f005f61fc940e0053842a4d256addab74f6a8b540689343acdead9809bf05ece

Analysis

max time kernel
142s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
01/11/2022, 00:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f005f61fc940e0053842a4d256addab74f6a8b540689343acdead9809bf05ece.exe
Size

322KB
MD5

29aec55634ebff6a652d2f16496d224e
SHA1

e9592e22b481ea2dbc47108d99bf3458108034b7
SHA256

f005f61fc940e0053842a4d256addab74f6a8b540689343acdead9809bf05ece
SHA512

cc997a103d075fd87fb3fbebb6133d81a5d171e0d39546a93a9b96e1d91669ae7602adc790d8ac8989c47d1d121c7b6f198ebf39b36948a5f2f45d4be9d21499
SSDEEP

6144:eKlzr1sYCzek2ciDaP9Xk6Ln1W8W/9InBSkZZmLdGcAdgdY6RKpjS:eGhQ2ciDq9ZL1W8q9InBRqELdolRKpj

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
1920	oobeldr.exe
2144	oobeldr.exe
4840	oobeldr.exe
4428	oobeldr.exe
700	oobeldr.exe
3576	oobeldr.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 3004 set thread context of 3844	3004	f005f61fc940e0053842a4d256addab74f6a8b540689343acdead9809bf05ece.exe	81
PID 1920 set thread context of 2144	1920	oobeldr.exe	91
PID 4840 set thread context of 4428	4840	oobeldr.exe	96
PID 700 set thread context of 3576	700	oobeldr.exe	98

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3732	schtasks.exe
3916	schtasks.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 3004 wrote to memory of 3844	3004	f005f61fc940e0053842a4d256addab74f6a8b540689343acdead9809bf05ece.exe	81
PID 3004 wrote to memory of 3844	3004	f005f61fc940e0053842a4d256addab74f6a8b540689343acdead9809bf05ece.exe	81
PID 3004 wrote to memory of 3844	3004	f005f61fc940e0053842a4d256addab74f6a8b540689343acdead9809bf05ece.exe	81
PID 3004 wrote to memory of 3844	3004	f005f61fc940e0053842a4d256addab74f6a8b540689343acdead9809bf05ece.exe	81
PID 3004 wrote to memory of 3844	3004	f005f61fc940e0053842a4d256addab74f6a8b540689343acdead9809bf05ece.exe	81
PID 3004 wrote to memory of 3844	3004	f005f61fc940e0053842a4d256addab74f6a8b540689343acdead9809bf05ece.exe	81
PID 3004 wrote to memory of 3844	3004	f005f61fc940e0053842a4d256addab74f6a8b540689343acdead9809bf05ece.exe	81
PID 3004 wrote to memory of 3844	3004	f005f61fc940e0053842a4d256addab74f6a8b540689343acdead9809bf05ece.exe	81
PID 3004 wrote to memory of 3844	3004	f005f61fc940e0053842a4d256addab74f6a8b540689343acdead9809bf05ece.exe	81
PID 3844 wrote to memory of 3732	3844	f005f61fc940e0053842a4d256addab74f6a8b540689343acdead9809bf05ece.exe	82
PID 3844 wrote to memory of 3732	3844	f005f61fc940e0053842a4d256addab74f6a8b540689343acdead9809bf05ece.exe	82
PID 3844 wrote to memory of 3732	3844	f005f61fc940e0053842a4d256addab74f6a8b540689343acdead9809bf05ece.exe	82
PID 1920 wrote to memory of 2144	1920	oobeldr.exe	91
PID 1920 wrote to memory of 2144	1920	oobeldr.exe	91
PID 1920 wrote to memory of 2144	1920	oobeldr.exe	91
PID 1920 wrote to memory of 2144	1920	oobeldr.exe	91
PID 1920 wrote to memory of 2144	1920	oobeldr.exe	91
PID 1920 wrote to memory of 2144	1920	oobeldr.exe	91
PID 1920 wrote to memory of 2144	1920	oobeldr.exe	91
PID 1920 wrote to memory of 2144	1920	oobeldr.exe	91
PID 1920 wrote to memory of 2144	1920	oobeldr.exe	91
PID 2144 wrote to memory of 3916	2144	oobeldr.exe	92
PID 2144 wrote to memory of 3916	2144	oobeldr.exe	92
PID 2144 wrote to memory of 3916	2144	oobeldr.exe	92
PID 4840 wrote to memory of 4428	4840	oobeldr.exe	96
PID 4840 wrote to memory of 4428	4840	oobeldr.exe	96
PID 4840 wrote to memory of 4428	4840	oobeldr.exe	96
PID 4840 wrote to memory of 4428	4840	oobeldr.exe	96
PID 4840 wrote to memory of 4428	4840	oobeldr.exe	96
PID 4840 wrote to memory of 4428	4840	oobeldr.exe	96
PID 4840 wrote to memory of 4428	4840	oobeldr.exe	96
PID 4840 wrote to memory of 4428	4840	oobeldr.exe	96
PID 4840 wrote to memory of 4428	4840	oobeldr.exe	96
PID 700 wrote to memory of 3576	700	oobeldr.exe	98
PID 700 wrote to memory of 3576	700	oobeldr.exe	98
PID 700 wrote to memory of 3576	700	oobeldr.exe	98
PID 700 wrote to memory of 3576	700	oobeldr.exe	98
PID 700 wrote to memory of 3576	700	oobeldr.exe	98
PID 700 wrote to memory of 3576	700	oobeldr.exe	98
PID 700 wrote to memory of 3576	700	oobeldr.exe	98
PID 700 wrote to memory of 3576	700	oobeldr.exe	98
PID 700 wrote to memory of 3576	700	oobeldr.exe	98

