eea30f9d46cd3ec68f2cecfc74dc013e3a5a0f08dd1643755c406e6c821909a2

Analysis

max time kernel
141s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
01/11/2022, 08:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eea30f9d46cd3ec68f2cecfc74dc013e3a5a0f08dd1643755c406e6c821909a2.exe
Size

323KB
MD5

4394ca2e004509f917595ba7e79fbb0e
SHA1

41876fd7ad27f2e1add6249da9c81f16b34b4315
SHA256

eea30f9d46cd3ec68f2cecfc74dc013e3a5a0f08dd1643755c406e6c821909a2
SHA512

de86a56657f8f5ca178b501e710d37a576ca0a63d82ddd655c610a94903a8985a6e088d1a61fb2b486f955d54fc7fd71c4afc55d147f9a121e05a86a09edd75a
SSDEEP

6144:eKlzr1sYCzek2ciDaP9Xk6Ln1W8W/9InBSkZZmLdGcAdgdY6RKpjS:eGhQ2ciDq9ZL1W8q9InBRqELdolRKpj

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
1900	oobeldr.exe
1848	oobeldr.exe
3420	oobeldr.exe
836	oobeldr.exe
4728	oobeldr.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4568 set thread context of 1400	4568	eea30f9d46cd3ec68f2cecfc74dc013e3a5a0f08dd1643755c406e6c821909a2.exe	86
PID 1900 set thread context of 1848	1900	oobeldr.exe	94
PID 3420 set thread context of 4728	3420	oobeldr.exe	99

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4048	schtasks.exe
1888	schtasks.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4568 wrote to memory of 5100	4568	eea30f9d46cd3ec68f2cecfc74dc013e3a5a0f08dd1643755c406e6c821909a2.exe	81
PID 4568 wrote to memory of 5100	4568	eea30f9d46cd3ec68f2cecfc74dc013e3a5a0f08dd1643755c406e6c821909a2.exe	81
PID 4568 wrote to memory of 5100	4568	eea30f9d46cd3ec68f2cecfc74dc013e3a5a0f08dd1643755c406e6c821909a2.exe	81
PID 4568 wrote to memory of 876	4568	eea30f9d46cd3ec68f2cecfc74dc013e3a5a0f08dd1643755c406e6c821909a2.exe	84
PID 4568 wrote to memory of 876	4568	eea30f9d46cd3ec68f2cecfc74dc013e3a5a0f08dd1643755c406e6c821909a2.exe	84
PID 4568 wrote to memory of 876	4568	eea30f9d46cd3ec68f2cecfc74dc013e3a5a0f08dd1643755c406e6c821909a2.exe	84
PID 4568 wrote to memory of 1400	4568	eea30f9d46cd3ec68f2cecfc74dc013e3a5a0f08dd1643755c406e6c821909a2.exe	86
PID 4568 wrote to memory of 1400	4568	eea30f9d46cd3ec68f2cecfc74dc013e3a5a0f08dd1643755c406e6c821909a2.exe	86
PID 4568 wrote to memory of 1400	4568	eea30f9d46cd3ec68f2cecfc74dc013e3a5a0f08dd1643755c406e6c821909a2.exe	86
PID 4568 wrote to memory of 1400	4568	eea30f9d46cd3ec68f2cecfc74dc013e3a5a0f08dd1643755c406e6c821909a2.exe	86
PID 4568 wrote to memory of 1400	4568	eea30f9d46cd3ec68f2cecfc74dc013e3a5a0f08dd1643755c406e6c821909a2.exe	86
PID 4568 wrote to memory of 1400	4568	eea30f9d46cd3ec68f2cecfc74dc013e3a5a0f08dd1643755c406e6c821909a2.exe	86
PID 4568 wrote to memory of 1400	4568	eea30f9d46cd3ec68f2cecfc74dc013e3a5a0f08dd1643755c406e6c821909a2.exe	86
PID 4568 wrote to memory of 1400	4568	eea30f9d46cd3ec68f2cecfc74dc013e3a5a0f08dd1643755c406e6c821909a2.exe	86
PID 4568 wrote to memory of 1400	4568	eea30f9d46cd3ec68f2cecfc74dc013e3a5a0f08dd1643755c406e6c821909a2.exe	86
PID 1400 wrote to memory of 4048	1400	eea30f9d46cd3ec68f2cecfc74dc013e3a5a0f08dd1643755c406e6c821909a2.exe	89
PID 1400 wrote to memory of 4048	1400	eea30f9d46cd3ec68f2cecfc74dc013e3a5a0f08dd1643755c406e6c821909a2.exe	89
PID 1400 wrote to memory of 4048	1400	eea30f9d46cd3ec68f2cecfc74dc013e3a5a0f08dd1643755c406e6c821909a2.exe	89
PID 1900 wrote to memory of 1848	1900	oobeldr.exe	94
PID 1900 wrote to memory of 1848	1900	oobeldr.exe	94
PID 1900 wrote to memory of 1848	1900	oobeldr.exe	94
PID 1900 wrote to memory of 1848	1900	oobeldr.exe	94
PID 1900 wrote to memory of 1848	1900	oobeldr.exe	94
PID 1900 wrote to memory of 1848	1900	oobeldr.exe	94
PID 1900 wrote to memory of 1848	1900	oobeldr.exe	94
PID 1900 wrote to memory of 1848	1900	oobeldr.exe	94
PID 1900 wrote to memory of 1848	1900	oobeldr.exe	94
PID 1848 wrote to memory of 1888	1848	oobeldr.exe	95
PID 1848 wrote to memory of 1888	1848	oobeldr.exe	95
PID 1848 wrote to memory of 1888	1848	oobeldr.exe	95
PID 3420 wrote to memory of 836	3420	oobeldr.exe	98
PID 3420 wrote to memory of 836	3420	oobeldr.exe	98
PID 3420 wrote to memory of 836	3420	oobeldr.exe	98
PID 3420 wrote to memory of 4728	3420	oobeldr.exe	99
PID 3420 wrote to memory of 4728	3420	oobeldr.exe	99
PID 3420 wrote to memory of 4728	3420	oobeldr.exe	99
PID 3420 wrote to memory of 4728	3420	oobeldr.exe	99
PID 3420 wrote to memory of 4728	3420	oobeldr.exe	99
PID 3420 wrote to memory of 4728	3420	oobeldr.exe	99
PID 3420 wrote to memory of 4728	3420	oobeldr.exe	99
PID 3420 wrote to memory of 4728	3420	oobeldr.exe	99
PID 3420 wrote to memory of 4728	3420	oobeldr.exe	99

C:\Users\Admin\AppData\Local\Temp\eea30f9d46cd3ec68f2cecfc74dc013e3a5a0f08dd1643755c406e6c821909a2.exe
"C:\Users\Admin\AppData\Local\Temp\eea30f9d46cd3ec68f2cecfc74dc013e3a5a0f08dd1643755c406e6c821909a2.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4568
- C:\Users\Admin\AppData\Local\Temp\eea30f9d46cd3ec68f2cecfc74dc013e3a5a0f08dd1643755c406e6c821909a2.exe
  C:\Users\Admin\AppData\Local\Temp\eea30f9d46cd3ec68f2cecfc74dc013e3a5a0f08dd1643755c406e6c821909a2.exe
  2⤵
  PID:5100
- C:\Users\Admin\AppData\Local\Temp\eea30f9d46cd3ec68f2cecfc74dc013e3a5a0f08dd1643755c406e6c821909a2.exe
  C:\Users\Admin\AppData\Local\Temp\eea30f9d46cd3ec68f2cecfc74dc013e3a5a0f08dd1643755c406e6c821909a2.exe
  2⤵
  PID:876
- C:\Users\Admin\AppData\Local\Temp\eea30f9d46cd3ec68f2cecfc74dc013e3a5a0f08dd1643755c406e6c821909a2.exe
  C:\Users\Admin\AppData\Local\Temp\eea30f9d46cd3ec68f2cecfc74dc013e3a5a0f08dd1643755c406e6c821909a2.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1400
- - C:\Windows\SysWOW64\schtasks.exe
    /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
    3⤵
    - Creates scheduled task(s)
    PID:4048

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1900
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1848
- - C:\Windows\SysWOW64\schtasks.exe
    /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
    3⤵
    - Creates scheduled task(s)
    PID:1888

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3420
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  - Executes dropped EXE
  PID:836
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  - Executes dropped EXE
  PID:4728

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\oobeldr.exe.log

Filesize
789B

MD5
03d2df1e8834bc4ec1756735429b458c

SHA1
4ee6c0f5b04c8e0c5076219c5724032daab11d40

SHA256
745ab70552d9a0463b791fd8dc1942838ac3e34fb1a68f09ed3766c7e3b05631

SHA512
2482c3d4478125ccbc7f224f50e86b7bf925ed438b59f4dce57b9b6bcdb59df51417049096b131b6b911173550eed98bc92aba7050861de303a692f0681b197b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
323KB

MD5
4394ca2e004509f917595ba7e79fbb0e

SHA1
41876fd7ad27f2e1add6249da9c81f16b34b4315

SHA256
eea30f9d46cd3ec68f2cecfc74dc013e3a5a0f08dd1643755c406e6c821909a2

SHA512
de86a56657f8f5ca178b501e710d37a576ca0a63d82ddd655c610a94903a8985a6e088d1a61fb2b486f955d54fc7fd71c4afc55d147f9a121e05a86a09edd75a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
323KB

MD5
4394ca2e004509f917595ba7e79fbb0e

SHA1
41876fd7ad27f2e1add6249da9c81f16b34b4315

SHA256
eea30f9d46cd3ec68f2cecfc74dc013e3a5a0f08dd1643755c406e6c821909a2

SHA512
de86a56657f8f5ca178b501e710d37a576ca0a63d82ddd655c610a94903a8985a6e088d1a61fb2b486f955d54fc7fd71c4afc55d147f9a121e05a86a09edd75a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
323KB

MD5
4394ca2e004509f917595ba7e79fbb0e

SHA1
41876fd7ad27f2e1add6249da9c81f16b34b4315

SHA256
eea30f9d46cd3ec68f2cecfc74dc013e3a5a0f08dd1643755c406e6c821909a2

SHA512
de86a56657f8f5ca178b501e710d37a576ca0a63d82ddd655c610a94903a8985a6e088d1a61fb2b486f955d54fc7fd71c4afc55d147f9a121e05a86a09edd75a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
323KB

MD5
4394ca2e004509f917595ba7e79fbb0e

SHA1
41876fd7ad27f2e1add6249da9c81f16b34b4315

SHA256
eea30f9d46cd3ec68f2cecfc74dc013e3a5a0f08dd1643755c406e6c821909a2

SHA512
de86a56657f8f5ca178b501e710d37a576ca0a63d82ddd655c610a94903a8985a6e088d1a61fb2b486f955d54fc7fd71c4afc55d147f9a121e05a86a09edd75a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
323KB

MD5
4394ca2e004509f917595ba7e79fbb0e

SHA1
41876fd7ad27f2e1add6249da9c81f16b34b4315

SHA256
eea30f9d46cd3ec68f2cecfc74dc013e3a5a0f08dd1643755c406e6c821909a2

SHA512
de86a56657f8f5ca178b501e710d37a576ca0a63d82ddd655c610a94903a8985a6e088d1a61fb2b486f955d54fc7fd71c4afc55d147f9a121e05a86a09edd75a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
323KB

MD5
4394ca2e004509f917595ba7e79fbb0e

SHA1
41876fd7ad27f2e1add6249da9c81f16b34b4315

SHA256
eea30f9d46cd3ec68f2cecfc74dc013e3a5a0f08dd1643755c406e6c821909a2

SHA512
de86a56657f8f5ca178b501e710d37a576ca0a63d82ddd655c610a94903a8985a6e088d1a61fb2b486f955d54fc7fd71c4afc55d147f9a121e05a86a09edd75a

Download Submit
memory/1400-138-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1400-140-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1400-141-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/4568-134-0x0000000007500000-0x0000000007592000-memory.dmp

Filesize
584KB

Download
memory/4568-135-0x00000000077A0000-0x0000000007816000-memory.dmp

Filesize
472KB

Download
memory/4568-132-0x0000000000540000-0x0000000000596000-memory.dmp

Filesize
344KB

Download
memory/4568-133-0x0000000007A10000-0x0000000007FB4000-memory.dmp

Filesize
5.6MB

Download
memory/4568-136-0x00000000074D0000-0x00000000074EE000-memory.dmp

Filesize
120KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads