bd2ac3b25a348dc3c3d06c0278d4d0668f5b9c526ecf571b45ab0a2ae4c33b0c

Analysis

max time kernel
113s
max time network
34s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
02-02-2023 11:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

05bfe417ee4f03f5b676bc18178c7bd3.exe
Size

325KB
MD5

05bfe417ee4f03f5b676bc18178c7bd3
SHA1

af90adcc4cfb084ede69230085ee9921d6349c88
SHA256

bd2ac3b25a348dc3c3d06c0278d4d0668f5b9c526ecf571b45ab0a2ae4c33b0c
SHA512

c5af4efa055669dff6ae665ade37f606d78f91be26033a4bf495f6211c1f4c9e9bb95aee804789517f9870f122e5a66972fa395d5851f971832a9e994b48d205
SSDEEP

6144:eKlzr1sYCzek2ciDaP9Xk6Ln1W8W/9InBSkZZmLdGcAdgdY6RKpjS:eGhQ2ciDq9ZL1W8q9InBRqELdolRKpj

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
1668	oobeldr.exe
1132	oobeldr.exe
1972	oobeldr.exe
1740	oobeldr.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1992 set thread context of 912	1992	05bfe417ee4f03f5b676bc18178c7bd3.exe	29
PID 1668 set thread context of 1132	1668	oobeldr.exe	34
PID 1972 set thread context of 1740	1972	oobeldr.exe	38

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1176	schtasks.exe
1680	schtasks.exe

Suspicious use of WriteProcessMemory 47 IoCs

description	pid	Process	procid_target
PID 1992 wrote to memory of 916	1992	05bfe417ee4f03f5b676bc18178c7bd3.exe	28
PID 1992 wrote to memory of 916	1992	05bfe417ee4f03f5b676bc18178c7bd3.exe	28
PID 1992 wrote to memory of 916	1992	05bfe417ee4f03f5b676bc18178c7bd3.exe	28
PID 1992 wrote to memory of 916	1992	05bfe417ee4f03f5b676bc18178c7bd3.exe	28
PID 1992 wrote to memory of 912	1992	05bfe417ee4f03f5b676bc18178c7bd3.exe	29
PID 1992 wrote to memory of 912	1992	05bfe417ee4f03f5b676bc18178c7bd3.exe	29
PID 1992 wrote to memory of 912	1992	05bfe417ee4f03f5b676bc18178c7bd3.exe	29
PID 1992 wrote to memory of 912	1992	05bfe417ee4f03f5b676bc18178c7bd3.exe	29
PID 1992 wrote to memory of 912	1992	05bfe417ee4f03f5b676bc18178c7bd3.exe	29
PID 1992 wrote to memory of 912	1992	05bfe417ee4f03f5b676bc18178c7bd3.exe	29
PID 1992 wrote to memory of 912	1992	05bfe417ee4f03f5b676bc18178c7bd3.exe	29
PID 1992 wrote to memory of 912	1992	05bfe417ee4f03f5b676bc18178c7bd3.exe	29
PID 1992 wrote to memory of 912	1992	05bfe417ee4f03f5b676bc18178c7bd3.exe	29
PID 912 wrote to memory of 1176	912	05bfe417ee4f03f5b676bc18178c7bd3.exe	30
PID 912 wrote to memory of 1176	912	05bfe417ee4f03f5b676bc18178c7bd3.exe	30
PID 912 wrote to memory of 1176	912	05bfe417ee4f03f5b676bc18178c7bd3.exe	30
PID 912 wrote to memory of 1176	912	05bfe417ee4f03f5b676bc18178c7bd3.exe	30
PID 1776 wrote to memory of 1668	1776	taskeng.exe	33
PID 1776 wrote to memory of 1668	1776	taskeng.exe	33
PID 1776 wrote to memory of 1668	1776	taskeng.exe	33
PID 1776 wrote to memory of 1668	1776	taskeng.exe	33
PID 1668 wrote to memory of 1132	1668	oobeldr.exe	34
PID 1668 wrote to memory of 1132	1668	oobeldr.exe	34
PID 1668 wrote to memory of 1132	1668	oobeldr.exe	34
PID 1668 wrote to memory of 1132	1668	oobeldr.exe	34
PID 1668 wrote to memory of 1132	1668	oobeldr.exe	34
PID 1668 wrote to memory of 1132	1668	oobeldr.exe	34
PID 1668 wrote to memory of 1132	1668	oobeldr.exe	34
PID 1668 wrote to memory of 1132	1668	oobeldr.exe	34
PID 1668 wrote to memory of 1132	1668	oobeldr.exe	34
PID 1132 wrote to memory of 1680	1132	oobeldr.exe	35
PID 1132 wrote to memory of 1680	1132	oobeldr.exe	35
PID 1132 wrote to memory of 1680	1132	oobeldr.exe	35
PID 1132 wrote to memory of 1680	1132	oobeldr.exe	35
PID 1776 wrote to memory of 1972	1776	taskeng.exe	37
PID 1776 wrote to memory of 1972	1776	taskeng.exe	37
PID 1776 wrote to memory of 1972	1776	taskeng.exe	37
PID 1776 wrote to memory of 1972	1776	taskeng.exe	37
PID 1972 wrote to memory of 1740	1972	oobeldr.exe	38
PID 1972 wrote to memory of 1740	1972	oobeldr.exe	38
PID 1972 wrote to memory of 1740	1972	oobeldr.exe	38
PID 1972 wrote to memory of 1740	1972	oobeldr.exe	38
PID 1972 wrote to memory of 1740	1972	oobeldr.exe	38
PID 1972 wrote to memory of 1740	1972	oobeldr.exe	38
PID 1972 wrote to memory of 1740	1972	oobeldr.exe	38
PID 1972 wrote to memory of 1740	1972	oobeldr.exe	38
PID 1972 wrote to memory of 1740	1972	oobeldr.exe	38

C:\Users\Admin\AppData\Local\Temp\05bfe417ee4f03f5b676bc18178c7bd3.exe
"C:\Users\Admin\AppData\Local\Temp\05bfe417ee4f03f5b676bc18178c7bd3.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1992
- C:\Users\Admin\AppData\Local\Temp\05bfe417ee4f03f5b676bc18178c7bd3.exe
  C:\Users\Admin\AppData\Local\Temp\05bfe417ee4f03f5b676bc18178c7bd3.exe
  2⤵
  PID:916
- C:\Users\Admin\AppData\Local\Temp\05bfe417ee4f03f5b676bc18178c7bd3.exe
  C:\Users\Admin\AppData\Local\Temp\05bfe417ee4f03f5b676bc18178c7bd3.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:912
- - C:\Windows\SysWOW64\schtasks.exe
    /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
    3⤵
    - Creates scheduled task(s)
    PID:1176

C:\Windows\system32\taskeng.exe
taskeng.exe {502C6C93-6887-464B-A465-1A8A15C79B00} S-1-5-21-1214520366-621468234-4062160515-1000:VDWSWJJD\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1776
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1668
- - C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1132
  - - C:\Windows\SysWOW64\schtasks.exe
      /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
      4⤵
      Creates scheduled task(s)
      PID:1680
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1972
- - C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    3⤵
    - Executes dropped EXE
    PID:1740

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
325KB

MD5
05bfe417ee4f03f5b676bc18178c7bd3

SHA1
af90adcc4cfb084ede69230085ee9921d6349c88

SHA256
bd2ac3b25a348dc3c3d06c0278d4d0668f5b9c526ecf571b45ab0a2ae4c33b0c

SHA512
c5af4efa055669dff6ae665ade37f606d78f91be26033a4bf495f6211c1f4c9e9bb95aee804789517f9870f122e5a66972fa395d5851f971832a9e994b48d205

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
325KB

MD5
05bfe417ee4f03f5b676bc18178c7bd3

SHA1
af90adcc4cfb084ede69230085ee9921d6349c88

SHA256
bd2ac3b25a348dc3c3d06c0278d4d0668f5b9c526ecf571b45ab0a2ae4c33b0c

SHA512
c5af4efa055669dff6ae665ade37f606d78f91be26033a4bf495f6211c1f4c9e9bb95aee804789517f9870f122e5a66972fa395d5851f971832a9e994b48d205

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
325KB

MD5
05bfe417ee4f03f5b676bc18178c7bd3

SHA1
af90adcc4cfb084ede69230085ee9921d6349c88

SHA256
bd2ac3b25a348dc3c3d06c0278d4d0668f5b9c526ecf571b45ab0a2ae4c33b0c

SHA512
c5af4efa055669dff6ae665ade37f606d78f91be26033a4bf495f6211c1f4c9e9bb95aee804789517f9870f122e5a66972fa395d5851f971832a9e994b48d205

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
325KB

MD5
05bfe417ee4f03f5b676bc18178c7bd3

SHA1
af90adcc4cfb084ede69230085ee9921d6349c88

SHA256
bd2ac3b25a348dc3c3d06c0278d4d0668f5b9c526ecf571b45ab0a2ae4c33b0c

SHA512
c5af4efa055669dff6ae665ade37f606d78f91be26033a4bf495f6211c1f4c9e9bb95aee804789517f9870f122e5a66972fa395d5851f971832a9e994b48d205

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
325KB

MD5
05bfe417ee4f03f5b676bc18178c7bd3

SHA1
af90adcc4cfb084ede69230085ee9921d6349c88

SHA256
bd2ac3b25a348dc3c3d06c0278d4d0668f5b9c526ecf571b45ab0a2ae4c33b0c

SHA512
c5af4efa055669dff6ae665ade37f606d78f91be26033a4bf495f6211c1f4c9e9bb95aee804789517f9870f122e5a66972fa395d5851f971832a9e994b48d205

Download Submit
memory/912-61-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/912-58-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/912-62-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/912-63-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/912-67-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/912-59-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/912-69-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1668-73-0x00000000000B0000-0x0000000000106000-memory.dmp

Filesize
344KB

Download
memory/1972-89-0x00000000000B0000-0x0000000000106000-memory.dmp

Filesize
344KB

Download
memory/1992-54-0x0000000000160000-0x00000000001B6000-memory.dmp

Filesize
344KB

Download
memory/1992-57-0x0000000075D51000-0x0000000075D53000-memory.dmp

Filesize
8KB

Download
memory/1992-56-0x00000000002B0000-0x00000000002B6000-memory.dmp

Filesize
24KB

Download
memory/1992-55-0x00000000042F0000-0x00000000043BC000-memory.dmp

Filesize
816KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads