beb885305354731c1d31008854e859dda04b10ef8c5d79410f60b9fd48b9ab14

Analysis

max time kernel
127s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
05/11/2022, 22:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

beb885305354731c1d31008854e859dda04b10ef8c5d79410f60b9fd48b9ab14.exe
Size

328KB
MD5

4af13a5d82cd1196903c34ad750f239d
SHA1

f10dfce71a05a6a08ff8fa067036a4fce6cd44f8
SHA256

beb885305354731c1d31008854e859dda04b10ef8c5d79410f60b9fd48b9ab14
SHA512

4da04f6e74d5d7ee00f786b88357af7cd0768f5dfcb5661f92c619d08716413884765dce6be444c51c507e58040dea72a461edc773efc322209a2a16e08e716b
SSDEEP

6144:eKlzr1sYCzek2ciDaP9Xk6Ln1W8W/9InBSkZZmLdGcAdgdY6RKpjS:eGhQ2ciDq9ZL1W8q9InBRqELdolRKpj

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
3408	oobeldr.exe
3084	oobeldr.exe
3412	oobeldr.exe
3440	oobeldr.exe
4356	oobeldr.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2540 set thread context of 2752	2540	beb885305354731c1d31008854e859dda04b10ef8c5d79410f60b9fd48b9ab14.exe	83
PID 3408 set thread context of 3412	3408	oobeldr.exe	92
PID 3440 set thread context of 4356	3440	oobeldr.exe	96

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4876	schtasks.exe
2016	schtasks.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 2540 wrote to memory of 4308	2540	beb885305354731c1d31008854e859dda04b10ef8c5d79410f60b9fd48b9ab14.exe	79
PID 2540 wrote to memory of 4308	2540	beb885305354731c1d31008854e859dda04b10ef8c5d79410f60b9fd48b9ab14.exe	79
PID 2540 wrote to memory of 4308	2540	beb885305354731c1d31008854e859dda04b10ef8c5d79410f60b9fd48b9ab14.exe	79
PID 2540 wrote to memory of 2752	2540	beb885305354731c1d31008854e859dda04b10ef8c5d79410f60b9fd48b9ab14.exe	83
PID 2540 wrote to memory of 2752	2540	beb885305354731c1d31008854e859dda04b10ef8c5d79410f60b9fd48b9ab14.exe	83
PID 2540 wrote to memory of 2752	2540	beb885305354731c1d31008854e859dda04b10ef8c5d79410f60b9fd48b9ab14.exe	83
PID 2540 wrote to memory of 2752	2540	beb885305354731c1d31008854e859dda04b10ef8c5d79410f60b9fd48b9ab14.exe	83
PID 2540 wrote to memory of 2752	2540	beb885305354731c1d31008854e859dda04b10ef8c5d79410f60b9fd48b9ab14.exe	83
PID 2540 wrote to memory of 2752	2540	beb885305354731c1d31008854e859dda04b10ef8c5d79410f60b9fd48b9ab14.exe	83
PID 2540 wrote to memory of 2752	2540	beb885305354731c1d31008854e859dda04b10ef8c5d79410f60b9fd48b9ab14.exe	83
PID 2540 wrote to memory of 2752	2540	beb885305354731c1d31008854e859dda04b10ef8c5d79410f60b9fd48b9ab14.exe	83
PID 2540 wrote to memory of 2752	2540	beb885305354731c1d31008854e859dda04b10ef8c5d79410f60b9fd48b9ab14.exe	83
PID 2752 wrote to memory of 4876	2752	beb885305354731c1d31008854e859dda04b10ef8c5d79410f60b9fd48b9ab14.exe	85
PID 2752 wrote to memory of 4876	2752	beb885305354731c1d31008854e859dda04b10ef8c5d79410f60b9fd48b9ab14.exe	85
PID 2752 wrote to memory of 4876	2752	beb885305354731c1d31008854e859dda04b10ef8c5d79410f60b9fd48b9ab14.exe	85
PID 3408 wrote to memory of 3084	3408	oobeldr.exe	91
PID 3408 wrote to memory of 3084	3408	oobeldr.exe	91
PID 3408 wrote to memory of 3084	3408	oobeldr.exe	91
PID 3408 wrote to memory of 3412	3408	oobeldr.exe	92
PID 3408 wrote to memory of 3412	3408	oobeldr.exe	92
PID 3408 wrote to memory of 3412	3408	oobeldr.exe	92
PID 3408 wrote to memory of 3412	3408	oobeldr.exe	92
PID 3408 wrote to memory of 3412	3408	oobeldr.exe	92
PID 3408 wrote to memory of 3412	3408	oobeldr.exe	92
PID 3408 wrote to memory of 3412	3408	oobeldr.exe	92
PID 3408 wrote to memory of 3412	3408	oobeldr.exe	92
PID 3408 wrote to memory of 3412	3408	oobeldr.exe	92
PID 3412 wrote to memory of 2016	3412	oobeldr.exe	93
PID 3412 wrote to memory of 2016	3412	oobeldr.exe	93
PID 3412 wrote to memory of 2016	3412	oobeldr.exe	93
PID 3440 wrote to memory of 4356	3440	oobeldr.exe	96
PID 3440 wrote to memory of 4356	3440	oobeldr.exe	96
PID 3440 wrote to memory of 4356	3440	oobeldr.exe	96
PID 3440 wrote to memory of 4356	3440	oobeldr.exe	96
PID 3440 wrote to memory of 4356	3440	oobeldr.exe	96
PID 3440 wrote to memory of 4356	3440	oobeldr.exe	96
PID 3440 wrote to memory of 4356	3440	oobeldr.exe	96
PID 3440 wrote to memory of 4356	3440	oobeldr.exe	96
PID 3440 wrote to memory of 4356	3440	oobeldr.exe	96

C:\Users\Admin\AppData\Local\Temp\beb885305354731c1d31008854e859dda04b10ef8c5d79410f60b9fd48b9ab14.exe
"C:\Users\Admin\AppData\Local\Temp\beb885305354731c1d31008854e859dda04b10ef8c5d79410f60b9fd48b9ab14.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2540
- C:\Users\Admin\AppData\Local\Temp\beb885305354731c1d31008854e859dda04b10ef8c5d79410f60b9fd48b9ab14.exe
  C:\Users\Admin\AppData\Local\Temp\beb885305354731c1d31008854e859dda04b10ef8c5d79410f60b9fd48b9ab14.exe
  2⤵
  PID:4308
- C:\Users\Admin\AppData\Local\Temp\beb885305354731c1d31008854e859dda04b10ef8c5d79410f60b9fd48b9ab14.exe
  C:\Users\Admin\AppData\Local\Temp\beb885305354731c1d31008854e859dda04b10ef8c5d79410f60b9fd48b9ab14.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2752
- - C:\Windows\SysWOW64\schtasks.exe
    /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
    3⤵
    - Creates scheduled task(s)
    PID:4876

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3408
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  - Executes dropped EXE
  PID:3084
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3412
- - C:\Windows\SysWOW64\schtasks.exe
    /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
    3⤵
    - Creates scheduled task(s)
    PID:2016

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3440
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  - Executes dropped EXE
  PID:4356

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\oobeldr.exe.log

Filesize
789B

MD5
03d2df1e8834bc4ec1756735429b458c

SHA1
4ee6c0f5b04c8e0c5076219c5724032daab11d40

SHA256
745ab70552d9a0463b791fd8dc1942838ac3e34fb1a68f09ed3766c7e3b05631

SHA512
2482c3d4478125ccbc7f224f50e86b7bf925ed438b59f4dce57b9b6bcdb59df51417049096b131b6b911173550eed98bc92aba7050861de303a692f0681b197b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
328KB

MD5
4af13a5d82cd1196903c34ad750f239d

SHA1
f10dfce71a05a6a08ff8fa067036a4fce6cd44f8

SHA256
beb885305354731c1d31008854e859dda04b10ef8c5d79410f60b9fd48b9ab14

SHA512
4da04f6e74d5d7ee00f786b88357af7cd0768f5dfcb5661f92c619d08716413884765dce6be444c51c507e58040dea72a461edc773efc322209a2a16e08e716b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
328KB

MD5
4af13a5d82cd1196903c34ad750f239d

SHA1
f10dfce71a05a6a08ff8fa067036a4fce6cd44f8

SHA256
beb885305354731c1d31008854e859dda04b10ef8c5d79410f60b9fd48b9ab14

SHA512
4da04f6e74d5d7ee00f786b88357af7cd0768f5dfcb5661f92c619d08716413884765dce6be444c51c507e58040dea72a461edc773efc322209a2a16e08e716b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
328KB

MD5
4af13a5d82cd1196903c34ad750f239d

SHA1
f10dfce71a05a6a08ff8fa067036a4fce6cd44f8

SHA256
beb885305354731c1d31008854e859dda04b10ef8c5d79410f60b9fd48b9ab14

SHA512
4da04f6e74d5d7ee00f786b88357af7cd0768f5dfcb5661f92c619d08716413884765dce6be444c51c507e58040dea72a461edc773efc322209a2a16e08e716b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
328KB

MD5
4af13a5d82cd1196903c34ad750f239d

SHA1
f10dfce71a05a6a08ff8fa067036a4fce6cd44f8

SHA256
beb885305354731c1d31008854e859dda04b10ef8c5d79410f60b9fd48b9ab14

SHA512
4da04f6e74d5d7ee00f786b88357af7cd0768f5dfcb5661f92c619d08716413884765dce6be444c51c507e58040dea72a461edc773efc322209a2a16e08e716b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
328KB

MD5
4af13a5d82cd1196903c34ad750f239d

SHA1
f10dfce71a05a6a08ff8fa067036a4fce6cd44f8

SHA256
beb885305354731c1d31008854e859dda04b10ef8c5d79410f60b9fd48b9ab14

SHA512
4da04f6e74d5d7ee00f786b88357af7cd0768f5dfcb5661f92c619d08716413884765dce6be444c51c507e58040dea72a461edc773efc322209a2a16e08e716b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
328KB

MD5
4af13a5d82cd1196903c34ad750f239d

SHA1
f10dfce71a05a6a08ff8fa067036a4fce6cd44f8

SHA256
beb885305354731c1d31008854e859dda04b10ef8c5d79410f60b9fd48b9ab14

SHA512
4da04f6e74d5d7ee00f786b88357af7cd0768f5dfcb5661f92c619d08716413884765dce6be444c51c507e58040dea72a461edc773efc322209a2a16e08e716b

Download Submit
memory/2540-136-0x0000000005190000-0x00000000051AE000-memory.dmp

Filesize
120KB

Download
memory/2540-132-0x0000000000660000-0x00000000006B6000-memory.dmp

Filesize
344KB

Download
memory/2540-135-0x0000000007960000-0x00000000079D6000-memory.dmp

Filesize
472KB

Download
memory/2540-134-0x00000000076C0000-0x0000000007752000-memory.dmp

Filesize
584KB

Download
memory/2540-133-0x0000000007BD0000-0x0000000008174000-memory.dmp

Filesize
5.6MB

Download
memory/2752-142-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2752-140-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2752-138-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads