Analysis
- max time kernel: 125s
- max time network: 140s
- platform: windows10-1703_x64
- resource: win10-20220901-en
- resource tags: arch:x64, arch:x86, image:win10-20220901-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 31/10/2022, 22:05

Static task: static1
Behavioral task: behavioral1
- Sample: 6889302e6c295c04485042ec99f6d46a7062514b37ade7b2b9e5c1aa4ed59a8f.exe
- Resource: win10-20220901-en
General
- Target: 6889302e6c295c04485042ec99f6d46a7062514b37ade7b2b9e5c1aa4ed59a8f.exe
- Size: 322KB
- MD5: 868ed4ffadee59587452b0f9c1e670ef
- SHA1: 4ff6625d7e5dc723ec3897f5272036b67f780716
- SHA256: 6889302e6c295c04485042ec99f6d46a7062514b37ade7b2b9e5c1aa4ed59a8f
- SHA512: 59062dbc3695b753c24c24d09c434c97b143ca295190fa4d5305d451f8775e2730e8163d7efed8525ca94dfe8fc40ee59d4c7c5d0b2c746a3efa828a93820b3a
- SSDEEP: 6144:eKlzr1sYCzek2ciDaP9Xk6Ln1W8W/9InBSkZZmLdGcAdgdY6RKpjS:eGhQ2ciDq9ZL1W8q9InBRqELdolRKpj
Malware Config
Signatures
Executes dropped EXE (7 IoCs)
  pid    Process
  3844   oobeldr.exe
  1340   oobeldr.exe
  4660   oobeldr.exe
  4672   oobeldr.exe
  2088   oobeldr.exe
  740    oobeldr.exe
  720    oobeldr.exe

Suspicious use of SetThreadContext (3 IoCs)
  description                             pid    Process                                                                 procid_target
  PID 344 set thread context of 3028      344    6889302e6c295c04485042ec99f6d46a7062514b37ade7b2b9e5c1aa4ed59a8f.exe   66
  PID 3844 set thread context of 4672     3844   oobeldr.exe                                                             72
  PID 2088 set thread context of 720      2088   oobeldr.exe                                                             77

Creates scheduled task(s) (1 TTPs, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid    Process
  540    schtasks.exe
  4936   schtasks.exe

Suspicious use of WriteProcessMemory (42 IoCs)
  description                          pid    Process                                                                 procid_target   count
  PID 344 wrote to memory of 3028      344    6889302e6c295c04485042ec99f6d46a7062514b37ade7b2b9e5c1aa4ed59a8f.exe   66              9
  PID 3028 wrote to memory of 540      3028   6889302e6c295c04485042ec99f6d46a7062514b37ade7b2b9e5c1aa4ed59a8f.exe   67              3
  PID 3844 wrote to memory of 1340     3844   oobeldr.exe                                                             70              3
  PID 3844 wrote to memory of 4660     3844   oobeldr.exe                                                             71              3
  PID 3844 wrote to memory of 4672     3844   oobeldr.exe                                                             72              9
  PID 4672 wrote to memory of 4936     4672   oobeldr.exe                                                             73              3
  PID 2088 wrote to memory of 740      2088   oobeldr.exe                                                             76              3
  PID 2088 wrote to memory of 720      2088   oobeldr.exe                                                             77              9
Processes

- C:\Users\Admin\AppData\Local\Temp\6889302e6c295c04485042ec99f6d46a7062514b37ade7b2b9e5c1aa4ed59a8f.exe (PID 344)
  Command line: "C:\Users\Admin\AppData\Local\Temp\6889302e6c295c04485042ec99f6d46a7062514b37ade7b2b9e5c1aa4ed59a8f.exe"
  Signatures: Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\6889302e6c295c04485042ec99f6d46a7062514b37ade7b2b9e5c1aa4ed59a8f.exe (PID 3028)
    Command line: C:\Users\Admin\AppData\Local\Temp\6889302e6c295c04485042ec99f6d46a7062514b37ade7b2b9e5c1aa4ed59a8f.exe
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe (PID 540)
      Command line: /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
      Signatures: Creates scheduled task(s)

- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe (PID 3844)
  Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe (PID 1340)
    Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    Signatures: Executes dropped EXE
  - C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe (PID 4660)
    Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    Signatures: Executes dropped EXE
  - C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe (PID 4672)
    Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe (PID 4936)
      Command line: /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
      Signatures: Creates scheduled task(s)

- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe (PID 2088)
  Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe (PID 740)
    Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    Signatures: Executes dropped EXE
  - C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe (PID 720)
    Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    Signatures: Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 789B
  MD5: db5ef8d7c51bad129d9097bf953e4913
  SHA1: 8439db960aa2d431bf5ec3c37af775b45eb07e06
  SHA256: 1248e67f10b47b397af3c8cbe342bad4be75c68b8e10f4ec6341195cc3138bd9
  SHA512: 04572485790b25e1751347e43b47174051cd153dd75fd55ee5590d25a2579f344cd96cf86cf45bdb7759e3e6d0f734d0ff717148ca70f501b9869e964e036fee

- Filesize: 322KB
  MD5: 868ed4ffadee59587452b0f9c1e670ef
  SHA1: 4ff6625d7e5dc723ec3897f5272036b67f780716
  SHA256: 6889302e6c295c04485042ec99f6d46a7062514b37ade7b2b9e5c1aa4ed59a8f
  SHA512: 59062dbc3695b753c24c24d09c434c97b143ca295190fa4d5305d451f8775e2730e8163d7efed8525ca94dfe8fc40ee59d4c7c5d0b2c746a3efa828a93820b3a