Analysis

  • max time kernel
    123s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    31/10/2022, 22:02

General

  • Target

    0bff8dd2dd1db9779f79fffe1e60079d62c81691346c499748737a527fe02bbb.exe

  • Size

    322KB

  • MD5

    98ee1b25e1f0ba9e9dd4dc1b75987389

  • SHA1

    ff59a4e158795201c5a56ca496a5ec05cfaecebe

  • SHA256

    0bff8dd2dd1db9779f79fffe1e60079d62c81691346c499748737a527fe02bbb

  • SHA512

    673b1183dd329f0110369299a1f424337a161f66c9c87ae07524629fa2702e6d925e074c8a26e23d81fbc842f104257188ab0a735c8f9758ea40155fb29b0d95

  • SSDEEP

    6144:eKlzr1sYCzek2ciDaP9Xk6Ln1W8W/9InBSkZZmLdGcAdgdY6RKpjS:eGhQ2ciDq9ZL1W8q9InBRqELdolRKpj

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE (4 IoCs)
  • Suspicious use of SetThreadContext (3 IoCs)
  • Creates scheduled task(s) (1 TTP, 2 IoCs)

    Schtasks is often used by malware for persistence or to perform post-infection execution. Here both the submitted sample and its dropped copy register a task named "Telemetry Logging" that runs C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe every minute (/sc minute /mo 1), so the dropped copy is relaunched within a minute of being killed.

  • Suspicious use of WriteProcessMemory (39 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\0bff8dd2dd1db9779f79fffe1e60079d62c81691346c499748737a527fe02bbb.exe
    "C:\Users\Admin\AppData\Local\Temp\0bff8dd2dd1db9779f79fffe1e60079d62c81691346c499748737a527fe02bbb.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:5052
    • C:\Users\Admin\AppData\Local\Temp\0bff8dd2dd1db9779f79fffe1e60079d62c81691346c499748737a527fe02bbb.exe
      C:\Users\Admin\AppData\Local\Temp\0bff8dd2dd1db9779f79fffe1e60079d62c81691346c499748737a527fe02bbb.exe
      2⤵
      PID:1400
    • C:\Users\Admin\AppData\Local\Temp\0bff8dd2dd1db9779f79fffe1e60079d62c81691346c499748737a527fe02bbb.exe
      C:\Users\Admin\AppData\Local\Temp\0bff8dd2dd1db9779f79fffe1e60079d62c81691346c499748737a527fe02bbb.exe
      2⤵
      PID:812
    • C:\Users\Admin\AppData\Local\Temp\0bff8dd2dd1db9779f79fffe1e60079d62c81691346c499748737a527fe02bbb.exe
      C:\Users\Admin\AppData\Local\Temp\0bff8dd2dd1db9779f79fffe1e60079d62c81691346c499748737a527fe02bbb.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4752
      • C:\Windows\SysWOW64\schtasks.exe
        /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
        3⤵
        • Creates scheduled task(s)
        PID:1952

  • C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4900
    • C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
      C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2364
      • C:\Windows\SysWOW64\schtasks.exe
        /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
        3⤵
        • Creates scheduled task(s)
        PID:1376

  • C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:748
    • C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
      C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
      2⤵
      • Executes dropped EXE
      PID:3392

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\oobeldr.exe.log
    (CLR v4 usage log for the dropped file: oobeldr.exe ran as a 32-bit .NET process)
    Filesize: 789B
    MD5: 03d2df1e8834bc4ec1756735429b458c
    SHA1: 4ee6c0f5b04c8e0c5076219c5724032daab11d40
    SHA256: 745ab70552d9a0463b791fd8dc1942838ac3e34fb1a68f09ed3766c7e3b05631
    SHA512: 2482c3d4478125ccbc7f224f50e86b7bf925ed438b59f4dce57b9b6bcdb59df51417049096b131b6b911173550eed98bc92aba7050861de303a692f0681b197b

  • C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    (reported five times with identical hashes; the hashes match the submitted sample, so the dropped file is a byte-for-byte copy of it)
    Filesize: 322KB
    MD5: 98ee1b25e1f0ba9e9dd4dc1b75987389
    SHA1: ff59a4e158795201c5a56ca496a5ec05cfaecebe
    SHA256: 0bff8dd2dd1db9779f79fffe1e60079d62c81691346c499748737a527fe02bbb
    SHA512: 673b1183dd329f0110369299a1f424337a161f66c9c87ae07524629fa2702e6d925e074c8a26e23d81fbc842f104257188ab0a735c8f9758ea40155fb29b0d95

  • memory/4752-142-0x0000000000400000-0x0000000000406000-memory.dmp
    Filesize: 24KB

  • memory/4752-140-0x0000000000400000-0x0000000000406000-memory.dmp
    Filesize: 24KB

  • memory/4752-138-0x0000000000400000-0x0000000000406000-memory.dmp
    Filesize: 24KB

  • memory/5052-132-0x0000000000320000-0x0000000000376000-memory.dmp
    Filesize: 344KB

  • memory/5052-136-0x0000000004F40000-0x0000000004F5E000-memory.dmp
    Filesize: 120KB

  • memory/5052-135-0x00000000075F0000-0x0000000007666000-memory.dmp
    Filesize: 472KB

  • memory/5052-134-0x00000000072D0000-0x0000000007362000-memory.dmp
    Filesize: 584KB

  • memory/5052-133-0x00000000077E0000-0x0000000007D84000-memory.dmp
    Filesize: 5.6MB