Analysis
- max time kernel: 22s
- max time network: 27s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29-11-2022 08:50
Behavioral task: behavioral1
- Sample: 5e3b5dfb1324cecfae22728323ca804e8f46b949b86998fc32ca5a16e31c45b2.exe
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: 5e3b5dfb1324cecfae22728323ca804e8f46b949b86998fc32ca5a16e31c45b2.exe
- Resource: win10v2004-20220812-en
General
- Target: 5e3b5dfb1324cecfae22728323ca804e8f46b949b86998fc32ca5a16e31c45b2.exe
- Size: 4.6MB
- MD5: abf8ce24084059625e02328dbc72e1c7
- SHA1: 5d98299177c4b55572d96dfb1b93e141c9de9c2e
- SHA256: 5e3b5dfb1324cecfae22728323ca804e8f46b949b86998fc32ca5a16e31c45b2
- SHA512: 5f6eed58cf70c583e48d101919f8f4803dcb8c02193bcd5b6bc0ed731ebff5c0876323d44fd4bad0ae81b4e37f5897f6595878210efb5fff9245762a68a44179
- SSDEEP: 98304:D8ZNWuqWiSagBBKI82NGSvagu0FcV2U1LBri2224SaCos8jr0GUgh10uiV9tWLhj:DCqWieBKI82N1K0SV2U9BOX24S0s8H0M
Malware Config
Signatures
Executes dropped EXE (1 IoCs)
Processes (pid: process):
- 1812: oobeldr.exe
YARA matches (resource: yara_rule):
- behavioral2/memory/488-133-0x00000000007C0000-0x0000000000EDD000-memory.dmp: vmprotect
- behavioral2/memory/488-135-0x00000000007C0000-0x0000000000EDD000-memory.dmp: vmprotect
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe: vmprotect
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe: vmprotect
- behavioral2/memory/1812-138-0x0000000000370000-0x0000000000A8D000-memory.dmp: vmprotect
- behavioral2/memory/1812-140-0x0000000000370000-0x0000000000A8D000-memory.dmp: vmprotect
Creates scheduled task(s) (1 TTPs, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes (pid: process):
- 5056: schtasks.exe
- 2452: schtasks.exe
Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes (pid: process):
- 488: 5e3b5dfb1324cecfae22728323ca804e8f46b949b86998fc32ca5a16e31c45b2.exe
- 488: 5e3b5dfb1324cecfae22728323ca804e8f46b949b86998fc32ca5a16e31c45b2.exe
- 1812: oobeldr.exe
- 1812: oobeldr.exe
Suspicious use of WriteProcessMemory (6 IoCs)
Processes (description; pid: process -> target process):
- PID 488 wrote to memory of 5056; 488: 5e3b5dfb1324cecfae22728323ca804e8f46b949b86998fc32ca5a16e31c45b2.exe -> schtasks.exe
- PID 488 wrote to memory of 5056; 488: 5e3b5dfb1324cecfae22728323ca804e8f46b949b86998fc32ca5a16e31c45b2.exe -> schtasks.exe
- PID 488 wrote to memory of 5056; 488: 5e3b5dfb1324cecfae22728323ca804e8f46b949b86998fc32ca5a16e31c45b2.exe -> schtasks.exe
- PID 1812 wrote to memory of 2452; 1812: oobeldr.exe -> schtasks.exe
- PID 1812 wrote to memory of 2452; 1812: oobeldr.exe -> schtasks.exe
- PID 1812 wrote to memory of 2452; 1812: oobeldr.exe -> schtasks.exe
Processes (process tree; indentation shows parent/child depth)
- C:\Users\Admin\AppData\Local\Temp\5e3b5dfb1324cecfae22728323ca804e8f46b949b86998fc32ca5a16e31c45b2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5e3b5dfb1324cecfae22728323ca804e8f46b949b86998fc32ca5a16e31c45b2.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
    - Creates scheduled task(s)
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
    - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  Filesize: 4.6MB
  MD5: abf8ce24084059625e02328dbc72e1c7
  SHA1: 5d98299177c4b55572d96dfb1b93e141c9de9c2e
  SHA256: 5e3b5dfb1324cecfae22728323ca804e8f46b949b86998fc32ca5a16e31c45b2
  SHA512: 5f6eed58cf70c583e48d101919f8f4803dcb8c02193bcd5b6bc0ed731ebff5c0876323d44fd4bad0ae81b4e37f5897f6595878210efb5fff9245762a68a44179
- memory/488-133-0x00000000007C0000-0x0000000000EDD000-memory.dmp
  Filesize: 7.1MB
- memory/488-135-0x00000000007C0000-0x0000000000EDD000-memory.dmp
  Filesize: 7.1MB
- memory/1812-138-0x0000000000370000-0x0000000000A8D000-memory.dmp
  Filesize: 7.1MB
- memory/1812-140-0x0000000000370000-0x0000000000A8D000-memory.dmp
  Filesize: 7.1MB
- memory/2452-139-0x0000000000000000-mapping.dmp
- memory/5056-134-0x0000000000000000-mapping.dmp