Analysis
max time kernel: 101s
max time network: 64s
platform: windows10-1703_x64
resource: win10-20220901-en
resource tags: arch:x64, arch:x86, image:win10-20220901-en, locale:en-us, os:windows10-1703-x64, system
submitted: 31/10/2022, 22:03
Static task: static1
Behavioral task: behavioral1
Sample: 533e56b37dfa452c5152931fbd9f0743814302c11d0109ee9ddefe582bf0bd31.exe
Resource: win10-20220901-en
General
Target: 533e56b37dfa452c5152931fbd9f0743814302c11d0109ee9ddefe582bf0bd31.exe
Size: 322KB
MD5: 0d3499a0e3344d4d5e68c7d73e95fb69
SHA1: 266663ca2370a8890a01f4d91a941d7752c2a957
SHA256: 533e56b37dfa452c5152931fbd9f0743814302c11d0109ee9ddefe582bf0bd31
SHA512: 2e6ca5fa8cdde66645b10f47ab05e63fc30ca69d15fa79629743ef342e5e4b816dbc18c0eded59707f991462239ea32527333a56771bbb7cad08a38edf951a7e
SSDEEP: 6144:eKlzr1sYCzek2ciDaP9Xk6Ln1W8W/9InBSkZZmLdGcAdgdY6RKpjS:eGhQ2ciDq9ZL1W8q9InBRqELdolRKpj
Malware Config
Signatures

Executes dropped EXE (7 IoCs)
  pid   Process
  4264  oobeldr.exe
  4180  oobeldr.exe
  4076  oobeldr.exe
  4528  oobeldr.exe
  4228  oobeldr.exe
  4888  oobeldr.exe
  1464  oobeldr.exe

Suspicious use of SetThreadContext (3 IoCs)
  description                          | pid  | Process                                                              | procid_target
  PID 3504 set thread context of 2904  | 3504 | 533e56b37dfa452c5152931fbd9f0743814302c11d0109ee9ddefe582bf0bd31.exe | 68
  PID 4264 set thread context of 4228  | 4264 | oobeldr.exe                                                          | 75
  PID 4888 set thread context of 1464  | 4888 | oobeldr.exe                                                          | 79

Creates scheduled task(s) (1 TTPs, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   Process
  784   schtasks.exe
  4728  schtasks.exe

Suspicious use of WriteProcessMemory (48 IoCs)
  description                      | pid  | Process                                                              | procid_target
  PID 3504 wrote to memory of 2204 | 3504 | 533e56b37dfa452c5152931fbd9f0743814302c11d0109ee9ddefe582bf0bd31.exe | 66
  PID 3504 wrote to memory of 2204 | 3504 | 533e56b37dfa452c5152931fbd9f0743814302c11d0109ee9ddefe582bf0bd31.exe | 66
  PID 3504 wrote to memory of 2204 | 3504 | 533e56b37dfa452c5152931fbd9f0743814302c11d0109ee9ddefe582bf0bd31.exe | 66
  PID 3504 wrote to memory of 2388 | 3504 | 533e56b37dfa452c5152931fbd9f0743814302c11d0109ee9ddefe582bf0bd31.exe | 67
  PID 3504 wrote to memory of 2388 | 3504 | 533e56b37dfa452c5152931fbd9f0743814302c11d0109ee9ddefe582bf0bd31.exe | 67
  PID 3504 wrote to memory of 2388 | 3504 | 533e56b37dfa452c5152931fbd9f0743814302c11d0109ee9ddefe582bf0bd31.exe | 67
  PID 3504 wrote to memory of 2904 | 3504 | 533e56b37dfa452c5152931fbd9f0743814302c11d0109ee9ddefe582bf0bd31.exe | 68
  PID 3504 wrote to memory of 2904 | 3504 | 533e56b37dfa452c5152931fbd9f0743814302c11d0109ee9ddefe582bf0bd31.exe | 68
  PID 3504 wrote to memory of 2904 | 3504 | 533e56b37dfa452c5152931fbd9f0743814302c11d0109ee9ddefe582bf0bd31.exe | 68
  PID 3504 wrote to memory of 2904 | 3504 | 533e56b37dfa452c5152931fbd9f0743814302c11d0109ee9ddefe582bf0bd31.exe | 68
  PID 3504 wrote to memory of 2904 | 3504 | 533e56b37dfa452c5152931fbd9f0743814302c11d0109ee9ddefe582bf0bd31.exe | 68
  PID 3504 wrote to memory of 2904 | 3504 | 533e56b37dfa452c5152931fbd9f0743814302c11d0109ee9ddefe582bf0bd31.exe | 68
  PID 3504 wrote to memory of 2904 | 3504 | 533e56b37dfa452c5152931fbd9f0743814302c11d0109ee9ddefe582bf0bd31.exe | 68
  PID 3504 wrote to memory of 2904 | 3504 | 533e56b37dfa452c5152931fbd9f0743814302c11d0109ee9ddefe582bf0bd31.exe | 68
  PID 3504 wrote to memory of 2904 | 3504 | 533e56b37dfa452c5152931fbd9f0743814302c11d0109ee9ddefe582bf0bd31.exe | 68
  PID 2904 wrote to memory of 784  | 2904 | 533e56b37dfa452c5152931fbd9f0743814302c11d0109ee9ddefe582bf0bd31.exe | 69
  PID 2904 wrote to memory of 784  | 2904 | 533e56b37dfa452c5152931fbd9f0743814302c11d0109ee9ddefe582bf0bd31.exe | 69
  PID 2904 wrote to memory of 784  | 2904 | 533e56b37dfa452c5152931fbd9f0743814302c11d0109ee9ddefe582bf0bd31.exe | 69
  PID 4264 wrote to memory of 4180 | 4264 | oobeldr.exe                                                          | 72
  PID 4264 wrote to memory of 4180 | 4264 | oobeldr.exe                                                          | 72
  PID 4264 wrote to memory of 4180 | 4264 | oobeldr.exe                                                          | 72
  PID 4264 wrote to memory of 4076 | 4264 | oobeldr.exe                                                          | 73
  PID 4264 wrote to memory of 4076 | 4264 | oobeldr.exe                                                          | 73
  PID 4264 wrote to memory of 4076 | 4264 | oobeldr.exe                                                          | 73
  PID 4264 wrote to memory of 4528 | 4264 | oobeldr.exe                                                          | 74
  PID 4264 wrote to memory of 4528 | 4264 | oobeldr.exe                                                          | 74
  PID 4264 wrote to memory of 4528 | 4264 | oobeldr.exe                                                          | 74
  PID 4264 wrote to memory of 4228 | 4264 | oobeldr.exe                                                          | 75
  PID 4264 wrote to memory of 4228 | 4264 | oobeldr.exe                                                          | 75
  PID 4264 wrote to memory of 4228 | 4264 | oobeldr.exe                                                          | 75
  PID 4264 wrote to memory of 4228 | 4264 | oobeldr.exe                                                          | 75
  PID 4264 wrote to memory of 4228 | 4264 | oobeldr.exe                                                          | 75
  PID 4264 wrote to memory of 4228 | 4264 | oobeldr.exe                                                          | 75
  PID 4264 wrote to memory of 4228 | 4264 | oobeldr.exe                                                          | 75
  PID 4264 wrote to memory of 4228 | 4264 | oobeldr.exe                                                          | 75
  PID 4264 wrote to memory of 4228 | 4264 | oobeldr.exe                                                          | 75
  PID 4228 wrote to memory of 4728 | 4228 | oobeldr.exe                                                          | 76
  PID 4228 wrote to memory of 4728 | 4228 | oobeldr.exe                                                          | 76
  PID 4228 wrote to memory of 4728 | 4228 | oobeldr.exe                                                          | 76
  PID 4888 wrote to memory of 1464 | 4888 | oobeldr.exe                                                          | 79
  PID 4888 wrote to memory of 1464 | 4888 | oobeldr.exe                                                          | 79
  PID 4888 wrote to memory of 1464 | 4888 | oobeldr.exe                                                          | 79
  PID 4888 wrote to memory of 1464 | 4888 | oobeldr.exe                                                          | 79
  PID 4888 wrote to memory of 1464 | 4888 | oobeldr.exe                                                          | 79
  PID 4888 wrote to memory of 1464 | 4888 | oobeldr.exe                                                          | 79
  PID 4888 wrote to memory of 1464 | 4888 | oobeldr.exe                                                          | 79
  PID 4888 wrote to memory of 1464 | 4888 | oobeldr.exe                                                          | 79
  PID 4888 wrote to memory of 1464 | 4888 | oobeldr.exe                                                          | 79
Processes

- C:\Users\Admin\AppData\Local\Temp\533e56b37dfa452c5152931fbd9f0743814302c11d0109ee9ddefe582bf0bd31.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\533e56b37dfa452c5152931fbd9f0743814302c11d0109ee9ddefe582bf0bd31.exe"
  PID: 3504
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\533e56b37dfa452c5152931fbd9f0743814302c11d0109ee9ddefe582bf0bd31.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\533e56b37dfa452c5152931fbd9f0743814302c11d0109ee9ddefe582bf0bd31.exe
    PID: 2204
  - C:\Users\Admin\AppData\Local\Temp\533e56b37dfa452c5152931fbd9f0743814302c11d0109ee9ddefe582bf0bd31.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\533e56b37dfa452c5152931fbd9f0743814302c11d0109ee9ddefe582bf0bd31.exe
    PID: 2388
  - C:\Users\Admin\AppData\Local\Temp\533e56b37dfa452c5152931fbd9f0743814302c11d0109ee9ddefe582bf0bd31.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\533e56b37dfa452c5152931fbd9f0743814302c11d0109ee9ddefe582bf0bd31.exe
    PID: 2904
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
      PID: 784
      - Creates scheduled task(s)

- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  PID: 4264
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    PID: 4180
    - Executes dropped EXE
  - C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    PID: 4076
    - Executes dropped EXE
  - C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    PID: 4528
    - Executes dropped EXE
  - C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    PID: 4228
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
      PID: 4728
      - Creates scheduled task(s)

- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  PID: 4888
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    PID: 1464
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads

- Filesize: 789B
  MD5: db5ef8d7c51bad129d9097bf953e4913
  SHA1: 8439db960aa2d431bf5ec3c37af775b45eb07e06
  SHA256: 1248e67f10b47b397af3c8cbe342bad4be75c68b8e10f4ec6341195cc3138bd9
  SHA512: 04572485790b25e1751347e43b47174051cd153dd75fd55ee5590d25a2579f344cd96cf86cf45bdb7759e3e6d0f734d0ff717148ca70f501b9869e964e036fee

- Filesize: 322KB
  MD5: 0d3499a0e3344d4d5e68c7d73e95fb69
  SHA1: 266663ca2370a8890a01f4d91a941d7752c2a957
  SHA256: 533e56b37dfa452c5152931fbd9f0743814302c11d0109ee9ddefe582bf0bd31
  SHA512: 2e6ca5fa8cdde66645b10f47ab05e63fc30ca69d15fa79629743ef342e5e4b816dbc18c0eded59707f991462239ea32527333a56771bbb7cad08a38edf951a7e