C:\Users\Admin\AppData\Local\Temp\f005f61fc940e0053842a4d256addab74f6a8b540689343acdead9809bf05ece.exe
"C:\Users\Admin\AppData\Local\Temp\f005f61fc940e0053842a4d256addab74f6a8b540689343acdead9809bf05ece.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3004
- C:\Users\Admin\AppData\Local\Temp\f005f61fc940e0053842a4d256addab74f6a8b540689343acdead9809bf05ece.exe
  C:\Users\Admin\AppData\Local\Temp\f005f61fc940e0053842a4d256addab74f6a8b540689343acdead9809bf05ece.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3844
- - C:\Windows\SysWOW64\schtasks.exe
    /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
    3⤵
    - Creates scheduled task(s)
    PID:3732

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1920
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2144
- - C:\Windows\SysWOW64\schtasks.exe
    /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
    3⤵
    - Creates scheduled task(s)
    PID:3916

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4840
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  - Executes dropped EXE
  PID:4428

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:700
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  - Executes dropped EXE
  PID:3576

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\oobeldr.exe.log

Filesize
789B

MD5
03d2df1e8834bc4ec1756735429b458c

SHA1
4ee6c0f5b04c8e0c5076219c5724032daab11d40

SHA256
745ab70552d9a0463b791fd8dc1942838ac3e34fb1a68f09ed3766c7e3b05631

SHA512
2482c3d4478125ccbc7f224f50e86b7bf925ed438b59f4dce57b9b6bcdb59df51417049096b131b6b911173550eed98bc92aba7050861de303a692f0681b197b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
322KB

MD5
29aec55634ebff6a652d2f16496d224e

SHA1
e9592e22b481ea2dbc47108d99bf3458108034b7

SHA256
f005f61fc940e0053842a4d256addab74f6a8b540689343acdead9809bf05ece

SHA512
cc997a103d075fd87fb3fbebb6133d81a5d171e0d39546a93a9b96e1d91669ae7602adc790d8ac8989c47d1d121c7b6f198ebf39b36948a5f2f45d4be9d21499

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
322KB

MD5
29aec55634ebff6a652d2f16496d224e

SHA1
e9592e22b481ea2dbc47108d99bf3458108034b7

SHA256
f005f61fc940e0053842a4d256addab74f6a8b540689343acdead9809bf05ece

SHA512
cc997a103d075fd87fb3fbebb6133d81a5d171e0d39546a93a9b96e1d91669ae7602adc790d8ac8989c47d1d121c7b6f198ebf39b36948a5f2f45d4be9d21499

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
322KB

MD5
29aec55634ebff6a652d2f16496d224e

SHA1
e9592e22b481ea2dbc47108d99bf3458108034b7

SHA256
f005f61fc940e0053842a4d256addab74f6a8b540689343acdead9809bf05ece

SHA512
cc997a103d075fd87fb3fbebb6133d81a5d171e0d39546a93a9b96e1d91669ae7602adc790d8ac8989c47d1d121c7b6f198ebf39b36948a5f2f45d4be9d21499

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
322KB

MD5
29aec55634ebff6a652d2f16496d224e

SHA1
e9592e22b481ea2dbc47108d99bf3458108034b7

SHA256
f005f61fc940e0053842a4d256addab74f6a8b540689343acdead9809bf05ece

SHA512
cc997a103d075fd87fb3fbebb6133d81a5d171e0d39546a93a9b96e1d91669ae7602adc790d8ac8989c47d1d121c7b6f198ebf39b36948a5f2f45d4be9d21499

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
322KB

MD5
29aec55634ebff6a652d2f16496d224e

SHA1
e9592e22b481ea2dbc47108d99bf3458108034b7

SHA256
f005f61fc940e0053842a4d256addab74f6a8b540689343acdead9809bf05ece

SHA512
cc997a103d075fd87fb3fbebb6133d81a5d171e0d39546a93a9b96e1d91669ae7602adc790d8ac8989c47d1d121c7b6f198ebf39b36948a5f2f45d4be9d21499

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
322KB

MD5
29aec55634ebff6a652d2f16496d224e

SHA1
e9592e22b481ea2dbc47108d99bf3458108034b7

SHA256
f005f61fc940e0053842a4d256addab74f6a8b540689343acdead9809bf05ece

SHA512
cc997a103d075fd87fb3fbebb6133d81a5d171e0d39546a93a9b96e1d91669ae7602adc790d8ac8989c47d1d121c7b6f198ebf39b36948a5f2f45d4be9d21499

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
322KB

MD5
29aec55634ebff6a652d2f16496d224e

SHA1
e9592e22b481ea2dbc47108d99bf3458108034b7

SHA256
f005f61fc940e0053842a4d256addab74f6a8b540689343acdead9809bf05ece

SHA512
cc997a103d075fd87fb3fbebb6133d81a5d171e0d39546a93a9b96e1d91669ae7602adc790d8ac8989c47d1d121c7b6f198ebf39b36948a5f2f45d4be9d21499

Download Submit
memory/3004-133-0x0000000007BE0000-0x0000000008184000-memory.dmp

Filesize
5.6MB

Download
memory/3004-136-0x0000000007670000-0x000000000768E000-memory.dmp

Filesize
120KB

Download
memory/3004-135-0x0000000007970000-0x00000000079E6000-memory.dmp

Filesize
472KB

Download
memory/3004-134-0x00000000076D0000-0x0000000007762000-memory.dmp

Filesize
584KB

Download
memory/3004-132-0x00000000006E0000-0x0000000000736000-memory.dmp

Filesize
344KB

Download
memory/3844-142-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/3844-140-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/3844-138-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads