Analysis Overview
SHA256
3d20b0c60440bdc056be22c9bcbfef724f9301add52fbb3aa2ab507366a73c89
Threat Level: Likely malicious
The file 3d20b0c60440bdc056be22c9bcbfef724f9301add52fbb3aa2ab507366a73c89 was found to be: Likely malicious.
Malicious Activity Summary
Executes dropped EXE
Suspicious use of SetThreadContext
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-11-01 11:38
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-11-01 11:38
Reported
2022-11-01 11:41
Platform
win10v2004-20220901-en
Max time kernel
139s
Max time network
149s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3284 set thread context of 4864 | N/A | C:\Users\Admin\AppData\Local\Temp\3d20b0c60440bdc056be22c9bcbfef724f9301add52fbb3aa2ab507366a73c89.exe | C:\Users\Admin\AppData\Local\Temp\3d20b0c60440bdc056be22c9bcbfef724f9301add52fbb3aa2ab507366a73c89.exe |
| PID 3764 set thread context of 2380 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe |
| PID 5100 set thread context of 4736 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe |
| PID 676 set thread context of 1768 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3d20b0c60440bdc056be22c9bcbfef724f9301add52fbb3aa2ab507366a73c89.exe
"C:\Users\Admin\AppData\Local\Temp\3d20b0c60440bdc056be22c9bcbfef724f9301add52fbb3aa2ab507366a73c89.exe"
C:\Users\Admin\AppData\Local\Temp\3d20b0c60440bdc056be22c9bcbfef724f9301add52fbb3aa2ab507366a73c89.exe
C:\Users\Admin\AppData\Local\Temp\3d20b0c60440bdc056be22c9bcbfef724f9301add52fbb3aa2ab507366a73c89.exe
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
Network
| Country | Destination | Domain | Proto |
| BE | 8.238.110.126:80 | tcp | |
| US | 13.89.179.10:443 | tcp | |
| BE | 8.238.110.126:80 | tcp | |
| BE | 8.238.110.126:80 | tcp | |
| BE | 8.238.110.126:80 | tcp |
Files
memory/3284-132-0x00000000007E0000-0x0000000000836000-memory.dmp
memory/3284-133-0x0000000007CF0000-0x0000000008294000-memory.dmp
memory/3284-134-0x00000000077E0000-0x0000000007872000-memory.dmp
memory/3284-135-0x0000000007A80000-0x0000000007AF6000-memory.dmp
memory/3284-136-0x0000000007770000-0x000000000778E000-memory.dmp
memory/4864-137-0x0000000000000000-mapping.dmp
memory/4864-138-0x0000000000400000-0x0000000000406000-memory.dmp
memory/4864-140-0x0000000000400000-0x0000000000406000-memory.dmp
memory/2412-141-0x0000000000000000-mapping.dmp
memory/4864-142-0x0000000000400000-0x0000000000406000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
| MD5 | 139233db3ddd85f94d6c487cd1ce1154 |
| SHA1 | 4def25f97ef3336168c35f052c6bcec430871db0 |
| SHA256 | 3d20b0c60440bdc056be22c9bcbfef724f9301add52fbb3aa2ab507366a73c89 |
| SHA512 | 140c8ab45a16cdf273b2343486dfba349143907902496aaa9a7a6309af83fc8ee75e1402fcaf2b46799e6a5dbc10c01e543f04a1d62b8177ff4bb12bd0e473b9 |
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
| MD5 | 139233db3ddd85f94d6c487cd1ce1154 |
| SHA1 | 4def25f97ef3336168c35f052c6bcec430871db0 |
| SHA256 | 3d20b0c60440bdc056be22c9bcbfef724f9301add52fbb3aa2ab507366a73c89 |
| SHA512 | 140c8ab45a16cdf273b2343486dfba349143907902496aaa9a7a6309af83fc8ee75e1402fcaf2b46799e6a5dbc10c01e543f04a1d62b8177ff4bb12bd0e473b9 |
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
| MD5 | 139233db3ddd85f94d6c487cd1ce1154 |
| SHA1 | 4def25f97ef3336168c35f052c6bcec430871db0 |
| SHA256 | 3d20b0c60440bdc056be22c9bcbfef724f9301add52fbb3aa2ab507366a73c89 |
| SHA512 | 140c8ab45a16cdf273b2343486dfba349143907902496aaa9a7a6309af83fc8ee75e1402fcaf2b46799e6a5dbc10c01e543f04a1d62b8177ff4bb12bd0e473b9 |
memory/2380-146-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
| MD5 | 139233db3ddd85f94d6c487cd1ce1154 |
| SHA1 | 4def25f97ef3336168c35f052c6bcec430871db0 |
| SHA256 | 3d20b0c60440bdc056be22c9bcbfef724f9301add52fbb3aa2ab507366a73c89 |
| SHA512 | 140c8ab45a16cdf273b2343486dfba349143907902496aaa9a7a6309af83fc8ee75e1402fcaf2b46799e6a5dbc10c01e543f04a1d62b8177ff4bb12bd0e473b9 |
memory/4164-151-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
| MD5 | 139233db3ddd85f94d6c487cd1ce1154 |
| SHA1 | 4def25f97ef3336168c35f052c6bcec430871db0 |
| SHA256 | 3d20b0c60440bdc056be22c9bcbfef724f9301add52fbb3aa2ab507366a73c89 |
| SHA512 | 140c8ab45a16cdf273b2343486dfba349143907902496aaa9a7a6309af83fc8ee75e1402fcaf2b46799e6a5dbc10c01e543f04a1d62b8177ff4bb12bd0e473b9 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\oobeldr.exe.log
| MD5 | 03d2df1e8834bc4ec1756735429b458c |
| SHA1 | 4ee6c0f5b04c8e0c5076219c5724032daab11d40 |
| SHA256 | 745ab70552d9a0463b791fd8dc1942838ac3e34fb1a68f09ed3766c7e3b05631 |
| SHA512 | 2482c3d4478125ccbc7f224f50e86b7bf925ed438b59f4dce57b9b6bcdb59df51417049096b131b6b911173550eed98bc92aba7050861de303a692f0681b197b |
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
| MD5 | 139233db3ddd85f94d6c487cd1ce1154 |
| SHA1 | 4def25f97ef3336168c35f052c6bcec430871db0 |
| SHA256 | 3d20b0c60440bdc056be22c9bcbfef724f9301add52fbb3aa2ab507366a73c89 |
| SHA512 | 140c8ab45a16cdf273b2343486dfba349143907902496aaa9a7a6309af83fc8ee75e1402fcaf2b46799e6a5dbc10c01e543f04a1d62b8177ff4bb12bd0e473b9 |
memory/4736-155-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
| MD5 | 139233db3ddd85f94d6c487cd1ce1154 |
| SHA1 | 4def25f97ef3336168c35f052c6bcec430871db0 |
| SHA256 | 3d20b0c60440bdc056be22c9bcbfef724f9301add52fbb3aa2ab507366a73c89 |
| SHA512 | 140c8ab45a16cdf273b2343486dfba349143907902496aaa9a7a6309af83fc8ee75e1402fcaf2b46799e6a5dbc10c01e543f04a1d62b8177ff4bb12bd0e473b9 |
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
| MD5 | 139233db3ddd85f94d6c487cd1ce1154 |
| SHA1 | 4def25f97ef3336168c35f052c6bcec430871db0 |
| SHA256 | 3d20b0c60440bdc056be22c9bcbfef724f9301add52fbb3aa2ab507366a73c89 |
| SHA512 | 140c8ab45a16cdf273b2343486dfba349143907902496aaa9a7a6309af83fc8ee75e1402fcaf2b46799e6a5dbc10c01e543f04a1d62b8177ff4bb12bd0e473b9 |
memory/1768-159-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
| MD5 | 139233db3ddd85f94d6c487cd1ce1154 |
| SHA1 | 4def25f97ef3336168c35f052c6bcec430871db0 |
| SHA256 | 3d20b0c60440bdc056be22c9bcbfef724f9301add52fbb3aa2ab507366a73c89 |
| SHA512 | 140c8ab45a16cdf273b2343486dfba349143907902496aaa9a7a6309af83fc8ee75e1402fcaf2b46799e6a5dbc10c01e543f04a1d62b8177ff4bb12bd0e473b9 |