0c3daa58cdc0ff7bb6f135636744103c1ec0ef2cd673b8eff53a8a7d857e1357

Analysis

max time kernel
136s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
02/11/2022, 05:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0c3daa58cdc0ff7bb6f135636744103c1ec0ef2cd673b8eff53a8a7d857e1357.exe
Size

326KB
MD5

4207ea3533379ee1e43fac874a2ab150
SHA1

7d0f667a36c668311ecf6e7c1270641b745c0b65
SHA256

0c3daa58cdc0ff7bb6f135636744103c1ec0ef2cd673b8eff53a8a7d857e1357
SHA512

4c6981d31e4febd4ee25055e0d5ac4d35d4e7b51ccf599714fd2c16a946a191b08ad7b89d99de122e98b94dc50ce080595dfd4b5bac354511fb9b6d7f14f1710
SSDEEP

6144:eKlzr1sYCzek2ciDaP9Xk6Ln1W8W/9InBSkZZmLdGcAdgdY6RKpjS:eGhQ2ciDq9ZL1W8q9InBRqELdolRKpj

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 7 IoCs

pid	Process
2556	oobeldr.exe
3764	oobeldr.exe
1980	oobeldr.exe
396	oobeldr.exe
4228	oobeldr.exe
4772	oobeldr.exe
4024	oobeldr.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 5072 set thread context of 1488	5072	0c3daa58cdc0ff7bb6f135636744103c1ec0ef2cd673b8eff53a8a7d857e1357.exe	83
PID 2556 set thread context of 3764	2556	oobeldr.exe	93
PID 1980 set thread context of 396	1980	oobeldr.exe	98
PID 4228 set thread context of 4024	4228	oobeldr.exe	101

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4896	schtasks.exe
2132	schtasks.exe

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 5072 wrote to memory of 1488	5072	0c3daa58cdc0ff7bb6f135636744103c1ec0ef2cd673b8eff53a8a7d857e1357.exe	83
PID 5072 wrote to memory of 1488	5072	0c3daa58cdc0ff7bb6f135636744103c1ec0ef2cd673b8eff53a8a7d857e1357.exe	83
PID 5072 wrote to memory of 1488	5072	0c3daa58cdc0ff7bb6f135636744103c1ec0ef2cd673b8eff53a8a7d857e1357.exe	83
PID 5072 wrote to memory of 1488	5072	0c3daa58cdc0ff7bb6f135636744103c1ec0ef2cd673b8eff53a8a7d857e1357.exe	83
PID 5072 wrote to memory of 1488	5072	0c3daa58cdc0ff7bb6f135636744103c1ec0ef2cd673b8eff53a8a7d857e1357.exe	83
PID 5072 wrote to memory of 1488	5072	0c3daa58cdc0ff7bb6f135636744103c1ec0ef2cd673b8eff53a8a7d857e1357.exe	83
PID 5072 wrote to memory of 1488	5072	0c3daa58cdc0ff7bb6f135636744103c1ec0ef2cd673b8eff53a8a7d857e1357.exe	83
PID 5072 wrote to memory of 1488	5072	0c3daa58cdc0ff7bb6f135636744103c1ec0ef2cd673b8eff53a8a7d857e1357.exe	83
PID 5072 wrote to memory of 1488	5072	0c3daa58cdc0ff7bb6f135636744103c1ec0ef2cd673b8eff53a8a7d857e1357.exe	83
PID 1488 wrote to memory of 4896	1488	0c3daa58cdc0ff7bb6f135636744103c1ec0ef2cd673b8eff53a8a7d857e1357.exe	87
PID 1488 wrote to memory of 4896	1488	0c3daa58cdc0ff7bb6f135636744103c1ec0ef2cd673b8eff53a8a7d857e1357.exe	87
PID 1488 wrote to memory of 4896	1488	0c3daa58cdc0ff7bb6f135636744103c1ec0ef2cd673b8eff53a8a7d857e1357.exe	87
PID 2556 wrote to memory of 3764	2556	oobeldr.exe	93
PID 2556 wrote to memory of 3764	2556	oobeldr.exe	93
PID 2556 wrote to memory of 3764	2556	oobeldr.exe	93
PID 2556 wrote to memory of 3764	2556	oobeldr.exe	93
PID 2556 wrote to memory of 3764	2556	oobeldr.exe	93
PID 2556 wrote to memory of 3764	2556	oobeldr.exe	93
PID 2556 wrote to memory of 3764	2556	oobeldr.exe	93
PID 2556 wrote to memory of 3764	2556	oobeldr.exe	93
PID 2556 wrote to memory of 3764	2556	oobeldr.exe	93
PID 3764 wrote to memory of 2132	3764	oobeldr.exe	94
PID 3764 wrote to memory of 2132	3764	oobeldr.exe	94
PID 3764 wrote to memory of 2132	3764	oobeldr.exe	94
PID 1980 wrote to memory of 396	1980	oobeldr.exe	98
PID 1980 wrote to memory of 396	1980	oobeldr.exe	98
PID 1980 wrote to memory of 396	1980	oobeldr.exe	98
PID 1980 wrote to memory of 396	1980	oobeldr.exe	98
PID 1980 wrote to memory of 396	1980	oobeldr.exe	98
PID 1980 wrote to memory of 396	1980	oobeldr.exe	98
PID 1980 wrote to memory of 396	1980	oobeldr.exe	98
PID 1980 wrote to memory of 396	1980	oobeldr.exe	98
PID 1980 wrote to memory of 396	1980	oobeldr.exe	98
PID 4228 wrote to memory of 4772	4228	oobeldr.exe	100
PID 4228 wrote to memory of 4772	4228	oobeldr.exe	100
PID 4228 wrote to memory of 4772	4228	oobeldr.exe	100
PID 4228 wrote to memory of 4024	4228	oobeldr.exe	101
PID 4228 wrote to memory of 4024	4228	oobeldr.exe	101
PID 4228 wrote to memory of 4024	4228	oobeldr.exe	101
PID 4228 wrote to memory of 4024	4228	oobeldr.exe	101
PID 4228 wrote to memory of 4024	4228	oobeldr.exe	101
PID 4228 wrote to memory of 4024	4228	oobeldr.exe	101
PID 4228 wrote to memory of 4024	4228	oobeldr.exe	101
PID 4228 wrote to memory of 4024	4228	oobeldr.exe	101
PID 4228 wrote to memory of 4024	4228	oobeldr.exe	101

C:\Users\Admin\AppData\Local\Temp\0c3daa58cdc0ff7bb6f135636744103c1ec0ef2cd673b8eff53a8a7d857e1357.exe
"C:\Users\Admin\AppData\Local\Temp\0c3daa58cdc0ff7bb6f135636744103c1ec0ef2cd673b8eff53a8a7d857e1357.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5072
- C:\Users\Admin\AppData\Local\Temp\0c3daa58cdc0ff7bb6f135636744103c1ec0ef2cd673b8eff53a8a7d857e1357.exe
  C:\Users\Admin\AppData\Local\Temp\0c3daa58cdc0ff7bb6f135636744103c1ec0ef2cd673b8eff53a8a7d857e1357.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1488
- - C:\Windows\SysWOW64\schtasks.exe
    /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
    3⤵
    - Creates scheduled task(s)
    PID:4896

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2556
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3764
- - C:\Windows\SysWOW64\schtasks.exe
    /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
    3⤵
    - Creates scheduled task(s)
    PID:2132

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1980
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  - Executes dropped EXE
  PID:396

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4228
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  - Executes dropped EXE
  PID:4772
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  - Executes dropped EXE
  PID:4024

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\oobeldr.exe.log

Filesize
789B

MD5
03d2df1e8834bc4ec1756735429b458c

SHA1
4ee6c0f5b04c8e0c5076219c5724032daab11d40

SHA256
745ab70552d9a0463b791fd8dc1942838ac3e34fb1a68f09ed3766c7e3b05631

SHA512
2482c3d4478125ccbc7f224f50e86b7bf925ed438b59f4dce57b9b6bcdb59df51417049096b131b6b911173550eed98bc92aba7050861de303a692f0681b197b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
326KB

MD5
4207ea3533379ee1e43fac874a2ab150

SHA1
7d0f667a36c668311ecf6e7c1270641b745c0b65

SHA256
0c3daa58cdc0ff7bb6f135636744103c1ec0ef2cd673b8eff53a8a7d857e1357

SHA512
4c6981d31e4febd4ee25055e0d5ac4d35d4e7b51ccf599714fd2c16a946a191b08ad7b89d99de122e98b94dc50ce080595dfd4b5bac354511fb9b6d7f14f1710

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
326KB

MD5
4207ea3533379ee1e43fac874a2ab150

SHA1
7d0f667a36c668311ecf6e7c1270641b745c0b65

SHA256
0c3daa58cdc0ff7bb6f135636744103c1ec0ef2cd673b8eff53a8a7d857e1357

SHA512
4c6981d31e4febd4ee25055e0d5ac4d35d4e7b51ccf599714fd2c16a946a191b08ad7b89d99de122e98b94dc50ce080595dfd4b5bac354511fb9b6d7f14f1710

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
326KB

MD5
4207ea3533379ee1e43fac874a2ab150

SHA1
7d0f667a36c668311ecf6e7c1270641b745c0b65

SHA256
0c3daa58cdc0ff7bb6f135636744103c1ec0ef2cd673b8eff53a8a7d857e1357

SHA512
4c6981d31e4febd4ee25055e0d5ac4d35d4e7b51ccf599714fd2c16a946a191b08ad7b89d99de122e98b94dc50ce080595dfd4b5bac354511fb9b6d7f14f1710

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
326KB

MD5
4207ea3533379ee1e43fac874a2ab150

SHA1
7d0f667a36c668311ecf6e7c1270641b745c0b65

SHA256
0c3daa58cdc0ff7bb6f135636744103c1ec0ef2cd673b8eff53a8a7d857e1357

SHA512
4c6981d31e4febd4ee25055e0d5ac4d35d4e7b51ccf599714fd2c16a946a191b08ad7b89d99de122e98b94dc50ce080595dfd4b5bac354511fb9b6d7f14f1710

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
326KB

MD5
4207ea3533379ee1e43fac874a2ab150

SHA1
7d0f667a36c668311ecf6e7c1270641b745c0b65

SHA256
0c3daa58cdc0ff7bb6f135636744103c1ec0ef2cd673b8eff53a8a7d857e1357

SHA512
4c6981d31e4febd4ee25055e0d5ac4d35d4e7b51ccf599714fd2c16a946a191b08ad7b89d99de122e98b94dc50ce080595dfd4b5bac354511fb9b6d7f14f1710

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
326KB

MD5
4207ea3533379ee1e43fac874a2ab150

SHA1
7d0f667a36c668311ecf6e7c1270641b745c0b65

SHA256
0c3daa58cdc0ff7bb6f135636744103c1ec0ef2cd673b8eff53a8a7d857e1357

SHA512
4c6981d31e4febd4ee25055e0d5ac4d35d4e7b51ccf599714fd2c16a946a191b08ad7b89d99de122e98b94dc50ce080595dfd4b5bac354511fb9b6d7f14f1710

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
326KB

MD5
4207ea3533379ee1e43fac874a2ab150

SHA1
7d0f667a36c668311ecf6e7c1270641b745c0b65

SHA256
0c3daa58cdc0ff7bb6f135636744103c1ec0ef2cd673b8eff53a8a7d857e1357

SHA512
4c6981d31e4febd4ee25055e0d5ac4d35d4e7b51ccf599714fd2c16a946a191b08ad7b89d99de122e98b94dc50ce080595dfd4b5bac354511fb9b6d7f14f1710

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
326KB

MD5
4207ea3533379ee1e43fac874a2ab150

SHA1
7d0f667a36c668311ecf6e7c1270641b745c0b65

SHA256
0c3daa58cdc0ff7bb6f135636744103c1ec0ef2cd673b8eff53a8a7d857e1357

SHA512
4c6981d31e4febd4ee25055e0d5ac4d35d4e7b51ccf599714fd2c16a946a191b08ad7b89d99de122e98b94dc50ce080595dfd4b5bac354511fb9b6d7f14f1710

Download Submit
memory/1488-142-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1488-140-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1488-138-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/5072-135-0x0000000007470000-0x00000000074E6000-memory.dmp

Filesize
472KB

Download
memory/5072-134-0x00000000071D0000-0x0000000007262000-memory.dmp

Filesize
584KB

Download
memory/5072-132-0x00000000001B0000-0x0000000000206000-memory.dmp

Filesize
344KB

Download
memory/5072-133-0x00000000076E0000-0x0000000007C84000-memory.dmp

Filesize
5.6MB

Download
memory/5072-136-0x0000000007150000-0x000000000716E000-memory.dmp

Filesize
120KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads