c263d2c372289af8d01d92b2a33218c54553acfb0dbc5d9c176e10154b15e5b3

Analysis

max time kernel
101s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
01/11/2022, 05:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c263d2c372289af8d01d92b2a33218c54553acfb0dbc5d9c176e10154b15e5b3.exe
Size

323KB
MD5

b1d0c2202e24e941a7f617d5acd6df2a
SHA1

bddf8cb3b494013744c2b1ddbdc4388ca9bb6414
SHA256

c263d2c372289af8d01d92b2a33218c54553acfb0dbc5d9c176e10154b15e5b3
SHA512

ddcc8095122b3a4f991ed2b165e0fb4f48c87120521d8c73fc396de42ceb0374e5737b6280e1202b3cbae3865cca01cb91ca77c8c414eac8de6185fd2bcb5e70
SSDEEP

6144:eKlzr1sYCzek2ciDaP9Xk6Ln1W8W/9InBSkZZmLdGcAdgdY6RKpjS:eGhQ2ciDq9ZL1W8q9InBRqELdolRKpj

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
3136	oobeldr.exe
1176	oobeldr.exe
4844	oobeldr.exe
2368	oobeldr.exe
4136	oobeldr.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4460 set thread context of 2316	4460	c263d2c372289af8d01d92b2a33218c54553acfb0dbc5d9c176e10154b15e5b3.exe	79
PID 3136 set thread context of 1176	3136	oobeldr.exe	90
PID 4844 set thread context of 4136	4844	oobeldr.exe	95

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
212	schtasks.exe
5020	schtasks.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 4460 wrote to memory of 2316	4460	c263d2c372289af8d01d92b2a33218c54553acfb0dbc5d9c176e10154b15e5b3.exe	79
PID 4460 wrote to memory of 2316	4460	c263d2c372289af8d01d92b2a33218c54553acfb0dbc5d9c176e10154b15e5b3.exe	79
PID 4460 wrote to memory of 2316	4460	c263d2c372289af8d01d92b2a33218c54553acfb0dbc5d9c176e10154b15e5b3.exe	79
PID 4460 wrote to memory of 2316	4460	c263d2c372289af8d01d92b2a33218c54553acfb0dbc5d9c176e10154b15e5b3.exe	79
PID 4460 wrote to memory of 2316	4460	c263d2c372289af8d01d92b2a33218c54553acfb0dbc5d9c176e10154b15e5b3.exe	79
PID 4460 wrote to memory of 2316	4460	c263d2c372289af8d01d92b2a33218c54553acfb0dbc5d9c176e10154b15e5b3.exe	79
PID 4460 wrote to memory of 2316	4460	c263d2c372289af8d01d92b2a33218c54553acfb0dbc5d9c176e10154b15e5b3.exe	79
PID 4460 wrote to memory of 2316	4460	c263d2c372289af8d01d92b2a33218c54553acfb0dbc5d9c176e10154b15e5b3.exe	79
PID 4460 wrote to memory of 2316	4460	c263d2c372289af8d01d92b2a33218c54553acfb0dbc5d9c176e10154b15e5b3.exe	79
PID 2316 wrote to memory of 5020	2316	c263d2c372289af8d01d92b2a33218c54553acfb0dbc5d9c176e10154b15e5b3.exe	82
PID 2316 wrote to memory of 5020	2316	c263d2c372289af8d01d92b2a33218c54553acfb0dbc5d9c176e10154b15e5b3.exe	82
PID 2316 wrote to memory of 5020	2316	c263d2c372289af8d01d92b2a33218c54553acfb0dbc5d9c176e10154b15e5b3.exe	82
PID 3136 wrote to memory of 1176	3136	oobeldr.exe	90
PID 3136 wrote to memory of 1176	3136	oobeldr.exe	90
PID 3136 wrote to memory of 1176	3136	oobeldr.exe	90
PID 3136 wrote to memory of 1176	3136	oobeldr.exe	90
PID 3136 wrote to memory of 1176	3136	oobeldr.exe	90
PID 3136 wrote to memory of 1176	3136	oobeldr.exe	90
PID 3136 wrote to memory of 1176	3136	oobeldr.exe	90
PID 3136 wrote to memory of 1176	3136	oobeldr.exe	90
PID 3136 wrote to memory of 1176	3136	oobeldr.exe	90
PID 1176 wrote to memory of 212	1176	oobeldr.exe	91
PID 1176 wrote to memory of 212	1176	oobeldr.exe	91
PID 1176 wrote to memory of 212	1176	oobeldr.exe	91
PID 4844 wrote to memory of 2368	4844	oobeldr.exe	94
PID 4844 wrote to memory of 2368	4844	oobeldr.exe	94
PID 4844 wrote to memory of 2368	4844	oobeldr.exe	94
PID 4844 wrote to memory of 4136	4844	oobeldr.exe	95
PID 4844 wrote to memory of 4136	4844	oobeldr.exe	95
PID 4844 wrote to memory of 4136	4844	oobeldr.exe	95
PID 4844 wrote to memory of 4136	4844	oobeldr.exe	95
PID 4844 wrote to memory of 4136	4844	oobeldr.exe	95
PID 4844 wrote to memory of 4136	4844	oobeldr.exe	95
PID 4844 wrote to memory of 4136	4844	oobeldr.exe	95
PID 4844 wrote to memory of 4136	4844	oobeldr.exe	95
PID 4844 wrote to memory of 4136	4844	oobeldr.exe	95

C:\Users\Admin\AppData\Local\Temp\c263d2c372289af8d01d92b2a33218c54553acfb0dbc5d9c176e10154b15e5b3.exe
"C:\Users\Admin\AppData\Local\Temp\c263d2c372289af8d01d92b2a33218c54553acfb0dbc5d9c176e10154b15e5b3.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4460
- C:\Users\Admin\AppData\Local\Temp\c263d2c372289af8d01d92b2a33218c54553acfb0dbc5d9c176e10154b15e5b3.exe
  C:\Users\Admin\AppData\Local\Temp\c263d2c372289af8d01d92b2a33218c54553acfb0dbc5d9c176e10154b15e5b3.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2316
- - C:\Windows\SysWOW64\schtasks.exe
    /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
    3⤵
    - Creates scheduled task(s)
    PID:5020

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3136
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1176
- - C:\Windows\SysWOW64\schtasks.exe
    /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
    3⤵
    - Creates scheduled task(s)
    PID:212

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4844
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  - Executes dropped EXE
  PID:2368
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  - Executes dropped EXE
  PID:4136

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\oobeldr.exe.log

Filesize
789B

MD5
03d2df1e8834bc4ec1756735429b458c

SHA1
4ee6c0f5b04c8e0c5076219c5724032daab11d40

SHA256
745ab70552d9a0463b791fd8dc1942838ac3e34fb1a68f09ed3766c7e3b05631

SHA512
2482c3d4478125ccbc7f224f50e86b7bf925ed438b59f4dce57b9b6bcdb59df51417049096b131b6b911173550eed98bc92aba7050861de303a692f0681b197b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
323KB

MD5
b1d0c2202e24e941a7f617d5acd6df2a

SHA1
bddf8cb3b494013744c2b1ddbdc4388ca9bb6414

SHA256
c263d2c372289af8d01d92b2a33218c54553acfb0dbc5d9c176e10154b15e5b3

SHA512
ddcc8095122b3a4f991ed2b165e0fb4f48c87120521d8c73fc396de42ceb0374e5737b6280e1202b3cbae3865cca01cb91ca77c8c414eac8de6185fd2bcb5e70

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
323KB

MD5
b1d0c2202e24e941a7f617d5acd6df2a

SHA1
bddf8cb3b494013744c2b1ddbdc4388ca9bb6414

SHA256
c263d2c372289af8d01d92b2a33218c54553acfb0dbc5d9c176e10154b15e5b3

SHA512
ddcc8095122b3a4f991ed2b165e0fb4f48c87120521d8c73fc396de42ceb0374e5737b6280e1202b3cbae3865cca01cb91ca77c8c414eac8de6185fd2bcb5e70

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
323KB

MD5
b1d0c2202e24e941a7f617d5acd6df2a

SHA1
bddf8cb3b494013744c2b1ddbdc4388ca9bb6414

SHA256
c263d2c372289af8d01d92b2a33218c54553acfb0dbc5d9c176e10154b15e5b3

SHA512
ddcc8095122b3a4f991ed2b165e0fb4f48c87120521d8c73fc396de42ceb0374e5737b6280e1202b3cbae3865cca01cb91ca77c8c414eac8de6185fd2bcb5e70

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
323KB

MD5
b1d0c2202e24e941a7f617d5acd6df2a

SHA1
bddf8cb3b494013744c2b1ddbdc4388ca9bb6414

SHA256
c263d2c372289af8d01d92b2a33218c54553acfb0dbc5d9c176e10154b15e5b3

SHA512
ddcc8095122b3a4f991ed2b165e0fb4f48c87120521d8c73fc396de42ceb0374e5737b6280e1202b3cbae3865cca01cb91ca77c8c414eac8de6185fd2bcb5e70

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
323KB

MD5
b1d0c2202e24e941a7f617d5acd6df2a

SHA1
bddf8cb3b494013744c2b1ddbdc4388ca9bb6414

SHA256
c263d2c372289af8d01d92b2a33218c54553acfb0dbc5d9c176e10154b15e5b3

SHA512
ddcc8095122b3a4f991ed2b165e0fb4f48c87120521d8c73fc396de42ceb0374e5737b6280e1202b3cbae3865cca01cb91ca77c8c414eac8de6185fd2bcb5e70

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
323KB

MD5
b1d0c2202e24e941a7f617d5acd6df2a

SHA1
bddf8cb3b494013744c2b1ddbdc4388ca9bb6414

SHA256
c263d2c372289af8d01d92b2a33218c54553acfb0dbc5d9c176e10154b15e5b3

SHA512
ddcc8095122b3a4f991ed2b165e0fb4f48c87120521d8c73fc396de42ceb0374e5737b6280e1202b3cbae3865cca01cb91ca77c8c414eac8de6185fd2bcb5e70

Download Submit
memory/2316-138-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2316-140-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2316-142-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/4460-135-0x0000000007AB0000-0x0000000007B26000-memory.dmp

Filesize
472KB

Download
memory/4460-132-0x00000000007D0000-0x0000000000826000-memory.dmp

Filesize
344KB

Download
memory/4460-133-0x0000000007C60000-0x0000000008204000-memory.dmp

Filesize
5.6MB

Download
memory/4460-134-0x0000000007790000-0x0000000007822000-memory.dmp

Filesize
584KB

Download
memory/4460-136-0x0000000007760000-0x000000000777E000-memory.dmp

Filesize
120KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads