8849b6f4d433a307e28f9ed96b5dc4e724c14fd9d94e6d68ef2efbe4a951f90a

Analysis

max time kernel
114s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
01/11/2022, 02:15

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

8849b6f4d433a307e28f9ed96b5dc4e724c14fd9d94e6d68ef2efbe4a951f90a.exe
Size

323KB
MD5

ddd6cce8d1c822de19aef33a7837159b
SHA1

b905ef0fac5cdf86087420d816ccc015af4e4d09
SHA256

8849b6f4d433a307e28f9ed96b5dc4e724c14fd9d94e6d68ef2efbe4a951f90a
SHA512

fefe2731dc7a6c0e8816963703f62f633dacbae68e91cb5e9426611be490a3429efbf13860c5a913475b68a8bf185109d7a11fc01ec7723d043c7e7dba7cff7a
SSDEEP

6144:eKlzr1sYCzek2ciDaP9Xk6Ln1W8W/9InBSkZZmLdGcAdgdY6RKpjS:eGhQ2ciDq9ZL1W8q9InBRqELdolRKpj

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2860	oobeldr.exe
2636	oobeldr.exe
4412	oobeldr.exe
4524	oobeldr.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 5048 set thread context of 4864	5048	8849b6f4d433a307e28f9ed96b5dc4e724c14fd9d94e6d68ef2efbe4a951f90a.exe	83
PID 2860 set thread context of 2636	2860	oobeldr.exe	91
PID 4412 set thread context of 4524	4412	oobeldr.exe	95

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3168	schtasks.exe
3580	schtasks.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 5048 wrote to memory of 392	5048	8849b6f4d433a307e28f9ed96b5dc4e724c14fd9d94e6d68ef2efbe4a951f90a.exe	79
PID 5048 wrote to memory of 392	5048	8849b6f4d433a307e28f9ed96b5dc4e724c14fd9d94e6d68ef2efbe4a951f90a.exe	79
PID 5048 wrote to memory of 392	5048	8849b6f4d433a307e28f9ed96b5dc4e724c14fd9d94e6d68ef2efbe4a951f90a.exe	79
PID 5048 wrote to memory of 4864	5048	8849b6f4d433a307e28f9ed96b5dc4e724c14fd9d94e6d68ef2efbe4a951f90a.exe	83
PID 5048 wrote to memory of 4864	5048	8849b6f4d433a307e28f9ed96b5dc4e724c14fd9d94e6d68ef2efbe4a951f90a.exe	83
PID 5048 wrote to memory of 4864	5048	8849b6f4d433a307e28f9ed96b5dc4e724c14fd9d94e6d68ef2efbe4a951f90a.exe	83
PID 5048 wrote to memory of 4864	5048	8849b6f4d433a307e28f9ed96b5dc4e724c14fd9d94e6d68ef2efbe4a951f90a.exe	83
PID 5048 wrote to memory of 4864	5048	8849b6f4d433a307e28f9ed96b5dc4e724c14fd9d94e6d68ef2efbe4a951f90a.exe	83
PID 5048 wrote to memory of 4864	5048	8849b6f4d433a307e28f9ed96b5dc4e724c14fd9d94e6d68ef2efbe4a951f90a.exe	83
PID 5048 wrote to memory of 4864	5048	8849b6f4d433a307e28f9ed96b5dc4e724c14fd9d94e6d68ef2efbe4a951f90a.exe	83
PID 5048 wrote to memory of 4864	5048	8849b6f4d433a307e28f9ed96b5dc4e724c14fd9d94e6d68ef2efbe4a951f90a.exe	83
PID 5048 wrote to memory of 4864	5048	8849b6f4d433a307e28f9ed96b5dc4e724c14fd9d94e6d68ef2efbe4a951f90a.exe	83
PID 4864 wrote to memory of 3168	4864	8849b6f4d433a307e28f9ed96b5dc4e724c14fd9d94e6d68ef2efbe4a951f90a.exe	85
PID 4864 wrote to memory of 3168	4864	8849b6f4d433a307e28f9ed96b5dc4e724c14fd9d94e6d68ef2efbe4a951f90a.exe	85
PID 4864 wrote to memory of 3168	4864	8849b6f4d433a307e28f9ed96b5dc4e724c14fd9d94e6d68ef2efbe4a951f90a.exe	85
PID 2860 wrote to memory of 2636	2860	oobeldr.exe	91
PID 2860 wrote to memory of 2636	2860	oobeldr.exe	91
PID 2860 wrote to memory of 2636	2860	oobeldr.exe	91
PID 2860 wrote to memory of 2636	2860	oobeldr.exe	91
PID 2860 wrote to memory of 2636	2860	oobeldr.exe	91
PID 2860 wrote to memory of 2636	2860	oobeldr.exe	91
PID 2860 wrote to memory of 2636	2860	oobeldr.exe	91
PID 2860 wrote to memory of 2636	2860	oobeldr.exe	91
PID 2860 wrote to memory of 2636	2860	oobeldr.exe	91
PID 2636 wrote to memory of 3580	2636	oobeldr.exe	92
PID 2636 wrote to memory of 3580	2636	oobeldr.exe	92
PID 2636 wrote to memory of 3580	2636	oobeldr.exe	92
PID 4412 wrote to memory of 4524	4412	oobeldr.exe	95
PID 4412 wrote to memory of 4524	4412	oobeldr.exe	95
PID 4412 wrote to memory of 4524	4412	oobeldr.exe	95
PID 4412 wrote to memory of 4524	4412	oobeldr.exe	95
PID 4412 wrote to memory of 4524	4412	oobeldr.exe	95
PID 4412 wrote to memory of 4524	4412	oobeldr.exe	95
PID 4412 wrote to memory of 4524	4412	oobeldr.exe	95
PID 4412 wrote to memory of 4524	4412	oobeldr.exe	95
PID 4412 wrote to memory of 4524	4412	oobeldr.exe	95

C:\Users\Admin\AppData\Local\Temp\8849b6f4d433a307e28f9ed96b5dc4e724c14fd9d94e6d68ef2efbe4a951f90a.exe
"C:\Users\Admin\AppData\Local\Temp\8849b6f4d433a307e28f9ed96b5dc4e724c14fd9d94e6d68ef2efbe4a951f90a.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5048
- C:\Users\Admin\AppData\Local\Temp\8849b6f4d433a307e28f9ed96b5dc4e724c14fd9d94e6d68ef2efbe4a951f90a.exe
  C:\Users\Admin\AppData\Local\Temp\8849b6f4d433a307e28f9ed96b5dc4e724c14fd9d94e6d68ef2efbe4a951f90a.exe
  2⤵
  PID:392
- C:\Users\Admin\AppData\Local\Temp\8849b6f4d433a307e28f9ed96b5dc4e724c14fd9d94e6d68ef2efbe4a951f90a.exe
  C:\Users\Admin\AppData\Local\Temp\8849b6f4d433a307e28f9ed96b5dc4e724c14fd9d94e6d68ef2efbe4a951f90a.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4864
- - C:\Windows\SysWOW64\schtasks.exe
    /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
    3⤵
    - Creates scheduled task(s)
    PID:3168

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2860
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2636
- - C:\Windows\SysWOW64\schtasks.exe
    /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
    3⤵
    - Creates scheduled task(s)
    PID:3580

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4412
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  - Executes dropped EXE
  PID:4524

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\oobeldr.exe.log

Filesize
789B

MD5
03d2df1e8834bc4ec1756735429b458c

SHA1
4ee6c0f5b04c8e0c5076219c5724032daab11d40

SHA256
745ab70552d9a0463b791fd8dc1942838ac3e34fb1a68f09ed3766c7e3b05631

SHA512
2482c3d4478125ccbc7f224f50e86b7bf925ed438b59f4dce57b9b6bcdb59df51417049096b131b6b911173550eed98bc92aba7050861de303a692f0681b197b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
323KB

MD5
ddd6cce8d1c822de19aef33a7837159b

SHA1
b905ef0fac5cdf86087420d816ccc015af4e4d09

SHA256
8849b6f4d433a307e28f9ed96b5dc4e724c14fd9d94e6d68ef2efbe4a951f90a

SHA512
fefe2731dc7a6c0e8816963703f62f633dacbae68e91cb5e9426611be490a3429efbf13860c5a913475b68a8bf185109d7a11fc01ec7723d043c7e7dba7cff7a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
323KB

MD5
ddd6cce8d1c822de19aef33a7837159b

SHA1
b905ef0fac5cdf86087420d816ccc015af4e4d09

SHA256
8849b6f4d433a307e28f9ed96b5dc4e724c14fd9d94e6d68ef2efbe4a951f90a

SHA512
fefe2731dc7a6c0e8816963703f62f633dacbae68e91cb5e9426611be490a3429efbf13860c5a913475b68a8bf185109d7a11fc01ec7723d043c7e7dba7cff7a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
323KB

MD5
ddd6cce8d1c822de19aef33a7837159b

SHA1
b905ef0fac5cdf86087420d816ccc015af4e4d09

SHA256
8849b6f4d433a307e28f9ed96b5dc4e724c14fd9d94e6d68ef2efbe4a951f90a

SHA512
fefe2731dc7a6c0e8816963703f62f633dacbae68e91cb5e9426611be490a3429efbf13860c5a913475b68a8bf185109d7a11fc01ec7723d043c7e7dba7cff7a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
323KB

MD5
ddd6cce8d1c822de19aef33a7837159b

SHA1
b905ef0fac5cdf86087420d816ccc015af4e4d09

SHA256
8849b6f4d433a307e28f9ed96b5dc4e724c14fd9d94e6d68ef2efbe4a951f90a

SHA512
fefe2731dc7a6c0e8816963703f62f633dacbae68e91cb5e9426611be490a3429efbf13860c5a913475b68a8bf185109d7a11fc01ec7723d043c7e7dba7cff7a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
323KB

MD5
ddd6cce8d1c822de19aef33a7837159b

SHA1
b905ef0fac5cdf86087420d816ccc015af4e4d09

SHA256
8849b6f4d433a307e28f9ed96b5dc4e724c14fd9d94e6d68ef2efbe4a951f90a

SHA512
fefe2731dc7a6c0e8816963703f62f633dacbae68e91cb5e9426611be490a3429efbf13860c5a913475b68a8bf185109d7a11fc01ec7723d043c7e7dba7cff7a

Download Submit
memory/4864-141-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/4864-140-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/4864-138-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/5048-132-0x0000000000550000-0x00000000005A6000-memory.dmp

Filesize
344KB

Download
memory/5048-136-0x00000000074E0000-0x00000000074FE000-memory.dmp

Filesize
120KB

Download
memory/5048-135-0x0000000007820000-0x0000000007896000-memory.dmp

Filesize
472KB

Download
memory/5048-134-0x0000000007580000-0x0000000007612000-memory.dmp

Filesize
584KB

Download
memory/5048-133-0x0000000007A90000-0x0000000008034000-memory.dmp

Filesize
5.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads