937e17fe5ed78ea548bbd85b757dcfb1547c1bc1701c8a5cc393b6e6bc9a0dd2

Analysis

max time kernel
140s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
02/11/2022, 05:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

937e17fe5ed78ea548bbd85b757dcfb1547c1bc1701c8a5cc393b6e6bc9a0dd2.exe
Size

326KB
MD5

14ac5ec1878fa157e7ddf537886266a6
SHA1

07bb96745260cfaa73bc41cc0209badd99ffa3ed
SHA256

937e17fe5ed78ea548bbd85b757dcfb1547c1bc1701c8a5cc393b6e6bc9a0dd2
SHA512

459f6d6536a148f534cba5671126dc51cc64eb553e49041afa1bda5b7577a2cb621d9837158da00df5bc15ee55e26f857f3c9e26157d54eb72bf5d2de686562c
SSDEEP

6144:eKlzr1sYCzek2ciDaP9Xk6Ln1W8W/9InBSkZZmLdGcAdgdY6RKpjS:eGhQ2ciDq9ZL1W8q9InBRqELdolRKpj

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
2832	oobeldr.exe
2632	oobeldr.exe
3464	oobeldr.exe
3216	oobeldr.exe
2696	oobeldr.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4372 set thread context of 2708	4372	937e17fe5ed78ea548bbd85b757dcfb1547c1bc1701c8a5cc393b6e6bc9a0dd2.exe	84
PID 2832 set thread context of 3464	2832	oobeldr.exe	96
PID 3216 set thread context of 2696	3216	oobeldr.exe	100

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1068	schtasks.exe
4312	schtasks.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4372 wrote to memory of 1196	4372	937e17fe5ed78ea548bbd85b757dcfb1547c1bc1701c8a5cc393b6e6bc9a0dd2.exe	82
PID 4372 wrote to memory of 1196	4372	937e17fe5ed78ea548bbd85b757dcfb1547c1bc1701c8a5cc393b6e6bc9a0dd2.exe	82
PID 4372 wrote to memory of 1196	4372	937e17fe5ed78ea548bbd85b757dcfb1547c1bc1701c8a5cc393b6e6bc9a0dd2.exe	82
PID 4372 wrote to memory of 4340	4372	937e17fe5ed78ea548bbd85b757dcfb1547c1bc1701c8a5cc393b6e6bc9a0dd2.exe	83
PID 4372 wrote to memory of 4340	4372	937e17fe5ed78ea548bbd85b757dcfb1547c1bc1701c8a5cc393b6e6bc9a0dd2.exe	83
PID 4372 wrote to memory of 4340	4372	937e17fe5ed78ea548bbd85b757dcfb1547c1bc1701c8a5cc393b6e6bc9a0dd2.exe	83
PID 4372 wrote to memory of 2708	4372	937e17fe5ed78ea548bbd85b757dcfb1547c1bc1701c8a5cc393b6e6bc9a0dd2.exe	84
PID 4372 wrote to memory of 2708	4372	937e17fe5ed78ea548bbd85b757dcfb1547c1bc1701c8a5cc393b6e6bc9a0dd2.exe	84
PID 4372 wrote to memory of 2708	4372	937e17fe5ed78ea548bbd85b757dcfb1547c1bc1701c8a5cc393b6e6bc9a0dd2.exe	84
PID 4372 wrote to memory of 2708	4372	937e17fe5ed78ea548bbd85b757dcfb1547c1bc1701c8a5cc393b6e6bc9a0dd2.exe	84
PID 4372 wrote to memory of 2708	4372	937e17fe5ed78ea548bbd85b757dcfb1547c1bc1701c8a5cc393b6e6bc9a0dd2.exe	84
PID 4372 wrote to memory of 2708	4372	937e17fe5ed78ea548bbd85b757dcfb1547c1bc1701c8a5cc393b6e6bc9a0dd2.exe	84
PID 4372 wrote to memory of 2708	4372	937e17fe5ed78ea548bbd85b757dcfb1547c1bc1701c8a5cc393b6e6bc9a0dd2.exe	84
PID 4372 wrote to memory of 2708	4372	937e17fe5ed78ea548bbd85b757dcfb1547c1bc1701c8a5cc393b6e6bc9a0dd2.exe	84
PID 4372 wrote to memory of 2708	4372	937e17fe5ed78ea548bbd85b757dcfb1547c1bc1701c8a5cc393b6e6bc9a0dd2.exe	84
PID 2708 wrote to memory of 4312	2708	937e17fe5ed78ea548bbd85b757dcfb1547c1bc1701c8a5cc393b6e6bc9a0dd2.exe	85
PID 2708 wrote to memory of 4312	2708	937e17fe5ed78ea548bbd85b757dcfb1547c1bc1701c8a5cc393b6e6bc9a0dd2.exe	85
PID 2708 wrote to memory of 4312	2708	937e17fe5ed78ea548bbd85b757dcfb1547c1bc1701c8a5cc393b6e6bc9a0dd2.exe	85
PID 2832 wrote to memory of 2632	2832	oobeldr.exe	95
PID 2832 wrote to memory of 2632	2832	oobeldr.exe	95
PID 2832 wrote to memory of 2632	2832	oobeldr.exe	95
PID 2832 wrote to memory of 3464	2832	oobeldr.exe	96
PID 2832 wrote to memory of 3464	2832	oobeldr.exe	96
PID 2832 wrote to memory of 3464	2832	oobeldr.exe	96
PID 2832 wrote to memory of 3464	2832	oobeldr.exe	96
PID 2832 wrote to memory of 3464	2832	oobeldr.exe	96
PID 2832 wrote to memory of 3464	2832	oobeldr.exe	96
PID 2832 wrote to memory of 3464	2832	oobeldr.exe	96
PID 2832 wrote to memory of 3464	2832	oobeldr.exe	96
PID 2832 wrote to memory of 3464	2832	oobeldr.exe	96
PID 3464 wrote to memory of 1068	3464	oobeldr.exe	97
PID 3464 wrote to memory of 1068	3464	oobeldr.exe	97
PID 3464 wrote to memory of 1068	3464	oobeldr.exe	97
PID 3216 wrote to memory of 2696	3216	oobeldr.exe	100
PID 3216 wrote to memory of 2696	3216	oobeldr.exe	100
PID 3216 wrote to memory of 2696	3216	oobeldr.exe	100
PID 3216 wrote to memory of 2696	3216	oobeldr.exe	100
PID 3216 wrote to memory of 2696	3216	oobeldr.exe	100
PID 3216 wrote to memory of 2696	3216	oobeldr.exe	100
PID 3216 wrote to memory of 2696	3216	oobeldr.exe	100
PID 3216 wrote to memory of 2696	3216	oobeldr.exe	100
PID 3216 wrote to memory of 2696	3216	oobeldr.exe	100

C:\Users\Admin\AppData\Local\Temp\937e17fe5ed78ea548bbd85b757dcfb1547c1bc1701c8a5cc393b6e6bc9a0dd2.exe
"C:\Users\Admin\AppData\Local\Temp\937e17fe5ed78ea548bbd85b757dcfb1547c1bc1701c8a5cc393b6e6bc9a0dd2.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4372
- C:\Users\Admin\AppData\Local\Temp\937e17fe5ed78ea548bbd85b757dcfb1547c1bc1701c8a5cc393b6e6bc9a0dd2.exe
  C:\Users\Admin\AppData\Local\Temp\937e17fe5ed78ea548bbd85b757dcfb1547c1bc1701c8a5cc393b6e6bc9a0dd2.exe
  2⤵
  PID:1196
- C:\Users\Admin\AppData\Local\Temp\937e17fe5ed78ea548bbd85b757dcfb1547c1bc1701c8a5cc393b6e6bc9a0dd2.exe
  C:\Users\Admin\AppData\Local\Temp\937e17fe5ed78ea548bbd85b757dcfb1547c1bc1701c8a5cc393b6e6bc9a0dd2.exe
  2⤵
  PID:4340
- C:\Users\Admin\AppData\Local\Temp\937e17fe5ed78ea548bbd85b757dcfb1547c1bc1701c8a5cc393b6e6bc9a0dd2.exe
  C:\Users\Admin\AppData\Local\Temp\937e17fe5ed78ea548bbd85b757dcfb1547c1bc1701c8a5cc393b6e6bc9a0dd2.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2708
- - C:\Windows\SysWOW64\schtasks.exe
    /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
    3⤵
    - Creates scheduled task(s)
    PID:4312

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2832
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  - Executes dropped EXE
  PID:2632
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3464
- - C:\Windows\SysWOW64\schtasks.exe
    /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
    3⤵
    - Creates scheduled task(s)
    PID:1068

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3216
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  - Executes dropped EXE
  PID:2696

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\oobeldr.exe.log

Filesize
789B

MD5
03d2df1e8834bc4ec1756735429b458c

SHA1
4ee6c0f5b04c8e0c5076219c5724032daab11d40

SHA256
745ab70552d9a0463b791fd8dc1942838ac3e34fb1a68f09ed3766c7e3b05631

SHA512
2482c3d4478125ccbc7f224f50e86b7bf925ed438b59f4dce57b9b6bcdb59df51417049096b131b6b911173550eed98bc92aba7050861de303a692f0681b197b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
326KB

MD5
14ac5ec1878fa157e7ddf537886266a6

SHA1
07bb96745260cfaa73bc41cc0209badd99ffa3ed

SHA256
937e17fe5ed78ea548bbd85b757dcfb1547c1bc1701c8a5cc393b6e6bc9a0dd2

SHA512
459f6d6536a148f534cba5671126dc51cc64eb553e49041afa1bda5b7577a2cb621d9837158da00df5bc15ee55e26f857f3c9e26157d54eb72bf5d2de686562c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
326KB

MD5
14ac5ec1878fa157e7ddf537886266a6

SHA1
07bb96745260cfaa73bc41cc0209badd99ffa3ed

SHA256
937e17fe5ed78ea548bbd85b757dcfb1547c1bc1701c8a5cc393b6e6bc9a0dd2

SHA512
459f6d6536a148f534cba5671126dc51cc64eb553e49041afa1bda5b7577a2cb621d9837158da00df5bc15ee55e26f857f3c9e26157d54eb72bf5d2de686562c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
326KB

MD5
14ac5ec1878fa157e7ddf537886266a6

SHA1
07bb96745260cfaa73bc41cc0209badd99ffa3ed

SHA256
937e17fe5ed78ea548bbd85b757dcfb1547c1bc1701c8a5cc393b6e6bc9a0dd2

SHA512
459f6d6536a148f534cba5671126dc51cc64eb553e49041afa1bda5b7577a2cb621d9837158da00df5bc15ee55e26f857f3c9e26157d54eb72bf5d2de686562c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
326KB

MD5
14ac5ec1878fa157e7ddf537886266a6

SHA1
07bb96745260cfaa73bc41cc0209badd99ffa3ed

SHA256
937e17fe5ed78ea548bbd85b757dcfb1547c1bc1701c8a5cc393b6e6bc9a0dd2

SHA512
459f6d6536a148f534cba5671126dc51cc64eb553e49041afa1bda5b7577a2cb621d9837158da00df5bc15ee55e26f857f3c9e26157d54eb72bf5d2de686562c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
326KB

MD5
14ac5ec1878fa157e7ddf537886266a6

SHA1
07bb96745260cfaa73bc41cc0209badd99ffa3ed

SHA256
937e17fe5ed78ea548bbd85b757dcfb1547c1bc1701c8a5cc393b6e6bc9a0dd2

SHA512
459f6d6536a148f534cba5671126dc51cc64eb553e49041afa1bda5b7577a2cb621d9837158da00df5bc15ee55e26f857f3c9e26157d54eb72bf5d2de686562c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
326KB

MD5
14ac5ec1878fa157e7ddf537886266a6

SHA1
07bb96745260cfaa73bc41cc0209badd99ffa3ed

SHA256
937e17fe5ed78ea548bbd85b757dcfb1547c1bc1701c8a5cc393b6e6bc9a0dd2

SHA512
459f6d6536a148f534cba5671126dc51cc64eb553e49041afa1bda5b7577a2cb621d9837158da00df5bc15ee55e26f857f3c9e26157d54eb72bf5d2de686562c

Download Submit
memory/2708-142-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2708-140-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2708-138-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/4372-136-0x0000000007800000-0x000000000781E000-memory.dmp

Filesize
120KB

Download
memory/4372-132-0x00000000005C0000-0x0000000000616000-memory.dmp

Filesize
344KB

Download
memory/4372-135-0x0000000007880000-0x00000000078F6000-memory.dmp

Filesize
472KB

Download
memory/4372-134-0x0000000007560000-0x00000000075F2000-memory.dmp

Filesize
584KB

Download
memory/4372-133-0x0000000007B10000-0x00000000080B4000-memory.dmp

Filesize
5.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads