Analysis
- max time kernel: 145s
- max time network: 153s
- platform: windows10-1703_x64
- resource: win10-20220812-en
- resource tags: arch:x64, arch:x86, image:win10-20220812-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 01/11/2022, 10:39
- Static task: static1
- Behavioral task: behavioral1
- Sample: 68e3766bd3199b3d518b3d783241c7b0b857e911dec6dfeda19483acebd4d3b9.exe
- Resource: win10-20220812-en
General
- Target: 68e3766bd3199b3d518b3d783241c7b0b857e911dec6dfeda19483acebd4d3b9.exe
- Size: 324KB
- MD5: 25bdbd567b616c6c8fdb7ea9627b0f1e
- SHA1: 611cfcd1378f21e689872c1bcfe1cc49430735af
- SHA256: 68e3766bd3199b3d518b3d783241c7b0b857e911dec6dfeda19483acebd4d3b9
- SHA512: 636e8318169de906b01c253b7f48b88bd1d631a5491e0c98200559dd0ae2c8bd4a961aa9c895a2625dcfc8daa872a946229282f857f4739117247d7e58d3dcdd
- SSDEEP: 6144:eKlzr1sYCzek2ciDaP9Xk6Ln1W8W/9InBSkZZmLdGcAdgdY6RKpjS:eGhQ2ciDq9ZL1W8q9InBRqELdolRKpj
Malware Config
Signatures
- Executes dropped EXE (4 IoCs)
  pid  | Process
  3536 | oobeldr.exe
  4760 | oobeldr.exe
  4836 | oobeldr.exe
  4432 | oobeldr.exe
- Suspicious use of SetThreadContext (3 IoCs)
  description                          | pid  | Process                                                               | procid_target
  PID 2636 set thread context of 4780  | 2636 | 68e3766bd3199b3d518b3d783241c7b0b857e911dec6dfeda19483acebd4d3b9.exe | 66
  PID 3536 set thread context of 4760  | 3536 | oobeldr.exe                                                           | 70
  PID 4836 set thread context of 4432  | 4836 | oobeldr.exe                                                           | 74
- Creates scheduled task(s) (1 TTPs, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid  | Process
  1520 | schtasks.exe
  3900 | schtasks.exe
- Suspicious use of WriteProcessMemory (33 IoCs; identical rows collapsed, with the number of occurrences in the last column)
  description                       | pid  | Process                                                               | procid_target | count
  PID 2636 wrote to memory of 4780  | 2636 | 68e3766bd3199b3d518b3d783241c7b0b857e911dec6dfeda19483acebd4d3b9.exe | 66            | 9
  PID 4780 wrote to memory of 1520  | 4780 | 68e3766bd3199b3d518b3d783241c7b0b857e911dec6dfeda19483acebd4d3b9.exe | 67            | 3
  PID 3536 wrote to memory of 4760  | 3536 | oobeldr.exe                                                           | 70            | 9
  PID 4760 wrote to memory of 3900  | 4760 | oobeldr.exe                                                           | 71            | 3
  PID 4836 wrote to memory of 4432  | 4836 | oobeldr.exe                                                           | 74            | 9
Processes
- C:\Users\Admin\AppData\Local\Temp\68e3766bd3199b3d518b3d783241c7b0b857e911dec6dfeda19483acebd4d3b9.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\68e3766bd3199b3d518b3d783241c7b0b857e911dec6dfeda19483acebd4d3b9.exe"
  PID: 2636
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\68e3766bd3199b3d518b3d783241c7b0b857e911dec6dfeda19483acebd4d3b9.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\68e3766bd3199b3d518b3d783241c7b0b857e911dec6dfeda19483acebd4d3b9.exe
    PID: 4780
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
      PID: 1520
      - Creates scheduled task(s)
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  PID: 3536
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    PID: 4760
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
      PID: 3900
      - Creates scheduled task(s)
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  PID: 4836
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    PID: 4432
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 789B
  MD5: db5ef8d7c51bad129d9097bf953e4913
  SHA1: 8439db960aa2d431bf5ec3c37af775b45eb07e06
  SHA256: 1248e67f10b47b397af3c8cbe342bad4be75c68b8e10f4ec6341195cc3138bd9
  SHA512: 04572485790b25e1751347e43b47174051cd153dd75fd55ee5590d25a2579f344cd96cf86cf45bdb7759e3e6d0f734d0ff717148ca70f501b9869e964e036fee
- Filesize: 324KB
  MD5: 25bdbd567b616c6c8fdb7ea9627b0f1e
  SHA1: 611cfcd1378f21e689872c1bcfe1cc49430735af
  SHA256: 68e3766bd3199b3d518b3d783241c7b0b857e911dec6dfeda19483acebd4d3b9
  SHA512: 636e8318169de906b01c253b7f48b88bd1d631a5491e0c98200559dd0ae2c8bd4a961aa9c895a2625dcfc8daa872a946229282f857f4739117247d7e58d3dcdd