bf8768d733e30c21fd2727e833a6d092703fd60f62c64cdb37ed91c2456679a7

Analysis

max time kernel
135s
max time network
109s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
31-10-2022 22:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bf8768d733e30c21fd2727e833a6d092703fd60f62c64cdb37ed91c2456679a7.exe
Size

322KB
MD5

ba1c2f5f5efdbd8de98a8b6bcac4741f
SHA1

b920891cd38337424effad4625b7d4c4b4b2e39a
SHA256

bf8768d733e30c21fd2727e833a6d092703fd60f62c64cdb37ed91c2456679a7
SHA512

1b0eb0733935b2cc7c986c32160349e01e47b24d2a37bded8b1ae04048e928c1acbe12faef799bad3f6d3f9c3285f646f98dbb1c68a554232269d4d8a2fb3cc3
SSDEEP

6144:eKlzr1sYCzek2ciDaP9Xk6Ln1W8W/9InBSkZZmLdGcAdgdY6RKpjS:eGhQ2ciDq9ZL1W8q9InBRqELdolRKpj

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 8 IoCs

pid	Process
2948	oobeldr.exe
548	oobeldr.exe
1484	oobeldr.exe
4592	oobeldr.exe
4356	oobeldr.exe
2304	oobeldr.exe
4116	oobeldr.exe
1792	oobeldr.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 3116 set thread context of 2316	3116	bf8768d733e30c21fd2727e833a6d092703fd60f62c64cdb37ed91c2456679a7.exe	80
PID 2948 set thread context of 4592	2948	oobeldr.exe	90
PID 4356 set thread context of 2304	4356	oobeldr.exe	98
PID 4116 set thread context of 1792	4116	oobeldr.exe	100

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4984	schtasks.exe
212	schtasks.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 3116 wrote to memory of 2316	3116	bf8768d733e30c21fd2727e833a6d092703fd60f62c64cdb37ed91c2456679a7.exe	80
PID 3116 wrote to memory of 2316	3116	bf8768d733e30c21fd2727e833a6d092703fd60f62c64cdb37ed91c2456679a7.exe	80
PID 3116 wrote to memory of 2316	3116	bf8768d733e30c21fd2727e833a6d092703fd60f62c64cdb37ed91c2456679a7.exe	80
PID 3116 wrote to memory of 2316	3116	bf8768d733e30c21fd2727e833a6d092703fd60f62c64cdb37ed91c2456679a7.exe	80
PID 3116 wrote to memory of 2316	3116	bf8768d733e30c21fd2727e833a6d092703fd60f62c64cdb37ed91c2456679a7.exe	80
PID 3116 wrote to memory of 2316	3116	bf8768d733e30c21fd2727e833a6d092703fd60f62c64cdb37ed91c2456679a7.exe	80
PID 3116 wrote to memory of 2316	3116	bf8768d733e30c21fd2727e833a6d092703fd60f62c64cdb37ed91c2456679a7.exe	80
PID 3116 wrote to memory of 2316	3116	bf8768d733e30c21fd2727e833a6d092703fd60f62c64cdb37ed91c2456679a7.exe	80
PID 3116 wrote to memory of 2316	3116	bf8768d733e30c21fd2727e833a6d092703fd60f62c64cdb37ed91c2456679a7.exe	80
PID 2316 wrote to memory of 4984	2316	bf8768d733e30c21fd2727e833a6d092703fd60f62c64cdb37ed91c2456679a7.exe	81
PID 2316 wrote to memory of 4984	2316	bf8768d733e30c21fd2727e833a6d092703fd60f62c64cdb37ed91c2456679a7.exe	81
PID 2316 wrote to memory of 4984	2316	bf8768d733e30c21fd2727e833a6d092703fd60f62c64cdb37ed91c2456679a7.exe	81
PID 2948 wrote to memory of 548	2948	oobeldr.exe	84
PID 2948 wrote to memory of 548	2948	oobeldr.exe	84
PID 2948 wrote to memory of 548	2948	oobeldr.exe	84
PID 2948 wrote to memory of 1484	2948	oobeldr.exe	85
PID 2948 wrote to memory of 1484	2948	oobeldr.exe	85
PID 2948 wrote to memory of 1484	2948	oobeldr.exe	85
PID 2948 wrote to memory of 4592	2948	oobeldr.exe	90
PID 2948 wrote to memory of 4592	2948	oobeldr.exe	90
PID 2948 wrote to memory of 4592	2948	oobeldr.exe	90
PID 2948 wrote to memory of 4592	2948	oobeldr.exe	90
PID 2948 wrote to memory of 4592	2948	oobeldr.exe	90
PID 2948 wrote to memory of 4592	2948	oobeldr.exe	90
PID 2948 wrote to memory of 4592	2948	oobeldr.exe	90
PID 2948 wrote to memory of 4592	2948	oobeldr.exe	90
PID 2948 wrote to memory of 4592	2948	oobeldr.exe	90
PID 4592 wrote to memory of 212	4592	oobeldr.exe	92
PID 4592 wrote to memory of 212	4592	oobeldr.exe	92
PID 4592 wrote to memory of 212	4592	oobeldr.exe	92
PID 4356 wrote to memory of 2304	4356	oobeldr.exe	98
PID 4356 wrote to memory of 2304	4356	oobeldr.exe	98
PID 4356 wrote to memory of 2304	4356	oobeldr.exe	98
PID 4356 wrote to memory of 2304	4356	oobeldr.exe	98
PID 4356 wrote to memory of 2304	4356	oobeldr.exe	98
PID 4356 wrote to memory of 2304	4356	oobeldr.exe	98
PID 4356 wrote to memory of 2304	4356	oobeldr.exe	98
PID 4356 wrote to memory of 2304	4356	oobeldr.exe	98
PID 4356 wrote to memory of 2304	4356	oobeldr.exe	98
PID 4116 wrote to memory of 1792	4116	oobeldr.exe	100
PID 4116 wrote to memory of 1792	4116	oobeldr.exe	100
PID 4116 wrote to memory of 1792	4116	oobeldr.exe	100
PID 4116 wrote to memory of 1792	4116	oobeldr.exe	100
PID 4116 wrote to memory of 1792	4116	oobeldr.exe	100
PID 4116 wrote to memory of 1792	4116	oobeldr.exe	100
PID 4116 wrote to memory of 1792	4116	oobeldr.exe	100
PID 4116 wrote to memory of 1792	4116	oobeldr.exe	100
PID 4116 wrote to memory of 1792	4116	oobeldr.exe	100

C:\Users\Admin\AppData\Local\Temp\bf8768d733e30c21fd2727e833a6d092703fd60f62c64cdb37ed91c2456679a7.exe
"C:\Users\Admin\AppData\Local\Temp\bf8768d733e30c21fd2727e833a6d092703fd60f62c64cdb37ed91c2456679a7.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3116
- C:\Users\Admin\AppData\Local\Temp\bf8768d733e30c21fd2727e833a6d092703fd60f62c64cdb37ed91c2456679a7.exe
  C:\Users\Admin\AppData\Local\Temp\bf8768d733e30c21fd2727e833a6d092703fd60f62c64cdb37ed91c2456679a7.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2316
- - C:\Windows\SysWOW64\schtasks.exe
    /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
    3⤵
    - Creates scheduled task(s)
    PID:4984

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2948
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  - Executes dropped EXE
  PID:548
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  - Executes dropped EXE
  PID:1484
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4592
- - C:\Windows\SysWOW64\schtasks.exe
    /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
    3⤵
    - Creates scheduled task(s)
    PID:212

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4356
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  - Executes dropped EXE
  PID:2304

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4116
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  - Executes dropped EXE
  PID:1792

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\oobeldr.exe.log

Filesize
789B

MD5
03d2df1e8834bc4ec1756735429b458c

SHA1
4ee6c0f5b04c8e0c5076219c5724032daab11d40

SHA256
745ab70552d9a0463b791fd8dc1942838ac3e34fb1a68f09ed3766c7e3b05631

SHA512
2482c3d4478125ccbc7f224f50e86b7bf925ed438b59f4dce57b9b6bcdb59df51417049096b131b6b911173550eed98bc92aba7050861de303a692f0681b197b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
322KB

MD5
ba1c2f5f5efdbd8de98a8b6bcac4741f

SHA1
b920891cd38337424effad4625b7d4c4b4b2e39a

SHA256
bf8768d733e30c21fd2727e833a6d092703fd60f62c64cdb37ed91c2456679a7

SHA512
1b0eb0733935b2cc7c986c32160349e01e47b24d2a37bded8b1ae04048e928c1acbe12faef799bad3f6d3f9c3285f646f98dbb1c68a554232269d4d8a2fb3cc3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
322KB

MD5
ba1c2f5f5efdbd8de98a8b6bcac4741f

SHA1
b920891cd38337424effad4625b7d4c4b4b2e39a

SHA256
bf8768d733e30c21fd2727e833a6d092703fd60f62c64cdb37ed91c2456679a7

SHA512
1b0eb0733935b2cc7c986c32160349e01e47b24d2a37bded8b1ae04048e928c1acbe12faef799bad3f6d3f9c3285f646f98dbb1c68a554232269d4d8a2fb3cc3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
322KB

MD5
ba1c2f5f5efdbd8de98a8b6bcac4741f

SHA1
b920891cd38337424effad4625b7d4c4b4b2e39a

SHA256
bf8768d733e30c21fd2727e833a6d092703fd60f62c64cdb37ed91c2456679a7

SHA512
1b0eb0733935b2cc7c986c32160349e01e47b24d2a37bded8b1ae04048e928c1acbe12faef799bad3f6d3f9c3285f646f98dbb1c68a554232269d4d8a2fb3cc3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
322KB

MD5
ba1c2f5f5efdbd8de98a8b6bcac4741f

SHA1
b920891cd38337424effad4625b7d4c4b4b2e39a

SHA256
bf8768d733e30c21fd2727e833a6d092703fd60f62c64cdb37ed91c2456679a7

SHA512
1b0eb0733935b2cc7c986c32160349e01e47b24d2a37bded8b1ae04048e928c1acbe12faef799bad3f6d3f9c3285f646f98dbb1c68a554232269d4d8a2fb3cc3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
322KB

MD5
ba1c2f5f5efdbd8de98a8b6bcac4741f

SHA1
b920891cd38337424effad4625b7d4c4b4b2e39a

SHA256
bf8768d733e30c21fd2727e833a6d092703fd60f62c64cdb37ed91c2456679a7

SHA512
1b0eb0733935b2cc7c986c32160349e01e47b24d2a37bded8b1ae04048e928c1acbe12faef799bad3f6d3f9c3285f646f98dbb1c68a554232269d4d8a2fb3cc3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
322KB

MD5
ba1c2f5f5efdbd8de98a8b6bcac4741f

SHA1
b920891cd38337424effad4625b7d4c4b4b2e39a

SHA256
bf8768d733e30c21fd2727e833a6d092703fd60f62c64cdb37ed91c2456679a7

SHA512
1b0eb0733935b2cc7c986c32160349e01e47b24d2a37bded8b1ae04048e928c1acbe12faef799bad3f6d3f9c3285f646f98dbb1c68a554232269d4d8a2fb3cc3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
322KB

MD5
ba1c2f5f5efdbd8de98a8b6bcac4741f

SHA1
b920891cd38337424effad4625b7d4c4b4b2e39a

SHA256
bf8768d733e30c21fd2727e833a6d092703fd60f62c64cdb37ed91c2456679a7

SHA512
1b0eb0733935b2cc7c986c32160349e01e47b24d2a37bded8b1ae04048e928c1acbe12faef799bad3f6d3f9c3285f646f98dbb1c68a554232269d4d8a2fb3cc3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
322KB

MD5
ba1c2f5f5efdbd8de98a8b6bcac4741f

SHA1
b920891cd38337424effad4625b7d4c4b4b2e39a

SHA256
bf8768d733e30c21fd2727e833a6d092703fd60f62c64cdb37ed91c2456679a7

SHA512
1b0eb0733935b2cc7c986c32160349e01e47b24d2a37bded8b1ae04048e928c1acbe12faef799bad3f6d3f9c3285f646f98dbb1c68a554232269d4d8a2fb3cc3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
322KB

MD5
ba1c2f5f5efdbd8de98a8b6bcac4741f

SHA1
b920891cd38337424effad4625b7d4c4b4b2e39a

SHA256
bf8768d733e30c21fd2727e833a6d092703fd60f62c64cdb37ed91c2456679a7

SHA512
1b0eb0733935b2cc7c986c32160349e01e47b24d2a37bded8b1ae04048e928c1acbe12faef799bad3f6d3f9c3285f646f98dbb1c68a554232269d4d8a2fb3cc3

Download Submit
memory/2316-142-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2316-140-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2316-138-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/3116-132-0x0000000000300000-0x0000000000356000-memory.dmp

Filesize
344KB

Download
memory/3116-134-0x00000000071B0000-0x0000000007242000-memory.dmp

Filesize
584KB

Download
memory/3116-135-0x0000000007450000-0x00000000074C6000-memory.dmp

Filesize
472KB

Download
memory/3116-133-0x00000000076C0000-0x0000000007C64000-memory.dmp

Filesize
5.6MB

Download
memory/3116-136-0x0000000007150000-0x000000000716E000-memory.dmp

Filesize
120KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads