089a352caced806aadff7366a16940ddaa5b1d66f95e86264e82ed9e1d96ded8

Analysis

max time kernel
142s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
03/11/2022, 14:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

089a352caced806aadff7366a16940ddaa5b1d66f95e86264e82ed9e1d96ded8.exe
Size

327KB
MD5

8f76ecf3f26173e38c8d5826011182b2
SHA1

a64d4e76acba6e0705ccfc48c93d024e2dea4000
SHA256

089a352caced806aadff7366a16940ddaa5b1d66f95e86264e82ed9e1d96ded8
SHA512

634bd4edb495803bf4fa4c5cb250daf3e6a2d66b0c0a01d2c707a7b679ef4be2e859c8d83b73dceb8173746ad936de66a7e33ff7f18b363c75729c1fd97a6501
SSDEEP

6144:eKlzr1sYCzek2ciDaP9Xk6Ln1W8W/9InBSkZZmLdGcAdgdY6RKpjS:eGhQ2ciDq9ZL1W8q9InBRqELdolRKpj

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
1764	oobeldr.exe
4544	oobeldr.exe
3724	oobeldr.exe
1048	oobeldr.exe
4748	oobeldr.exe
4540	oobeldr.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 4816 set thread context of 5116	4816	089a352caced806aadff7366a16940ddaa5b1d66f95e86264e82ed9e1d96ded8.exe	80
PID 1764 set thread context of 4544	1764	oobeldr.exe	90
PID 3724 set thread context of 1048	3724	oobeldr.exe	95
PID 4748 set thread context of 4540	4748	oobeldr.exe	97

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2348	schtasks.exe
4372	schtasks.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4816 wrote to memory of 5116	4816	089a352caced806aadff7366a16940ddaa5b1d66f95e86264e82ed9e1d96ded8.exe	80
PID 4816 wrote to memory of 5116	4816	089a352caced806aadff7366a16940ddaa5b1d66f95e86264e82ed9e1d96ded8.exe	80
PID 4816 wrote to memory of 5116	4816	089a352caced806aadff7366a16940ddaa5b1d66f95e86264e82ed9e1d96ded8.exe	80
PID 4816 wrote to memory of 5116	4816	089a352caced806aadff7366a16940ddaa5b1d66f95e86264e82ed9e1d96ded8.exe	80
PID 4816 wrote to memory of 5116	4816	089a352caced806aadff7366a16940ddaa5b1d66f95e86264e82ed9e1d96ded8.exe	80
PID 4816 wrote to memory of 5116	4816	089a352caced806aadff7366a16940ddaa5b1d66f95e86264e82ed9e1d96ded8.exe	80
PID 4816 wrote to memory of 5116	4816	089a352caced806aadff7366a16940ddaa5b1d66f95e86264e82ed9e1d96ded8.exe	80
PID 4816 wrote to memory of 5116	4816	089a352caced806aadff7366a16940ddaa5b1d66f95e86264e82ed9e1d96ded8.exe	80
PID 4816 wrote to memory of 5116	4816	089a352caced806aadff7366a16940ddaa5b1d66f95e86264e82ed9e1d96ded8.exe	80
PID 5116 wrote to memory of 2348	5116	089a352caced806aadff7366a16940ddaa5b1d66f95e86264e82ed9e1d96ded8.exe	84
PID 5116 wrote to memory of 2348	5116	089a352caced806aadff7366a16940ddaa5b1d66f95e86264e82ed9e1d96ded8.exe	84
PID 5116 wrote to memory of 2348	5116	089a352caced806aadff7366a16940ddaa5b1d66f95e86264e82ed9e1d96ded8.exe	84
PID 1764 wrote to memory of 4544	1764	oobeldr.exe	90
PID 1764 wrote to memory of 4544	1764	oobeldr.exe	90
PID 1764 wrote to memory of 4544	1764	oobeldr.exe	90
PID 1764 wrote to memory of 4544	1764	oobeldr.exe	90
PID 1764 wrote to memory of 4544	1764	oobeldr.exe	90
PID 1764 wrote to memory of 4544	1764	oobeldr.exe	90
PID 1764 wrote to memory of 4544	1764	oobeldr.exe	90
PID 1764 wrote to memory of 4544	1764	oobeldr.exe	90
PID 1764 wrote to memory of 4544	1764	oobeldr.exe	90
PID 4544 wrote to memory of 4372	4544	oobeldr.exe	91
PID 4544 wrote to memory of 4372	4544	oobeldr.exe	91
PID 4544 wrote to memory of 4372	4544	oobeldr.exe	91
PID 3724 wrote to memory of 1048	3724	oobeldr.exe	95
PID 3724 wrote to memory of 1048	3724	oobeldr.exe	95
PID 3724 wrote to memory of 1048	3724	oobeldr.exe	95
PID 3724 wrote to memory of 1048	3724	oobeldr.exe	95
PID 3724 wrote to memory of 1048	3724	oobeldr.exe	95
PID 3724 wrote to memory of 1048	3724	oobeldr.exe	95
PID 3724 wrote to memory of 1048	3724	oobeldr.exe	95
PID 3724 wrote to memory of 1048	3724	oobeldr.exe	95
PID 3724 wrote to memory of 1048	3724	oobeldr.exe	95
PID 4748 wrote to memory of 4540	4748	oobeldr.exe	97
PID 4748 wrote to memory of 4540	4748	oobeldr.exe	97
PID 4748 wrote to memory of 4540	4748	oobeldr.exe	97
PID 4748 wrote to memory of 4540	4748	oobeldr.exe	97
PID 4748 wrote to memory of 4540	4748	oobeldr.exe	97
PID 4748 wrote to memory of 4540	4748	oobeldr.exe	97
PID 4748 wrote to memory of 4540	4748	oobeldr.exe	97
PID 4748 wrote to memory of 4540	4748	oobeldr.exe	97
PID 4748 wrote to memory of 4540	4748	oobeldr.exe	97

C:\Users\Admin\AppData\Local\Temp\089a352caced806aadff7366a16940ddaa5b1d66f95e86264e82ed9e1d96ded8.exe
"C:\Users\Admin\AppData\Local\Temp\089a352caced806aadff7366a16940ddaa5b1d66f95e86264e82ed9e1d96ded8.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4816
- C:\Users\Admin\AppData\Local\Temp\089a352caced806aadff7366a16940ddaa5b1d66f95e86264e82ed9e1d96ded8.exe
  C:\Users\Admin\AppData\Local\Temp\089a352caced806aadff7366a16940ddaa5b1d66f95e86264e82ed9e1d96ded8.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5116
- - C:\Windows\SysWOW64\schtasks.exe
    /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
    3⤵
    - Creates scheduled task(s)
    PID:2348

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1764
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4544
- - C:\Windows\SysWOW64\schtasks.exe
    /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
    3⤵
    - Creates scheduled task(s)
    PID:4372

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3724
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  - Executes dropped EXE
  PID:1048

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4748
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  - Executes dropped EXE
  PID:4540

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\oobeldr.exe.log

Filesize
789B

MD5
03d2df1e8834bc4ec1756735429b458c

SHA1
4ee6c0f5b04c8e0c5076219c5724032daab11d40

SHA256
745ab70552d9a0463b791fd8dc1942838ac3e34fb1a68f09ed3766c7e3b05631

SHA512
2482c3d4478125ccbc7f224f50e86b7bf925ed438b59f4dce57b9b6bcdb59df51417049096b131b6b911173550eed98bc92aba7050861de303a692f0681b197b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
327KB

MD5
8f76ecf3f26173e38c8d5826011182b2

SHA1
a64d4e76acba6e0705ccfc48c93d024e2dea4000

SHA256
089a352caced806aadff7366a16940ddaa5b1d66f95e86264e82ed9e1d96ded8

SHA512
634bd4edb495803bf4fa4c5cb250daf3e6a2d66b0c0a01d2c707a7b679ef4be2e859c8d83b73dceb8173746ad936de66a7e33ff7f18b363c75729c1fd97a6501

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
327KB

MD5
8f76ecf3f26173e38c8d5826011182b2

SHA1
a64d4e76acba6e0705ccfc48c93d024e2dea4000

SHA256
089a352caced806aadff7366a16940ddaa5b1d66f95e86264e82ed9e1d96ded8

SHA512
634bd4edb495803bf4fa4c5cb250daf3e6a2d66b0c0a01d2c707a7b679ef4be2e859c8d83b73dceb8173746ad936de66a7e33ff7f18b363c75729c1fd97a6501

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
327KB

MD5
8f76ecf3f26173e38c8d5826011182b2

SHA1
a64d4e76acba6e0705ccfc48c93d024e2dea4000

SHA256
089a352caced806aadff7366a16940ddaa5b1d66f95e86264e82ed9e1d96ded8

SHA512
634bd4edb495803bf4fa4c5cb250daf3e6a2d66b0c0a01d2c707a7b679ef4be2e859c8d83b73dceb8173746ad936de66a7e33ff7f18b363c75729c1fd97a6501

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
327KB

MD5
8f76ecf3f26173e38c8d5826011182b2

SHA1
a64d4e76acba6e0705ccfc48c93d024e2dea4000

SHA256
089a352caced806aadff7366a16940ddaa5b1d66f95e86264e82ed9e1d96ded8

SHA512
634bd4edb495803bf4fa4c5cb250daf3e6a2d66b0c0a01d2c707a7b679ef4be2e859c8d83b73dceb8173746ad936de66a7e33ff7f18b363c75729c1fd97a6501

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
327KB

MD5
8f76ecf3f26173e38c8d5826011182b2

SHA1
a64d4e76acba6e0705ccfc48c93d024e2dea4000

SHA256
089a352caced806aadff7366a16940ddaa5b1d66f95e86264e82ed9e1d96ded8

SHA512
634bd4edb495803bf4fa4c5cb250daf3e6a2d66b0c0a01d2c707a7b679ef4be2e859c8d83b73dceb8173746ad936de66a7e33ff7f18b363c75729c1fd97a6501

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
327KB

MD5
8f76ecf3f26173e38c8d5826011182b2

SHA1
a64d4e76acba6e0705ccfc48c93d024e2dea4000

SHA256
089a352caced806aadff7366a16940ddaa5b1d66f95e86264e82ed9e1d96ded8

SHA512
634bd4edb495803bf4fa4c5cb250daf3e6a2d66b0c0a01d2c707a7b679ef4be2e859c8d83b73dceb8173746ad936de66a7e33ff7f18b363c75729c1fd97a6501

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
327KB

MD5
8f76ecf3f26173e38c8d5826011182b2

SHA1
a64d4e76acba6e0705ccfc48c93d024e2dea4000

SHA256
089a352caced806aadff7366a16940ddaa5b1d66f95e86264e82ed9e1d96ded8

SHA512
634bd4edb495803bf4fa4c5cb250daf3e6a2d66b0c0a01d2c707a7b679ef4be2e859c8d83b73dceb8173746ad936de66a7e33ff7f18b363c75729c1fd97a6501

Download Submit
memory/4816-134-0x00000000070E0000-0x0000000007172000-memory.dmp

Filesize
584KB

Download
memory/4816-132-0x0000000000140000-0x0000000000196000-memory.dmp

Filesize
344KB

Download
memory/4816-133-0x00000000075A0000-0x0000000007B44000-memory.dmp

Filesize
5.6MB

Download
memory/4816-135-0x0000000007400000-0x0000000007476000-memory.dmp

Filesize
472KB

Download
memory/4816-136-0x0000000007380000-0x000000000739E000-memory.dmp

Filesize
120KB

Download
memory/5116-142-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/5116-140-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/5116-138-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads