e6d186401c61ed926fc1e8da66c5fd09ef9788dde5310fbc2b3ba4c31df52418

Analysis

max time kernel
125s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
31/10/2022, 22:49

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

e6d186401c61ed926fc1e8da66c5fd09ef9788dde5310fbc2b3ba4c31df52418.exe
Size

322KB
MD5

3559e3a4dc84e01b21be727fac73a8e7
SHA1

c372d0aac3de5706f8c1c453731b75c2678aa4fb
SHA256

e6d186401c61ed926fc1e8da66c5fd09ef9788dde5310fbc2b3ba4c31df52418
SHA512

f3241853e98f6192da8516d9f8158368a5e6b415d0f914a2b4c6cf718ee3c08903a0e4a599790f66865a2f26e8f771a923053806193c24b359df0dba68661802
SSDEEP

6144:eKlzr1sYCzek2ciDaP9Xk6Ln1W8W/9InBSkZZmLdGcAdgdY6RKpjS:eGhQ2ciDq9ZL1W8q9InBRqELdolRKpj

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
2708	oobeldr.exe
4592	oobeldr.exe
3632	oobeldr.exe
4928	oobeldr.exe
4020	oobeldr.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4604 set thread context of 5012	4604	e6d186401c61ed926fc1e8da66c5fd09ef9788dde5310fbc2b3ba4c31df52418.exe	81
PID 2708 set thread context of 3632	2708	oobeldr.exe	93
PID 4928 set thread context of 4020	4928	oobeldr.exe	97

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3208	schtasks.exe
4052	schtasks.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 4604 wrote to memory of 5012	4604	e6d186401c61ed926fc1e8da66c5fd09ef9788dde5310fbc2b3ba4c31df52418.exe	81
PID 4604 wrote to memory of 5012	4604	e6d186401c61ed926fc1e8da66c5fd09ef9788dde5310fbc2b3ba4c31df52418.exe	81
PID 4604 wrote to memory of 5012	4604	e6d186401c61ed926fc1e8da66c5fd09ef9788dde5310fbc2b3ba4c31df52418.exe	81
PID 4604 wrote to memory of 5012	4604	e6d186401c61ed926fc1e8da66c5fd09ef9788dde5310fbc2b3ba4c31df52418.exe	81
PID 4604 wrote to memory of 5012	4604	e6d186401c61ed926fc1e8da66c5fd09ef9788dde5310fbc2b3ba4c31df52418.exe	81
PID 4604 wrote to memory of 5012	4604	e6d186401c61ed926fc1e8da66c5fd09ef9788dde5310fbc2b3ba4c31df52418.exe	81
PID 4604 wrote to memory of 5012	4604	e6d186401c61ed926fc1e8da66c5fd09ef9788dde5310fbc2b3ba4c31df52418.exe	81
PID 4604 wrote to memory of 5012	4604	e6d186401c61ed926fc1e8da66c5fd09ef9788dde5310fbc2b3ba4c31df52418.exe	81
PID 4604 wrote to memory of 5012	4604	e6d186401c61ed926fc1e8da66c5fd09ef9788dde5310fbc2b3ba4c31df52418.exe	81
PID 5012 wrote to memory of 3208	5012	e6d186401c61ed926fc1e8da66c5fd09ef9788dde5310fbc2b3ba4c31df52418.exe	85
PID 5012 wrote to memory of 3208	5012	e6d186401c61ed926fc1e8da66c5fd09ef9788dde5310fbc2b3ba4c31df52418.exe	85
PID 5012 wrote to memory of 3208	5012	e6d186401c61ed926fc1e8da66c5fd09ef9788dde5310fbc2b3ba4c31df52418.exe	85
PID 2708 wrote to memory of 4592	2708	oobeldr.exe	92
PID 2708 wrote to memory of 4592	2708	oobeldr.exe	92
PID 2708 wrote to memory of 4592	2708	oobeldr.exe	92
PID 2708 wrote to memory of 3632	2708	oobeldr.exe	93
PID 2708 wrote to memory of 3632	2708	oobeldr.exe	93
PID 2708 wrote to memory of 3632	2708	oobeldr.exe	93
PID 2708 wrote to memory of 3632	2708	oobeldr.exe	93
PID 2708 wrote to memory of 3632	2708	oobeldr.exe	93
PID 2708 wrote to memory of 3632	2708	oobeldr.exe	93
PID 2708 wrote to memory of 3632	2708	oobeldr.exe	93
PID 2708 wrote to memory of 3632	2708	oobeldr.exe	93
PID 2708 wrote to memory of 3632	2708	oobeldr.exe	93
PID 3632 wrote to memory of 4052	3632	oobeldr.exe	94
PID 3632 wrote to memory of 4052	3632	oobeldr.exe	94
PID 3632 wrote to memory of 4052	3632	oobeldr.exe	94
PID 4928 wrote to memory of 4020	4928	oobeldr.exe	97
PID 4928 wrote to memory of 4020	4928	oobeldr.exe	97
PID 4928 wrote to memory of 4020	4928	oobeldr.exe	97
PID 4928 wrote to memory of 4020	4928	oobeldr.exe	97
PID 4928 wrote to memory of 4020	4928	oobeldr.exe	97
PID 4928 wrote to memory of 4020	4928	oobeldr.exe	97
PID 4928 wrote to memory of 4020	4928	oobeldr.exe	97
PID 4928 wrote to memory of 4020	4928	oobeldr.exe	97
PID 4928 wrote to memory of 4020	4928	oobeldr.exe	97

C:\Users\Admin\AppData\Local\Temp\e6d186401c61ed926fc1e8da66c5fd09ef9788dde5310fbc2b3ba4c31df52418.exe
"C:\Users\Admin\AppData\Local\Temp\e6d186401c61ed926fc1e8da66c5fd09ef9788dde5310fbc2b3ba4c31df52418.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4604
- C:\Users\Admin\AppData\Local\Temp\e6d186401c61ed926fc1e8da66c5fd09ef9788dde5310fbc2b3ba4c31df52418.exe
  C:\Users\Admin\AppData\Local\Temp\e6d186401c61ed926fc1e8da66c5fd09ef9788dde5310fbc2b3ba4c31df52418.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5012
- - C:\Windows\SysWOW64\schtasks.exe
    /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
    3⤵
    - Creates scheduled task(s)
    PID:3208

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2708
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  - Executes dropped EXE
  PID:4592
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3632
- - C:\Windows\SysWOW64\schtasks.exe
    /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
    3⤵
    - Creates scheduled task(s)
    PID:4052

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4928
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  - Executes dropped EXE
  PID:4020

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\oobeldr.exe.log

Filesize
789B

MD5
03d2df1e8834bc4ec1756735429b458c

SHA1
4ee6c0f5b04c8e0c5076219c5724032daab11d40

SHA256
745ab70552d9a0463b791fd8dc1942838ac3e34fb1a68f09ed3766c7e3b05631

SHA512
2482c3d4478125ccbc7f224f50e86b7bf925ed438b59f4dce57b9b6bcdb59df51417049096b131b6b911173550eed98bc92aba7050861de303a692f0681b197b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
322KB

MD5
3559e3a4dc84e01b21be727fac73a8e7

SHA1
c372d0aac3de5706f8c1c453731b75c2678aa4fb

SHA256
e6d186401c61ed926fc1e8da66c5fd09ef9788dde5310fbc2b3ba4c31df52418

SHA512
f3241853e98f6192da8516d9f8158368a5e6b415d0f914a2b4c6cf718ee3c08903a0e4a599790f66865a2f26e8f771a923053806193c24b359df0dba68661802

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
322KB

MD5
3559e3a4dc84e01b21be727fac73a8e7

SHA1
c372d0aac3de5706f8c1c453731b75c2678aa4fb

SHA256
e6d186401c61ed926fc1e8da66c5fd09ef9788dde5310fbc2b3ba4c31df52418

SHA512
f3241853e98f6192da8516d9f8158368a5e6b415d0f914a2b4c6cf718ee3c08903a0e4a599790f66865a2f26e8f771a923053806193c24b359df0dba68661802

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
322KB

MD5
3559e3a4dc84e01b21be727fac73a8e7

SHA1
c372d0aac3de5706f8c1c453731b75c2678aa4fb

SHA256
e6d186401c61ed926fc1e8da66c5fd09ef9788dde5310fbc2b3ba4c31df52418

SHA512
f3241853e98f6192da8516d9f8158368a5e6b415d0f914a2b4c6cf718ee3c08903a0e4a599790f66865a2f26e8f771a923053806193c24b359df0dba68661802

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
322KB

MD5
3559e3a4dc84e01b21be727fac73a8e7

SHA1
c372d0aac3de5706f8c1c453731b75c2678aa4fb

SHA256
e6d186401c61ed926fc1e8da66c5fd09ef9788dde5310fbc2b3ba4c31df52418

SHA512
f3241853e98f6192da8516d9f8158368a5e6b415d0f914a2b4c6cf718ee3c08903a0e4a599790f66865a2f26e8f771a923053806193c24b359df0dba68661802

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
322KB

MD5
3559e3a4dc84e01b21be727fac73a8e7

SHA1
c372d0aac3de5706f8c1c453731b75c2678aa4fb

SHA256
e6d186401c61ed926fc1e8da66c5fd09ef9788dde5310fbc2b3ba4c31df52418

SHA512
f3241853e98f6192da8516d9f8158368a5e6b415d0f914a2b4c6cf718ee3c08903a0e4a599790f66865a2f26e8f771a923053806193c24b359df0dba68661802

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
322KB

MD5
3559e3a4dc84e01b21be727fac73a8e7

SHA1
c372d0aac3de5706f8c1c453731b75c2678aa4fb

SHA256
e6d186401c61ed926fc1e8da66c5fd09ef9788dde5310fbc2b3ba4c31df52418

SHA512
f3241853e98f6192da8516d9f8158368a5e6b415d0f914a2b4c6cf718ee3c08903a0e4a599790f66865a2f26e8f771a923053806193c24b359df0dba68661802

Download Submit
memory/4604-132-0x00000000007D0000-0x0000000000826000-memory.dmp

Filesize
344KB

Download
memory/4604-136-0x0000000007620000-0x000000000763E000-memory.dmp

Filesize
120KB

Download
memory/4604-135-0x0000000007960000-0x00000000079D6000-memory.dmp

Filesize
472KB

Download
memory/4604-134-0x0000000007640000-0x00000000076D2000-memory.dmp

Filesize
584KB

Download
memory/4604-133-0x0000000007B10000-0x00000000080B4000-memory.dmp

Filesize
5.6MB

Download
memory/5012-142-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/5012-140-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/5012-138-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads