exeoobeldr.exeoobeldr.exeoobeldr.exe

description	pid	process	target process
PID 3836 set thread context of 4524	3836	be39930e3c2ce1f2feb23d382557b3d69d92630909ca0b54cab6b48247521f7d.exe	be39930e3c2ce1f2feb23d382557b3d69d92630909ca0b54cab6b48247521f7d.exe
PID 4712 set thread context of 2116	4712	oobeldr.exe	oobeldr.exe
PID 1144 set thread context of 4504	1144	oobeldr.exe	oobeldr.exe
PID 1320 set thread context of 1148	1320	oobeldr.exe	oobeldr.exe
PID 4392 set thread context of 508	4392	oobeldr.exe	oobeldr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

5084 schtasks.exe
4828 schtasks.exe

pid	process
5084	schtasks.exe
4828	schtasks.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

Processes:

powershell.exebe39930e3c2ce1f2feb23d382557b3d69d92630909ca0b54cab6b48247521f7d.exepowershell.exeoobeldr.exepowershell.exeoobeldr.exepowershell.exeoobeldr.exepowershell.exeoobeldr.exe

pid	process
3624	powershell.exe
3624	powershell.exe
3624	powershell.exe
3836	be39930e3c2ce1f2feb23d382557b3d69d92630909ca0b54cab6b48247521f7d.exe
3836	be39930e3c2ce1f2feb23d382557b3d69d92630909ca0b54cab6b48247521f7d.exe
3836	be39930e3c2ce1f2feb23d382557b3d69d92630909ca0b54cab6b48247521f7d.exe
3836	be39930e3c2ce1f2feb23d382557b3d69d92630909ca0b54cab6b48247521f7d.exe
3836	be39930e3c2ce1f2feb23d382557b3d69d92630909ca0b54cab6b48247521f7d.exe
3836	be39930e3c2ce1f2feb23d382557b3d69d92630909ca0b54cab6b48247521f7d.exe
3836	be39930e3c2ce1f2feb23d382557b3d69d92630909ca0b54cab6b48247521f7d.exe
3836	be39930e3c2ce1f2feb23d382557b3d69d92630909ca0b54cab6b48247521f7d.exe
3328	powershell.exe
3328	powershell.exe
3328	powershell.exe
4712	oobeldr.exe
4712	oobeldr.exe
3896	powershell.exe
3896	powershell.exe
3896	powershell.exe
1144	oobeldr.exe
1144	oobeldr.exe
3852	powershell.exe
3852	powershell.exe
3852	powershell.exe
1320	oobeldr.exe
1320	oobeldr.exe
1320	oobeldr.exe
1320	oobeldr.exe
1320	oobeldr.exe
1320	oobeldr.exe
4944	powershell.exe
4944	powershell.exe
4944	powershell.exe
4392	oobeldr.exe
4392	oobeldr.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

be39930e3c2ce1f2feb23d382557b3d69d92630909ca0b54cab6b48247521f7d.exepowershell.exeoobeldr.exepowershell.exeoobeldr.exepowershell.exeoobeldr.exepowershell.exeoobeldr.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3836	be39930e3c2ce1f2feb23d382557b3d69d92630909ca0b54cab6b48247521f7d.exe
Token: SeDebugPrivilege	3624	powershell.exe
Token: SeDebugPrivilege	4712	oobeldr.exe
Token: SeDebugPrivilege	3328	powershell.exe
Token: SeDebugPrivilege	1144	oobeldr.exe
Token: SeDebugPrivilege	3896	powershell.exe
Token: SeDebugPrivilege	1320	oobeldr.exe
Token: SeDebugPrivilege	3852	powershell.exe
Token: SeDebugPrivilege	4392	oobeldr.exe
Token: SeDebugPrivilege	4944	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

be39930e3c2ce1f2feb23d382557b3d69d92630909ca0b54cab6b48247521f7d.exebe39930e3c2ce1f2feb23d382557b3d69d92630909ca0b54cab6b48247521f7d.exeoobeldr.exeoobeldr.exeoobeldr.exeoobeldr.exe

