Analysis
- max time kernel: 146s
- max time network: 2s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01/11/2022, 10:38

Static task: static1
Behavioral task: behavioral1
Sample: 0bc68c99003a59b6677e3417a1d08ccbe6f8f871e102351848e07596900ca83c.exe
Resource: win10v2004-20220812-en

General
- Target: 0bc68c99003a59b6677e3417a1d08ccbe6f8f871e102351848e07596900ca83c.exe
- Size: 324KB
- MD5: f5b0148d49db022b84914449b13eadf9
- SHA1: 43216de735c43209ed75eefbd8875d5c7f8b833f
- SHA256: 0bc68c99003a59b6677e3417a1d08ccbe6f8f871e102351848e07596900ca83c
- SHA512: db7a67929f900d5baf9ab37cc011101d03884c3d2986703621055f8a957eed00a23079e9e0bc90dbd050edad160052d62ce531057f223eefb934f66c73b92277
- SSDEEP: 6144:eKlzr1sYCzek2ciDaP9Xk6Ln1W8W/9InBSkZZmLdGcAdgdY6RKpjS:eGhQ2ciDq9ZL1W8q9InBRqELdolRKpj
Malware Config
Signatures
- Executes dropped EXE (6 IoCs)
  pid | Process
  1660 | oobeldr.exe
  4376 | oobeldr.exe
  4564 | oobeldr.exe
  968 | oobeldr.exe
  1508 | oobeldr.exe
  3632 | oobeldr.exe
- Suspicious use of SetThreadContext (4 IoCs)
  description | pid | Process | procid_target
  PID 2228 set thread context of 3012 | 2228 | 0bc68c99003a59b6677e3417a1d08ccbe6f8f871e102351848e07596900ca83c.exe | 78
  PID 1660 set thread context of 4376 | 1660 | oobeldr.exe | 82
  PID 4564 set thread context of 968 | 4564 | oobeldr.exe | 86
  PID 1508 set thread context of 3632 | 1508 | oobeldr.exe | 88
- Creates scheduled task(s) (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  4424 | schtasks.exe
  736 | schtasks.exe
- Suspicious use of WriteProcessMemory (51 IoCs)
  description | pid | Process | procid_target
  PID 2228 wrote to memory of 2408 | 2228 | 0bc68c99003a59b6677e3417a1d08ccbe6f8f871e102351848e07596900ca83c.exe | 75
  PID 2228 wrote to memory of 2408 | 2228 | 0bc68c99003a59b6677e3417a1d08ccbe6f8f871e102351848e07596900ca83c.exe | 75
  PID 2228 wrote to memory of 2408 | 2228 | 0bc68c99003a59b6677e3417a1d08ccbe6f8f871e102351848e07596900ca83c.exe | 75
  PID 2228 wrote to memory of 2424 | 2228 | 0bc68c99003a59b6677e3417a1d08ccbe6f8f871e102351848e07596900ca83c.exe | 76
  PID 2228 wrote to memory of 2424 | 2228 | 0bc68c99003a59b6677e3417a1d08ccbe6f8f871e102351848e07596900ca83c.exe | 76
  PID 2228 wrote to memory of 2424 | 2228 | 0bc68c99003a59b6677e3417a1d08ccbe6f8f871e102351848e07596900ca83c.exe | 76
  PID 2228 wrote to memory of 2668 | 2228 | 0bc68c99003a59b6677e3417a1d08ccbe6f8f871e102351848e07596900ca83c.exe | 77
  PID 2228 wrote to memory of 2668 | 2228 | 0bc68c99003a59b6677e3417a1d08ccbe6f8f871e102351848e07596900ca83c.exe | 77
  PID 2228 wrote to memory of 2668 | 2228 | 0bc68c99003a59b6677e3417a1d08ccbe6f8f871e102351848e07596900ca83c.exe | 77
  PID 2228 wrote to memory of 3012 | 2228 | 0bc68c99003a59b6677e3417a1d08ccbe6f8f871e102351848e07596900ca83c.exe | 78
  PID 2228 wrote to memory of 3012 | 2228 | 0bc68c99003a59b6677e3417a1d08ccbe6f8f871e102351848e07596900ca83c.exe | 78
  PID 2228 wrote to memory of 3012 | 2228 | 0bc68c99003a59b6677e3417a1d08ccbe6f8f871e102351848e07596900ca83c.exe | 78
  PID 2228 wrote to memory of 3012 | 2228 | 0bc68c99003a59b6677e3417a1d08ccbe6f8f871e102351848e07596900ca83c.exe | 78
  PID 2228 wrote to memory of 3012 | 2228 | 0bc68c99003a59b6677e3417a1d08ccbe6f8f871e102351848e07596900ca83c.exe | 78
  PID 2228 wrote to memory of 3012 | 2228 | 0bc68c99003a59b6677e3417a1d08ccbe6f8f871e102351848e07596900ca83c.exe | 78
  PID 2228 wrote to memory of 3012 | 2228 | 0bc68c99003a59b6677e3417a1d08ccbe6f8f871e102351848e07596900ca83c.exe | 78
  PID 2228 wrote to memory of 3012 | 2228 | 0bc68c99003a59b6677e3417a1d08ccbe6f8f871e102351848e07596900ca83c.exe | 78
  PID 2228 wrote to memory of 3012 | 2228 | 0bc68c99003a59b6677e3417a1d08ccbe6f8f871e102351848e07596900ca83c.exe | 78
  PID 3012 wrote to memory of 4424 | 3012 | 0bc68c99003a59b6677e3417a1d08ccbe6f8f871e102351848e07596900ca83c.exe | 79
  PID 3012 wrote to memory of 4424 | 3012 | 0bc68c99003a59b6677e3417a1d08ccbe6f8f871e102351848e07596900ca83c.exe | 79
  PID 3012 wrote to memory of 4424 | 3012 | 0bc68c99003a59b6677e3417a1d08ccbe6f8f871e102351848e07596900ca83c.exe | 79
  PID 1660 wrote to memory of 4376 | 1660 | oobeldr.exe | 82
  PID 1660 wrote to memory of 4376 | 1660 | oobeldr.exe | 82
  PID 1660 wrote to memory of 4376 | 1660 | oobeldr.exe | 82
  PID 1660 wrote to memory of 4376 | 1660 | oobeldr.exe | 82
  PID 1660 wrote to memory of 4376 | 1660 | oobeldr.exe | 82
  PID 1660 wrote to memory of 4376 | 1660 | oobeldr.exe | 82
  PID 1660 wrote to memory of 4376 | 1660 | oobeldr.exe | 82
  PID 1660 wrote to memory of 4376 | 1660 | oobeldr.exe | 82
  PID 1660 wrote to memory of 4376 | 1660 | oobeldr.exe | 82
  PID 4376 wrote to memory of 736 | 4376 | oobeldr.exe | 83
  PID 4376 wrote to memory of 736 | 4376 | oobeldr.exe | 83
  PID 4376 wrote to memory of 736 | 4376 | oobeldr.exe | 83
  PID 4564 wrote to memory of 968 | 4564 | oobeldr.exe | 86
  PID 4564 wrote to memory of 968 | 4564 | oobeldr.exe | 86
  PID 4564 wrote to memory of 968 | 4564 | oobeldr.exe | 86
  PID 4564 wrote to memory of 968 | 4564 | oobeldr.exe | 86
  PID 4564 wrote to memory of 968 | 4564 | oobeldr.exe | 86
  PID 4564 wrote to memory of 968 | 4564 | oobeldr.exe | 86
  PID 4564 wrote to memory of 968 | 4564 | oobeldr.exe | 86
  PID 4564 wrote to memory of 968 | 4564 | oobeldr.exe | 86
  PID 4564 wrote to memory of 968 | 4564 | oobeldr.exe | 86
  PID 1508 wrote to memory of 3632 | 1508 | oobeldr.exe | 88
  PID 1508 wrote to memory of 3632 | 1508 | oobeldr.exe | 88
  PID 1508 wrote to memory of 3632 | 1508 | oobeldr.exe | 88
  PID 1508 wrote to memory of 3632 | 1508 | oobeldr.exe | 88
  PID 1508 wrote to memory of 3632 | 1508 | oobeldr.exe | 88
  PID 1508 wrote to memory of 3632 | 1508 | oobeldr.exe | 88
  PID 1508 wrote to memory of 3632 | 1508 | oobeldr.exe | 88
  PID 1508 wrote to memory of 3632 | 1508 | oobeldr.exe | 88
  PID 1508 wrote to memory of 3632 | 1508 | oobeldr.exe | 88
Processes
- C:\Users\Admin\AppData\Local\Temp\0bc68c99003a59b6677e3417a1d08ccbe6f8f871e102351848e07596900ca83c.exe (PID 2228)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0bc68c99003a59b6677e3417a1d08ccbe6f8f871e102351848e07596900ca83c.exe"
  Signatures: Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\0bc68c99003a59b6677e3417a1d08ccbe6f8f871e102351848e07596900ca83c.exe (PID 2408)
    Command line: C:\Users\Admin\AppData\Local\Temp\0bc68c99003a59b6677e3417a1d08ccbe6f8f871e102351848e07596900ca83c.exe
  - C:\Users\Admin\AppData\Local\Temp\0bc68c99003a59b6677e3417a1d08ccbe6f8f871e102351848e07596900ca83c.exe (PID 2424)
    Command line: C:\Users\Admin\AppData\Local\Temp\0bc68c99003a59b6677e3417a1d08ccbe6f8f871e102351848e07596900ca83c.exe
  - C:\Users\Admin\AppData\Local\Temp\0bc68c99003a59b6677e3417a1d08ccbe6f8f871e102351848e07596900ca83c.exe (PID 2668)
    Command line: C:\Users\Admin\AppData\Local\Temp\0bc68c99003a59b6677e3417a1d08ccbe6f8f871e102351848e07596900ca83c.exe
  - C:\Users\Admin\AppData\Local\Temp\0bc68c99003a59b6677e3417a1d08ccbe6f8f871e102351848e07596900ca83c.exe (PID 3012)
    Command line: C:\Users\Admin\AppData\Local\Temp\0bc68c99003a59b6677e3417a1d08ccbe6f8f871e102351848e07596900ca83c.exe
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe (PID 4424)
      Command line: /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
      Signatures: Creates scheduled task(s)
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe (PID 1660)
  Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe (PID 4376)
    Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe (PID 736)
      Command line: /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
      Signatures: Creates scheduled task(s)
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe (PID 4564)
  Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe (PID 968)
    Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    Signatures: Executes dropped EXE
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe (PID 1508)
  Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe (PID 3632)
    Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    Signatures: Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 789B
  MD5: 03d2df1e8834bc4ec1756735429b458c
  SHA1: 4ee6c0f5b04c8e0c5076219c5724032daab11d40
  SHA256: 745ab70552d9a0463b791fd8dc1942838ac3e34fb1a68f09ed3766c7e3b05631
  SHA512: 2482c3d4478125ccbc7f224f50e86b7bf925ed438b59f4dce57b9b6bcdb59df51417049096b131b6b911173550eed98bc92aba7050861de303a692f0681b197b
- Filesize: 324KB
  MD5: f5b0148d49db022b84914449b13eadf9
  SHA1: 43216de735c43209ed75eefbd8875d5c7f8b833f
  SHA256: 0bc68c99003a59b6677e3417a1d08ccbe6f8f871e102351848e07596900ca83c
  SHA512: db7a67929f900d5baf9ab37cc011101d03884c3d2986703621055f8a957eed00a23079e9e0bc90dbd050edad160052d62ce531057f223eefb934f66c73b92277