fc08b0379b3d0eb07c4389837cea0176ac76627c1d38e360190e246237bdafd2

Analysis

max time kernel
119s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
02/11/2022, 13:25

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

fc08b0379b3d0eb07c4389837cea0176ac76627c1d38e360190e246237bdafd2.exe
Size

326KB
MD5

f38e241b3508ffaaa28b99644bcc1bfe
SHA1

a2c52e56e98e15d23baa4bd118966e6d7e3479c3
SHA256

fc08b0379b3d0eb07c4389837cea0176ac76627c1d38e360190e246237bdafd2
SHA512

c15aa2a5a607603e5537c15d790b0db6e0f66b579035769ec93251332e4dfa6ef8dfb7407d5174996f1e8ae37af8bbf3d4b2d9b27c6fec951dcaff85d47636df
SSDEEP

6144:eKlzr1sYCzek2ciDaP9Xk6Ln1W8W/9InBSkZZmLdGcAdgdY6RKpjS:eGhQ2ciDq9ZL1W8q9InBRqELdolRKpj

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
3520	oobeldr.exe
260	oobeldr.exe
1920	oobeldr.exe
4980	oobeldr.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1740 set thread context of 1464	1740	fc08b0379b3d0eb07c4389837cea0176ac76627c1d38e360190e246237bdafd2.exe	80
PID 3520 set thread context of 260	3520	oobeldr.exe	91
PID 1920 set thread context of 4980	1920	oobeldr.exe	96

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4848	260	WerFault.exe	91

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4056	schtasks.exe
4564	schtasks.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
260	oobeldr.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 1740 wrote to memory of 1464	1740	fc08b0379b3d0eb07c4389837cea0176ac76627c1d38e360190e246237bdafd2.exe	80
PID 1740 wrote to memory of 1464	1740	fc08b0379b3d0eb07c4389837cea0176ac76627c1d38e360190e246237bdafd2.exe	80
PID 1740 wrote to memory of 1464	1740	fc08b0379b3d0eb07c4389837cea0176ac76627c1d38e360190e246237bdafd2.exe	80
PID 1740 wrote to memory of 1464	1740	fc08b0379b3d0eb07c4389837cea0176ac76627c1d38e360190e246237bdafd2.exe	80
PID 1740 wrote to memory of 1464	1740	fc08b0379b3d0eb07c4389837cea0176ac76627c1d38e360190e246237bdafd2.exe	80
PID 1740 wrote to memory of 1464	1740	fc08b0379b3d0eb07c4389837cea0176ac76627c1d38e360190e246237bdafd2.exe	80
PID 1740 wrote to memory of 1464	1740	fc08b0379b3d0eb07c4389837cea0176ac76627c1d38e360190e246237bdafd2.exe	80
PID 1740 wrote to memory of 1464	1740	fc08b0379b3d0eb07c4389837cea0176ac76627c1d38e360190e246237bdafd2.exe	80
PID 1740 wrote to memory of 1464	1740	fc08b0379b3d0eb07c4389837cea0176ac76627c1d38e360190e246237bdafd2.exe	80
PID 1464 wrote to memory of 4056	1464	fc08b0379b3d0eb07c4389837cea0176ac76627c1d38e360190e246237bdafd2.exe	84
PID 1464 wrote to memory of 4056	1464	fc08b0379b3d0eb07c4389837cea0176ac76627c1d38e360190e246237bdafd2.exe	84
PID 1464 wrote to memory of 4056	1464	fc08b0379b3d0eb07c4389837cea0176ac76627c1d38e360190e246237bdafd2.exe	84
PID 3520 wrote to memory of 260	3520	oobeldr.exe	91
PID 3520 wrote to memory of 260	3520	oobeldr.exe	91
PID 3520 wrote to memory of 260	3520	oobeldr.exe	91
PID 3520 wrote to memory of 260	3520	oobeldr.exe	91
PID 3520 wrote to memory of 260	3520	oobeldr.exe	91
PID 3520 wrote to memory of 260	3520	oobeldr.exe	91
PID 3520 wrote to memory of 260	3520	oobeldr.exe	91
PID 3520 wrote to memory of 260	3520	oobeldr.exe	91
PID 3520 wrote to memory of 260	3520	oobeldr.exe	91
PID 1920 wrote to memory of 4980	1920	oobeldr.exe	96
PID 1920 wrote to memory of 4980	1920	oobeldr.exe	96
PID 1920 wrote to memory of 4980	1920	oobeldr.exe	96
PID 1920 wrote to memory of 4980	1920	oobeldr.exe	96
PID 1920 wrote to memory of 4980	1920	oobeldr.exe	96
PID 1920 wrote to memory of 4980	1920	oobeldr.exe	96
PID 1920 wrote to memory of 4980	1920	oobeldr.exe	96
PID 1920 wrote to memory of 4980	1920	oobeldr.exe	96
PID 1920 wrote to memory of 4980	1920	oobeldr.exe	96
PID 4980 wrote to memory of 4564	4980	oobeldr.exe	97
PID 4980 wrote to memory of 4564	4980	oobeldr.exe	97
PID 4980 wrote to memory of 4564	4980	oobeldr.exe	97

