ddfc22a3ed4dc8e46ce04b1dd35fee94ee94e4a575dd88bcf84f449263ee06f4

Analysis

max time kernel
150s
max time network
110s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
01-11-2022 08:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ddfc22a3ed4dc8e46ce04b1dd35fee94ee94e4a575dd88bcf84f449263ee06f4.exe
Size

323KB
MD5

7449615c776263da25c3ee48d48db5b0
SHA1

1455c63425211411bebe6cab96c4a9d51a617972
SHA256

ddfc22a3ed4dc8e46ce04b1dd35fee94ee94e4a575dd88bcf84f449263ee06f4
SHA512

58ea172dd9bff2ad68b1fe951a4ab9071c3d45ec3e1b14e4ff4f8a20a29bf17410df7666bf4329b39861a3448484eee6b0271549b9d9690d0626fdce2db7c045
SSDEEP

6144:eKlzr1sYCzek2ciDaP9Xk6Ln1W8W/9InBSkZZmLdGcAdgdY6RKpjS:eGhQ2ciDq9ZL1W8q9InBRqELdolRKpj

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
4600	oobeldr.exe
4384	oobeldr.exe
4776	oobeldr.exe
2428	oobeldr.exe
884	oobeldr.exe
2000	oobeldr.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2268 set thread context of 4772	2268	ddfc22a3ed4dc8e46ce04b1dd35fee94ee94e4a575dd88bcf84f449263ee06f4.exe	81
PID 4600 set thread context of 4384	4600	oobeldr.exe	88
PID 4776 set thread context of 2428	4776	oobeldr.exe	96

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1624	schtasks.exe
772	schtasks.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2268 wrote to memory of 912	2268	ddfc22a3ed4dc8e46ce04b1dd35fee94ee94e4a575dd88bcf84f449263ee06f4.exe	80
PID 2268 wrote to memory of 912	2268	ddfc22a3ed4dc8e46ce04b1dd35fee94ee94e4a575dd88bcf84f449263ee06f4.exe	80
PID 2268 wrote to memory of 912	2268	ddfc22a3ed4dc8e46ce04b1dd35fee94ee94e4a575dd88bcf84f449263ee06f4.exe	80
PID 2268 wrote to memory of 4772	2268	ddfc22a3ed4dc8e46ce04b1dd35fee94ee94e4a575dd88bcf84f449263ee06f4.exe	81
PID 2268 wrote to memory of 4772	2268	ddfc22a3ed4dc8e46ce04b1dd35fee94ee94e4a575dd88bcf84f449263ee06f4.exe	81
PID 2268 wrote to memory of 4772	2268	ddfc22a3ed4dc8e46ce04b1dd35fee94ee94e4a575dd88bcf84f449263ee06f4.exe	81
PID 2268 wrote to memory of 4772	2268	ddfc22a3ed4dc8e46ce04b1dd35fee94ee94e4a575dd88bcf84f449263ee06f4.exe	81
PID 2268 wrote to memory of 4772	2268	ddfc22a3ed4dc8e46ce04b1dd35fee94ee94e4a575dd88bcf84f449263ee06f4.exe	81
PID 2268 wrote to memory of 4772	2268	ddfc22a3ed4dc8e46ce04b1dd35fee94ee94e4a575dd88bcf84f449263ee06f4.exe	81
PID 2268 wrote to memory of 4772	2268	ddfc22a3ed4dc8e46ce04b1dd35fee94ee94e4a575dd88bcf84f449263ee06f4.exe	81
PID 2268 wrote to memory of 4772	2268	ddfc22a3ed4dc8e46ce04b1dd35fee94ee94e4a575dd88bcf84f449263ee06f4.exe	81
PID 2268 wrote to memory of 4772	2268	ddfc22a3ed4dc8e46ce04b1dd35fee94ee94e4a575dd88bcf84f449263ee06f4.exe	81
PID 4772 wrote to memory of 1624	4772	ddfc22a3ed4dc8e46ce04b1dd35fee94ee94e4a575dd88bcf84f449263ee06f4.exe	82
PID 4772 wrote to memory of 1624	4772	ddfc22a3ed4dc8e46ce04b1dd35fee94ee94e4a575dd88bcf84f449263ee06f4.exe	82
PID 4772 wrote to memory of 1624	4772	ddfc22a3ed4dc8e46ce04b1dd35fee94ee94e4a575dd88bcf84f449263ee06f4.exe	82
PID 4600 wrote to memory of 4384	4600	oobeldr.exe	88
PID 4600 wrote to memory of 4384	4600	oobeldr.exe	88
PID 4600 wrote to memory of 4384	4600	oobeldr.exe	88
PID 4600 wrote to memory of 4384	4600	oobeldr.exe	88
PID 4600 wrote to memory of 4384	4600	oobeldr.exe	88
PID 4600 wrote to memory of 4384	4600	oobeldr.exe	88
PID 4600 wrote to memory of 4384	4600	oobeldr.exe	88
PID 4600 wrote to memory of 4384	4600	oobeldr.exe	88
PID 4600 wrote to memory of 4384	4600	oobeldr.exe	88
PID 4384 wrote to memory of 772	4384	oobeldr.exe	92
PID 4384 wrote to memory of 772	4384	oobeldr.exe	92
PID 4384 wrote to memory of 772	4384	oobeldr.exe	92
PID 4776 wrote to memory of 2428	4776	oobeldr.exe	96
PID 4776 wrote to memory of 2428	4776	oobeldr.exe	96
PID 4776 wrote to memory of 2428	4776	oobeldr.exe	96
PID 4776 wrote to memory of 2428	4776	oobeldr.exe	96
PID 4776 wrote to memory of 2428	4776	oobeldr.exe	96
PID 4776 wrote to memory of 2428	4776	oobeldr.exe	96
PID 4776 wrote to memory of 2428	4776	oobeldr.exe	96
PID 4776 wrote to memory of 2428	4776	oobeldr.exe	96
PID 4776 wrote to memory of 2428	4776	oobeldr.exe	96
PID 884 wrote to memory of 2000	884	oobeldr.exe	98
PID 884 wrote to memory of 2000	884	oobeldr.exe	98
PID 884 wrote to memory of 2000	884	oobeldr.exe	98
PID 884 wrote to memory of 1496	884	oobeldr.exe	99
PID 884 wrote to memory of 1496	884	oobeldr.exe	99
PID 884 wrote to memory of 1496	884	oobeldr.exe	99

C:\Users\Admin\AppData\Local\Temp\ddfc22a3ed4dc8e46ce04b1dd35fee94ee94e4a575dd88bcf84f449263ee06f4.exe
"C:\Users\Admin\AppData\Local\Temp\ddfc22a3ed4dc8e46ce04b1dd35fee94ee94e4a575dd88bcf84f449263ee06f4.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2268
- C:\Users\Admin\AppData\Local\Temp\ddfc22a3ed4dc8e46ce04b1dd35fee94ee94e4a575dd88bcf84f449263ee06f4.exe
  C:\Users\Admin\AppData\Local\Temp\ddfc22a3ed4dc8e46ce04b1dd35fee94ee94e4a575dd88bcf84f449263ee06f4.exe
  2⤵
  PID:912
- C:\Users\Admin\AppData\Local\Temp\ddfc22a3ed4dc8e46ce04b1dd35fee94ee94e4a575dd88bcf84f449263ee06f4.exe
  C:\Users\Admin\AppData\Local\Temp\ddfc22a3ed4dc8e46ce04b1dd35fee94ee94e4a575dd88bcf84f449263ee06f4.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4772
- - C:\Windows\SysWOW64\schtasks.exe
    /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
    3⤵
    - Creates scheduled task(s)
    PID:1624

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4600
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4384
- - C:\Windows\SysWOW64\schtasks.exe
    /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
    3⤵
    - Creates scheduled task(s)
    PID:772

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4776
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  - Executes dropped EXE
  PID:2428

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:884
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  - Executes dropped EXE
  PID:2000
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  PID:1496

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\oobeldr.exe.log

Filesize
789B

MD5
03d2df1e8834bc4ec1756735429b458c

SHA1
4ee6c0f5b04c8e0c5076219c5724032daab11d40

SHA256
745ab70552d9a0463b791fd8dc1942838ac3e34fb1a68f09ed3766c7e3b05631

SHA512
2482c3d4478125ccbc7f224f50e86b7bf925ed438b59f4dce57b9b6bcdb59df51417049096b131b6b911173550eed98bc92aba7050861de303a692f0681b197b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
323KB

MD5
7449615c776263da25c3ee48d48db5b0

SHA1
1455c63425211411bebe6cab96c4a9d51a617972

SHA256
ddfc22a3ed4dc8e46ce04b1dd35fee94ee94e4a575dd88bcf84f449263ee06f4

SHA512
58ea172dd9bff2ad68b1fe951a4ab9071c3d45ec3e1b14e4ff4f8a20a29bf17410df7666bf4329b39861a3448484eee6b0271549b9d9690d0626fdce2db7c045

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
323KB

MD5
7449615c776263da25c3ee48d48db5b0

SHA1
1455c63425211411bebe6cab96c4a9d51a617972

SHA256
ddfc22a3ed4dc8e46ce04b1dd35fee94ee94e4a575dd88bcf84f449263ee06f4

SHA512
58ea172dd9bff2ad68b1fe951a4ab9071c3d45ec3e1b14e4ff4f8a20a29bf17410df7666bf4329b39861a3448484eee6b0271549b9d9690d0626fdce2db7c045

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
323KB

MD5
7449615c776263da25c3ee48d48db5b0

SHA1
1455c63425211411bebe6cab96c4a9d51a617972

SHA256
ddfc22a3ed4dc8e46ce04b1dd35fee94ee94e4a575dd88bcf84f449263ee06f4

SHA512
58ea172dd9bff2ad68b1fe951a4ab9071c3d45ec3e1b14e4ff4f8a20a29bf17410df7666bf4329b39861a3448484eee6b0271549b9d9690d0626fdce2db7c045

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
323KB

MD5
7449615c776263da25c3ee48d48db5b0

SHA1
1455c63425211411bebe6cab96c4a9d51a617972

SHA256
ddfc22a3ed4dc8e46ce04b1dd35fee94ee94e4a575dd88bcf84f449263ee06f4

SHA512
58ea172dd9bff2ad68b1fe951a4ab9071c3d45ec3e1b14e4ff4f8a20a29bf17410df7666bf4329b39861a3448484eee6b0271549b9d9690d0626fdce2db7c045

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
323KB

MD5
7449615c776263da25c3ee48d48db5b0

SHA1
1455c63425211411bebe6cab96c4a9d51a617972

SHA256
ddfc22a3ed4dc8e46ce04b1dd35fee94ee94e4a575dd88bcf84f449263ee06f4

SHA512
58ea172dd9bff2ad68b1fe951a4ab9071c3d45ec3e1b14e4ff4f8a20a29bf17410df7666bf4329b39861a3448484eee6b0271549b9d9690d0626fdce2db7c045

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
323KB

MD5
7449615c776263da25c3ee48d48db5b0

SHA1
1455c63425211411bebe6cab96c4a9d51a617972

SHA256
ddfc22a3ed4dc8e46ce04b1dd35fee94ee94e4a575dd88bcf84f449263ee06f4

SHA512
58ea172dd9bff2ad68b1fe951a4ab9071c3d45ec3e1b14e4ff4f8a20a29bf17410df7666bf4329b39861a3448484eee6b0271549b9d9690d0626fdce2db7c045

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
323KB

MD5
7449615c776263da25c3ee48d48db5b0

SHA1
1455c63425211411bebe6cab96c4a9d51a617972

SHA256
ddfc22a3ed4dc8e46ce04b1dd35fee94ee94e4a575dd88bcf84f449263ee06f4

SHA512
58ea172dd9bff2ad68b1fe951a4ab9071c3d45ec3e1b14e4ff4f8a20a29bf17410df7666bf4329b39861a3448484eee6b0271549b9d9690d0626fdce2db7c045

Download Submit
memory/772-150-0x0000000000000000-mapping.dmp

Download
memory/1624-141-0x0000000000000000-mapping.dmp

Download
memory/2268-132-0x00000000005A0000-0x00000000005F6000-memory.dmp

Filesize
344KB

Download
memory/2268-136-0x00000000077E0000-0x00000000077FE000-memory.dmp

Filesize
120KB

Download
memory/2268-135-0x0000000007860000-0x00000000078D6000-memory.dmp

Filesize
472KB

Download
memory/2268-133-0x0000000007A00000-0x0000000007FA4000-memory.dmp

Filesize
5.6MB

Download
memory/2268-134-0x0000000007540000-0x00000000075D2000-memory.dmp

Filesize
584KB

Download
memory/2428-153-0x0000000000000000-mapping.dmp

Download
memory/4384-145-0x0000000000000000-mapping.dmp

Download
memory/4772-137-0x0000000000000000-mapping.dmp

Download
memory/4772-142-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/4772-140-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/4772-138-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads