Analysis Overview
SHA256
d489e06e4e952a636272cb97204eaf1c6ced503ee602a91357cacfd3dbf57dd1
Threat Level: Likely malicious
The file d489e06e4e952a636272cb97204eaf1c6ced503ee602a91357cacfd3dbf57dd1 was found to be: Likely malicious.
Malicious Activity Summary
Executes dropped EXE
Suspicious use of SetThreadContext
Program crash
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-10-31 22:51
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-10-31 22:51
Reported
2022-10-31 22:54
Platform
win10-20220812-en
Max time kernel
146s
Max time network
149s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| 6 executions of the dropped copy | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2620 set thread context of 2148 | N/A | C:\Users\Admin\AppData\Local\Temp\d489e06e4e952a636272cb97204eaf1c6ced503ee602a91357cacfd3dbf57dd1.exe | C:\Users\Admin\AppData\Local\Temp\d489e06e4e952a636272cb97204eaf1c6ced503ee602a91357cacfd3dbf57dd1.exe |
| PID 4892 set thread context of 4792 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe |
| PID 4872 set thread context of 3140 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe |
| PID 428 set thread context of 2720 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of WriteProcessMemory
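All four SetThreadContext rows name the same image as source and target (the sample once, then three launches of the dropped oobeldr.exe), and the report also flags WriteProcessMemory. That pairing is the self-hollowing sequence: start a second, suspended copy of the same executable, write a payload into it, set the new main thread's context, resume. The memory-dump names in the Files section support this: each injected target (2148, 4792, 3140, 2720) has a mapping dump at 0x402354, and for 2148 the sandbox also dumped the surrounding 0x400000-0x406000 region, i.e. a 0x6000-byte image. The one crash in the report (WerFault -p 2720) hits an injected target, not a launcher. The script below is an added example, not part of the sandbox report or any vendor tool: it rebuilds those chains from the report's own rows and dump names. The row lists and dump names are copied from the report; the chain model, the "self-injection" label and the helper names are this example's own.

```python
"""Correlate the SetThreadContext rows, the WerFault command line and the
memory-dump names of the sandbox report into per-injection chains.

Added example for this report page; not sandbox output or vendor tooling.
Rows and dump names are copied from the report; the InjectionChain model
and helper names are assumptions of this example.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\d489e06e4e952a636272cb97204eaf1c6ced503ee602a91357cacfd3dbf57dd1.exe"
OOBELDR = r"C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"

# (Description, Process, Target) rows of the SetThreadContext table (report data).
SET_THREAD_CONTEXT_ROWS = [
    ("PID 2620 set thread context of 2148", SAMPLE, SAMPLE),
    ("PID 4892 set thread context of 4792", OOBELDR, OOBELDR),
    ("PID 4872 set thread context of 3140", OOBELDR, OOBELDR),
    ("PID 428 set thread context of 2720", OOBELDR, OOBELDR),
]
# WerFault command line from the process list (report data).
WERFAULT_CMDLINES = [r"C:\Windows\SysWOW64\WerFault.exe -u -p 2720 -s 152"]
# Subset of the Files section: dumps taken from the injected targets (report data).
MEMORY_DUMPS = [
    "memory/2148-177-0x0000000000400000-0x0000000000406000-memory.dmp",
    "memory/2148-178-0x0000000000402354-mapping.dmp",
    "memory/2148-231-0x0000000000400000-0x0000000000406000-memory.dmp",
    "memory/4792-288-0x0000000000402354-mapping.dmp",
    "memory/3140-395-0x0000000000402354-mapping.dmp",
    "memory/2720-482-0x0000000000402354-mapping.dmp",
]

STC_RE = re.compile(r"PID (\d+) set thread context of (\d+)")
WERFAULT_RE = re.compile(r"WerFault\.exe\b.*?\s-p\s+(\d+)", re.IGNORECASE)
DUMP_RE = re.compile(
    r"memory/(\d+)-\d+-0x([0-9A-Fa-f]+)(?:-0x([0-9A-Fa-f]+))?-(memory|mapping)\.dmp"
)


@dataclass
class InjectionChain:
    source_pid: int
    target_pid: int
    source_image: str
    target_image: str
    crashed: bool = False
    regions: Set[tuple] = field(default_factory=set)   # (start, end) region dumps of the target
    mappings: Set[int] = field(default_factory=set)    # mapping-dump addresses in the target

    @property
    def self_injection(self) -> bool:
        """Same image on both sides: the spawn-a-copy-then-SetThreadContext pattern."""
        return self.source_image.lower() == self.target_image.lower()

    @property
    def injected_size(self) -> Optional[int]:
        """Size of the dumped region that contains a mapping address, if one was dumped."""
        for start, end in sorted(self.regions):
            if any(start <= m < end for m in self.mappings):
                return end - start
        return None


def crash_pids(werfault_cmdlines) -> Set[int]:
    """PIDs named by -p in WerFault command lines."""
    return {int(m.group(1)) for c in werfault_cmdlines for m in [WERFAULT_RE.search(c)] if m}


def build_chains(rows, werfault_cmdlines, dumps) -> List[InjectionChain]:
    crashed = crash_pids(werfault_cmdlines)
    chains = []
    for desc, proc, target in rows:
        m = STC_RE.fullmatch(desc)
        if not m:
            continue
        tpid = int(m.group(2))
        chains.append(InjectionChain(int(m.group(1)), tpid, proc, target, crashed=tpid in crashed))
    by_target = {c.target_pid: c for c in chains}
    for name in dumps:
        m = DUMP_RE.fullmatch(name)
        if not m or int(m.group(1)) not in by_target:
            continue  # dumps of the launcher side are not needed here
        chain, start = by_target[int(m.group(1))], int(m.group(2), 16)
        if m.group(4) == "mapping":
            chain.mappings.add(start)
        elif m.group(3):
            chain.regions.add((start, int(m.group(3), 16)))
    return chains


if __name__ == "__main__":
    for c in build_chains(SET_THREAD_CONTEXT_ROWS, WERFAULT_CMDLINES, MEMORY_DUMPS):
        print(c.source_pid, "->", c.target_pid, "self" if c.self_injection else "cross",
              "crashed" if c.crashed else "", c.injected_size)
```

Run against richer telemetry (Sysmon process-access or ETW thread events) the same model applies: an identical source and target image plus a context change on the target's initial thread is the signal; the crash is incidental but tells you which copy carried the payload.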
Processes
C:\Users\Admin\AppData\Local\Temp\d489e06e4e952a636272cb97204eaf1c6ced503ee602a91357cacfd3dbf57dd1.exe
"C:\Users\Admin\AppData\Local\Temp\d489e06e4e952a636272cb97204eaf1c6ced503ee602a91357cacfd3dbf57dd1.exe"
C:\Users\Admin\AppData\Local\Temp\d489e06e4e952a636272cb97204eaf1c6ced503ee602a91357cacfd3dbf57dd1.exe
C:\Users\Admin\AppData\Local\Temp\d489e06e4e952a636272cb97204eaf1c6ced503ee602a91357cacfd3dbf57dd1.exe
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2720 -s 152
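The two schtasks.exe invocations register a task named "Telemetry Logging" that re-runs the dropped copy from %APPDATA%\Microsoft\Protect every minute (/sc minute /mo 1); /F replaces any task of the same name without prompting, so the entry is re-created even if a user deletes it. The location, the one-minute cadence and the Windows-sounding task name are the indicators worth hunting for in process-creation telemetry. The script below is an added example, not part of the sandbox report or any vendor tool: it parses a schtasks /create command line into its fields and scores it. The first sample line is the command line recorded above; the benign contrast line, the list of user-writable roots and the "two or more reasons" threshold are assumptions made for illustration.

```python
"""Triage schtasks.exe /create command lines for persistence indicators.

Added example for this report page; not sandbox output or vendor tooling.
REPORT_CMDLINE is the schtasks command line from the report. BENIGN_CMDLINE,
USER_WRITABLE_ROOTS and the suspicion threshold are assumptions of this example.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Command line from the report's process list (report data).
REPORT_CMDLINE = (
    '/C /create /F /sc minute /mo 1 /tn "Telemetry Logging" '
    r'/tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"'
)
# Constructed benign line for contrast (not from the report).
BENIGN_CMDLINE = (
    '/create /tn "Nightly Backup" /sc daily /st 02:00 '
    r'/tr "C:\Program Files\Backup\backup.exe"'
)

# Locations a standard user can write without elevation (assumed list). A task
# whose action lives here could be installed by unprivileged code.
USER_WRITABLE_ROOTS = (
    "c:\\users\\", "%appdata%", "%localappdata%", "%temp%", "%userprofile%",
)
# Options that take one argument, mapped to the field they fill.
VALUED_OPTS = {"/tn": "name", "/tr": "action", "/sc": "schedule", "/mo": "modifier"}


@dataclass
class TaskCreate:
    name: Optional[str] = None
    action: Optional[str] = None
    schedule: Optional[str] = None
    modifier: Optional[int] = None
    force: bool = False
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Assumed threshold: any single reason has benign uses; two together rarely do.
        return len(self.reasons) >= 2


def tokenize(cmdline: str) -> list:
    """Split a Windows command line, keeping double-quoted spans as one token."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def triage_schtasks(cmdline: str) -> Optional[TaskCreate]:
    """Return a TaskCreate with its reasons for a /create line, None otherwise."""
    tokens = tokenize(cmdline)
    lowered = [t.lower() for t in tokens]
    if "/create" not in lowered:
        return None
    task = TaskCreate()
    i = 0
    while i < len(tokens):
        opt = lowered[i]
        if opt in VALUED_OPTS and i + 1 < len(tokens):
            value = tokens[i + 1]
            if opt == "/mo":
                task.modifier = int(value) if value.isdigit() else None
            else:
                setattr(task, VALUED_OPTS[opt], value)
            i += 2
            continue
        if opt == "/f":
            task.force = True
        i += 1  # unknown tokens (such as the stray /C in the report line) are ignored
    action = (task.action or "").lower()
    if action.startswith(USER_WRITABLE_ROOTS):
        task.reasons.append("action runs from a user-writable location")
    if task.schedule and task.schedule.lower() == "minute" and (task.modifier or 1) <= 5:
        task.reasons.append(f"re-launched every {task.modifier or 1} minute(s)")
    if task.force:
        task.reasons.append("/F silently replaces an existing task of the same name")
    return task


if __name__ == "__main__":
    for line in (REPORT_CMDLINE, BENIGN_CMDLINE):
        t = triage_schtasks(line)
        print(t.name, "suspicious" if t.suspicious else "benign", t.reasons)
```

Feed it the CommandLine field of process-creation events whose image is schtasks.exe; the parser only needs the argument string, which is what the report records.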
Network
| Country | Destination | Domain | Proto |
| US | 20.42.73.24:443 | N/A | tcp |
Files
memory/2620-119-0x0000000077770000-0x00000000778FE000-memory.dmp
memory/2620-120-0x0000000077770000-0x00000000778FE000-memory.dmp
memory/2620-121-0x0000000077770000-0x00000000778FE000-memory.dmp
memory/2620-122-0x0000000077770000-0x00000000778FE000-memory.dmp
memory/2620-123-0x0000000077770000-0x00000000778FE000-memory.dmp
memory/2620-124-0x0000000077770000-0x00000000778FE000-memory.dmp
memory/2620-125-0x0000000077770000-0x00000000778FE000-memory.dmp
memory/2620-126-0x0000000077770000-0x00000000778FE000-memory.dmp
memory/2620-127-0x0000000077770000-0x00000000778FE000-memory.dmp
memory/2620-128-0x0000000077770000-0x00000000778FE000-memory.dmp
memory/2620-129-0x0000000077770000-0x00000000778FE000-memory.dmp
memory/2620-130-0x0000000077770000-0x00000000778FE000-memory.dmp
memory/2620-131-0x0000000077770000-0x00000000778FE000-memory.dmp
memory/2620-132-0x0000000077770000-0x00000000778FE000-memory.dmp
memory/2620-133-0x0000000077770000-0x00000000778FE000-memory.dmp
memory/2620-136-0x0000000077770000-0x00000000778FE000-memory.dmp
memory/2620-135-0x0000000077770000-0x00000000778FE000-memory.dmp
memory/2620-134-0x0000000077770000-0x00000000778FE000-memory.dmp
memory/2620-137-0x0000000077770000-0x00000000778FE000-memory.dmp
memory/2620-138-0x0000000077770000-0x00000000778FE000-memory.dmp
memory/2620-139-0x0000000077770000-0x00000000778FE000-memory.dmp
memory/2620-140-0x0000000077770000-0x00000000778FE000-memory.dmp
memory/2620-141-0x0000000077770000-0x00000000778FE000-memory.dmp
memory/2620-142-0x0000000077770000-0x00000000778FE000-memory.dmp
memory/2620-143-0x0000000077770000-0x00000000778FE000-memory.dmp
memory/2620-144-0x0000000077770000-0x00000000778FE000-memory.dmp
memory/2620-145-0x0000000077770000-0x00000000778FE000-memory.dmp
memory/2620-146-0x0000000077770000-0x00000000778FE000-memory.dmp
memory/2620-147-0x0000000077770000-0x00000000778FE000-memory.dmp
memory/2620-148-0x0000000077770000-0x00000000778FE000-memory.dmp
memory/2620-149-0x0000000077770000-0x00000000778FE000-memory.dmp
memory/2620-150-0x0000000077770000-0x00000000778FE000-memory.dmp
memory/2620-151-0x0000000077770000-0x00000000778FE000-memory.dmp
memory/2620-152-0x0000000077770000-0x00000000778FE000-memory.dmp
memory/2620-153-0x0000000000560000-0x00000000005B6000-memory.dmp
memory/2620-154-0x0000000077770000-0x00000000778FE000-memory.dmp
memory/2620-155-0x0000000077770000-0x00000000778FE000-memory.dmp
memory/2620-156-0x0000000077770000-0x00000000778FE000-memory.dmp
memory/2620-157-0x0000000077770000-0x00000000778FE000-memory.dmp
memory/2620-158-0x0000000077770000-0x00000000778FE000-memory.dmp
memory/2620-159-0x0000000077770000-0x00000000778FE000-memory.dmp
memory/2620-160-0x0000000007300000-0x00000000073CC000-memory.dmp
memory/2620-161-0x00000000078D0000-0x0000000007DCE000-memory.dmp
memory/2620-162-0x0000000077770000-0x00000000778FE000-memory.dmp
memory/2620-163-0x00000000073D0000-0x0000000007462000-memory.dmp
memory/2620-164-0x0000000004DC0000-0x0000000004DC6000-memory.dmp
memory/2620-165-0x0000000077770000-0x00000000778FE000-memory.dmp
memory/2620-166-0x0000000007670000-0x00000000076E6000-memory.dmp
memory/2620-167-0x0000000077770000-0x00000000778FE000-memory.dmp
memory/2620-168-0x0000000077770000-0x00000000778FE000-memory.dmp
memory/2620-169-0x0000000077770000-0x00000000778FE000-memory.dmp
memory/2620-170-0x0000000004E10000-0x0000000004E2E000-memory.dmp
memory/2620-171-0x0000000077770000-0x00000000778FE000-memory.dmp
memory/2620-172-0x0000000077770000-0x00000000778FE000-memory.dmp
memory/2620-173-0x0000000077770000-0x00000000778FE000-memory.dmp
memory/2620-174-0x0000000077770000-0x00000000778FE000-memory.dmp
memory/2620-175-0x0000000077770000-0x00000000778FE000-memory.dmp
memory/2620-176-0x0000000077770000-0x00000000778FE000-memory.dmp
memory/2148-177-0x0000000000400000-0x0000000000406000-memory.dmp
memory/2148-178-0x0000000000402354-mapping.dmp
memory/2148-179-0x0000000077770000-0x00000000778FE000-memory.dmp
memory/2148-180-0x0000000077770000-0x00000000778FE000-memory.dmp
memory/2620-182-0x0000000077770000-0x00000000778FE000-memory.dmp
memory/2148-183-0x0000000077770000-0x00000000778FE000-memory.dmp
memory/2148-185-0x0000000077770000-0x00000000778FE000-memory.dmp
memory/2148-186-0x0000000077770000-0x00000000778FE000-memory.dmp
memory/2148-187-0x0000000077770000-0x00000000778FE000-memory.dmp
memory/2148-188-0x0000000077770000-0x00000000778FE000-memory.dmp
memory/2148-189-0x0000000077770000-0x00000000778FE000-memory.dmp
memory/2148-181-0x0000000077770000-0x00000000778FE000-memory.dmp
memory/2148-190-0x0000000077770000-0x00000000778FE000-memory.dmp
memory/1504-212-0x0000000000000000-mapping.dmp
memory/2148-231-0x0000000000400000-0x0000000000406000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
| MD5 | a580532ba1760b46afd76630327e4bf3 |
| SHA1 | 026fb71ca830b9f708f8588be9351a3005b2d5a2 |
| SHA256 | d489e06e4e952a636272cb97204eaf1c6ced503ee602a91357cacfd3dbf57dd1 |
| SHA512 | d255bfd74da25e3140aff5edd8d6ab695828a9f088f00a15a8760000fe3525056a3fbffaa16c3276818e89151a1811475e9077e99ef2837e0a10692d570d5b1d |
memory/4792-288-0x0000000000402354-mapping.dmp
memory/4568-322-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\oobeldr.exe.log
| MD5 | db5ef8d7c51bad129d9097bf953e4913 |
| SHA1 | 8439db960aa2d431bf5ec3c37af775b45eb07e06 |
| SHA256 | 1248e67f10b47b397af3c8cbe342bad4be75c68b8e10f4ec6341195cc3138bd9 |
| SHA512 | 04572485790b25e1751347e43b47174051cd153dd75fd55ee5590d25a2579f344cd96cf86cf45bdb7759e3e6d0f734d0ff717148ca70f501b9869e964e036fee |
memory/3140-395-0x0000000000402354-mapping.dmp
memory/2720-482-0x0000000000402354-mapping.dmp
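The dropped oobeldr.exe carries the same MD5, SHA1, SHA256 and SHA512 as the submitted sample, so the file in %APPDATA%\Microsoft\Protect is a byte-identical self-copy, not a second-stage payload; the only genuinely new artifact is oobeldr.exe.log under CLR_v4.0_32\UsageLogs, the usage log the .NET Framework 4 runtime writes when a 32-bit managed executable runs, which fits the SysWOW64 helpers in the process list. Sandboxes record a dropped file once per write, so the same hash block can repeat. The script below is an added example, not part of the sandbox report or any vendor tool: it parses file entries in the report's layout, merges repeated writes, and flags self-copies against the submitted hash. FILES_TEXT reproduces entries from the report (with the oobeldr.exe block repeated as the report does); the DroppedFile model and helper names are this example's own.

```python
"""Parse the dropped-file hash blocks of the sandbox report, merge repeated
writes, and flag files that are byte-identical to the submitted sample.

Added example for this report page; not sandbox output or vendor tooling.
FILES_TEXT is copied from the report's Files section; the DroppedFile model
and helper names are assumptions of this example.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

SUBMITTED_SHA256 = "d489e06e4e952a636272cb97204eaf1c6ced503ee602a91357cacfd3dbf57dd1"

# Entries in the report's layout: a path line followed by | ALG | hex | rows;
# memory-dump lines are interleaved as they are on the page (report data).
FILES_TEXT = r"""
memory/2148-231-0x0000000000400000-0x0000000000406000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
| MD5 | a580532ba1760b46afd76630327e4bf3 |
| SHA1 | 026fb71ca830b9f708f8588be9351a3005b2d5a2 |
| SHA256 | d489e06e4e952a636272cb97204eaf1c6ced503ee602a91357cacfd3dbf57dd1 |
| SHA512 | d255bfd74da25e3140aff5edd8d6ab695828a9f088f00a15a8760000fe3525056a3fbffaa16c3276818e89151a1811475e9077e99ef2837e0a10692d570d5b1d |
memory/4792-288-0x0000000000402354-mapping.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\oobeldr.exe.log
| MD5 | db5ef8d7c51bad129d9097bf953e4913 |
| SHA1 | 8439db960aa2d431bf5ec3c37af775b45eb07e06 |
| SHA256 | 1248e67f10b47b397af3c8cbe342bad4be75c68b8e10f4ec6341195cc3138bd9 |
| SHA512 | 04572485790b25e1751347e43b47174051cd153dd75fd55ee5590d25a2579f344cd96cf86cf45bdb7759e3e6d0f734d0ff717148ca70f501b9869e964e036fee |
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
| MD5 | a580532ba1760b46afd76630327e4bf3 |
| SHA1 | 026fb71ca830b9f708f8588be9351a3005b2d5a2 |
| SHA256 | d489e06e4e952a636272cb97204eaf1c6ced503ee602a91357cacfd3dbf57dd1 |
| SHA512 | d255bfd74da25e3140aff5edd8d6ab695828a9f088f00a15a8760000fe3525056a3fbffaa16c3276818e89151a1811475e9077e99ef2837e0a10692d570d5b1d |
"""

PATH_LINE = re.compile(r"^[A-Za-z]:\\")
HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")


@dataclass
class DroppedFile:
    path: str
    hashes: Dict[str, str]
    writes: int = 1

    @property
    def sha256(self):
        return self.hashes.get("SHA256")

    def is_copy_of(self, sha256: str) -> bool:
        return self.sha256 == sha256.lower()

    @property
    def is_clr_usage_log(self) -> bool:
        # %LOCALAPPDATA%\Microsoft\CLR_v4.0_32\UsageLogs\<exe>.log is written by the
        # .NET Framework 4 runtime for a 32-bit managed executable.
        return "\\clr_v4.0_32\\usagelogs\\" in self.path.lower()


def parse_files_section(text: str) -> List[DroppedFile]:
    """One DroppedFile per path line, in page order; dump lines close an entry."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if PATH_LINE.match(line):
            current = DroppedFile(line, {})
            entries.append(current)
        elif current is not None and (m := HASH_ROW.match(line)):
            current.hashes[m.group(1)] = m.group(2).lower()
        else:
            current = None
    return entries


def dedupe(entries: List[DroppedFile]) -> List[DroppedFile]:
    """Merge entries with the same path and SHA256, counting the writes."""
    merged: Dict[tuple, DroppedFile] = {}
    for e in entries:
        key = (e.path.lower(), e.sha256)
        if key in merged:
            merged[key].writes += 1
        else:
            merged[key] = DroppedFile(e.path, dict(e.hashes))
    return list(merged.values())


def self_copies(entries: List[DroppedFile], sha256: str) -> List[str]:
    """Paths of dropped files whose SHA256 equals the submitted sample's."""
    return [e.path for e in dedupe(entries) if e.is_copy_of(sha256)]


if __name__ == "__main__":
    for f in dedupe(parse_files_section(FILES_TEXT)):
        print(f.writes, "x", f.path, "SELF-COPY" if f.is_copy_of(SUBMITTED_SHA256) else "",
              "CLR usage log" if f.is_clr_usage_log else "")
```

A self-copy means the hashes above are the whole indicator set for the dropped binary; there is no separate payload file to hunt for on disk, only the injected image in memory.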