Analysis Overview
SHA256
0bff8dd2dd1db9779f79fffe1e60079d62c81691346c499748737a527fe02bbb
Threat Level: Likely malicious
The file 0bff8dd2dd1db9779f79fffe1e60079d62c81691346c499748737a527fe02bbb was found to be: Likely malicious.
Malicious Activity Summary
Executes dropped EXE
Suspicious use of SetThreadContext
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-10-31 22:02
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-10-31 22:02
Reported
2022-10-31 22:04
Platform
win10v2004-20220812-en
Max time kernel
123s
Max time network
154s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 5052 set thread context of 4752 | N/A | C:\Users\Admin\AppData\Local\Temp\0bff8dd2dd1db9779f79fffe1e60079d62c81691346c499748737a527fe02bbb.exe | C:\Users\Admin\AppData\Local\Temp\0bff8dd2dd1db9779f79fffe1e60079d62c81691346c499748737a527fe02bbb.exe |
| PID 4900 set thread context of 2364 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe |
| PID 748 set thread context of 3392 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\0bff8dd2dd1db9779f79fffe1e60079d62c81691346c499748737a527fe02bbb.exe
"C:\Users\Admin\AppData\Local\Temp\0bff8dd2dd1db9779f79fffe1e60079d62c81691346c499748737a527fe02bbb.exe"
C:\Users\Admin\AppData\Local\Temp\0bff8dd2dd1db9779f79fffe1e60079d62c81691346c499748737a527fe02bbb.exe
C:\Users\Admin\AppData\Local\Temp\0bff8dd2dd1db9779f79fffe1e60079d62c81691346c499748737a527fe02bbb.exe
C:\Users\Admin\AppData\Local\Temp\0bff8dd2dd1db9779f79fffe1e60079d62c81691346c499748737a527fe02bbb.exe
C:\Users\Admin\AppData\Local\Temp\0bff8dd2dd1db9779f79fffe1e60079d62c81691346c499748737a527fe02bbb.exe
C:\Users\Admin\AppData\Local\Temp\0bff8dd2dd1db9779f79fffe1e60079d62c81691346c499748737a527fe02bbb.exe
C:\Users\Admin\AppData\Local\Temp\0bff8dd2dd1db9779f79fffe1e60079d62c81691346c499748737a527fe02bbb.exe
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
Network
| Country | Destination | Domain | Proto |
| US | 93.184.220.29:80 | tcp | |
| US | 209.197.3.8:80 | tcp | |
| NL | 52.178.17.2:443 | tcp | |
| NL | 104.80.225.205:443 | tcp | |
| BE | 67.24.27.254:80 | tcp | |
| BE | 67.24.27.254:80 | tcp | |
| BE | 67.24.27.254:80 | tcp | |
| US | 52.109.12.20:443 | tcp | |
| NL | 20.224.151.203:443 | tcp |
Files
memory/5052-132-0x0000000000320000-0x0000000000376000-memory.dmp
memory/5052-133-0x00000000077E0000-0x0000000007D84000-memory.dmp
memory/5052-134-0x00000000072D0000-0x0000000007362000-memory.dmp
memory/5052-135-0x00000000075F0000-0x0000000007666000-memory.dmp
memory/5052-136-0x0000000004F40000-0x0000000004F5E000-memory.dmp
memory/4752-137-0x0000000000000000-mapping.dmp
memory/4752-138-0x0000000000400000-0x0000000000406000-memory.dmp
memory/4752-140-0x0000000000400000-0x0000000000406000-memory.dmp
memory/1952-141-0x0000000000000000-mapping.dmp
memory/4752-142-0x0000000000400000-0x0000000000406000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
| MD5 | 98ee1b25e1f0ba9e9dd4dc1b75987389 |
| SHA1 | ff59a4e158795201c5a56ca496a5ec05cfaecebe |
| SHA256 | 0bff8dd2dd1db9779f79fffe1e60079d62c81691346c499748737a527fe02bbb |
| SHA512 | 673b1183dd329f0110369299a1f424337a161f66c9c87ae07524629fa2702e6d925e074c8a26e23d81fbc842f104257188ab0a735c8f9758ea40155fb29b0d95 |
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
| MD5 | 98ee1b25e1f0ba9e9dd4dc1b75987389 |
| SHA1 | ff59a4e158795201c5a56ca496a5ec05cfaecebe |
| SHA256 | 0bff8dd2dd1db9779f79fffe1e60079d62c81691346c499748737a527fe02bbb |
| SHA512 | 673b1183dd329f0110369299a1f424337a161f66c9c87ae07524629fa2702e6d925e074c8a26e23d81fbc842f104257188ab0a735c8f9758ea40155fb29b0d95 |
memory/2364-145-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
| MD5 | 98ee1b25e1f0ba9e9dd4dc1b75987389 |
| SHA1 | ff59a4e158795201c5a56ca496a5ec05cfaecebe |
| SHA256 | 0bff8dd2dd1db9779f79fffe1e60079d62c81691346c499748737a527fe02bbb |
| SHA512 | 673b1183dd329f0110369299a1f424337a161f66c9c87ae07524629fa2702e6d925e074c8a26e23d81fbc842f104257188ab0a735c8f9758ea40155fb29b0d95 |
memory/1376-150-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
| MD5 | 98ee1b25e1f0ba9e9dd4dc1b75987389 |
| SHA1 | ff59a4e158795201c5a56ca496a5ec05cfaecebe |
| SHA256 | 0bff8dd2dd1db9779f79fffe1e60079d62c81691346c499748737a527fe02bbb |
| SHA512 | 673b1183dd329f0110369299a1f424337a161f66c9c87ae07524629fa2702e6d925e074c8a26e23d81fbc842f104257188ab0a735c8f9758ea40155fb29b0d95 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\oobeldr.exe.log
| MD5 | 03d2df1e8834bc4ec1756735429b458c |
| SHA1 | 4ee6c0f5b04c8e0c5076219c5724032daab11d40 |
| SHA256 | 745ab70552d9a0463b791fd8dc1942838ac3e34fb1a68f09ed3766c7e3b05631 |
| SHA512 | 2482c3d4478125ccbc7f224f50e86b7bf925ed438b59f4dce57b9b6bcdb59df51417049096b131b6b911173550eed98bc92aba7050861de303a692f0681b197b |
memory/3392-153-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
| MD5 | 98ee1b25e1f0ba9e9dd4dc1b75987389 |
| SHA1 | ff59a4e158795201c5a56ca496a5ec05cfaecebe |
| SHA256 | 0bff8dd2dd1db9779f79fffe1e60079d62c81691346c499748737a527fe02bbb |
| SHA512 | 673b1183dd329f0110369299a1f424337a161f66c9c87ae07524629fa2702e6d925e074c8a26e23d81fbc842f104257188ab0a735c8f9758ea40155fb29b0d95 |