description	pid	process	target process
PID 3836 wrote to memory of 3624	3836	be39930e3c2ce1f2feb23d382557b3d69d92630909ca0b54cab6b48247521f7d.exe	powershell.exe
PID 3836 wrote to memory of 3624	3836	be39930e3c2ce1f2feb23d382557b3d69d92630909ca0b54cab6b48247521f7d.exe	powershell.exe
PID 3836 wrote to memory of 3624	3836	be39930e3c2ce1f2feb23d382557b3d69d92630909ca0b54cab6b48247521f7d.exe	powershell.exe
PID 3836 wrote to memory of 4000	3836	be39930e3c2ce1f2feb23d382557b3d69d92630909ca0b54cab6b48247521f7d.exe	be39930e3c2ce1f2feb23d382557b3d69d92630909ca0b54cab6b48247521f7d.exe
PID 3836 wrote to memory of 4000	3836	be39930e3c2ce1f2feb23d382557b3d69d92630909ca0b54cab6b48247521f7d.exe	be39930e3c2ce1f2feb23d382557b3d69d92630909ca0b54cab6b48247521f7d.exe
PID 3836 wrote to memory of 4000	3836	be39930e3c2ce1f2feb23d382557b3d69d92630909ca0b54cab6b48247521f7d.exe	be39930e3c2ce1f2feb23d382557b3d69d92630909ca0b54cab6b48247521f7d.exe
PID 3836 wrote to memory of 3920	3836	be39930e3c2ce1f2feb23d382557b3d69d92630909ca0b54cab6b48247521f7d.exe	be39930e3c2ce1f2feb23d382557b3d69d92630909ca0b54cab6b48247521f7d.exe
PID 3836 wrote to memory of 3920	3836	be39930e3c2ce1f2feb23d382557b3d69d92630909ca0b54cab6b48247521f7d.exe	be39930e3c2ce1f2feb23d382557b3d69d92630909ca0b54cab6b48247521f7d.exe
PID 3836 wrote to memory of 3920	3836	be39930e3c2ce1f2feb23d382557b3d69d92630909ca0b54cab6b48247521f7d.exe	be39930e3c2ce1f2feb23d382557b3d69d92630909ca0b54cab6b48247521f7d.exe
PID 3836 wrote to memory of 4540	3836	be39930e3c2ce1f2feb23d382557b3d69d92630909ca0b54cab6b48247521f7d.exe	be39930e3c2ce1f2feb23d382557b3d69d92630909ca0b54cab6b48247521f7d.exe
PID 3836 wrote to memory of 4540	3836	be39930e3c2ce1f2feb23d382557b3d69d92630909ca0b54cab6b48247521f7d.exe	be39930e3c2ce1f2feb23d382557b3d69d92630909ca0b54cab6b48247521f7d.exe
PID 3836 wrote to memory of 4540	3836	be39930e3c2ce1f2feb23d382557b3d69d92630909ca0b54cab6b48247521f7d.exe	be39930e3c2ce1f2feb23d382557b3d69d92630909ca0b54cab6b48247521f7d.exe
PID 3836 wrote to memory of 4524	3836	be39930e3c2ce1f2feb23d382557b3d69d92630909ca0b54cab6b48247521f7d.exe	be39930e3c2ce1f2feb23d382557b3d69d92630909ca0b54cab6b48247521f7d.exe
PID 3836 wrote to memory of 4524	3836	be39930e3c2ce1f2feb23d382557b3d69d92630909ca0b54cab6b48247521f7d.exe	be39930e3c2ce1f2feb23d382557b3d69d92630909ca0b54cab6b48247521f7d.exe
PID 3836 wrote to memory of 4524	3836	be39930e3c2ce1f2feb23d382557b3d69d92630909ca0b54cab6b48247521f7d.exe	be39930e3c2ce1f2feb23d382557b3d69d92630909ca0b54cab6b48247521f7d.exe
PID 3836 wrote to memory of 4524	3836	be39930e3c2ce1f2feb23d382557b3d69d92630909ca0b54cab6b48247521f7d.exe	be39930e3c2ce1f2feb23d382557b3d69d92630909ca0b54cab6b48247521f7d.exe
PID 3836 wrote to memory of 4524	3836	be39930e3c2ce1f2feb23d382557b3d69d92630909ca0b54cab6b48247521f7d.exe	be39930e3c2ce1f2feb23d382557b3d69d92630909ca0b54cab6b48247521f7d.exe
PID 3836 wrote to memory of 4524	3836	be39930e3c2ce1f2feb23d382557b3d69d92630909ca0b54cab6b48247521f7d.exe	be39930e3c2ce1f2feb23d382557b3d69d92630909ca0b54cab6b48247521f7d.exe
PID 3836 wrote to memory of 4524	3836	be39930e3c2ce1f2feb23d382557b3d69d92630909ca0b54cab6b48247521f7d.exe	be39930e3c2ce1f2feb23d382557b3d69d92630909ca0b54cab6b48247521f7d.exe
PID 3836 wrote to memory of 4524	3836	be39930e3c2ce1f2feb23d382557b3d69d92630909ca0b54cab6b48247521f7d.exe	be39930e3c2ce1f2feb23d382557b3d69d92630909ca0b54cab6b48247521f7d.exe
PID 4524 wrote to memory of 5084	4524	be39930e3c2ce1f2feb23d382557b3d69d92630909ca0b54cab6b48247521f7d.exe	schtasks.exe
PID 4524 wrote to memory of 5084	4524	be39930e3c2ce1f2feb23d382557b3d69d92630909ca0b54cab6b48247521f7d.exe	schtasks.exe
PID 4524 wrote to memory of 5084	4524	be39930e3c2ce1f2feb23d382557b3d69d92630909ca0b54cab6b48247521f7d.exe	schtasks.exe
PID 4712 wrote to memory of 3328	4712	oobeldr.exe	powershell.exe
PID 4712 wrote to memory of 3328	4712	oobeldr.exe	powershell.exe
PID 4712 wrote to memory of 3328	4712	oobeldr.exe	powershell.exe
PID 4712 wrote to memory of 2116	4712	oobeldr.exe	oobeldr.exe
PID 4712 wrote to memory of 2116	4712	oobeldr.exe	oobeldr.exe
PID 4712 wrote to memory of 2116	4712	oobeldr.exe	oobeldr.exe
PID 4712 wrote to memory of 2116	4712	oobeldr.exe	oobeldr.exe
PID 4712 wrote to memory of 2116	4712	oobeldr.exe	oobeldr.exe
PID 4712 wrote to memory of 2116	4712	oobeldr.exe	oobeldr.exe
PID 4712 wrote to memory of 2116	4712	oobeldr.exe	oobeldr.exe
PID 4712 wrote to memory of 2116	4712	oobeldr.exe	oobeldr.exe
PID 2116 wrote to memory of 4828	2116	oobeldr.exe	schtasks.exe
PID 2116 wrote to memory of 4828	2116	oobeldr.exe	schtasks.exe
PID 2116 wrote to memory of 4828	2116	oobeldr.exe	schtasks.exe
PID 1144 wrote to memory of 3896	1144	oobeldr.exe	powershell.exe
PID 1144 wrote to memory of 3896	1144	oobeldr.exe	powershell.exe
PID 1144 wrote to memory of 3896	1144	oobeldr.exe	powershell.exe
PID 1144 wrote to memory of 4504	1144	oobeldr.exe	oobeldr.exe
PID 1144 wrote to memory of 4504	1144	oobeldr.exe	oobeldr.exe
PID 1144 wrote to memory of 4504	1144	oobeldr.exe	oobeldr.exe
PID 1144 wrote to memory of 4504	1144	oobeldr.exe	oobeldr.exe
PID 1144 wrote to memory of 4504	1144	oobeldr.exe	oobeldr.exe
PID 1144 wrote to memory of 4504	1144	oobeldr.exe	oobeldr.exe
PID 1144 wrote to memory of 4504	1144	oobeldr.exe	oobeldr.exe
PID 1144 wrote to memory of 4504	1144	oobeldr.exe	oobeldr.exe
PID 1320 wrote to memory of 3852	1320	oobeldr.exe	powershell.exe
PID 1320 wrote to memory of 3852	1320	oobeldr.exe	powershell.exe
PID 1320 wrote to memory of 3852	1320	oobeldr.exe	powershell.exe
PID 1320 wrote to memory of 5036	1320	oobeldr.exe	oobeldr.exe
PID 1320 wrote to memory of 5036	1320	oobeldr.exe	oobeldr.exe
PID 1320 wrote to memory of 5036	1320	oobeldr.exe	oobeldr.exe
PID 1320 wrote to memory of 3632	1320	oobeldr.exe	oobeldr.exe
PID 1320 wrote to memory of 3632	1320	oobeldr.exe	oobeldr.exe
PID 1320 wrote to memory of 3632	1320	oobeldr.exe	oobeldr.exe
PID 1320 wrote to memory of 1148	1320	oobeldr.exe	oobeldr.exe
PID 1320 wrote to memory of 1148	1320	oobeldr.exe	oobeldr.exe
PID 1320 wrote to memory of 1148	1320	oobeldr.exe	oobeldr.exe
PID 1320 wrote to memory of 1148	1320	oobeldr.exe	oobeldr.exe
PID 1320 wrote to memory of 1148	1320	oobeldr.exe	oobeldr.exe
PID 1320 wrote to memory of 1148	1320	oobeldr.exe	oobeldr.exe
PID 1320 wrote to memory of 1148	1320	oobeldr.exe	oobeldr.exe

C:\Users\Admin\AppData\Local\Temp\be39930e3c2ce1f2feb23d382557b3d69d92630909ca0b54cab6b48247521f7d.exe
"C:\Users\Admin\AppData\Local\Temp\be39930e3c2ce1f2feb23d382557b3d69d92630909ca0b54cab6b48247521f7d.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3836

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQA1AA==
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3624

C:\Users\Admin\AppData\Local\Temp\be39930e3c2ce1f2feb23d382557b3d69d92630909ca0b54cab6b48247521f7d.exe
C:\Users\Admin\AppData\Local\Temp\be39930e3c2ce1f2feb23d382557b3d69d92630909ca0b54cab6b48247521f7d.exe
2⤵
PID:4000

C:\Users\Admin\AppData\Local\Temp\be39930e3c2ce1f2feb23d382557b3d69d92630909ca0b54cab6b48247521f7d.exe
C:\Users\Admin\AppData\Local\Temp\be39930e3c2ce1f2feb23d382557b3d69d92630909ca0b54cab6b48247521f7d.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:4524

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
3⤵
- Creates scheduled task(s)
PID:5084

C:\Users\Admin\AppData\Local\Temp\be39930e3c2ce1f2feb23d382557b3d69d92630909ca0b54cab6b48247521f7d.exe
C:\Users\Admin\AppData\Local\Temp\be39930e3c2ce1f2feb23d382557b3d69d92630909ca0b54cab6b48247521f7d.exe
2⤵
PID:4540

C:\Users\Admin\AppData\Local\Temp\be39930e3c2ce1f2feb23d382557b3d69d92630909ca0b54cab6b48247521f7d.exe
C:\Users\Admin\AppData\Local\Temp\be39930e3c2ce1f2feb23d382557b3d69d92630909ca0b54cab6b48247521f7d.exe
2⤵
PID:3920

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4712

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQA1AA==
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3328

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2116

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
3⤵
- Creates scheduled task(s)
PID:4828

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1144

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQA1AA==
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3896

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
2⤵
- Executes dropped EXE
PID:4504

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1320

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQA1AA==
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3852

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
2⤵
- Executes dropped EXE
PID:5036

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
2⤵
- Executes dropped EXE
PID:3632

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
2⤵
- Executes dropped EXE
PID:1148

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4392

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQA1AA==
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4944

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
2⤵
- Executes dropped EXE
PID:508

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\oobeldr.exe.log
Filesize
1KB

MD5
94783fcf58c98f5ea0b416f441ad15eb

SHA1
979a7c39c6a5dbed314bc41a22c4ccdca6db206b

SHA256
117df0a0e80abf166ef148863dd82ba9e75c05b38ed3979d048f5fcc848ef905

SHA512
9301306461cb978e91761b24b1d04339c2bff71771431987cd8dc373387c12feb81dbdbf272da1f7c045eade4ffff1976885ca705ca7cf9a40a6c4a7553aa06c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
1KB

MD5
66382a4ca6c4dcf75ce41417d44be93e

SHA1
8132cbef1c12f8a89a68a6153ade4286bf130812

SHA256
a70acce0f4c6ab59b88ce79d84c38d4abffe19b72b033250499b17d788a2db56

SHA512
2bf66f2850f4a65220085c55a5b3c8866453104d78fe516e5bd6e3e47df783062ce4ea10de580f2eb0274ac8c3ce71965201c49ef55a78f307731ccc8600aadc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
45KB

MD5
5f640bd48e2547b4c1a7421f080f815f

SHA1
a8f4a743f5b7da5cba7b8e6fb1d7ad4d67fefc6a

SHA256
916c83c7c8d059aea295523b8b3f24e1e2436df894f7fae26c47c9bad04baa9c

SHA512
a6ac100a351946b1bbb40c98aeda6e16e12f90f81063aff08c16d4d9afec8ed65c2cbcf25b42946627d67653f75740b1137dab625c99e9492ba35aba68b79a8e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
15KB

MD5
9cf121b65e6a4780faa3ab174287aa65

SHA1
20d8743c996fdf21586bb062350ed6281b0d7c8a

SHA256
0652c14963a4c859d1e5c480d1d6293feccc787d32df83e1c6d76eec343bc82a

SHA512
9e78b4eea1f1ea7514b7dd66688f9850ba4ca3a53129c490a5719fd14bcae45a24f130089e519d11392c27c2cceec62ba8b869d1e6fb5ba03f4095f0a0fd0ee6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
16KB

MD5
6e977ffdfa65dcdc5740774159e29050

SHA1
3be81cae9db027b03dd5496feb76a881d4b3989f

SHA256
438d88f492ac8bcbcb173243d89f4bc30b7d498be14c41ac70cab587d33a3ee4

SHA512
562ead238b6d06be0d52210bf0615d698474b6ea2ebd518dc9367ca1865d61b5360b7447ff3508e30ec755083f910b81e5ceaf839ed73e73311dca79eba127e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
15KB

MD5
107b7529fb3144099ea100ef585d7637

SHA1
090d3cce6204336766196289143bca797a5b51f3

SHA256
349d18507f3d966686f4ed12d1b814a8ee01fe6f7f37313e8ce593b0c88fce06

SHA512
bd1fb73c7c07ecb6e8be7a0db8398d9097b5a47831b7170d371f9a5de5396f3bdc781a400cd52aa1527e35ead15a11297006ccac5b90e2a51f7ac770bc3ae5fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
15KB

MD5
8d5b36d68ecbab6e368fa4ab6594ff2c

SHA1
c8dabc9e02426d259d6edfa6526d09c503daa841

SHA256
dc685e9befe0c1623d1f0a8d432747554e94f05a04ea777600e3d27e2800572b

SHA512
62d2f2f6681e500986a78a2848aaa3498d0207dca67586fa952000dd59bea80b76df9bf7374c62318fad9917d44a0da50541f7a7cc523cb0bdea91acc8f712ee

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
Filesize
171KB

MD5
2dce3da05acacdf790a0e200206fc921

SHA1
8adc6bc3612ce098a230681655cc4a8eaa0338d4

SHA256
be39930e3c2ce1f2feb23d382557b3d69d92630909ca0b54cab6b48247521f7d

SHA512
762bf52c8ba86d7e4d6ca5aafaa94fefbe4ed23eb07e01e30620c52e00cc9a7d94b36042b4098ddd0c2bb01b84553d2a0d365e2db1fab6a0d1ad7344d38d9c7a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
Filesize
171KB

MD5
2dce3da05acacdf790a0e200206fc921

SHA1
8adc6bc3612ce098a230681655cc4a8eaa0338d4

SHA256
be39930e3c2ce1f2feb23d382557b3d69d92630909ca0b54cab6b48247521f7d

SHA512
762bf52c8ba86d7e4d6ca5aafaa94fefbe4ed23eb07e01e30620c52e00cc9a7d94b36042b4098ddd0c2bb01b84553d2a0d365e2db1fab6a0d1ad7344d38d9c7a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
Filesize
171KB

MD5
2dce3da05acacdf790a0e200206fc921

SHA1
8adc6bc3612ce098a230681655cc4a8eaa0338d4

SHA256
be39930e3c2ce1f2feb23d382557b3d69d92630909ca0b54cab6b48247521f7d

SHA512
762bf52c8ba86d7e4d6ca5aafaa94fefbe4ed23eb07e01e30620c52e00cc9a7d94b36042b4098ddd0c2bb01b84553d2a0d365e2db1fab6a0d1ad7344d38d9c7a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
Filesize
171KB

MD5
2dce3da05acacdf790a0e200206fc921

SHA1
8adc6bc3612ce098a230681655cc4a8eaa0338d4

SHA256
be39930e3c2ce1f2feb23d382557b3d69d92630909ca0b54cab6b48247521f7d

SHA512
762bf52c8ba86d7e4d6ca5aafaa94fefbe4ed23eb07e01e30620c52e00cc9a7d94b36042b4098ddd0c2bb01b84553d2a0d365e2db1fab6a0d1ad7344d38d9c7a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
Filesize
171KB

MD5
2dce3da05acacdf790a0e200206fc921

SHA1
8adc6bc3612ce098a230681655cc4a8eaa0338d4

SHA256
be39930e3c2ce1f2feb23d382557b3d69d92630909ca0b54cab6b48247521f7d

SHA512
762bf52c8ba86d7e4d6ca5aafaa94fefbe4ed23eb07e01e30620c52e00cc9a7d94b36042b4098ddd0c2bb01b84553d2a0d365e2db1fab6a0d1ad7344d38d9c7a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
Filesize
171KB

MD5
2dce3da05acacdf790a0e200206fc921

SHA1
8adc6bc3612ce098a230681655cc4a8eaa0338d4

SHA256
be39930e3c2ce1f2feb23d382557b3d69d92630909ca0b54cab6b48247521f7d

SHA512
762bf52c8ba86d7e4d6ca5aafaa94fefbe4ed23eb07e01e30620c52e00cc9a7d94b36042b4098ddd0c2bb01b84553d2a0d365e2db1fab6a0d1ad7344d38d9c7a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
Filesize
171KB

MD5
2dce3da05acacdf790a0e200206fc921

SHA1
8adc6bc3612ce098a230681655cc4a8eaa0338d4

SHA256
be39930e3c2ce1f2feb23d382557b3d69d92630909ca0b54cab6b48247521f7d

SHA512
762bf52c8ba86d7e4d6ca5aafaa94fefbe4ed23eb07e01e30620c52e00cc9a7d94b36042b4098ddd0c2bb01b84553d2a0d365e2db1fab6a0d1ad7344d38d9c7a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
Filesize
171KB

MD5
2dce3da05acacdf790a0e200206fc921

SHA1
8adc6bc3612ce098a230681655cc4a8eaa0338d4

SHA256
be39930e3c2ce1f2feb23d382557b3d69d92630909ca0b54cab6b48247521f7d

SHA512
762bf52c8ba86d7e4d6ca5aafaa94fefbe4ed23eb07e01e30620c52e00cc9a7d94b36042b4098ddd0c2bb01b84553d2a0d365e2db1fab6a0d1ad7344d38d9c7a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
Filesize
171KB

MD5
2dce3da05acacdf790a0e200206fc921

SHA1
8adc6bc3612ce098a230681655cc4a8eaa0338d4

SHA256
be39930e3c2ce1f2feb23d382557b3d69d92630909ca0b54cab6b48247521f7d

SHA512
762bf52c8ba86d7e4d6ca5aafaa94fefbe4ed23eb07e01e30620c52e00cc9a7d94b36042b4098ddd0c2bb01b84553d2a0d365e2db1fab6a0d1ad7344d38d9c7a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
Filesize
171KB

MD5
2dce3da05acacdf790a0e200206fc921

SHA1
8adc6bc3612ce098a230681655cc4a8eaa0338d4

SHA256
be39930e3c2ce1f2feb23d382557b3d69d92630909ca0b54cab6b48247521f7d

SHA512
762bf52c8ba86d7e4d6ca5aafaa94fefbe4ed23eb07e01e30620c52e00cc9a7d94b36042b4098ddd0c2bb01b84553d2a0d365e2db1fab6a0d1ad7344d38d9c7a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
Filesize
171KB

MD5
2dce3da05acacdf790a0e200206fc921

SHA1
8adc6bc3612ce098a230681655cc4a8eaa0338d4

SHA256
be39930e3c2ce1f2feb23d382557b3d69d92630909ca0b54cab6b48247521f7d

SHA512
762bf52c8ba86d7e4d6ca5aafaa94fefbe4ed23eb07e01e30620c52e00cc9a7d94b36042b4098ddd0c2bb01b84553d2a0d365e2db1fab6a0d1ad7344d38d9c7a

Download Submit
memory/508-1126-0x0000000000402354-mapping.dmp

Download
memory/1144-634-0x0000000008780000-0x0000000008AD0000-memory.dmp

Filesize
3.3MB

Download
memory/1148-929-0x0000000000402354-mapping.dmp

Download
memory/2116-511-0x0000000000402354-mapping.dmp

Download
memory/3328-427-0x0000000000000000-mapping.dmp

Download
memory/3624-202-0x0000000000000000-mapping.dmp

Download
memory/3624-282-0x0000000009DB0000-0x000000000A428000-memory.dmp

Filesize
6.5MB

Download
memory/3624-283-0x00000000094C0000-0x00000000094DA000-memory.dmp

Filesize
104KB

Download
memory/3624-271-0x0000000008760000-0x00000000087D6000-memory.dmp

Filesize
472KB

Download
memory/3624-267-0x0000000008690000-0x00000000086DB000-memory.dmp

Filesize
300KB

Download
memory/3624-266-0x0000000007DE0000-0x0000000007DFC000-memory.dmp

Filesize
112KB

Download
memory/3624-263-0x0000000007E60000-0x0000000007EC6000-memory.dmp

Filesize
408KB

Download
memory/3624-261-0x0000000007C80000-0x0000000007CE6000-memory.dmp

Filesize
408KB

Download
memory/3624-243-0x00000000075E0000-0x0000000007C08000-memory.dmp

Filesize
6.2MB

Download
memory/3624-238-0x0000000006F70000-0x0000000006FA6000-memory.dmp

Filesize
216KB

Download
memory/3836-172-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3836-148-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3836-150-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3836-154-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3836-156-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3836-155-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3836-157-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3836-158-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3836-159-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3836-161-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3836-163-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3836-162-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3836-164-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3836-160-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3836-165-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3836-166-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3836-168-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3836-167-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3836-169-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3836-170-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3836-171-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3836-118-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3836-173-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3836-174-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3836-175-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3836-176-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3836-178-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3836-179-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3836-177-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3836-180-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3836-181-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3836-182-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3836-186-0x00000000090D0000-0x000000000917A000-memory.dmp

Filesize
680KB

Download
memory/3836-187-0x0000000009200000-0x0000000009292000-memory.dmp

Filesize
584KB

Download
memory/3836-188-0x00000000092E0000-0x0000000009302000-memory.dmp

Filesize
136KB

Download
memory/3836-190-0x0000000009310000-0x0000000009660000-memory.dmp

Filesize
3.3MB

Download
memory/3836-153-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3836-152-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3836-149-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3836-151-0x0000000000DF0000-0x0000000000E20000-memory.dmp

Filesize
192KB

Download
memory/3836-147-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3836-146-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3836-145-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3836-144-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3836-143-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3836-142-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3836-119-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3836-120-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3836-121-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3836-141-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3836-140-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3836-139-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3836-137-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3836-138-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3836-136-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3836-135-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3836-134-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3836-122-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3836-133-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3836-132-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3836-131-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3836-123-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3836-130-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3836-124-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3836-125-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3836-129-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3836-128-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3836-126-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3836-127-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3852-844-0x0000000000000000-mapping.dmp

Download
memory/3896-709-0x0000000008A80000-0x0000000008ACB000-memory.dmp

Filesize
300KB

Download
memory/3896-646-0x0000000000000000-mapping.dmp

Download
memory/4504-730-0x0000000000402354-mapping.dmp

Download
memory/4524-342-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/4524-290-0x0000000000402354-mapping.dmp

Download
memory/4828-545-0x0000000000000000-mapping.dmp

Download
memory/4944-1043-0x0000000000000000-mapping.dmp

Download
memory/5084-324-0x0000000000000000-mapping.dmp

Download