6e4a96f27ddf00cec781deec00d72e9870f2a79ce9e162380dc3b0863882182c

Analysis

max time kernel
113s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
01/11/2022, 05:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6e4a96f27ddf00cec781deec00d72e9870f2a79ce9e162380dc3b0863882182c.exe
Size

323KB
MD5

e8c1f6d545bcd637e0eef0c3f97468e8
SHA1

cdb96e70b84587514887a800a58e082feb1b1619
SHA256

6e4a96f27ddf00cec781deec00d72e9870f2a79ce9e162380dc3b0863882182c
SHA512

aff0ff0b9a4e696e4346d058e00837654661e6b95a2c2b2712f8352f2e09a8a2f0449a1d3b465f84772d5005ce0147a3b2fdbfbaab7aa1614f89df31d3082f16
SSDEEP

6144:eKlzr1sYCzek2ciDaP9Xk6Ln1W8W/9InBSkZZmLdGcAdgdY6RKpjS:eGhQ2ciDq9ZL1W8q9InBRqELdolRKpj

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
3952	oobeldr.exe
656	oobeldr.exe
2864	oobeldr.exe
4164	oobeldr.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4956 set thread context of 2436	4956	6e4a96f27ddf00cec781deec00d72e9870f2a79ce9e162380dc3b0863882182c.exe	81
PID 3952 set thread context of 656	3952	oobeldr.exe	92
PID 2864 set thread context of 4164	2864	oobeldr.exe	96

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3876	4164	WerFault.exe	96

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3408	schtasks.exe
4040	schtasks.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 4956 wrote to memory of 2436	4956	6e4a96f27ddf00cec781deec00d72e9870f2a79ce9e162380dc3b0863882182c.exe	81
PID 4956 wrote to memory of 2436	4956	6e4a96f27ddf00cec781deec00d72e9870f2a79ce9e162380dc3b0863882182c.exe	81
PID 4956 wrote to memory of 2436	4956	6e4a96f27ddf00cec781deec00d72e9870f2a79ce9e162380dc3b0863882182c.exe	81
PID 4956 wrote to memory of 2436	4956	6e4a96f27ddf00cec781deec00d72e9870f2a79ce9e162380dc3b0863882182c.exe	81
PID 4956 wrote to memory of 2436	4956	6e4a96f27ddf00cec781deec00d72e9870f2a79ce9e162380dc3b0863882182c.exe	81
PID 4956 wrote to memory of 2436	4956	6e4a96f27ddf00cec781deec00d72e9870f2a79ce9e162380dc3b0863882182c.exe	81
PID 4956 wrote to memory of 2436	4956	6e4a96f27ddf00cec781deec00d72e9870f2a79ce9e162380dc3b0863882182c.exe	81
PID 4956 wrote to memory of 2436	4956	6e4a96f27ddf00cec781deec00d72e9870f2a79ce9e162380dc3b0863882182c.exe	81
PID 4956 wrote to memory of 2436	4956	6e4a96f27ddf00cec781deec00d72e9870f2a79ce9e162380dc3b0863882182c.exe	81
PID 2436 wrote to memory of 3408	2436	6e4a96f27ddf00cec781deec00d72e9870f2a79ce9e162380dc3b0863882182c.exe	82
PID 2436 wrote to memory of 3408	2436	6e4a96f27ddf00cec781deec00d72e9870f2a79ce9e162380dc3b0863882182c.exe	82
PID 2436 wrote to memory of 3408	2436	6e4a96f27ddf00cec781deec00d72e9870f2a79ce9e162380dc3b0863882182c.exe	82
PID 3952 wrote to memory of 656	3952	oobeldr.exe	92
PID 3952 wrote to memory of 656	3952	oobeldr.exe	92
PID 3952 wrote to memory of 656	3952	oobeldr.exe	92
PID 3952 wrote to memory of 656	3952	oobeldr.exe	92
PID 3952 wrote to memory of 656	3952	oobeldr.exe	92
PID 3952 wrote to memory of 656	3952	oobeldr.exe	92
PID 3952 wrote to memory of 656	3952	oobeldr.exe	92
PID 3952 wrote to memory of 656	3952	oobeldr.exe	92
PID 3952 wrote to memory of 656	3952	oobeldr.exe	92
PID 656 wrote to memory of 4040	656	oobeldr.exe	93
PID 656 wrote to memory of 4040	656	oobeldr.exe	93
PID 656 wrote to memory of 4040	656	oobeldr.exe	93
PID 2864 wrote to memory of 4164	2864	oobeldr.exe	96
PID 2864 wrote to memory of 4164	2864	oobeldr.exe	96
PID 2864 wrote to memory of 4164	2864	oobeldr.exe	96
PID 2864 wrote to memory of 4164	2864	oobeldr.exe	96
PID 2864 wrote to memory of 4164	2864	oobeldr.exe	96
PID 2864 wrote to memory of 4164	2864	oobeldr.exe	96
PID 2864 wrote to memory of 4164	2864	oobeldr.exe	96
PID 2864 wrote to memory of 4164	2864	oobeldr.exe	96
PID 2864 wrote to memory of 4164	2864	oobeldr.exe	96

C:\Users\Admin\AppData\Local\Temp\6e4a96f27ddf00cec781deec00d72e9870f2a79ce9e162380dc3b0863882182c.exe
"C:\Users\Admin\AppData\Local\Temp\6e4a96f27ddf00cec781deec00d72e9870f2a79ce9e162380dc3b0863882182c.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4956
- C:\Users\Admin\AppData\Local\Temp\6e4a96f27ddf00cec781deec00d72e9870f2a79ce9e162380dc3b0863882182c.exe
  C:\Users\Admin\AppData\Local\Temp\6e4a96f27ddf00cec781deec00d72e9870f2a79ce9e162380dc3b0863882182c.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2436
- - C:\Windows\SysWOW64\schtasks.exe
    /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
    3⤵
    - Creates scheduled task(s)
    PID:3408

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3952
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:656
- - C:\Windows\SysWOW64\schtasks.exe
    /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
    3⤵
    - Creates scheduled task(s)
    PID:4040

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2864
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  - Executes dropped EXE
  PID:4164
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4164 -s 144
    3⤵
    - Program crash
    PID:3876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4164 -ip 4164
1⤵
PID:5104

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\oobeldr.exe.log

Filesize
789B

MD5
03d2df1e8834bc4ec1756735429b458c

SHA1
4ee6c0f5b04c8e0c5076219c5724032daab11d40

SHA256
745ab70552d9a0463b791fd8dc1942838ac3e34fb1a68f09ed3766c7e3b05631

SHA512
2482c3d4478125ccbc7f224f50e86b7bf925ed438b59f4dce57b9b6bcdb59df51417049096b131b6b911173550eed98bc92aba7050861de303a692f0681b197b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
323KB

MD5
e8c1f6d545bcd637e0eef0c3f97468e8

SHA1
cdb96e70b84587514887a800a58e082feb1b1619

SHA256
6e4a96f27ddf00cec781deec00d72e9870f2a79ce9e162380dc3b0863882182c

SHA512
aff0ff0b9a4e696e4346d058e00837654661e6b95a2c2b2712f8352f2e09a8a2f0449a1d3b465f84772d5005ce0147a3b2fdbfbaab7aa1614f89df31d3082f16

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
323KB

MD5
e8c1f6d545bcd637e0eef0c3f97468e8

SHA1
cdb96e70b84587514887a800a58e082feb1b1619

SHA256
6e4a96f27ddf00cec781deec00d72e9870f2a79ce9e162380dc3b0863882182c

SHA512
aff0ff0b9a4e696e4346d058e00837654661e6b95a2c2b2712f8352f2e09a8a2f0449a1d3b465f84772d5005ce0147a3b2fdbfbaab7aa1614f89df31d3082f16

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
323KB

MD5
e8c1f6d545bcd637e0eef0c3f97468e8

SHA1
cdb96e70b84587514887a800a58e082feb1b1619

SHA256
6e4a96f27ddf00cec781deec00d72e9870f2a79ce9e162380dc3b0863882182c

SHA512
aff0ff0b9a4e696e4346d058e00837654661e6b95a2c2b2712f8352f2e09a8a2f0449a1d3b465f84772d5005ce0147a3b2fdbfbaab7aa1614f89df31d3082f16

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
323KB

MD5
e8c1f6d545bcd637e0eef0c3f97468e8

SHA1
cdb96e70b84587514887a800a58e082feb1b1619

SHA256
6e4a96f27ddf00cec781deec00d72e9870f2a79ce9e162380dc3b0863882182c

SHA512
aff0ff0b9a4e696e4346d058e00837654661e6b95a2c2b2712f8352f2e09a8a2f0449a1d3b465f84772d5005ce0147a3b2fdbfbaab7aa1614f89df31d3082f16

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
323KB

MD5
e8c1f6d545bcd637e0eef0c3f97468e8

SHA1
cdb96e70b84587514887a800a58e082feb1b1619

SHA256
6e4a96f27ddf00cec781deec00d72e9870f2a79ce9e162380dc3b0863882182c

SHA512
aff0ff0b9a4e696e4346d058e00837654661e6b95a2c2b2712f8352f2e09a8a2f0449a1d3b465f84772d5005ce0147a3b2fdbfbaab7aa1614f89df31d3082f16

Download Submit
memory/2436-138-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2436-140-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2436-142-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/4956-132-0x00000000001F0000-0x0000000000246000-memory.dmp

Filesize
344KB

Download
memory/4956-136-0x0000000004D20000-0x0000000004D3E000-memory.dmp

Filesize
120KB

Download
memory/4956-135-0x0000000007730000-0x00000000077A6000-memory.dmp

Filesize
472KB

Download
memory/4956-134-0x0000000007200000-0x0000000007292000-memory.dmp

Filesize
584KB

Download
memory/4956-133-0x00000000077B0000-0x0000000007D54000-memory.dmp

Filesize
5.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads