1097d1bce312d4f00a9625f4edd7a9d558ee5351a6574fa3394ee9e2a66d7956

Analysis

max time kernel
22s
max time network
27s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
29-11-2022 08:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e3b5dfb1324cecfae22728323ca804e8f46b949b86998fc32ca5a16e31c45b2.exe
Size

4.6MB
MD5

abf8ce24084059625e02328dbc72e1c7
SHA1

5d98299177c4b55572d96dfb1b93e141c9de9c2e
SHA256

5e3b5dfb1324cecfae22728323ca804e8f46b949b86998fc32ca5a16e31c45b2
SHA512

5f6eed58cf70c583e48d101919f8f4803dcb8c02193bcd5b6bc0ed731ebff5c0876323d44fd4bad0ae81b4e37f5897f6595878210efb5fff9245762a68a44179
SSDEEP

98304:D8ZNWuqWiSagBBKI82NGSvagu0FcV2U1LBri2224SaCos8jr0GUgh10uiV9tWLhj:DCqWieBKI82N1K0SV2U9BOX24S0s8H0M

Score

8^/10

vmprotect

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

oobeldr.exe

pid process

1812 oobeldr.exe

pid	process
1812	oobeldr.exe

VMProtect packed file 6 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral2/memory/488-133-0x00000000007C0000-0x0000000000EDD000-memory.dmp	vmprotect
behavioral2/memory/488-135-0x00000000007C0000-0x0000000000EDD000-memory.dmp	vmprotect
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe	vmprotect
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe	vmprotect
behavioral2/memory/1812-138-0x0000000000370000-0x0000000000A8D000-memory.dmp	vmprotect
behavioral2/memory/1812-140-0x0000000000370000-0x0000000000A8D000-memory.dmp	vmprotect

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

5056 schtasks.exe
2452 schtasks.exe

pid	process
5056	schtasks.exe
2452	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

5e3b5dfb1324cecfae22728323ca804e8f46b949b86998fc32ca5a16e31c45b2.exeoobeldr.exe

pid	process
488	5e3b5dfb1324cecfae22728323ca804e8f46b949b86998fc32ca5a16e31c45b2.exe
488	5e3b5dfb1324cecfae22728323ca804e8f46b949b86998fc32ca5a16e31c45b2.exe
1812	oobeldr.exe
1812	oobeldr.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

5e3b5dfb1324cecfae22728323ca804e8f46b949b86998fc32ca5a16e31c45b2.exeoobeldr.exe

description	pid	process	target process
PID 488 wrote to memory of 5056	488	5e3b5dfb1324cecfae22728323ca804e8f46b949b86998fc32ca5a16e31c45b2.exe	schtasks.exe
PID 488 wrote to memory of 5056	488	5e3b5dfb1324cecfae22728323ca804e8f46b949b86998fc32ca5a16e31c45b2.exe	schtasks.exe
PID 488 wrote to memory of 5056	488	5e3b5dfb1324cecfae22728323ca804e8f46b949b86998fc32ca5a16e31c45b2.exe	schtasks.exe
PID 1812 wrote to memory of 2452	1812	oobeldr.exe	schtasks.exe
PID 1812 wrote to memory of 2452	1812	oobeldr.exe	schtasks.exe
PID 1812 wrote to memory of 2452	1812	oobeldr.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\5e3b5dfb1324cecfae22728323ca804e8f46b949b86998fc32ca5a16e31c45b2.exe
"C:\Users\Admin\AppData\Local\Temp\5e3b5dfb1324cecfae22728323ca804e8f46b949b86998fc32ca5a16e31c45b2.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:488

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
2⤵
- Creates scheduled task(s)
PID:5056

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1812

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
2⤵
- Creates scheduled task(s)
PID:2452

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
Filesize
4.6MB

MD5
abf8ce24084059625e02328dbc72e1c7

SHA1
5d98299177c4b55572d96dfb1b93e141c9de9c2e

SHA256
5e3b5dfb1324cecfae22728323ca804e8f46b949b86998fc32ca5a16e31c45b2

SHA512
5f6eed58cf70c583e48d101919f8f4803dcb8c02193bcd5b6bc0ed731ebff5c0876323d44fd4bad0ae81b4e37f5897f6595878210efb5fff9245762a68a44179

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
Filesize
4.6MB

MD5
abf8ce24084059625e02328dbc72e1c7

SHA1
5d98299177c4b55572d96dfb1b93e141c9de9c2e

SHA256
5e3b5dfb1324cecfae22728323ca804e8f46b949b86998fc32ca5a16e31c45b2

SHA512
5f6eed58cf70c583e48d101919f8f4803dcb8c02193bcd5b6bc0ed731ebff5c0876323d44fd4bad0ae81b4e37f5897f6595878210efb5fff9245762a68a44179

Download Submit
memory/488-133-0x00000000007C0000-0x0000000000EDD000-memory.dmp

Filesize
7.1MB

Download
memory/488-135-0x00000000007C0000-0x0000000000EDD000-memory.dmp

Filesize
7.1MB

Download
memory/1812-138-0x0000000000370000-0x0000000000A8D000-memory.dmp

Filesize
7.1MB

Download
memory/1812-140-0x0000000000370000-0x0000000000A8D000-memory.dmp

Filesize
7.1MB

Download
memory/2452-139-0x0000000000000000-mapping.dmp

Download
memory/5056-134-0x0000000000000000-mapping.dmp

Download