Analysis Overview
SHA256
44e064646d95699b8dc5770be1712f33a93d9b710c4b3cb14e6c8e1612d4a5d4
Threat Level: Likely malicious
The file 44e064646d95699b8dc5770be1712f33a93d9b710c4b3cb14e6c8e1612d4a5d4 was found to be: Likely malicious.
Malicious Activity Summary
Executes dropped EXE
Suspicious use of SetThreadContext
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-11-01 11:40
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-11-01 11:40
Reported
2022-11-01 11:42
Platform
win10v2004-20220812-en
Max time kernel
114s
Max time network
128s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4984 set thread context of 1360 | N/A | C:\Users\Admin\AppData\Local\Temp\44e064646d95699b8dc5770be1712f33a93d9b710c4b3cb14e6c8e1612d4a5d4.exe | C:\Users\Admin\AppData\Local\Temp\44e064646d95699b8dc5770be1712f33a93d9b710c4b3cb14e6c8e1612d4a5d4.exe |
| PID 3228 set thread context of 672 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe |
| PID 3484 set thread context of 3128 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\44e064646d95699b8dc5770be1712f33a93d9b710c4b3cb14e6c8e1612d4a5d4.exe
"C:\Users\Admin\AppData\Local\Temp\44e064646d95699b8dc5770be1712f33a93d9b710c4b3cb14e6c8e1612d4a5d4.exe"
C:\Users\Admin\AppData\Local\Temp\44e064646d95699b8dc5770be1712f33a93d9b710c4b3cb14e6c8e1612d4a5d4.exe
C:\Users\Admin\AppData\Local\Temp\44e064646d95699b8dc5770be1712f33a93d9b710c4b3cb14e6c8e1612d4a5d4.exe
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
Network
| Country | Destination | Domain | Proto |
| US | 93.184.220.29:80 | tcp | |
| US | 93.184.220.29:80 | tcp | |
| IE | 13.69.239.72:443 | tcp | |
| US | 93.184.220.29:80 | tcp | |
| US | 93.184.221.240:80 | tcp | |
| NL | 104.80.225.205:443 | tcp |
Files
memory/4984-132-0x0000000000610000-0x0000000000666000-memory.dmp
memory/4984-133-0x0000000007960000-0x0000000007F04000-memory.dmp
memory/4984-134-0x0000000007490000-0x0000000007522000-memory.dmp
memory/4984-135-0x00000000077B0000-0x0000000007826000-memory.dmp
memory/4984-136-0x0000000007460000-0x000000000747E000-memory.dmp
memory/1360-137-0x0000000000000000-mapping.dmp
memory/1360-138-0x0000000000400000-0x0000000000406000-memory.dmp
memory/1360-140-0x0000000000400000-0x0000000000406000-memory.dmp
memory/620-141-0x0000000000000000-mapping.dmp
memory/1360-142-0x0000000000400000-0x0000000000406000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
| MD5 | caf3f792e8e21fad87dfd67b173e17cd |
| SHA1 | 01bd9f544a2ce5079134eb3d6860d1beeacdd668 |
| SHA256 | 44e064646d95699b8dc5770be1712f33a93d9b710c4b3cb14e6c8e1612d4a5d4 |
| SHA512 | 9205dcf0233af93d0816016597f91b59025acfb0a5946c0482b1c27e8b0df7be9f5140ed3549c6adf0e25f28869a793616ce25eecac5fcbb798e3fde76df2d6b |
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
| MD5 | caf3f792e8e21fad87dfd67b173e17cd |
| SHA1 | 01bd9f544a2ce5079134eb3d6860d1beeacdd668 |
| SHA256 | 44e064646d95699b8dc5770be1712f33a93d9b710c4b3cb14e6c8e1612d4a5d4 |
| SHA512 | 9205dcf0233af93d0816016597f91b59025acfb0a5946c0482b1c27e8b0df7be9f5140ed3549c6adf0e25f28869a793616ce25eecac5fcbb798e3fde76df2d6b |
memory/672-145-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
| MD5 | caf3f792e8e21fad87dfd67b173e17cd |
| SHA1 | 01bd9f544a2ce5079134eb3d6860d1beeacdd668 |
| SHA256 | 44e064646d95699b8dc5770be1712f33a93d9b710c4b3cb14e6c8e1612d4a5d4 |
| SHA512 | 9205dcf0233af93d0816016597f91b59025acfb0a5946c0482b1c27e8b0df7be9f5140ed3549c6adf0e25f28869a793616ce25eecac5fcbb798e3fde76df2d6b |
memory/4568-150-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
| MD5 | caf3f792e8e21fad87dfd67b173e17cd |
| SHA1 | 01bd9f544a2ce5079134eb3d6860d1beeacdd668 |
| SHA256 | 44e064646d95699b8dc5770be1712f33a93d9b710c4b3cb14e6c8e1612d4a5d4 |
| SHA512 | 9205dcf0233af93d0816016597f91b59025acfb0a5946c0482b1c27e8b0df7be9f5140ed3549c6adf0e25f28869a793616ce25eecac5fcbb798e3fde76df2d6b |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\oobeldr.exe.log
| MD5 | 03d2df1e8834bc4ec1756735429b458c |
| SHA1 | 4ee6c0f5b04c8e0c5076219c5724032daab11d40 |
| SHA256 | 745ab70552d9a0463b791fd8dc1942838ac3e34fb1a68f09ed3766c7e3b05631 |
| SHA512 | 2482c3d4478125ccbc7f224f50e86b7bf925ed438b59f4dce57b9b6bcdb59df51417049096b131b6b911173550eed98bc92aba7050861de303a692f0681b197b |
memory/3128-153-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
| MD5 | caf3f792e8e21fad87dfd67b173e17cd |
| SHA1 | 01bd9f544a2ce5079134eb3d6860d1beeacdd668 |
| SHA256 | 44e064646d95699b8dc5770be1712f33a93d9b710c4b3cb14e6c8e1612d4a5d4 |
| SHA512 | 9205dcf0233af93d0816016597f91b59025acfb0a5946c0482b1c27e8b0df7be9f5140ed3549c6adf0e25f28869a793616ce25eecac5fcbb798e3fde76df2d6b |