Analysis

  • max time kernel
    150s
  • max time network
    124s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    01/11/2022, 11:44

General

  • Target

    4b4c697645d19b2bfc0d2c4cf3bf60fe7f5406d67cd72c44636898396b57c87f.exe

  • Size

    324KB

  • MD5

    3f8d1dac50f07a02571960564b9b0f57

  • SHA1

    4ebf6b8ca96bf0a5708772c59f20f4b9225d28d3

  • SHA256

    4b4c697645d19b2bfc0d2c4cf3bf60fe7f5406d67cd72c44636898396b57c87f

  • SHA512

    51cea8e195b6e635d04bee4820f9c33d12bf1d26d7ae448c6f77ffd00da4d9621f5e30e6161a34a8e8afb935ed225c75d0a9f059cc805706b91db50019a3a316

  • SSDEEP

    6144:eKlzr1sYCzek2ciDaP9Xk6Ln1W8W/9InBSkZZmLdGcAdgdY6RKpjS:eGhQ2ciDq9ZL1W8q9InBRqELdolRKpj

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 8 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of WriteProcessMemory 48 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4b4c697645d19b2bfc0d2c4cf3bf60fe7f5406d67cd72c44636898396b57c87f.exe
    "C:\Users\Admin\AppData\Local\Temp\4b4c697645d19b2bfc0d2c4cf3bf60fe7f5406d67cd72c44636898396b57c87f.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4344
    • C:\Users\Admin\AppData\Local\Temp\4b4c697645d19b2bfc0d2c4cf3bf60fe7f5406d67cd72c44636898396b57c87f.exe
      C:\Users\Admin\AppData\Local\Temp\4b4c697645d19b2bfc0d2c4cf3bf60fe7f5406d67cd72c44636898396b57c87f.exe
      2⤵
      PID:392
    • C:\Users\Admin\AppData\Local\Temp\4b4c697645d19b2bfc0d2c4cf3bf60fe7f5406d67cd72c44636898396b57c87f.exe
      C:\Users\Admin\AppData\Local\Temp\4b4c697645d19b2bfc0d2c4cf3bf60fe7f5406d67cd72c44636898396b57c87f.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4784
      • C:\Windows\SysWOW64\schtasks.exe
        /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
        3⤵
        • Creates scheduled task(s)
        PID:4308
  • C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2608
    • C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
      C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:4260
      • C:\Windows\SysWOW64\schtasks.exe
        /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
        3⤵
        • Creates scheduled task(s)
        PID:3128
  • C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4356
    • C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
      C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
      2⤵
      • Executes dropped EXE
      PID:3100
    • C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
      C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
      2⤵
      • Executes dropped EXE
      PID:4432
  • C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:1800
    • C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
      C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
      2⤵
      • Executes dropped EXE
      PID:4252
    • C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
      C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
      2⤵
      • Executes dropped EXE
      PID:2400
    • C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
      C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
      2⤵
      PID:1640

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\oobeldr.exe.log

    Filesize

    789B

    MD5

    03d2df1e8834bc4ec1756735429b458c

    SHA1

    4ee6c0f5b04c8e0c5076219c5724032daab11d40

    SHA256

    745ab70552d9a0463b791fd8dc1942838ac3e34fb1a68f09ed3766c7e3b05631

    SHA512

    2482c3d4478125ccbc7f224f50e86b7bf925ed438b59f4dce57b9b6bcdb59df51417049096b131b6b911173550eed98bc92aba7050861de303a692f0681b197b

  • C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

    Filesize

    324KB

    MD5

    3f8d1dac50f07a02571960564b9b0f57

    SHA1

    4ebf6b8ca96bf0a5708772c59f20f4b9225d28d3

    SHA256

    4b4c697645d19b2bfc0d2c4cf3bf60fe7f5406d67cd72c44636898396b57c87f

    SHA512

    51cea8e195b6e635d04bee4820f9c33d12bf1d26d7ae448c6f77ffd00da4d9621f5e30e6161a34a8e8afb935ed225c75d0a9f059cc805706b91db50019a3a316

  • memory/4344-134-0x0000000007320000-0x00000000073B2000-memory.dmp

    Filesize

    584KB

  • memory/4344-132-0x0000000000380000-0x00000000003D6000-memory.dmp

    Filesize

    344KB

  • memory/4344-133-0x00000000077D0000-0x0000000007D74000-memory.dmp

    Filesize

    5.6MB

  • memory/4344-135-0x0000000007640000-0x00000000076B6000-memory.dmp

    Filesize

    472KB

  • memory/4344-136-0x00000000075C0000-0x00000000075DE000-memory.dmp

    Filesize

    120KB

  • memory/4784-142-0x0000000000400000-0x0000000000406000-memory.dmp

    Filesize

    24KB

  • memory/4784-140-0x0000000000400000-0x0000000000406000-memory.dmp

    Filesize

    24KB

  • memory/4784-138-0x0000000000400000-0x0000000000406000-memory.dmp

    Filesize

    24KB