Analysis
- max time kernel: 147s
- max time network: 139s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01/11/2022, 10:39

Static task: static1
Behavioral task: behavioral1
- Sample: 8689f44a5a5e362b122c6f742f18ab8f7eadc2f23ebdb664f629aded1b18e3ed.exe
- Resource: win10v2004-20220901-en
General
- Target: 8689f44a5a5e362b122c6f742f18ab8f7eadc2f23ebdb664f629aded1b18e3ed.exe
- Size: 324KB
- MD5: e9c4eda8a656302af98881c464a6a39f
- SHA1: bfb80be1bd20498f7c379cf36194bfd6fea6b815
- SHA256: 8689f44a5a5e362b122c6f742f18ab8f7eadc2f23ebdb664f629aded1b18e3ed
- SHA512: 69b8f2880815d8dcd43e2e85b56a8e85845ffe0ae5a53855c56174c7c9286c55d93f9f887a9fe892029d747882d035f43e0982e24e7a72dfb5e0d1c76f5e32a0
- SSDEEP: 6144:eKlzr1sYCzek2ciDaP9Xk6Ln1W8W/9InBSkZZmLdGcAdgdY6RKpjS:eGhQ2ciDq9ZL1W8q9InBRqELdolRKpj
Malware Config
Signatures

Executes dropped EXE (6 IoCs)
  pid   Process
  3764  oobeldr.exe
  3856  oobeldr.exe
  4040  oobeldr.exe
  4472  oobeldr.exe
  2144  oobeldr.exe
  4128  oobeldr.exe

Suspicious use of SetThreadContext (4 IoCs)
- PID 1608 (8689f44a5a5e362b122c6f742f18ab8f7eadc2f23ebdb664f629aded1b18e3ed.exe) set thread context of 4800 (procid_target 80)
- PID 3764 (oobeldr.exe) set thread context of 3856 (procid_target 90)
- PID 4040 (oobeldr.exe) set thread context of 4472 (procid_target 95)
- PID 2144 (oobeldr.exe) set thread context of 4128 (procid_target 97)

Program crash (1 IoC)
  pid   pid_target  Process       procid_target
  4948  4128        WerFault.exe  97

Creates scheduled task(s) (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   Process
  3428  schtasks.exe
  4164  schtasks.exe

Suspicious use of WriteProcessMemory (42 IoCs)
The 42 events collapse to six distinct writer/target pairs; the last column gives how many times each pair was recorded.
  pid   Process                                                                   wrote to memory of  procid_target  events
  1608  8689f44a5a5e362b122c6f742f18ab8f7eadc2f23ebdb664f629aded1b18e3ed.exe     4800                80             9
  4800  8689f44a5a5e362b122c6f742f18ab8f7eadc2f23ebdb664f629aded1b18e3ed.exe     3428                84             3
  3764  oobeldr.exe                                                               3856                90             9
  3856  oobeldr.exe                                                               4164                91             3
  4040  oobeldr.exe                                                               4472                95             9
  2144  oobeldr.exe                                                               4128                97             9
Processes

C:\Users\Admin\AppData\Local\Temp\8689f44a5a5e362b122c6f742f18ab8f7eadc2f23ebdb664f629aded1b18e3ed.exe (PID 1608)
  Command line: "C:\Users\Admin\AppData\Local\Temp\8689f44a5a5e362b122c6f742f18ab8f7eadc2f23ebdb664f629aded1b18e3ed.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\8689f44a5a5e362b122c6f742f18ab8f7eadc2f23ebdb664f629aded1b18e3ed.exe (PID 4800)
      Command line: C:\Users\Admin\AppData\Local\Temp\8689f44a5a5e362b122c6f742f18ab8f7eadc2f23ebdb664f629aded1b18e3ed.exe
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\schtasks.exe (PID 3428)
          Command line: /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
          - Creates scheduled task(s)

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe (PID 3764)
  Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe (PID 3856)
      Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\schtasks.exe (PID 4164)
          Command line: /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
          - Creates scheduled task(s)

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe (PID 4040)
  Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe (PID 4472)
      Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
      - Executes dropped EXE

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe (PID 2144)
  Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe (PID 4128)
      Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
      - Executes dropped EXE
        C:\Windows\SysWOW64\WerFault.exe (PID 4948)
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4128 -s 12
          - Program crash

C:\Windows\SysWOW64\WerFault.exe (PID 3012)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 180 -p 4128 -ip 4128
Network
MITRE ATT&CK Enterprise v6
Downloads

File 1
- Filesize: 789B
- MD5: 03d2df1e8834bc4ec1756735429b458c
- SHA1: 4ee6c0f5b04c8e0c5076219c5724032daab11d40
- SHA256: 745ab70552d9a0463b791fd8dc1942838ac3e34fb1a68f09ed3766c7e3b05631
- SHA512: 2482c3d4478125ccbc7f224f50e86b7bf925ed438b59f4dce57b9b6bcdb59df51417049096b131b6b911173550eed98bc92aba7050861de303a692f0681b197b

File 2 (listed seven times in the original output; all seven entries carry identical hashes, which match the submitted sample in the General section)
- Filesize: 324KB
- MD5: e9c4eda8a656302af98881c464a6a39f
- SHA1: bfb80be1bd20498f7c379cf36194bfd6fea6b815
- SHA256: 8689f44a5a5e362b122c6f742f18ab8f7eadc2f23ebdb664f629aded1b18e3ed
- SHA512: 69b8f2880815d8dcd43e2e85b56a8e85845ffe0ae5a53855c56174c7c9286c55d93f9f887a9fe892029d747882d035f43e0982e24e7a72dfb5e0d1c76f5e32a0