8be89599d3f9b0293aa8381421910c21270e20ed15440c17a04d0010ba7724f6

Analysis

max time kernel
100s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
01/11/2022, 00:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8be89599d3f9b0293aa8381421910c21270e20ed15440c17a04d0010ba7724f6.exe
Size

322KB
MD5

da26bc2791ec62d35878fd835bb76352
SHA1

69396ce5e9c0fc196a58ee76c508242f7fa4bcde
SHA256

8be89599d3f9b0293aa8381421910c21270e20ed15440c17a04d0010ba7724f6
SHA512

86b239ca060a6e261f4936fc38a29ad5163765356403012bcdd39eb8df31b2598aff607f9d36b22794412e14dd694919a4a9ebe9dc73ee80d83a9d54d6b4df81
SSDEEP

6144:eKlzr1sYCzek2ciDaP9Xk6Ln1W8W/9InBSkZZmLdGcAdgdY6RKpjS:eGhQ2ciDq9ZL1W8q9InBRqELdolRKpj

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2164	oobeldr.exe
2056	oobeldr.exe
968	oobeldr.exe
1664	oobeldr.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 504 set thread context of 932	504	8be89599d3f9b0293aa8381421910c21270e20ed15440c17a04d0010ba7724f6.exe	79
PID 2164 set thread context of 2056	2164	oobeldr.exe	91
PID 968 set thread context of 1664	968	oobeldr.exe	95

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3204	schtasks.exe
1148	schtasks.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 504 wrote to memory of 932	504	8be89599d3f9b0293aa8381421910c21270e20ed15440c17a04d0010ba7724f6.exe	79
PID 504 wrote to memory of 932	504	8be89599d3f9b0293aa8381421910c21270e20ed15440c17a04d0010ba7724f6.exe	79
PID 504 wrote to memory of 932	504	8be89599d3f9b0293aa8381421910c21270e20ed15440c17a04d0010ba7724f6.exe	79
PID 504 wrote to memory of 932	504	8be89599d3f9b0293aa8381421910c21270e20ed15440c17a04d0010ba7724f6.exe	79
PID 504 wrote to memory of 932	504	8be89599d3f9b0293aa8381421910c21270e20ed15440c17a04d0010ba7724f6.exe	79
PID 504 wrote to memory of 932	504	8be89599d3f9b0293aa8381421910c21270e20ed15440c17a04d0010ba7724f6.exe	79
PID 504 wrote to memory of 932	504	8be89599d3f9b0293aa8381421910c21270e20ed15440c17a04d0010ba7724f6.exe	79
PID 504 wrote to memory of 932	504	8be89599d3f9b0293aa8381421910c21270e20ed15440c17a04d0010ba7724f6.exe	79
PID 504 wrote to memory of 932	504	8be89599d3f9b0293aa8381421910c21270e20ed15440c17a04d0010ba7724f6.exe	79
PID 932 wrote to memory of 3204	932	8be89599d3f9b0293aa8381421910c21270e20ed15440c17a04d0010ba7724f6.exe	84
PID 932 wrote to memory of 3204	932	8be89599d3f9b0293aa8381421910c21270e20ed15440c17a04d0010ba7724f6.exe	84
PID 932 wrote to memory of 3204	932	8be89599d3f9b0293aa8381421910c21270e20ed15440c17a04d0010ba7724f6.exe	84
PID 2164 wrote to memory of 2056	2164	oobeldr.exe	91
PID 2164 wrote to memory of 2056	2164	oobeldr.exe	91
PID 2164 wrote to memory of 2056	2164	oobeldr.exe	91
PID 2164 wrote to memory of 2056	2164	oobeldr.exe	91
PID 2164 wrote to memory of 2056	2164	oobeldr.exe	91
PID 2164 wrote to memory of 2056	2164	oobeldr.exe	91
PID 2164 wrote to memory of 2056	2164	oobeldr.exe	91
PID 2164 wrote to memory of 2056	2164	oobeldr.exe	91
PID 2164 wrote to memory of 2056	2164	oobeldr.exe	91
PID 2056 wrote to memory of 1148	2056	oobeldr.exe	92
PID 2056 wrote to memory of 1148	2056	oobeldr.exe	92
PID 2056 wrote to memory of 1148	2056	oobeldr.exe	92
PID 968 wrote to memory of 1664	968	oobeldr.exe	95
PID 968 wrote to memory of 1664	968	oobeldr.exe	95
PID 968 wrote to memory of 1664	968	oobeldr.exe	95
PID 968 wrote to memory of 1664	968	oobeldr.exe	95
PID 968 wrote to memory of 1664	968	oobeldr.exe	95
PID 968 wrote to memory of 1664	968	oobeldr.exe	95
PID 968 wrote to memory of 1664	968	oobeldr.exe	95
PID 968 wrote to memory of 1664	968	oobeldr.exe	95
PID 968 wrote to memory of 1664	968	oobeldr.exe	95

C:\Users\Admin\AppData\Local\Temp\8be89599d3f9b0293aa8381421910c21270e20ed15440c17a04d0010ba7724f6.exe
"C:\Users\Admin\AppData\Local\Temp\8be89599d3f9b0293aa8381421910c21270e20ed15440c17a04d0010ba7724f6.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:504
- C:\Users\Admin\AppData\Local\Temp\8be89599d3f9b0293aa8381421910c21270e20ed15440c17a04d0010ba7724f6.exe
  C:\Users\Admin\AppData\Local\Temp\8be89599d3f9b0293aa8381421910c21270e20ed15440c17a04d0010ba7724f6.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:932
- - C:\Windows\SysWOW64\schtasks.exe
    /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
    3⤵
    - Creates scheduled task(s)
    PID:3204

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2164
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2056
- - C:\Windows\SysWOW64\schtasks.exe
    /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
    3⤵
    - Creates scheduled task(s)
    PID:1148

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:968
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  - Executes dropped EXE
  PID:1664

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\oobeldr.exe.log

Filesize
789B

MD5
03d2df1e8834bc4ec1756735429b458c

SHA1
4ee6c0f5b04c8e0c5076219c5724032daab11d40

SHA256
745ab70552d9a0463b791fd8dc1942838ac3e34fb1a68f09ed3766c7e3b05631

SHA512
2482c3d4478125ccbc7f224f50e86b7bf925ed438b59f4dce57b9b6bcdb59df51417049096b131b6b911173550eed98bc92aba7050861de303a692f0681b197b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
322KB

MD5
da26bc2791ec62d35878fd835bb76352

SHA1
69396ce5e9c0fc196a58ee76c508242f7fa4bcde

SHA256
8be89599d3f9b0293aa8381421910c21270e20ed15440c17a04d0010ba7724f6

SHA512
86b239ca060a6e261f4936fc38a29ad5163765356403012bcdd39eb8df31b2598aff607f9d36b22794412e14dd694919a4a9ebe9dc73ee80d83a9d54d6b4df81

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
322KB

MD5
da26bc2791ec62d35878fd835bb76352

SHA1
69396ce5e9c0fc196a58ee76c508242f7fa4bcde

SHA256
8be89599d3f9b0293aa8381421910c21270e20ed15440c17a04d0010ba7724f6

SHA512
86b239ca060a6e261f4936fc38a29ad5163765356403012bcdd39eb8df31b2598aff607f9d36b22794412e14dd694919a4a9ebe9dc73ee80d83a9d54d6b4df81

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
322KB

MD5
da26bc2791ec62d35878fd835bb76352

SHA1
69396ce5e9c0fc196a58ee76c508242f7fa4bcde

SHA256
8be89599d3f9b0293aa8381421910c21270e20ed15440c17a04d0010ba7724f6

SHA512
86b239ca060a6e261f4936fc38a29ad5163765356403012bcdd39eb8df31b2598aff607f9d36b22794412e14dd694919a4a9ebe9dc73ee80d83a9d54d6b4df81

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
322KB

MD5
da26bc2791ec62d35878fd835bb76352

SHA1
69396ce5e9c0fc196a58ee76c508242f7fa4bcde

SHA256
8be89599d3f9b0293aa8381421910c21270e20ed15440c17a04d0010ba7724f6

SHA512
86b239ca060a6e261f4936fc38a29ad5163765356403012bcdd39eb8df31b2598aff607f9d36b22794412e14dd694919a4a9ebe9dc73ee80d83a9d54d6b4df81

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
322KB

MD5
da26bc2791ec62d35878fd835bb76352

SHA1
69396ce5e9c0fc196a58ee76c508242f7fa4bcde

SHA256
8be89599d3f9b0293aa8381421910c21270e20ed15440c17a04d0010ba7724f6

SHA512
86b239ca060a6e261f4936fc38a29ad5163765356403012bcdd39eb8df31b2598aff607f9d36b22794412e14dd694919a4a9ebe9dc73ee80d83a9d54d6b4df81

Download Submit
memory/504-133-0x00000000075E0000-0x0000000007B84000-memory.dmp

Filesize
5.6MB

Download
memory/504-134-0x00000000070D0000-0x0000000007162000-memory.dmp

Filesize
584KB

Download
memory/504-135-0x0000000007370000-0x00000000073E6000-memory.dmp

Filesize
472KB

Download
memory/504-136-0x0000000004C10000-0x0000000004C2E000-memory.dmp

Filesize
120KB

Download
memory/504-132-0x00000000000D0000-0x0000000000126000-memory.dmp

Filesize
344KB

Download
memory/932-141-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/932-140-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/932-138-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads