1f57f9697213b6ede9bd8628e18901683868ddd04b8019e56af1319dc6787834

Analysis

max time kernel
141s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
05/11/2022, 09:34

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

1f57f9697213b6ede9bd8628e18901683868ddd04b8019e56af1319dc6787834.exe
Size

328KB
MD5

350615d31fbc138cdd136e56e8f76a53
SHA1

f0827885ea6f8dd7f7ab1bd8e17ca8520966600f
SHA256

1f57f9697213b6ede9bd8628e18901683868ddd04b8019e56af1319dc6787834
SHA512

72e08fa03f8bc7a9db78382742c197f391d7af6057c98130ef411bc52e980d69389774a4d9f948b7e65d341e609a0ae208603d678836d3a29c89c2e0d71ab273
SSDEEP

6144:eKlzr1sYCzek2ciDaP9Xk6Ln1W8W/9InBSkZZmLdGcAdgdY6RKpjS:eGhQ2ciDq9ZL1W8q9InBRqELdolRKpj

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 7 IoCs

pid	Process
1888	oobeldr.exe
1280	oobeldr.exe
4740	oobeldr.exe
4160	oobeldr.exe
1828	oobeldr.exe
488	oobeldr.exe
4660	oobeldr.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 5048 set thread context of 860	5048	1f57f9697213b6ede9bd8628e18901683868ddd04b8019e56af1319dc6787834.exe	80
PID 1888 set thread context of 1280	1888	oobeldr.exe	88
PID 4740 set thread context of 1828	4740	oobeldr.exe	96
PID 488 set thread context of 4660	488	oobeldr.exe	98

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2476	schtasks.exe
2036	schtasks.exe

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 5048 wrote to memory of 860	5048	1f57f9697213b6ede9bd8628e18901683868ddd04b8019e56af1319dc6787834.exe	80
PID 5048 wrote to memory of 860	5048	1f57f9697213b6ede9bd8628e18901683868ddd04b8019e56af1319dc6787834.exe	80
PID 5048 wrote to memory of 860	5048	1f57f9697213b6ede9bd8628e18901683868ddd04b8019e56af1319dc6787834.exe	80
PID 5048 wrote to memory of 860	5048	1f57f9697213b6ede9bd8628e18901683868ddd04b8019e56af1319dc6787834.exe	80
PID 5048 wrote to memory of 860	5048	1f57f9697213b6ede9bd8628e18901683868ddd04b8019e56af1319dc6787834.exe	80
PID 5048 wrote to memory of 860	5048	1f57f9697213b6ede9bd8628e18901683868ddd04b8019e56af1319dc6787834.exe	80
PID 5048 wrote to memory of 860	5048	1f57f9697213b6ede9bd8628e18901683868ddd04b8019e56af1319dc6787834.exe	80
PID 5048 wrote to memory of 860	5048	1f57f9697213b6ede9bd8628e18901683868ddd04b8019e56af1319dc6787834.exe	80
PID 5048 wrote to memory of 860	5048	1f57f9697213b6ede9bd8628e18901683868ddd04b8019e56af1319dc6787834.exe	80
PID 860 wrote to memory of 2476	860	1f57f9697213b6ede9bd8628e18901683868ddd04b8019e56af1319dc6787834.exe	81
PID 860 wrote to memory of 2476	860	1f57f9697213b6ede9bd8628e18901683868ddd04b8019e56af1319dc6787834.exe	81
PID 860 wrote to memory of 2476	860	1f57f9697213b6ede9bd8628e18901683868ddd04b8019e56af1319dc6787834.exe	81
PID 1888 wrote to memory of 1280	1888	oobeldr.exe	88
PID 1888 wrote to memory of 1280	1888	oobeldr.exe	88
PID 1888 wrote to memory of 1280	1888	oobeldr.exe	88
PID 1888 wrote to memory of 1280	1888	oobeldr.exe	88
PID 1888 wrote to memory of 1280	1888	oobeldr.exe	88
PID 1888 wrote to memory of 1280	1888	oobeldr.exe	88
PID 1888 wrote to memory of 1280	1888	oobeldr.exe	88
PID 1888 wrote to memory of 1280	1888	oobeldr.exe	88
PID 1888 wrote to memory of 1280	1888	oobeldr.exe	88
PID 1280 wrote to memory of 2036	1280	oobeldr.exe	91
PID 1280 wrote to memory of 2036	1280	oobeldr.exe	91
PID 1280 wrote to memory of 2036	1280	oobeldr.exe	91
PID 4740 wrote to memory of 4160	4740	oobeldr.exe	95
PID 4740 wrote to memory of 4160	4740	oobeldr.exe	95
PID 4740 wrote to memory of 4160	4740	oobeldr.exe	95
PID 4740 wrote to memory of 1828	4740	oobeldr.exe	96
PID 4740 wrote to memory of 1828	4740	oobeldr.exe	96
PID 4740 wrote to memory of 1828	4740	oobeldr.exe	96
PID 4740 wrote to memory of 1828	4740	oobeldr.exe	96
PID 4740 wrote to memory of 1828	4740	oobeldr.exe	96
PID 4740 wrote to memory of 1828	4740	oobeldr.exe	96
PID 4740 wrote to memory of 1828	4740	oobeldr.exe	96
PID 4740 wrote to memory of 1828	4740	oobeldr.exe	96
PID 4740 wrote to memory of 1828	4740	oobeldr.exe	96
PID 488 wrote to memory of 4660	488	oobeldr.exe	98
PID 488 wrote to memory of 4660	488	oobeldr.exe	98
PID 488 wrote to memory of 4660	488	oobeldr.exe	98
PID 488 wrote to memory of 4660	488	oobeldr.exe	98
PID 488 wrote to memory of 4660	488	oobeldr.exe	98
PID 488 wrote to memory of 4660	488	oobeldr.exe	98
PID 488 wrote to memory of 4660	488	oobeldr.exe	98
PID 488 wrote to memory of 4660	488	oobeldr.exe	98
PID 488 wrote to memory of 4660	488	oobeldr.exe	98

C:\Users\Admin\AppData\Local\Temp\1f57f9697213b6ede9bd8628e18901683868ddd04b8019e56af1319dc6787834.exe
"C:\Users\Admin\AppData\Local\Temp\1f57f9697213b6ede9bd8628e18901683868ddd04b8019e56af1319dc6787834.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5048
- C:\Users\Admin\AppData\Local\Temp\1f57f9697213b6ede9bd8628e18901683868ddd04b8019e56af1319dc6787834.exe
  C:\Users\Admin\AppData\Local\Temp\1f57f9697213b6ede9bd8628e18901683868ddd04b8019e56af1319dc6787834.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:860
- - C:\Windows\SysWOW64\schtasks.exe
    /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
    3⤵
    - Creates scheduled task(s)
    PID:2476

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1888
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1280
- - C:\Windows\SysWOW64\schtasks.exe
    /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
    3⤵
    - Creates scheduled task(s)
    PID:2036

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4740
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  - Executes dropped EXE
  PID:4160
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  - Executes dropped EXE
  PID:1828

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:488
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  - Executes dropped EXE
  PID:4660

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\oobeldr.exe.log

Filesize
789B

MD5
03d2df1e8834bc4ec1756735429b458c

SHA1
4ee6c0f5b04c8e0c5076219c5724032daab11d40

SHA256
745ab70552d9a0463b791fd8dc1942838ac3e34fb1a68f09ed3766c7e3b05631

SHA512
2482c3d4478125ccbc7f224f50e86b7bf925ed438b59f4dce57b9b6bcdb59df51417049096b131b6b911173550eed98bc92aba7050861de303a692f0681b197b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
328KB

MD5
350615d31fbc138cdd136e56e8f76a53

SHA1
f0827885ea6f8dd7f7ab1bd8e17ca8520966600f

SHA256
1f57f9697213b6ede9bd8628e18901683868ddd04b8019e56af1319dc6787834

SHA512
72e08fa03f8bc7a9db78382742c197f391d7af6057c98130ef411bc52e980d69389774a4d9f948b7e65d341e609a0ae208603d678836d3a29c89c2e0d71ab273

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
328KB

MD5
350615d31fbc138cdd136e56e8f76a53

SHA1
f0827885ea6f8dd7f7ab1bd8e17ca8520966600f

SHA256
1f57f9697213b6ede9bd8628e18901683868ddd04b8019e56af1319dc6787834

SHA512
72e08fa03f8bc7a9db78382742c197f391d7af6057c98130ef411bc52e980d69389774a4d9f948b7e65d341e609a0ae208603d678836d3a29c89c2e0d71ab273

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
328KB

MD5
350615d31fbc138cdd136e56e8f76a53

SHA1
f0827885ea6f8dd7f7ab1bd8e17ca8520966600f

SHA256
1f57f9697213b6ede9bd8628e18901683868ddd04b8019e56af1319dc6787834

SHA512
72e08fa03f8bc7a9db78382742c197f391d7af6057c98130ef411bc52e980d69389774a4d9f948b7e65d341e609a0ae208603d678836d3a29c89c2e0d71ab273

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
328KB

MD5
350615d31fbc138cdd136e56e8f76a53

SHA1
f0827885ea6f8dd7f7ab1bd8e17ca8520966600f

SHA256
1f57f9697213b6ede9bd8628e18901683868ddd04b8019e56af1319dc6787834

SHA512
72e08fa03f8bc7a9db78382742c197f391d7af6057c98130ef411bc52e980d69389774a4d9f948b7e65d341e609a0ae208603d678836d3a29c89c2e0d71ab273

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
328KB

MD5
350615d31fbc138cdd136e56e8f76a53

SHA1
f0827885ea6f8dd7f7ab1bd8e17ca8520966600f

SHA256
1f57f9697213b6ede9bd8628e18901683868ddd04b8019e56af1319dc6787834

SHA512
72e08fa03f8bc7a9db78382742c197f391d7af6057c98130ef411bc52e980d69389774a4d9f948b7e65d341e609a0ae208603d678836d3a29c89c2e0d71ab273

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
328KB

MD5
350615d31fbc138cdd136e56e8f76a53

SHA1
f0827885ea6f8dd7f7ab1bd8e17ca8520966600f

SHA256
1f57f9697213b6ede9bd8628e18901683868ddd04b8019e56af1319dc6787834

SHA512
72e08fa03f8bc7a9db78382742c197f391d7af6057c98130ef411bc52e980d69389774a4d9f948b7e65d341e609a0ae208603d678836d3a29c89c2e0d71ab273

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
328KB

MD5
350615d31fbc138cdd136e56e8f76a53

SHA1
f0827885ea6f8dd7f7ab1bd8e17ca8520966600f

SHA256
1f57f9697213b6ede9bd8628e18901683868ddd04b8019e56af1319dc6787834

SHA512
72e08fa03f8bc7a9db78382742c197f391d7af6057c98130ef411bc52e980d69389774a4d9f948b7e65d341e609a0ae208603d678836d3a29c89c2e0d71ab273

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
328KB

MD5
350615d31fbc138cdd136e56e8f76a53

SHA1
f0827885ea6f8dd7f7ab1bd8e17ca8520966600f

SHA256
1f57f9697213b6ede9bd8628e18901683868ddd04b8019e56af1319dc6787834

SHA512
72e08fa03f8bc7a9db78382742c197f391d7af6057c98130ef411bc52e980d69389774a4d9f948b7e65d341e609a0ae208603d678836d3a29c89c2e0d71ab273

Download Submit
memory/860-140-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/860-141-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/860-143-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/860-138-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/5048-135-0x00000000072D0000-0x0000000007346000-memory.dmp

Filesize
472KB

Download
memory/5048-132-0x0000000000010000-0x0000000000066000-memory.dmp

Filesize
344KB

Download
memory/5048-133-0x0000000007540000-0x0000000007AE4000-memory.dmp

Filesize
5.6MB

Download
memory/5048-134-0x0000000007030000-0x00000000070C2000-memory.dmp

Filesize
584KB

Download
memory/5048-136-0x0000000005C90000-0x0000000005CAE000-memory.dmp

Filesize
120KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads