6b4e2c352a1130aa64e8a5e01bd981c7d71db38a73555ed5645509d12f51a662

Analysis

max time kernel
149s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
01/11/2022, 02:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6b4e2c352a1130aa64e8a5e01bd981c7d71db38a73555ed5645509d12f51a662.exe
Size

323KB
MD5

beebb1a5e262bbc2b520be6e45174a2f
SHA1

b1600fde585232f3e0d998ff53fcde2080480a91
SHA256

6b4e2c352a1130aa64e8a5e01bd981c7d71db38a73555ed5645509d12f51a662
SHA512

ff5dee4631a478664a058b3a50e44c21c789aa7a5717d351fe012888ec10fd817e5ccdf6c2459bfe911e9448396d41e9a171effddd1bba3634b1a56f3e41422a
SSDEEP

6144:eKlzr1sYCzek2ciDaP9Xk6Ln1W8W/9InBSkZZmLdGcAdgdY6RKpjS:eGhQ2ciDq9ZL1W8q9InBRqELdolRKpj

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 7 IoCs

pid	Process
3500	oobeldr.exe
224	oobeldr.exe
2784	oobeldr.exe
3624	oobeldr.exe
3736	oobeldr.exe
1340	oobeldr.exe
1248	oobeldr.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 3316 set thread context of 1300	3316	6b4e2c352a1130aa64e8a5e01bd981c7d71db38a73555ed5645509d12f51a662.exe	81
PID 3500 set thread context of 224	3500	oobeldr.exe	91
PID 2784 set thread context of 3736	2784	oobeldr.exe	97
PID 1340 set thread context of 1248	1340	oobeldr.exe	99

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2120	schtasks.exe
4484	schtasks.exe

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 3316 wrote to memory of 1300	3316	6b4e2c352a1130aa64e8a5e01bd981c7d71db38a73555ed5645509d12f51a662.exe	81
PID 3316 wrote to memory of 1300	3316	6b4e2c352a1130aa64e8a5e01bd981c7d71db38a73555ed5645509d12f51a662.exe	81
PID 3316 wrote to memory of 1300	3316	6b4e2c352a1130aa64e8a5e01bd981c7d71db38a73555ed5645509d12f51a662.exe	81
PID 3316 wrote to memory of 1300	3316	6b4e2c352a1130aa64e8a5e01bd981c7d71db38a73555ed5645509d12f51a662.exe	81
PID 3316 wrote to memory of 1300	3316	6b4e2c352a1130aa64e8a5e01bd981c7d71db38a73555ed5645509d12f51a662.exe	81
PID 3316 wrote to memory of 1300	3316	6b4e2c352a1130aa64e8a5e01bd981c7d71db38a73555ed5645509d12f51a662.exe	81
PID 3316 wrote to memory of 1300	3316	6b4e2c352a1130aa64e8a5e01bd981c7d71db38a73555ed5645509d12f51a662.exe	81
PID 3316 wrote to memory of 1300	3316	6b4e2c352a1130aa64e8a5e01bd981c7d71db38a73555ed5645509d12f51a662.exe	81
PID 3316 wrote to memory of 1300	3316	6b4e2c352a1130aa64e8a5e01bd981c7d71db38a73555ed5645509d12f51a662.exe	81
PID 1300 wrote to memory of 2120	1300	6b4e2c352a1130aa64e8a5e01bd981c7d71db38a73555ed5645509d12f51a662.exe	82
PID 1300 wrote to memory of 2120	1300	6b4e2c352a1130aa64e8a5e01bd981c7d71db38a73555ed5645509d12f51a662.exe	82
PID 1300 wrote to memory of 2120	1300	6b4e2c352a1130aa64e8a5e01bd981c7d71db38a73555ed5645509d12f51a662.exe	82
PID 3500 wrote to memory of 224	3500	oobeldr.exe	91
PID 3500 wrote to memory of 224	3500	oobeldr.exe	91
PID 3500 wrote to memory of 224	3500	oobeldr.exe	91
PID 3500 wrote to memory of 224	3500	oobeldr.exe	91
PID 3500 wrote to memory of 224	3500	oobeldr.exe	91
PID 3500 wrote to memory of 224	3500	oobeldr.exe	91
PID 3500 wrote to memory of 224	3500	oobeldr.exe	91
PID 3500 wrote to memory of 224	3500	oobeldr.exe	91
PID 3500 wrote to memory of 224	3500	oobeldr.exe	91
PID 224 wrote to memory of 4484	224	oobeldr.exe	92
PID 224 wrote to memory of 4484	224	oobeldr.exe	92
PID 224 wrote to memory of 4484	224	oobeldr.exe	92
PID 2784 wrote to memory of 3624	2784	oobeldr.exe	96
PID 2784 wrote to memory of 3624	2784	oobeldr.exe	96
PID 2784 wrote to memory of 3624	2784	oobeldr.exe	96
PID 2784 wrote to memory of 3736	2784	oobeldr.exe	97
PID 2784 wrote to memory of 3736	2784	oobeldr.exe	97
PID 2784 wrote to memory of 3736	2784	oobeldr.exe	97
PID 2784 wrote to memory of 3736	2784	oobeldr.exe	97
PID 2784 wrote to memory of 3736	2784	oobeldr.exe	97
PID 2784 wrote to memory of 3736	2784	oobeldr.exe	97
PID 2784 wrote to memory of 3736	2784	oobeldr.exe	97
PID 2784 wrote to memory of 3736	2784	oobeldr.exe	97
PID 2784 wrote to memory of 3736	2784	oobeldr.exe	97
PID 1340 wrote to memory of 1248	1340	oobeldr.exe	99
PID 1340 wrote to memory of 1248	1340	oobeldr.exe	99
PID 1340 wrote to memory of 1248	1340	oobeldr.exe	99
PID 1340 wrote to memory of 1248	1340	oobeldr.exe	99
PID 1340 wrote to memory of 1248	1340	oobeldr.exe	99
PID 1340 wrote to memory of 1248	1340	oobeldr.exe	99
PID 1340 wrote to memory of 1248	1340	oobeldr.exe	99
PID 1340 wrote to memory of 1248	1340	oobeldr.exe	99
PID 1340 wrote to memory of 1248	1340	oobeldr.exe	99