C:\Users\Admin\AppData\Local\Temp\fc08b0379b3d0eb07c4389837cea0176ac76627c1d38e360190e246237bdafd2.exe
"C:\Users\Admin\AppData\Local\Temp\fc08b0379b3d0eb07c4389837cea0176ac76627c1d38e360190e246237bdafd2.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1740
- C:\Users\Admin\AppData\Local\Temp\fc08b0379b3d0eb07c4389837cea0176ac76627c1d38e360190e246237bdafd2.exe
  C:\Users\Admin\AppData\Local\Temp\fc08b0379b3d0eb07c4389837cea0176ac76627c1d38e360190e246237bdafd2.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1464
- - C:\Windows\SysWOW64\schtasks.exe
    /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
    3⤵
    - Creates scheduled task(s)
    PID:4056

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3520
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:260
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 260 -s 12
    3⤵
    - Program crash
    PID:4848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 260 -ip 260
1⤵
PID:4480

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1920
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4980
- - C:\Windows\SysWOW64\schtasks.exe
    /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
    3⤵
    - Creates scheduled task(s)
    PID:4564

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\oobeldr.exe.log

Filesize
789B

MD5
03d2df1e8834bc4ec1756735429b458c

SHA1
4ee6c0f5b04c8e0c5076219c5724032daab11d40

SHA256
745ab70552d9a0463b791fd8dc1942838ac3e34fb1a68f09ed3766c7e3b05631

SHA512
2482c3d4478125ccbc7f224f50e86b7bf925ed438b59f4dce57b9b6bcdb59df51417049096b131b6b911173550eed98bc92aba7050861de303a692f0681b197b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
326KB

MD5
f38e241b3508ffaaa28b99644bcc1bfe

SHA1
a2c52e56e98e15d23baa4bd118966e6d7e3479c3

SHA256
fc08b0379b3d0eb07c4389837cea0176ac76627c1d38e360190e246237bdafd2

SHA512
c15aa2a5a607603e5537c15d790b0db6e0f66b579035769ec93251332e4dfa6ef8dfb7407d5174996f1e8ae37af8bbf3d4b2d9b27c6fec951dcaff85d47636df

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
326KB

MD5
f38e241b3508ffaaa28b99644bcc1bfe

SHA1
a2c52e56e98e15d23baa4bd118966e6d7e3479c3

SHA256
fc08b0379b3d0eb07c4389837cea0176ac76627c1d38e360190e246237bdafd2

SHA512
c15aa2a5a607603e5537c15d790b0db6e0f66b579035769ec93251332e4dfa6ef8dfb7407d5174996f1e8ae37af8bbf3d4b2d9b27c6fec951dcaff85d47636df

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
326KB

MD5
f38e241b3508ffaaa28b99644bcc1bfe

SHA1
a2c52e56e98e15d23baa4bd118966e6d7e3479c3

SHA256
fc08b0379b3d0eb07c4389837cea0176ac76627c1d38e360190e246237bdafd2

SHA512
c15aa2a5a607603e5537c15d790b0db6e0f66b579035769ec93251332e4dfa6ef8dfb7407d5174996f1e8ae37af8bbf3d4b2d9b27c6fec951dcaff85d47636df

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
326KB

MD5
f38e241b3508ffaaa28b99644bcc1bfe

SHA1
a2c52e56e98e15d23baa4bd118966e6d7e3479c3

SHA256
fc08b0379b3d0eb07c4389837cea0176ac76627c1d38e360190e246237bdafd2

SHA512
c15aa2a5a607603e5537c15d790b0db6e0f66b579035769ec93251332e4dfa6ef8dfb7407d5174996f1e8ae37af8bbf3d4b2d9b27c6fec951dcaff85d47636df

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
326KB

MD5
f38e241b3508ffaaa28b99644bcc1bfe

SHA1
a2c52e56e98e15d23baa4bd118966e6d7e3479c3

SHA256
fc08b0379b3d0eb07c4389837cea0176ac76627c1d38e360190e246237bdafd2

SHA512
c15aa2a5a607603e5537c15d790b0db6e0f66b579035769ec93251332e4dfa6ef8dfb7407d5174996f1e8ae37af8bbf3d4b2d9b27c6fec951dcaff85d47636df

Download Submit
memory/1464-138-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1464-140-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1464-142-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1740-136-0x0000000007F30000-0x0000000007F4E000-memory.dmp

Filesize
120KB

Download
memory/1740-132-0x0000000000FA0000-0x0000000000FF6000-memory.dmp

Filesize
344KB

Download
memory/1740-135-0x0000000008250000-0x00000000082C6000-memory.dmp

Filesize
472KB

Download
memory/1740-134-0x0000000007FB0000-0x0000000008042000-memory.dmp

Filesize
584KB

Download
memory/1740-133-0x00000000084C0000-0x0000000008A64000-memory.dmp

Filesize
5.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads