Analysis

max time kernel: 156s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01/11/2022, 10:41
Static task: static1
Behavioral task: behavioral1
  Sample: 6251ce1ffa17e8a6079b985092fa3617d5e6b27d663970895a7041fea2537e55.exe
  Resource: win10v2004-20220812-en
General

Target: 6251ce1ffa17e8a6079b985092fa3617d5e6b27d663970895a7041fea2537e55.exe
Size: 324KB
MD5: edf0c3284fba2f60afbcc785e9f0d28b
SHA1: cc0f0cfc9b8bddb36dac3eea215e67497f9bed8a
SHA256: 6251ce1ffa17e8a6079b985092fa3617d5e6b27d663970895a7041fea2537e55
SHA512: f1e774f4e01b02f9823aee64c22ddc7b4c0c1cba1c6059c983bb853dbc82f6371bafe7173ead029929c0529fc34b72ca5648aa21706a11ce6b9b176ea5d33589
SSDEEP: 6144:eKlzr1sYCzek2ciDaP9Xk6Ln1W8W/9InBSkZZmLdGcAdgdY6RKpjS:eGhQ2ciDq9ZL1W8q9InBRqELdolRKpj
Malware Config
Signatures

Executes dropped EXE (5 IoCs)

  pid   | Process
  3900  | oobeldr.exe
  3592  | oobeldr.exe
  4460  | oobeldr.exe
  2148  | oobeldr.exe
  1368  | oobeldr.exe

Suspicious use of SetThreadContext (3 IoCs)

  description                          | pid  | Process                                                               | procid_target
  PID 5060 set thread context of 4892  | 5060 | 6251ce1ffa17e8a6079b985092fa3617d5e6b27d663970895a7041fea2537e55.exe | 80
  PID 3900 set thread context of 3592  | 3900 | oobeldr.exe                                                           | 91
  PID 4460 set thread context of 2148  | 4460 | oobeldr.exe                                                           | 95

Creates scheduled task(s) (1 TTPs, 2 IoCs)

Schtasks is often used by malware for persistence or to perform post-infection execution.

  pid   | Process
  2680  | schtasks.exe
  1496  | schtasks.exe

Suspicious use of WriteProcessMemory (36 IoCs)

  description                        | pid  | Process                                                               | procid_target
  PID 5060 wrote to memory of 4892   | 5060 | 6251ce1ffa17e8a6079b985092fa3617d5e6b27d663970895a7041fea2537e55.exe | 80
  PID 5060 wrote to memory of 4892   | 5060 | 6251ce1ffa17e8a6079b985092fa3617d5e6b27d663970895a7041fea2537e55.exe | 80
  PID 5060 wrote to memory of 4892   | 5060 | 6251ce1ffa17e8a6079b985092fa3617d5e6b27d663970895a7041fea2537e55.exe | 80
  PID 5060 wrote to memory of 4892   | 5060 | 6251ce1ffa17e8a6079b985092fa3617d5e6b27d663970895a7041fea2537e55.exe | 80
  PID 5060 wrote to memory of 4892   | 5060 | 6251ce1ffa17e8a6079b985092fa3617d5e6b27d663970895a7041fea2537e55.exe | 80
  PID 5060 wrote to memory of 4892   | 5060 | 6251ce1ffa17e8a6079b985092fa3617d5e6b27d663970895a7041fea2537e55.exe | 80
  PID 5060 wrote to memory of 4892   | 5060 | 6251ce1ffa17e8a6079b985092fa3617d5e6b27d663970895a7041fea2537e55.exe | 80
  PID 5060 wrote to memory of 4892   | 5060 | 6251ce1ffa17e8a6079b985092fa3617d5e6b27d663970895a7041fea2537e55.exe | 80
  PID 5060 wrote to memory of 4892   | 5060 | 6251ce1ffa17e8a6079b985092fa3617d5e6b27d663970895a7041fea2537e55.exe | 80
  PID 4892 wrote to memory of 1496   | 4892 | 6251ce1ffa17e8a6079b985092fa3617d5e6b27d663970895a7041fea2537e55.exe | 84
  PID 4892 wrote to memory of 1496   | 4892 | 6251ce1ffa17e8a6079b985092fa3617d5e6b27d663970895a7041fea2537e55.exe | 84
  PID 4892 wrote to memory of 1496   | 4892 | 6251ce1ffa17e8a6079b985092fa3617d5e6b27d663970895a7041fea2537e55.exe | 84
  PID 3900 wrote to memory of 3592   | 3900 | oobeldr.exe                                                           | 91
  PID 3900 wrote to memory of 3592   | 3900 | oobeldr.exe                                                           | 91
  PID 3900 wrote to memory of 3592   | 3900 | oobeldr.exe                                                           | 91
  PID 3900 wrote to memory of 3592   | 3900 | oobeldr.exe                                                           | 91
  PID 3900 wrote to memory of 3592   | 3900 | oobeldr.exe                                                           | 91
  PID 3900 wrote to memory of 3592   | 3900 | oobeldr.exe                                                           | 91
  PID 3900 wrote to memory of 3592   | 3900 | oobeldr.exe                                                           | 91
  PID 3900 wrote to memory of 3592   | 3900 | oobeldr.exe                                                           | 91
  PID 3900 wrote to memory of 3592   | 3900 | oobeldr.exe                                                           | 91
  PID 3592 wrote to memory of 2680   | 3592 | oobeldr.exe                                                           | 93
  PID 3592 wrote to memory of 2680   | 3592 | oobeldr.exe                                                           | 93
  PID 3592 wrote to memory of 2680   | 3592 | oobeldr.exe                                                           | 93
  PID 4460 wrote to memory of 2148   | 4460 | oobeldr.exe                                                           | 95
  PID 4460 wrote to memory of 2148   | 4460 | oobeldr.exe                                                           | 95
  PID 4460 wrote to memory of 2148   | 4460 | oobeldr.exe                                                           | 95
  PID 4460 wrote to memory of 2148   | 4460 | oobeldr.exe                                                           | 95
  PID 4460 wrote to memory of 2148   | 4460 | oobeldr.exe                                                           | 95
  PID 4460 wrote to memory of 2148   | 4460 | oobeldr.exe                                                           | 95
  PID 4460 wrote to memory of 2148   | 4460 | oobeldr.exe                                                           | 95
  PID 4460 wrote to memory of 2148   | 4460 | oobeldr.exe                                                           | 95
  PID 4460 wrote to memory of 2148   | 4460 | oobeldr.exe                                                           | 95
  PID 1368 wrote to memory of 1148   | 1368 | oobeldr.exe                                                           | 97
  PID 1368 wrote to memory of 1148   | 1368 | oobeldr.exe                                                           | 97
  PID 1368 wrote to memory of 1148   | 1368 | oobeldr.exe                                                           | 97
Processes

(Indentation shows process-tree depth; each entry lists the image path, the recorded command line, the PID and the signatures attributed to that process.)

C:\Users\Admin\AppData\Local\Temp\6251ce1ffa17e8a6079b985092fa3617d5e6b27d663970895a7041fea2537e55.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6251ce1ffa17e8a6079b985092fa3617d5e6b27d663970895a7041fea2537e55.exe"
  PID: 5060
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\6251ce1ffa17e8a6079b985092fa3617d5e6b27d663970895a7041fea2537e55.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\6251ce1ffa17e8a6079b985092fa3617d5e6b27d663970895a7041fea2537e55.exe
      PID: 4892
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\schtasks.exe
          Command line: /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
          PID: 1496
          - Creates scheduled task(s)

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  PID: 3900
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
      Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
      PID: 3592
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\schtasks.exe
          Command line: /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
          PID: 2680
          - Creates scheduled task(s)

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  PID: 4460
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
      Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
      PID: 2148
      - Executes dropped EXE

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  PID: 1368
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
      Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
      PID: 1148
Network
MITRE ATT&CK Enterprise v6
Downloads

File 1
  Filesize: 789B
  MD5: 03d2df1e8834bc4ec1756735429b458c
  SHA1: 4ee6c0f5b04c8e0c5076219c5724032daab11d40
  SHA256: 745ab70552d9a0463b791fd8dc1942838ac3e34fb1a68f09ed3766c7e3b05631
  SHA512: 2482c3d4478125ccbc7f224f50e86b7bf925ed438b59f4dce57b9b6bcdb59df51417049096b131b6b911173550eed98bc92aba7050861de303a692f0681b197b

File 2 (listed six times in the report with identical hashes; the hashes match the submitted sample)
  Filesize: 324KB
  MD5: edf0c3284fba2f60afbcc785e9f0d28b
  SHA1: cc0f0cfc9b8bddb36dac3eea215e67497f9bed8a
  SHA256: 6251ce1ffa17e8a6079b985092fa3617d5e6b27d663970895a7041fea2537e55
  SHA512: f1e774f4e01b02f9823aee64c22ddc7b4c0c1cba1c6059c983bb853dbc82f6371bafe7173ead029929c0529fc34b72ca5648aa21706a11ce6b9b176ea5d33589