Malware Analysis Report

2025-08-05 17:23

Sample ID 221031-2svsgseghk
Target 32d34ee25139ce3ab217e4edc7f5c4d8797ed4ff0a7bc36b5127afaf3aa9bf3b
SHA256 32d34ee25139ce3ab217e4edc7f5c4d8797ed4ff0a7bc36b5127afaf3aa9bf3b
Tags
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

32d34ee25139ce3ab217e4edc7f5c4d8797ed4ff0a7bc36b5127afaf3aa9bf3b

Threat Level: Likely malicious

The file 32d34ee25139ce3ab217e4edc7f5c4d8797ed4ff0a7bc36b5127afaf3aa9bf3b was found to be: Likely malicious.

Malicious Activity Summary

Executes dropped EXE: the sample writes a copy of itself to C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe (MD5, SHA1, SHA256 and SHA512 identical to the submitted file, see Files), and that copy then runs, launched by the scheduled task below, which fires every minute.

Suspicious use of SetThreadContext: this signature appears only in the summary, not in the behavioral1 signature list. Read together with the WriteProcessMemory events (the sample writing into a second instance of its own image, followed by a mapping dump at 0x402354 inside that child), it is the pattern of process hollowing.

Creates scheduled task(s): schtasks.exe /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe", run once from the original process chain (PID 5116 -> 3324) and again from the task-launched copy (PID 4732 -> 1904).

Suspicious use of WriteProcessMemory: 36 cross-process writes across three generations of the same loop (2300 -> 5116 -> 3324; 4544 -> 3764 and 4544 -> 4732 -> 1904; 3844 -> 4948); the full table is under behavioral1.

Two further facts from the artefacts: the dropped copy's CLR usage log (C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\oobeldr.exe.log) shows it ran under the 32-bit .NET 4 runtime, so the outer loader is a managed executable; and the hollowed child's dumped image region is 0x00400000-0x00406000 (24 KB at the default 32-bit image base), which is where any unpacking effort should start. No static signatures fired (static1 lists none), and the single network event (13.69.239.74:443) is not attributable to the sample on this evidence.

MITRE ATT&CK

Enterprise Matrix V6

The report body carries no technique list. The mapping below is the editor's, drawn only from the behaviours recorded under behavioral1; IDs are given in current ATT&CK form with the pre-sub-technique ID of the v6 matrix named in the report in brackets.

T1053.005 (v6: T1053)  Scheduled Task/Job: Scheduled Task  schtasks.exe /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
T1055.012 (v6: T1093)  Process Injection: Process Hollowing  WriteProcessMemory from the sample into a second instance of its own image, SetThreadContext, mapping dump at 0x402354 in each child
T1036.005 (v6: T1036)  Masquerading: Match Legitimate Name or Location  self-copy named oobeldr.exe under %APPDATA%\Microsoft\Protect, task named "Telemetry Logging"

Analysis: static1

Detonation Overview

Reported

2022-10-31 22:51

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-10-31 22:51

Reported

2022-10-31 22:53

Platform

win10-20220812-en

Max time kernel

114s

Max time network

112s

Command Line

"C:\Users\Admin\AppData\Local\Temp\32d34ee25139ce3ab217e4edc7f5c4d8797ed4ff0a7bc36b5127afaf3aa9bf3b.exe"

Signatures

Creates scheduled task(s)

persistence
Description  Indicator  Process                           Target
N/A          N/A        C:\Windows\SysWOW64\schtasks.exe  N/A
N/A          N/A        C:\Windows\SysWOW64\schtasks.exe  N/A

Two invocations (PIDs 3324 and 1904 in the WriteProcessMemory table), both with the command line recorded under Processes: /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe". The sandbox fills in no description or indicator for this signature; the task name and the action path are the usable indicators.

Suspicious use of WriteProcessMemory

Description                       Writes  Process                                                                                                Target
PID 2300 wrote to memory of 5116  9       C:\Users\Admin\AppData\Local\Temp\32d34ee25139ce3ab217e4edc7f5c4d8797ed4ff0a7bc36b5127afaf3aa9bf3b.exe  C:\Users\Admin\AppData\Local\Temp\32d34ee25139ce3ab217e4edc7f5c4d8797ed4ff0a7bc36b5127afaf3aa9bf3b.exe
PID 5116 wrote to memory of 3324  3       C:\Users\Admin\AppData\Local\Temp\32d34ee25139ce3ab217e4edc7f5c4d8797ed4ff0a7bc36b5127afaf3aa9bf3b.exe  C:\Windows\SysWOW64\schtasks.exe
PID 4544 wrote to memory of 3764  3       C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe                                           C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
PID 4544 wrote to memory of 4732  9       C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe                                           C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
PID 4732 wrote to memory of 1904  3       C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe                                           C:\Windows\SysWOW64\schtasks.exe
PID 3844 wrote to memory of 4948  9       C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe                                           C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

The original report lists every write as its own row (36 rows); the Indicator column is N/A throughout and is omitted here. Reading the table: each generation has the same shape. A running instance (2300, then 4544, then 3844) writes nine times into a second instance of its own image (5116, 4732, 4948); that child then writes three times into the schtasks.exe it starts (5116 -> 3324, 4732 -> 1904; no schtasks write is recorded for 4948). Nine writes into a same-image child, taken with the SetThreadContext signature and the 0x402354 mapping dump recorded for each child, is the process-hollowing pattern. A few writes into a freshly created child are also recorded for ordinary process creation, so the schtasks rows establish parentage more than injection. The three writes from 4544 into 3764 have no follow-on events in the report.
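To make a table like the one above usable outside the sandbox UI, here is an added example (the editor's, not part of the report or of any sandbox tooling) that parses rows in this exact layout, collapses repeats, labels same-image writes, and follows writer-to-target edges into chains. The row format and the assumption that image paths contain no spaces come from this report; the input is a constructed subset of the rows above.

```python
"""Reconstruct cross-process write chains from a sandbox
'Suspicious use of WriteProcessMemory' table.

Added example by the editor; not part of the original report or of any
sandbox tooling. Assumes the row layout used in the table above:

    PID <src pid> wrote to memory of <dst pid> N/A <src image> <dst image>

and that image paths contain no spaces (true for every row in this report).
"""
import re
from collections import Counter

# Constructed input: a subset of the rows in the report's table, same format.
SAMPLE_ROWS = r"""
PID 2300 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Temp\32d34ee25139ce3ab217e4edc7f5c4d8797ed4ff0a7bc36b5127afaf3aa9bf3b.exe C:\Users\Admin\AppData\Local\Temp\32d34ee25139ce3ab217e4edc7f5c4d8797ed4ff0a7bc36b5127afaf3aa9bf3b.exe
PID 2300 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Temp\32d34ee25139ce3ab217e4edc7f5c4d8797ed4ff0a7bc36b5127afaf3aa9bf3b.exe C:\Users\Admin\AppData\Local\Temp\32d34ee25139ce3ab217e4edc7f5c4d8797ed4ff0a7bc36b5127afaf3aa9bf3b.exe
PID 2300 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Temp\32d34ee25139ce3ab217e4edc7f5c4d8797ed4ff0a7bc36b5127afaf3aa9bf3b.exe C:\Users\Admin\AppData\Local\Temp\32d34ee25139ce3ab217e4edc7f5c4d8797ed4ff0a7bc36b5127afaf3aa9bf3b.exe
PID 5116 wrote to memory of 3324 N/A C:\Users\Admin\AppData\Local\Temp\32d34ee25139ce3ab217e4edc7f5c4d8797ed4ff0a7bc36b5127afaf3aa9bf3b.exe C:\Windows\SysWOW64\schtasks.exe
PID 4544 wrote to memory of 4732 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
PID 4544 wrote to memory of 4732 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
PID 4732 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe C:\Windows\SysWOW64\schtasks.exe
"""

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")


def parse_rows(text):
    """Return (src_pid, dst_pid, src_image, dst_image) tuples, one per row."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if m is None:
            raise ValueError("unrecognised row: " + line)
        src, dst, src_img, dst_img = m.groups()
        rows.append((int(src), int(dst), src_img, dst_img))
    return rows


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def classify(src_img, dst_img):
    """Label one writer -> target pair by what the images tell us."""
    if basename(src_img) == basename(dst_img):
        # A process writing into a second instance of its own image is the
        # shape of process hollowing; the report's SetThreadContext signature
        # and the 0x402354 mapping dump in the child fit that reading.
        return "self-injection (consistent with process hollowing)"
    if basename(dst_img) == "schtasks.exe":
        # A few writes into a freshly created child are also recorded for
        # ordinary process creation, so on its own this mostly shows parentage.
        return "write into spawned schtasks.exe"
    return "cross-process write"


def summarize(rows):
    """Collapse repeated rows into one record per (src, dst) with a count."""
    counts = Counter((s, d) for s, d, _, _ in rows)   # keeps first-seen order
    images = {(s, d): (si, di) for s, d, si, di in rows}
    return [
        {"src": s, "dst": d, "writes": n, "kind": classify(*images[(s, d)])}
        for (s, d), n in counts.items()
    ]


def chains(rows):
    """Follow writer -> target edges from each root PID down to its leaves."""
    children = {}
    for s, d, _, _ in rows:
        children.setdefault(s, [])
        if d not in children[s]:
            children[s].append(d)
    targets = {d for _, d, _, _ in rows}
    roots = [s for s in children if s not in targets]
    paths = []

    def walk(pid, path):
        nxt = children.get(pid, [])
        if not nxt:
            paths.append(" -> ".join(str(p) for p in path))
        for c in nxt:
            walk(c, path + [c])

    for r in roots:
        walk(r, [r])
    return paths


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_ROWS)
    for rec in summarize(rows):
        print(rec)
    for p in chains(rows):
        print(p)
```

Run against the full 36-row table the same code yields the three generations listed in the overview; the point of the `kind` label is to separate the nine-write self-injection rows, which carry the hollowing evidence, from the three-write schtasks rows, which mainly record who started the task.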

Processes

The report lists processes without PIDs; parentage is visible in the WriteProcessMemory table above (2300 -> 5116 -> 3324, 4544 -> 4732 -> 1904, 3844 -> 4948).

C:\Users\Admin\AppData\Local\Temp\32d34ee25139ce3ab217e4edc7f5c4d8797ed4ff0a7bc36b5127afaf3aa9bf3b.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\32d34ee25139ce3ab217e4edc7f5c4d8797ed4ff0a7bc36b5127afaf3aa9bf3b.exe"

C:\Users\Admin\AppData\Local\Temp\32d34ee25139ce3ab217e4edc7f5c4d8797ed4ff0a7bc36b5127afaf3aa9bf3b.exe  (two further instances; one is the hollowed child, PID 5116)

C:\Windows\SysWOW64\schtasks.exe
    command line: /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe  (six instances)

C:\Windows\SysWOW64\schtasks.exe
    command line: /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe  (four instances)

The task fires every minute, and each launch of oobeldr.exe repeats the hollow-and-reschedule sequence, which is why the list keeps growing within the 114 s run: the repeated entries are one self-perpetuating loop, not several payloads. /F means the task is re-created on every pass even though it already exists. Clean-up should stop the running oobeldr.exe instances, delete the "Telemetry Logging" task, and then remove the file, since each launch of the copy re-runs schtasks /create /F.
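The schtasks command line above is the persistence indicator of this sample. As an added example (the editor's, not from the report and not a sandbox signature), here is a triage routine that parses a schtasks invocation and flags the properties that make this one suspicious: a one-minute interval, /F, a Windows-sounding task name, and an action path in a user-writable directory. Argument splitting uses shlex in non-POSIX mode as a stand-in for Windows argv rules, which is adequate for this command line; the heuristics, the word lists and the benign contrast line are the editor's own.

```python
"""Triage a schtasks.exe command line for persistence indicators.

Added example by the editor; it is not part of the original report and is not
a sandbox signature. The heuristics are the editor's own, chosen from what the
command line in this report shows. Argument splitting uses shlex in non-POSIX
mode, an approximation of Windows argv rules that is sufficient here
(backslashes are kept, quoted arguments stay whole).
"""
import shlex

# Constructed inputs: the command line recorded in the report, and a benign
# daily task made up for contrast.
MALICIOUS_CMD = r'/C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"'
BENIGN_CMD = r'/create /sc daily /st 02:00 /tn "Nightly Backup" /tr "C:\Program Files\Backup\backup.exe"'

# Path fragments (lower-cased) that place the action binary where any user can write.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
# Words a task name borrows to look like a Windows component (editor's list).
LOOKALIKE_WORDS = ("telemetry", "windows", "microsoft", "update", "defender", "security")


def parse_schtasks(cmd):
    """Map each /switch to its value; switches without a value map to True."""
    tokens = shlex.split(cmd, posix=False)
    args = {}
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if not tok.startswith("/"):
            i += 1                      # stray positional token, ignore
            continue
        key = tok[1:].lower()
        nxt = tokens[i + 1] if i + 1 < len(tokens) else None
        if nxt is not None and not nxt.startswith("/"):
            args[key] = nxt.strip('"')  # non-POSIX shlex keeps the quotes
            i += 2
        else:
            args[key] = True
            i += 1
    return args


def triage(cmd):
    """Return the parsed switches plus the persistence indicators they trip."""
    args = parse_schtasks(cmd)
    findings = []
    if "create" not in args:
        return {"args": args, "findings": findings}
    sc = str(args.get("sc", "")).lower()
    mo = str(args.get("mo", ""))
    if sc == "minute" and mo in ("", "1"):   # /mo defaults to 1
        findings.append("fires every minute (/sc minute /mo 1): a relaunch loop, not a maintenance schedule")
    elif sc in ("minute", "onlogon", "onstart"):
        findings.append("aggressive trigger (/sc " + sc + ")")
    if args.get("f") is True:
        findings.append("/F silently replaces any existing task with the same name")
    action = str(args.get("tr", ""))
    if any(frag in action.lower() for frag in USER_WRITABLE):
        findings.append("action binary is in a user-writable directory: " + action)
    name = str(args.get("tn", ""))
    if any(word in name.lower() for word in LOOKALIKE_WORDS):
        findings.append("task name imitates a Windows component: " + name)
    return {"args": args, "findings": findings}


if __name__ == "__main__":
    for label, cmd in (("report", MALICIOUS_CMD), ("benign", BENIGN_CMD)):
        result = triage(cmd)
        print(label, result["args"].get("tn"), "->", len(result["findings"]), "finding(s)")
        for f in result["findings"]:
            print("   ", f)
```

The same four checks apply on a live host to the Triggers and Actions of the objects returned by Get-ScheduledTask: this task would surface as a one-minute repetition whose action lives under %APPDATA%.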

Network

Country  Destination        Domain  Proto
IE       13.69.239.74:443   (none)  tcp

Caveat: this is the only network event in the run and it carries no domain, no TLS SNI and no payload. 13.69.239.74 falls in an address block registered to Microsoft (Azure), so it is at least as likely to be Windows or .NET background traffic from the sandbox VM as traffic from the sample; do not treat it as a C2 indicator without corroboration.

Files

Memory dumps, condensed by PID and address range (the original report lists one line per dump, named memory/<pid>-<index>-<range>-memory.dmp or -mapping.dmp):

PID 2300  indices 120-153, 155-160, 163, 166, 168-170, 172-177, 184 (52 dumps)  0x0000000077A00000-0x0000000077B8E000
PID 2300  index 154                                                             0x00000000007A0000-0x00000000007F6000
PID 2300  index 161                                                             0x0000000004F70000-0x000000000503C000
PID 2300  index 162                                                             0x00000000079D0000-0x0000000007ECE000
PID 2300  index 164                                                             0x00000000075D0000-0x0000000007662000
PID 2300  index 165                                                             0x0000000007560000-0x0000000007566000
PID 2300  index 167                                                             0x00000000078F0000-0x0000000007966000
PID 2300  index 171                                                             0x00000000075B0000-0x00000000075CE000
PID 5116  indices 178, 228                                                      0x0000000000400000-0x0000000000406000
PID 5116  index 179                                                             0x0000000000402354 (mapping)
PID 5116  indices 180-183, 186-191 (10 dumps)                                   0x0000000077A00000-0x0000000077B8E000
PID 3324  index 213                                                             0x0000000000000000 (mapping)

The 0x77A00000-0x77B8E000 region (about 1.6 MB) is dumped 62 times at the same address in both 2300 and 5116, which is characteristic of a system DLL mapped at the same base in every process, not of sample code. The entries that matter for the payload are 5116-178 and 5116-228 (0x400000-0x406000, the child's image region at the default 32-bit image base) and 5116-179 (the mapping at 0x402354, which recurs for PIDs 4732 and 4948 below, i.e. each hollowed child receives the same image at the same address).

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    recorded six times during the run with identical hashes each time; the hashes match the submitted sample exactly, so the dropped file is a self-copy and the indicator worth keeping is the path, not a new hash

MD5 3be55c53fdf88cae6d90504981a45a9e
SHA1 c5e18f7232066748a023bee46fa2813fe973c6b6
SHA256 32d34ee25139ce3ab217e4edc7f5c4d8797ed4ff0a7bc36b5127afaf3aa9bf3b
SHA512 52ddb71186d3edc69533ad3511744fa3eefc03ac6932b32f21c3da2cc95b451ba55d617029cf3e717fad11ede12879529ae9483836d389d973607544e8b318e3

memory/4732-290-0x0000000000402354-mapping.dmp

memory/1904-324-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\oobeldr.exe.log
    usage log written by the 32-bit .NET 4 CLR for oobeldr.exe; its presence shows the copy ran as a managed executable

MD5 db5ef8d7c51bad129d9097bf953e4913
SHA1 8439db960aa2d431bf5ec3c37af775b45eb07e06
SHA256 1248e67f10b47b397af3c8cbe342bad4be75c68b8e10f4ec6341195cc3138bd9
SHA512 04572485790b25e1751347e43b47174051cd153dd75fd55ee5590d25a2579f344cd96cf86cf45bdb7759e3e6d0f734d0ff717148ca70f501b9869e964e036fee

memory/4948-397-0x0000000000402354-mapping.dmp