C:\Users\Admin\AppData\Local\Temp\6b4e2c352a1130aa64e8a5e01bd981c7d71db38a73555ed5645509d12f51a662.exe
"C:\Users\Admin\AppData\Local\Temp\6b4e2c352a1130aa64e8a5e01bd981c7d71db38a73555ed5645509d12f51a662.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3316
- C:\Users\Admin\AppData\Local\Temp\6b4e2c352a1130aa64e8a5e01bd981c7d71db38a73555ed5645509d12f51a662.exe
  C:\Users\Admin\AppData\Local\Temp\6b4e2c352a1130aa64e8a5e01bd981c7d71db38a73555ed5645509d12f51a662.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1300
- - C:\Windows\SysWOW64\schtasks.exe
    /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
    3⤵
    - Creates scheduled task(s)
    PID:2120

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3500
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:224
- - C:\Windows\SysWOW64\schtasks.exe
    /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
    3⤵
    - Creates scheduled task(s)
    PID:4484

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2784
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  - Executes dropped EXE
  PID:3624
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  - Executes dropped EXE
  PID:3736

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1340
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  - Executes dropped EXE
  PID:1248

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\oobeldr.exe.log

Filesize
789B

MD5
03d2df1e8834bc4ec1756735429b458c

SHA1
4ee6c0f5b04c8e0c5076219c5724032daab11d40

SHA256
745ab70552d9a0463b791fd8dc1942838ac3e34fb1a68f09ed3766c7e3b05631

SHA512
2482c3d4478125ccbc7f224f50e86b7bf925ed438b59f4dce57b9b6bcdb59df51417049096b131b6b911173550eed98bc92aba7050861de303a692f0681b197b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
323KB

MD5
beebb1a5e262bbc2b520be6e45174a2f

SHA1
b1600fde585232f3e0d998ff53fcde2080480a91

SHA256
6b4e2c352a1130aa64e8a5e01bd981c7d71db38a73555ed5645509d12f51a662

SHA512
ff5dee4631a478664a058b3a50e44c21c789aa7a5717d351fe012888ec10fd817e5ccdf6c2459bfe911e9448396d41e9a171effddd1bba3634b1a56f3e41422a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
323KB

MD5
beebb1a5e262bbc2b520be6e45174a2f

SHA1
b1600fde585232f3e0d998ff53fcde2080480a91

SHA256
6b4e2c352a1130aa64e8a5e01bd981c7d71db38a73555ed5645509d12f51a662

SHA512
ff5dee4631a478664a058b3a50e44c21c789aa7a5717d351fe012888ec10fd817e5ccdf6c2459bfe911e9448396d41e9a171effddd1bba3634b1a56f3e41422a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
323KB

MD5
beebb1a5e262bbc2b520be6e45174a2f

SHA1
b1600fde585232f3e0d998ff53fcde2080480a91

SHA256
6b4e2c352a1130aa64e8a5e01bd981c7d71db38a73555ed5645509d12f51a662

SHA512
ff5dee4631a478664a058b3a50e44c21c789aa7a5717d351fe012888ec10fd817e5ccdf6c2459bfe911e9448396d41e9a171effddd1bba3634b1a56f3e41422a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
323KB

MD5
beebb1a5e262bbc2b520be6e45174a2f

SHA1
b1600fde585232f3e0d998ff53fcde2080480a91

SHA256
6b4e2c352a1130aa64e8a5e01bd981c7d71db38a73555ed5645509d12f51a662

SHA512
ff5dee4631a478664a058b3a50e44c21c789aa7a5717d351fe012888ec10fd817e5ccdf6c2459bfe911e9448396d41e9a171effddd1bba3634b1a56f3e41422a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
323KB

MD5
beebb1a5e262bbc2b520be6e45174a2f

SHA1
b1600fde585232f3e0d998ff53fcde2080480a91

SHA256
6b4e2c352a1130aa64e8a5e01bd981c7d71db38a73555ed5645509d12f51a662

SHA512
ff5dee4631a478664a058b3a50e44c21c789aa7a5717d351fe012888ec10fd817e5ccdf6c2459bfe911e9448396d41e9a171effddd1bba3634b1a56f3e41422a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
323KB

MD5
beebb1a5e262bbc2b520be6e45174a2f

SHA1
b1600fde585232f3e0d998ff53fcde2080480a91

SHA256
6b4e2c352a1130aa64e8a5e01bd981c7d71db38a73555ed5645509d12f51a662

SHA512
ff5dee4631a478664a058b3a50e44c21c789aa7a5717d351fe012888ec10fd817e5ccdf6c2459bfe911e9448396d41e9a171effddd1bba3634b1a56f3e41422a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
323KB

MD5
beebb1a5e262bbc2b520be6e45174a2f

SHA1
b1600fde585232f3e0d998ff53fcde2080480a91

SHA256
6b4e2c352a1130aa64e8a5e01bd981c7d71db38a73555ed5645509d12f51a662

SHA512
ff5dee4631a478664a058b3a50e44c21c789aa7a5717d351fe012888ec10fd817e5ccdf6c2459bfe911e9448396d41e9a171effddd1bba3634b1a56f3e41422a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
323KB

MD5
beebb1a5e262bbc2b520be6e45174a2f

SHA1
b1600fde585232f3e0d998ff53fcde2080480a91

SHA256
6b4e2c352a1130aa64e8a5e01bd981c7d71db38a73555ed5645509d12f51a662

SHA512
ff5dee4631a478664a058b3a50e44c21c789aa7a5717d351fe012888ec10fd817e5ccdf6c2459bfe911e9448396d41e9a171effddd1bba3634b1a56f3e41422a

Download Submit
memory/1300-142-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1300-140-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1300-138-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/3316-135-0x0000000007600000-0x0000000007676000-memory.dmp

Filesize
472KB

Download
memory/3316-134-0x0000000007360000-0x00000000073F2000-memory.dmp

Filesize
584KB

Download
memory/3316-132-0x0000000000350000-0x00000000003A6000-memory.dmp

Filesize
344KB

Download
memory/3316-133-0x0000000007870000-0x0000000007E14000-memory.dmp

Filesize
5.6MB

Download
memory/3316-136-0x00000000072E0000-0x00000000072FE000-memory.dmp

Filesize
120KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads