51193108fb352b0c1d77ffb0356aa2df89237859475ce608ecaaf7b73cdb7e18

Analysis

max time kernel
101s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
01/11/2022, 07:27

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

51193108fb352b0c1d77ffb0356aa2df89237859475ce608ecaaf7b73cdb7e18.exe
Size

323KB
MD5

9ea91ade8d040c71ee4e98ee8916cb08
SHA1

90c5af76ec27c35a727cc64f422d2a01f305c930
SHA256

51193108fb352b0c1d77ffb0356aa2df89237859475ce608ecaaf7b73cdb7e18
SHA512

89915d96c2f23a043310e725fc2b315f8bb30743e5a8ad4238de3c285bb329446ae294dd2b85dd987d162ac72eced1a5ffa852a2983248a2dad0e9e07ad48855
SSDEEP

6144:eKlzr1sYCzek2ciDaP9Xk6Ln1W8W/9InBSkZZmLdGcAdgdY6RKpjS:eGhQ2ciDq9ZL1W8q9InBRqELdolRKpj

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2928	oobeldr.exe
3536	oobeldr.exe
1452	oobeldr.exe
2040	oobeldr.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 5072 set thread context of 1408	5072	51193108fb352b0c1d77ffb0356aa2df89237859475ce608ecaaf7b73cdb7e18.exe	84
PID 2928 set thread context of 3536	2928	oobeldr.exe	95
PID 1452 set thread context of 2040	1452	oobeldr.exe	99

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2172	schtasks.exe
1180	schtasks.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 5072 wrote to memory of 1488	5072	51193108fb352b0c1d77ffb0356aa2df89237859475ce608ecaaf7b73cdb7e18.exe	83
PID 5072 wrote to memory of 1488	5072	51193108fb352b0c1d77ffb0356aa2df89237859475ce608ecaaf7b73cdb7e18.exe	83
PID 5072 wrote to memory of 1488	5072	51193108fb352b0c1d77ffb0356aa2df89237859475ce608ecaaf7b73cdb7e18.exe	83
PID 5072 wrote to memory of 1408	5072	51193108fb352b0c1d77ffb0356aa2df89237859475ce608ecaaf7b73cdb7e18.exe	84
PID 5072 wrote to memory of 1408	5072	51193108fb352b0c1d77ffb0356aa2df89237859475ce608ecaaf7b73cdb7e18.exe	84
PID 5072 wrote to memory of 1408	5072	51193108fb352b0c1d77ffb0356aa2df89237859475ce608ecaaf7b73cdb7e18.exe	84
PID 5072 wrote to memory of 1408	5072	51193108fb352b0c1d77ffb0356aa2df89237859475ce608ecaaf7b73cdb7e18.exe	84
PID 5072 wrote to memory of 1408	5072	51193108fb352b0c1d77ffb0356aa2df89237859475ce608ecaaf7b73cdb7e18.exe	84
PID 5072 wrote to memory of 1408	5072	51193108fb352b0c1d77ffb0356aa2df89237859475ce608ecaaf7b73cdb7e18.exe	84
PID 5072 wrote to memory of 1408	5072	51193108fb352b0c1d77ffb0356aa2df89237859475ce608ecaaf7b73cdb7e18.exe	84
PID 5072 wrote to memory of 1408	5072	51193108fb352b0c1d77ffb0356aa2df89237859475ce608ecaaf7b73cdb7e18.exe	84
PID 5072 wrote to memory of 1408	5072	51193108fb352b0c1d77ffb0356aa2df89237859475ce608ecaaf7b73cdb7e18.exe	84
PID 1408 wrote to memory of 2172	1408	51193108fb352b0c1d77ffb0356aa2df89237859475ce608ecaaf7b73cdb7e18.exe	85
PID 1408 wrote to memory of 2172	1408	51193108fb352b0c1d77ffb0356aa2df89237859475ce608ecaaf7b73cdb7e18.exe	85
PID 1408 wrote to memory of 2172	1408	51193108fb352b0c1d77ffb0356aa2df89237859475ce608ecaaf7b73cdb7e18.exe	85
PID 2928 wrote to memory of 3536	2928	oobeldr.exe	95
PID 2928 wrote to memory of 3536	2928	oobeldr.exe	95
PID 2928 wrote to memory of 3536	2928	oobeldr.exe	95
PID 2928 wrote to memory of 3536	2928	oobeldr.exe	95
PID 2928 wrote to memory of 3536	2928	oobeldr.exe	95
PID 2928 wrote to memory of 3536	2928	oobeldr.exe	95
PID 2928 wrote to memory of 3536	2928	oobeldr.exe	95
PID 2928 wrote to memory of 3536	2928	oobeldr.exe	95
PID 2928 wrote to memory of 3536	2928	oobeldr.exe	95
PID 3536 wrote to memory of 1180	3536	oobeldr.exe	96
PID 3536 wrote to memory of 1180	3536	oobeldr.exe	96
PID 3536 wrote to memory of 1180	3536	oobeldr.exe	96
PID 1452 wrote to memory of 2040	1452	oobeldr.exe	99
PID 1452 wrote to memory of 2040	1452	oobeldr.exe	99
PID 1452 wrote to memory of 2040	1452	oobeldr.exe	99
PID 1452 wrote to memory of 2040	1452	oobeldr.exe	99
PID 1452 wrote to memory of 2040	1452	oobeldr.exe	99
PID 1452 wrote to memory of 2040	1452	oobeldr.exe	99
PID 1452 wrote to memory of 2040	1452	oobeldr.exe	99
PID 1452 wrote to memory of 2040	1452	oobeldr.exe	99
PID 1452 wrote to memory of 2040	1452	oobeldr.exe	99

C:\Users\Admin\AppData\Local\Temp\51193108fb352b0c1d77ffb0356aa2df89237859475ce608ecaaf7b73cdb7e18.exe
"C:\Users\Admin\AppData\Local\Temp\51193108fb352b0c1d77ffb0356aa2df89237859475ce608ecaaf7b73cdb7e18.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5072
- C:\Users\Admin\AppData\Local\Temp\51193108fb352b0c1d77ffb0356aa2df89237859475ce608ecaaf7b73cdb7e18.exe
  C:\Users\Admin\AppData\Local\Temp\51193108fb352b0c1d77ffb0356aa2df89237859475ce608ecaaf7b73cdb7e18.exe
  2⤵
  PID:1488
- C:\Users\Admin\AppData\Local\Temp\51193108fb352b0c1d77ffb0356aa2df89237859475ce608ecaaf7b73cdb7e18.exe
  C:\Users\Admin\AppData\Local\Temp\51193108fb352b0c1d77ffb0356aa2df89237859475ce608ecaaf7b73cdb7e18.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1408
- - C:\Windows\SysWOW64\schtasks.exe
    /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
    3⤵
    - Creates scheduled task(s)
    PID:2172

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2928
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3536
- - C:\Windows\SysWOW64\schtasks.exe
    /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
    3⤵
    - Creates scheduled task(s)
    PID:1180

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1452
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  - Executes dropped EXE
  PID:2040

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\oobeldr.exe.log

Filesize
789B

MD5
03d2df1e8834bc4ec1756735429b458c

SHA1
4ee6c0f5b04c8e0c5076219c5724032daab11d40

SHA256
745ab70552d9a0463b791fd8dc1942838ac3e34fb1a68f09ed3766c7e3b05631

SHA512
2482c3d4478125ccbc7f224f50e86b7bf925ed438b59f4dce57b9b6bcdb59df51417049096b131b6b911173550eed98bc92aba7050861de303a692f0681b197b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
323KB

MD5
9ea91ade8d040c71ee4e98ee8916cb08

SHA1
90c5af76ec27c35a727cc64f422d2a01f305c930

SHA256
51193108fb352b0c1d77ffb0356aa2df89237859475ce608ecaaf7b73cdb7e18

SHA512
89915d96c2f23a043310e725fc2b315f8bb30743e5a8ad4238de3c285bb329446ae294dd2b85dd987d162ac72eced1a5ffa852a2983248a2dad0e9e07ad48855

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
323KB

MD5
9ea91ade8d040c71ee4e98ee8916cb08

SHA1
90c5af76ec27c35a727cc64f422d2a01f305c930

SHA256
51193108fb352b0c1d77ffb0356aa2df89237859475ce608ecaaf7b73cdb7e18

SHA512
89915d96c2f23a043310e725fc2b315f8bb30743e5a8ad4238de3c285bb329446ae294dd2b85dd987d162ac72eced1a5ffa852a2983248a2dad0e9e07ad48855

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
323KB

MD5
9ea91ade8d040c71ee4e98ee8916cb08

SHA1
90c5af76ec27c35a727cc64f422d2a01f305c930

SHA256
51193108fb352b0c1d77ffb0356aa2df89237859475ce608ecaaf7b73cdb7e18

SHA512
89915d96c2f23a043310e725fc2b315f8bb30743e5a8ad4238de3c285bb329446ae294dd2b85dd987d162ac72eced1a5ffa852a2983248a2dad0e9e07ad48855

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
323KB

MD5
9ea91ade8d040c71ee4e98ee8916cb08

SHA1
90c5af76ec27c35a727cc64f422d2a01f305c930

SHA256
51193108fb352b0c1d77ffb0356aa2df89237859475ce608ecaaf7b73cdb7e18

SHA512
89915d96c2f23a043310e725fc2b315f8bb30743e5a8ad4238de3c285bb329446ae294dd2b85dd987d162ac72eced1a5ffa852a2983248a2dad0e9e07ad48855

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
323KB

MD5
9ea91ade8d040c71ee4e98ee8916cb08

SHA1
90c5af76ec27c35a727cc64f422d2a01f305c930

SHA256
51193108fb352b0c1d77ffb0356aa2df89237859475ce608ecaaf7b73cdb7e18

SHA512
89915d96c2f23a043310e725fc2b315f8bb30743e5a8ad4238de3c285bb329446ae294dd2b85dd987d162ac72eced1a5ffa852a2983248a2dad0e9e07ad48855

Download Submit
memory/1408-138-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1408-142-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1408-140-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/5072-132-0x0000000000AB0000-0x0000000000B06000-memory.dmp

Filesize
344KB

Download
memory/5072-136-0x00000000054F0000-0x000000000550E000-memory.dmp

Filesize
120KB

Download
memory/5072-135-0x0000000007DE0000-0x0000000007E56000-memory.dmp

Filesize
472KB

Download
memory/5072-134-0x0000000007B40000-0x0000000007BD2000-memory.dmp

Filesize
584KB

Download
memory/5072-133-0x0000000008050000-0x00000000085F4000-memory.dmp

Filesize
5.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads