Analysis Overview
SHA256
0bc68c99003a59b6677e3417a1d08ccbe6f8f871e102351848e07596900ca83c
Threat Level: Likely malicious
The file 0bc68c99003a59b6677e3417a1d08ccbe6f8f871e102351848e07596900ca83c was found to be: Likely malicious.
Malicious Activity Summary
Executes dropped EXE
Suspicious use of SetThreadContext
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-11-01 10:38
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-11-01 10:38
Reported
2022-11-01 10:41
Platform
win10v2004-20220812-en
Max time kernel
146s
Max time network
2s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2228 set thread context of 3012 | N/A | C:\Users\Admin\AppData\Local\Temp\0bc68c99003a59b6677e3417a1d08ccbe6f8f871e102351848e07596900ca83c.exe | C:\Users\Admin\AppData\Local\Temp\0bc68c99003a59b6677e3417a1d08ccbe6f8f871e102351848e07596900ca83c.exe |
| PID 1660 set thread context of 4376 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe |
| PID 4564 set thread context of 968 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe |
| PID 1508 set thread context of 3632 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\0bc68c99003a59b6677e3417a1d08ccbe6f8f871e102351848e07596900ca83c.exe
"C:\Users\Admin\AppData\Local\Temp\0bc68c99003a59b6677e3417a1d08ccbe6f8f871e102351848e07596900ca83c.exe"
C:\Users\Admin\AppData\Local\Temp\0bc68c99003a59b6677e3417a1d08ccbe6f8f871e102351848e07596900ca83c.exe
C:\Users\Admin\AppData\Local\Temp\0bc68c99003a59b6677e3417a1d08ccbe6f8f871e102351848e07596900ca83c.exe
C:\Users\Admin\AppData\Local\Temp\0bc68c99003a59b6677e3417a1d08ccbe6f8f871e102351848e07596900ca83c.exe
C:\Users\Admin\AppData\Local\Temp\0bc68c99003a59b6677e3417a1d08ccbe6f8f871e102351848e07596900ca83c.exe
C:\Users\Admin\AppData\Local\Temp\0bc68c99003a59b6677e3417a1d08ccbe6f8f871e102351848e07596900ca83c.exe
C:\Users\Admin\AppData\Local\Temp\0bc68c99003a59b6677e3417a1d08ccbe6f8f871e102351848e07596900ca83c.exe
C:\Users\Admin\AppData\Local\Temp\0bc68c99003a59b6677e3417a1d08ccbe6f8f871e102351848e07596900ca83c.exe
C:\Users\Admin\AppData\Local\Temp\0bc68c99003a59b6677e3417a1d08ccbe6f8f871e102351848e07596900ca83c.exe
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
Network
Files
memory/2228-132-0x00000000003B0000-0x0000000000406000-memory.dmp
memory/2228-133-0x00000000078F0000-0x0000000007E94000-memory.dmp
memory/2228-134-0x00000000073E0000-0x0000000007472000-memory.dmp
memory/2228-135-0x0000000007680000-0x00000000076F6000-memory.dmp
memory/2228-136-0x0000000004EF0000-0x0000000004F0E000-memory.dmp
memory/3012-137-0x0000000000000000-mapping.dmp
memory/3012-138-0x0000000000400000-0x0000000000406000-memory.dmp
memory/3012-140-0x0000000000400000-0x0000000000406000-memory.dmp
memory/4424-141-0x0000000000000000-mapping.dmp
memory/3012-142-0x0000000000400000-0x0000000000406000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
| MD5 | f5b0148d49db022b84914449b13eadf9 |
| SHA1 | 43216de735c43209ed75eefbd8875d5c7f8b833f |
| SHA256 | 0bc68c99003a59b6677e3417a1d08ccbe6f8f871e102351848e07596900ca83c |
| SHA512 | db7a67929f900d5baf9ab37cc011101d03884c3d2986703621055f8a957eed00a23079e9e0bc90dbd050edad160052d62ce531057f223eefb934f66c73b92277 |
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
| MD5 | f5b0148d49db022b84914449b13eadf9 |
| SHA1 | 43216de735c43209ed75eefbd8875d5c7f8b833f |
| SHA256 | 0bc68c99003a59b6677e3417a1d08ccbe6f8f871e102351848e07596900ca83c |
| SHA512 | db7a67929f900d5baf9ab37cc011101d03884c3d2986703621055f8a957eed00a23079e9e0bc90dbd050edad160052d62ce531057f223eefb934f66c73b92277 |
memory/4376-145-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
| MD5 | f5b0148d49db022b84914449b13eadf9 |
| SHA1 | 43216de735c43209ed75eefbd8875d5c7f8b833f |
| SHA256 | 0bc68c99003a59b6677e3417a1d08ccbe6f8f871e102351848e07596900ca83c |
| SHA512 | db7a67929f900d5baf9ab37cc011101d03884c3d2986703621055f8a957eed00a23079e9e0bc90dbd050edad160052d62ce531057f223eefb934f66c73b92277 |
memory/736-150-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
| MD5 | f5b0148d49db022b84914449b13eadf9 |
| SHA1 | 43216de735c43209ed75eefbd8875d5c7f8b833f |
| SHA256 | 0bc68c99003a59b6677e3417a1d08ccbe6f8f871e102351848e07596900ca83c |
| SHA512 | db7a67929f900d5baf9ab37cc011101d03884c3d2986703621055f8a957eed00a23079e9e0bc90dbd050edad160052d62ce531057f223eefb934f66c73b92277 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\oobeldr.exe.log
| MD5 | 03d2df1e8834bc4ec1756735429b458c |
| SHA1 | 4ee6c0f5b04c8e0c5076219c5724032daab11d40 |
| SHA256 | 745ab70552d9a0463b791fd8dc1942838ac3e34fb1a68f09ed3766c7e3b05631 |
| SHA512 | 2482c3d4478125ccbc7f224f50e86b7bf925ed438b59f4dce57b9b6bcdb59df51417049096b131b6b911173550eed98bc92aba7050861de303a692f0681b197b |
memory/968-153-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
| MD5 | f5b0148d49db022b84914449b13eadf9 |
| SHA1 | 43216de735c43209ed75eefbd8875d5c7f8b833f |
| SHA256 | 0bc68c99003a59b6677e3417a1d08ccbe6f8f871e102351848e07596900ca83c |
| SHA512 | db7a67929f900d5baf9ab37cc011101d03884c3d2986703621055f8a957eed00a23079e9e0bc90dbd050edad160052d62ce531057f223eefb934f66c73b92277 |
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
| MD5 | f5b0148d49db022b84914449b13eadf9 |
| SHA1 | 43216de735c43209ed75eefbd8875d5c7f8b833f |
| SHA256 | 0bc68c99003a59b6677e3417a1d08ccbe6f8f871e102351848e07596900ca83c |
| SHA512 | db7a67929f900d5baf9ab37cc011101d03884c3d2986703621055f8a957eed00a23079e9e0bc90dbd050edad160052d62ce531057f223eefb934f66c73b92277 |
memory/3632-159-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
| MD5 | f5b0148d49db022b84914449b13eadf9 |
| SHA1 | 43216de735c43209ed75eefbd8875d5c7f8b833f |
| SHA256 | 0bc68c99003a59b6677e3417a1d08ccbe6f8f871e102351848e07596900ca83c |
| SHA512 | db7a67929f900d5baf9ab37cc011101d03884c3d2986703621055f8a957eed00a23079e9e0bc90dbd050edad160052d62ce531057f223eefb934f66c73b92277 |