Analysis
- max time kernel: 105s
- max time network: 75s
- platform: windows10-1703_x64
- resource: win10-20220812-en
- resource tags: arch:x64, arch:x86, image:win10-20220812-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 05-11-2022 10:53

Static task: static1

Behavioral task: behavioral1
- Sample: 3b8e66e021984031e7c4660d6c833263ed90caecf300c7837ee320959b5327ad.exe
- Resource: win10-20220812-en
General
- Target: 3b8e66e021984031e7c4660d6c833263ed90caecf300c7837ee320959b5327ad.exe
- Size: 328KB
- MD5: 4842dc784b71fa028f1930c495bdafa0
- SHA1: 3088dde829624dd2719d8929df726c14dfcdcc81
- SHA256: 3b8e66e021984031e7c4660d6c833263ed90caecf300c7837ee320959b5327ad
- SHA512: f98e3bfa924059a27daf74f23bbcfc72da6b85e602df95f6cdc667fe100efc80424e38d36f4de6b5b08100202ab7808de1844ff300716cfaf06d2e5a59ced2eb
- SSDEEP: 6144:eKlzr1sYCzek2ciDaP9Xk6Ln1W8W/9InBSkZZmLdGcAdgdY6RKpjS:eGhQ2ciDq9ZL1W8q9InBRqELdolRKpj
Malware Config
Signatures
-
Executes dropped EXE (4 IoCs)

  PID   Process
  4924  oobeldr.exe
  4872  oobeldr.exe
  4364  oobeldr.exe
  400   oobeldr.exe
Suspicious use of SetThreadContext (3 IoCs)

  Description                      PID   Process                                                                               procid_target
  PID 3540 set thread context of 4888  3540  3b8e66e021984031e7c4660d6c833263ed90caecf300c7837ee320959b5327ad.exe  67
  PID 4924 set thread context of 4872  4924  oobeldr.exe                                                                       71
  PID 4364 set thread context of 400   4364  oobeldr.exe                                                                       75
Creates scheduled task(s) (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.

  PID   Process
  3612  schtasks.exe
  1936  schtasks.exe
Suspicious use of WriteProcessMemory (36 IoCs)

  Description                       PID   Process                                                                               procid_target
  PID 3540 wrote to memory of 4880  3540  3b8e66e021984031e7c4660d6c833263ed90caecf300c7837ee320959b5327ad.exe  66
  PID 3540 wrote to memory of 4880  3540  3b8e66e021984031e7c4660d6c833263ed90caecf300c7837ee320959b5327ad.exe  66
  PID 3540 wrote to memory of 4880  3540  3b8e66e021984031e7c4660d6c833263ed90caecf300c7837ee320959b5327ad.exe  66
  PID 3540 wrote to memory of 4888  3540  3b8e66e021984031e7c4660d6c833263ed90caecf300c7837ee320959b5327ad.exe  67
  PID 3540 wrote to memory of 4888  3540  3b8e66e021984031e7c4660d6c833263ed90caecf300c7837ee320959b5327ad.exe  67
  PID 3540 wrote to memory of 4888  3540  3b8e66e021984031e7c4660d6c833263ed90caecf300c7837ee320959b5327ad.exe  67
  PID 3540 wrote to memory of 4888  3540  3b8e66e021984031e7c4660d6c833263ed90caecf300c7837ee320959b5327ad.exe  67
  PID 3540 wrote to memory of 4888  3540  3b8e66e021984031e7c4660d6c833263ed90caecf300c7837ee320959b5327ad.exe  67
  PID 3540 wrote to memory of 4888  3540  3b8e66e021984031e7c4660d6c833263ed90caecf300c7837ee320959b5327ad.exe  67
  PID 3540 wrote to memory of 4888  3540  3b8e66e021984031e7c4660d6c833263ed90caecf300c7837ee320959b5327ad.exe  67
  PID 3540 wrote to memory of 4888  3540  3b8e66e021984031e7c4660d6c833263ed90caecf300c7837ee320959b5327ad.exe  67
  PID 3540 wrote to memory of 4888  3540  3b8e66e021984031e7c4660d6c833263ed90caecf300c7837ee320959b5327ad.exe  67
  PID 4888 wrote to memory of 3612  4888  3b8e66e021984031e7c4660d6c833263ed90caecf300c7837ee320959b5327ad.exe  68
  PID 4888 wrote to memory of 3612  4888  3b8e66e021984031e7c4660d6c833263ed90caecf300c7837ee320959b5327ad.exe  68
  PID 4888 wrote to memory of 3612  4888  3b8e66e021984031e7c4660d6c833263ed90caecf300c7837ee320959b5327ad.exe  68
  PID 4924 wrote to memory of 4872  4924  oobeldr.exe                                                                       71
  PID 4924 wrote to memory of 4872  4924  oobeldr.exe                                                                       71
  PID 4924 wrote to memory of 4872  4924  oobeldr.exe                                                                       71
  PID 4924 wrote to memory of 4872  4924  oobeldr.exe                                                                       71
  PID 4924 wrote to memory of 4872  4924  oobeldr.exe                                                                       71
  PID 4924 wrote to memory of 4872  4924  oobeldr.exe                                                                       71
  PID 4924 wrote to memory of 4872  4924  oobeldr.exe                                                                       71
  PID 4924 wrote to memory of 4872  4924  oobeldr.exe                                                                       71
  PID 4924 wrote to memory of 4872  4924  oobeldr.exe                                                                       71
  PID 4872 wrote to memory of 1936  4872  oobeldr.exe                                                                       72
  PID 4872 wrote to memory of 1936  4872  oobeldr.exe                                                                       72
  PID 4872 wrote to memory of 1936  4872  oobeldr.exe                                                                       72
  PID 4364 wrote to memory of 400   4364  oobeldr.exe                                                                       75
  PID 4364 wrote to memory of 400   4364  oobeldr.exe                                                                       75
  PID 4364 wrote to memory of 400   4364  oobeldr.exe                                                                       75
  PID 4364 wrote to memory of 400   4364  oobeldr.exe                                                                       75
  PID 4364 wrote to memory of 400   4364  oobeldr.exe                                                                       75
  PID 4364 wrote to memory of 400   4364  oobeldr.exe                                                                       75
  PID 4364 wrote to memory of 400   4364  oobeldr.exe                                                                       75
  PID 4364 wrote to memory of 400   4364  oobeldr.exe                                                                       75
  PID 4364 wrote to memory of 400   4364  oobeldr.exe                                                                       75
Processes
- C:\Users\Admin\AppData\Local\Temp\3b8e66e021984031e7c4660d6c833263ed90caecf300c7837ee320959b5327ad.exe (PID 3540)
  Command line: "C:\Users\Admin\AppData\Local\Temp\3b8e66e021984031e7c4660d6c833263ed90caecf300c7837ee320959b5327ad.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\3b8e66e021984031e7c4660d6c833263ed90caecf300c7837ee320959b5327ad.exe (PID 4880)
    Command line: C:\Users\Admin\AppData\Local\Temp\3b8e66e021984031e7c4660d6c833263ed90caecf300c7837ee320959b5327ad.exe
  - C:\Users\Admin\AppData\Local\Temp\3b8e66e021984031e7c4660d6c833263ed90caecf300c7837ee320959b5327ad.exe (PID 4888)
    Command line: C:\Users\Admin\AppData\Local\Temp\3b8e66e021984031e7c4660d6c833263ed90caecf300c7837ee320959b5327ad.exe
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe (PID 3612)
      Command line: /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
      - Creates scheduled task(s)
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe (PID 4924)
  Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe (PID 4872)
    Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe (PID 1936)
      Command line: /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
      - Creates scheduled task(s)
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe (PID 4364)
  Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe (PID 400)
    Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 789B
  MD5: db5ef8d7c51bad129d9097bf953e4913
  SHA1: 8439db960aa2d431bf5ec3c37af775b45eb07e06
  SHA256: 1248e67f10b47b397af3c8cbe342bad4be75c68b8e10f4ec6341195cc3138bd9
  SHA512: 04572485790b25e1751347e43b47174051cd153dd75fd55ee5590d25a2579f344cd96cf86cf45bdb7759e3e6d0f734d0ff717148ca70f501b9869e964e036fee
- Filesize: 328KB
  MD5: 4842dc784b71fa028f1930c495bdafa0
  SHA1: 3088dde829624dd2719d8929df726c14dfcdcc81
  SHA256: 3b8e66e021984031e7c4660d6c833263ed90caecf300c7837ee320959b5327ad
  SHA512: f98e3bfa924059a27daf74f23bbcfc72da6b85e602df95f6cdc667fe100efc80424e38d36f4de6b5b08100202ab7808de1844ff300716cfaf06d2e5a59ced2eb