743daaece59550e1d13efccc3ce87557ccaa7870081ebcb72f5b4fdae03a0edf

Analysis

max time kernel
158s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
01/11/2022, 06:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

743daaece59550e1d13efccc3ce87557ccaa7870081ebcb72f5b4fdae03a0edf.exe
Size

323KB
MD5

011f80185561a016d2d671c3ee21ae46
SHA1

099eccf755c200c4d027aed075088307fb250f81
SHA256

743daaece59550e1d13efccc3ce87557ccaa7870081ebcb72f5b4fdae03a0edf
SHA512

fbc16ae916a6df53b5256fefa29a079f8732e28279fe4cf4076f67fb4475f76c5ee11d6eb2ae32ae4cbe14ea0d2418ab8fb509f8c22b42b3f8597a5cf81eb703
SSDEEP

6144:eKlzr1sYCzek2ciDaP9Xk6Ln1W8W/9InBSkZZmLdGcAdgdY6RKpjS:eGhQ2ciDq9ZL1W8q9InBRqELdolRKpj

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 7 IoCs

pid	Process
2636	oobeldr.exe
3732	oobeldr.exe
2300	oobeldr.exe
2572	oobeldr.exe
4592	oobeldr.exe
4144	oobeldr.exe
3104	oobeldr.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 4944 set thread context of 3620	4944	743daaece59550e1d13efccc3ce87557ccaa7870081ebcb72f5b4fdae03a0edf.exe	82
PID 2636 set thread context of 3732	2636	oobeldr.exe	93
PID 2300 set thread context of 2572	2300	oobeldr.exe	97
PID 4592 set thread context of 3104	4592	oobeldr.exe	100

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1000	schtasks.exe
1272	schtasks.exe

Suspicious use of WriteProcessMemory 51 IoCs

description	pid	Process	procid_target
PID 4944 wrote to memory of 4596	4944	743daaece59550e1d13efccc3ce87557ccaa7870081ebcb72f5b4fdae03a0edf.exe	80
PID 4944 wrote to memory of 4596	4944	743daaece59550e1d13efccc3ce87557ccaa7870081ebcb72f5b4fdae03a0edf.exe	80
PID 4944 wrote to memory of 4596	4944	743daaece59550e1d13efccc3ce87557ccaa7870081ebcb72f5b4fdae03a0edf.exe	80
PID 4944 wrote to memory of 4332	4944	743daaece59550e1d13efccc3ce87557ccaa7870081ebcb72f5b4fdae03a0edf.exe	81
PID 4944 wrote to memory of 4332	4944	743daaece59550e1d13efccc3ce87557ccaa7870081ebcb72f5b4fdae03a0edf.exe	81
PID 4944 wrote to memory of 4332	4944	743daaece59550e1d13efccc3ce87557ccaa7870081ebcb72f5b4fdae03a0edf.exe	81
PID 4944 wrote to memory of 3620	4944	743daaece59550e1d13efccc3ce87557ccaa7870081ebcb72f5b4fdae03a0edf.exe	82
PID 4944 wrote to memory of 3620	4944	743daaece59550e1d13efccc3ce87557ccaa7870081ebcb72f5b4fdae03a0edf.exe	82
PID 4944 wrote to memory of 3620	4944	743daaece59550e1d13efccc3ce87557ccaa7870081ebcb72f5b4fdae03a0edf.exe	82
PID 4944 wrote to memory of 3620	4944	743daaece59550e1d13efccc3ce87557ccaa7870081ebcb72f5b4fdae03a0edf.exe	82
PID 4944 wrote to memory of 3620	4944	743daaece59550e1d13efccc3ce87557ccaa7870081ebcb72f5b4fdae03a0edf.exe	82
PID 4944 wrote to memory of 3620	4944	743daaece59550e1d13efccc3ce87557ccaa7870081ebcb72f5b4fdae03a0edf.exe	82
PID 4944 wrote to memory of 3620	4944	743daaece59550e1d13efccc3ce87557ccaa7870081ebcb72f5b4fdae03a0edf.exe	82
PID 4944 wrote to memory of 3620	4944	743daaece59550e1d13efccc3ce87557ccaa7870081ebcb72f5b4fdae03a0edf.exe	82
PID 4944 wrote to memory of 3620	4944	743daaece59550e1d13efccc3ce87557ccaa7870081ebcb72f5b4fdae03a0edf.exe	82
PID 3620 wrote to memory of 1000	3620	743daaece59550e1d13efccc3ce87557ccaa7870081ebcb72f5b4fdae03a0edf.exe	83
PID 3620 wrote to memory of 1000	3620	743daaece59550e1d13efccc3ce87557ccaa7870081ebcb72f5b4fdae03a0edf.exe	83
PID 3620 wrote to memory of 1000	3620	743daaece59550e1d13efccc3ce87557ccaa7870081ebcb72f5b4fdae03a0edf.exe	83
PID 2636 wrote to memory of 3732	2636	oobeldr.exe	93
PID 2636 wrote to memory of 3732	2636	oobeldr.exe	93
PID 2636 wrote to memory of 3732	2636	oobeldr.exe	93
PID 2636 wrote to memory of 3732	2636	oobeldr.exe	93
PID 2636 wrote to memory of 3732	2636	oobeldr.exe	93
PID 2636 wrote to memory of 3732	2636	oobeldr.exe	93
PID 2636 wrote to memory of 3732	2636	oobeldr.exe	93
PID 2636 wrote to memory of 3732	2636	oobeldr.exe	93
PID 2636 wrote to memory of 3732	2636	oobeldr.exe	93
PID 3732 wrote to memory of 1272	3732	oobeldr.exe	94
PID 3732 wrote to memory of 1272	3732	oobeldr.exe	94
PID 3732 wrote to memory of 1272	3732	oobeldr.exe	94
PID 2300 wrote to memory of 2572	2300	oobeldr.exe	97
PID 2300 wrote to memory of 2572	2300	oobeldr.exe	97
PID 2300 wrote to memory of 2572	2300	oobeldr.exe	97
PID 2300 wrote to memory of 2572	2300	oobeldr.exe	97
PID 2300 wrote to memory of 2572	2300	oobeldr.exe	97
PID 2300 wrote to memory of 2572	2300	oobeldr.exe	97
PID 2300 wrote to memory of 2572	2300	oobeldr.exe	97
PID 2300 wrote to memory of 2572	2300	oobeldr.exe	97
PID 2300 wrote to memory of 2572	2300	oobeldr.exe	97
PID 4592 wrote to memory of 4144	4592	oobeldr.exe	99
PID 4592 wrote to memory of 4144	4592	oobeldr.exe	99
PID 4592 wrote to memory of 4144	4592	oobeldr.exe	99
PID 4592 wrote to memory of 3104	4592	oobeldr.exe	100
PID 4592 wrote to memory of 3104	4592	oobeldr.exe	100
PID 4592 wrote to memory of 3104	4592	oobeldr.exe	100
PID 4592 wrote to memory of 3104	4592	oobeldr.exe	100
PID 4592 wrote to memory of 3104	4592	oobeldr.exe	100
PID 4592 wrote to memory of 3104	4592	oobeldr.exe	100
PID 4592 wrote to memory of 3104	4592	oobeldr.exe	100
PID 4592 wrote to memory of 3104	4592	oobeldr.exe	100
PID 4592 wrote to memory of 3104	4592	oobeldr.exe	100

C:\Users\Admin\AppData\Local\Temp\743daaece59550e1d13efccc3ce87557ccaa7870081ebcb72f5b4fdae03a0edf.exe
"C:\Users\Admin\AppData\Local\Temp\743daaece59550e1d13efccc3ce87557ccaa7870081ebcb72f5b4fdae03a0edf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4944
- C:\Users\Admin\AppData\Local\Temp\743daaece59550e1d13efccc3ce87557ccaa7870081ebcb72f5b4fdae03a0edf.exe
  C:\Users\Admin\AppData\Local\Temp\743daaece59550e1d13efccc3ce87557ccaa7870081ebcb72f5b4fdae03a0edf.exe
  2⤵
  PID:4596
- C:\Users\Admin\AppData\Local\Temp\743daaece59550e1d13efccc3ce87557ccaa7870081ebcb72f5b4fdae03a0edf.exe
  C:\Users\Admin\AppData\Local\Temp\743daaece59550e1d13efccc3ce87557ccaa7870081ebcb72f5b4fdae03a0edf.exe
  2⤵
  PID:4332
- C:\Users\Admin\AppData\Local\Temp\743daaece59550e1d13efccc3ce87557ccaa7870081ebcb72f5b4fdae03a0edf.exe
  C:\Users\Admin\AppData\Local\Temp\743daaece59550e1d13efccc3ce87557ccaa7870081ebcb72f5b4fdae03a0edf.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3620
- - C:\Windows\SysWOW64\schtasks.exe
    /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
    3⤵
    - Creates scheduled task(s)
    PID:1000

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2636
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3732
- - C:\Windows\SysWOW64\schtasks.exe
    /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
    3⤵
    - Creates scheduled task(s)
    PID:1272

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2300
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  - Executes dropped EXE
  PID:2572

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4592
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  - Executes dropped EXE
  PID:4144
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  - Executes dropped EXE
  PID:3104

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\oobeldr.exe.log

Filesize
789B

MD5
03d2df1e8834bc4ec1756735429b458c

SHA1
4ee6c0f5b04c8e0c5076219c5724032daab11d40

SHA256
745ab70552d9a0463b791fd8dc1942838ac3e34fb1a68f09ed3766c7e3b05631

SHA512
2482c3d4478125ccbc7f224f50e86b7bf925ed438b59f4dce57b9b6bcdb59df51417049096b131b6b911173550eed98bc92aba7050861de303a692f0681b197b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
323KB

MD5
011f80185561a016d2d671c3ee21ae46

SHA1
099eccf755c200c4d027aed075088307fb250f81

SHA256
743daaece59550e1d13efccc3ce87557ccaa7870081ebcb72f5b4fdae03a0edf

SHA512
fbc16ae916a6df53b5256fefa29a079f8732e28279fe4cf4076f67fb4475f76c5ee11d6eb2ae32ae4cbe14ea0d2418ab8fb509f8c22b42b3f8597a5cf81eb703

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
323KB

MD5
011f80185561a016d2d671c3ee21ae46

SHA1
099eccf755c200c4d027aed075088307fb250f81

SHA256
743daaece59550e1d13efccc3ce87557ccaa7870081ebcb72f5b4fdae03a0edf

SHA512
fbc16ae916a6df53b5256fefa29a079f8732e28279fe4cf4076f67fb4475f76c5ee11d6eb2ae32ae4cbe14ea0d2418ab8fb509f8c22b42b3f8597a5cf81eb703

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
323KB

MD5
011f80185561a016d2d671c3ee21ae46

SHA1
099eccf755c200c4d027aed075088307fb250f81

SHA256
743daaece59550e1d13efccc3ce87557ccaa7870081ebcb72f5b4fdae03a0edf

SHA512
fbc16ae916a6df53b5256fefa29a079f8732e28279fe4cf4076f67fb4475f76c5ee11d6eb2ae32ae4cbe14ea0d2418ab8fb509f8c22b42b3f8597a5cf81eb703

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
323KB

MD5
011f80185561a016d2d671c3ee21ae46

SHA1
099eccf755c200c4d027aed075088307fb250f81

SHA256
743daaece59550e1d13efccc3ce87557ccaa7870081ebcb72f5b4fdae03a0edf

SHA512
fbc16ae916a6df53b5256fefa29a079f8732e28279fe4cf4076f67fb4475f76c5ee11d6eb2ae32ae4cbe14ea0d2418ab8fb509f8c22b42b3f8597a5cf81eb703

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
323KB

MD5
011f80185561a016d2d671c3ee21ae46

SHA1
099eccf755c200c4d027aed075088307fb250f81

SHA256
743daaece59550e1d13efccc3ce87557ccaa7870081ebcb72f5b4fdae03a0edf

SHA512
fbc16ae916a6df53b5256fefa29a079f8732e28279fe4cf4076f67fb4475f76c5ee11d6eb2ae32ae4cbe14ea0d2418ab8fb509f8c22b42b3f8597a5cf81eb703

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
323KB

MD5
011f80185561a016d2d671c3ee21ae46

SHA1
099eccf755c200c4d027aed075088307fb250f81

SHA256
743daaece59550e1d13efccc3ce87557ccaa7870081ebcb72f5b4fdae03a0edf

SHA512
fbc16ae916a6df53b5256fefa29a079f8732e28279fe4cf4076f67fb4475f76c5ee11d6eb2ae32ae4cbe14ea0d2418ab8fb509f8c22b42b3f8597a5cf81eb703

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
323KB

MD5
011f80185561a016d2d671c3ee21ae46

SHA1
099eccf755c200c4d027aed075088307fb250f81

SHA256
743daaece59550e1d13efccc3ce87557ccaa7870081ebcb72f5b4fdae03a0edf

SHA512
fbc16ae916a6df53b5256fefa29a079f8732e28279fe4cf4076f67fb4475f76c5ee11d6eb2ae32ae4cbe14ea0d2418ab8fb509f8c22b42b3f8597a5cf81eb703

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
323KB

MD5
011f80185561a016d2d671c3ee21ae46

SHA1
099eccf755c200c4d027aed075088307fb250f81

SHA256
743daaece59550e1d13efccc3ce87557ccaa7870081ebcb72f5b4fdae03a0edf

SHA512
fbc16ae916a6df53b5256fefa29a079f8732e28279fe4cf4076f67fb4475f76c5ee11d6eb2ae32ae4cbe14ea0d2418ab8fb509f8c22b42b3f8597a5cf81eb703

Download Submit
memory/3620-142-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/3620-140-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/3620-138-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/4944-134-0x0000000007E10000-0x0000000007EA2000-memory.dmp

Filesize
584KB

Download
memory/4944-132-0x0000000000E20000-0x0000000000E76000-memory.dmp

Filesize
344KB

Download
memory/4944-133-0x0000000008320000-0x00000000088C4000-memory.dmp

Filesize
5.6MB

Download
memory/4944-135-0x00000000080B0000-0x0000000008126000-memory.dmp

Filesize
472KB

Download
memory/4944-136-0x0000000005950000-0x000000000596E000-memory.dmp

Filesize
120KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads