98fa7f4dcfd4e338b44ef15bb0d08baa873ed833fa3e63a18d54f357e8889211 | Triage

Analysis

max time kernel
129s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
03/02/2023, 05:17 UTC

Sharing

Report Analysis Logs

General

Target

98fa7f4dcfd4e338b44ef15bb0d08baa873ed833fa3e63a18d54f357e8889211.exe
Size

328KB
MD5

40018d790c97eab2d36d7ab2ac17c7f9
SHA1

3c1a6238a1f13437f37fd418858b0f317f8ace2c
SHA256

98fa7f4dcfd4e338b44ef15bb0d08baa873ed833fa3e63a18d54f357e8889211
SHA512

169f223766a435f4a74a007694cb6cca6ef70aaf79d188805c969bd871e8a58ce26008771eaa53fb8c634805dc0fb8a90f99695a4c6d09b1bcedd3182d3c44c3
SSDEEP

6144:eKlzr1sYCzek2ciDaP9Xk6Ln1W8W/9InBSkZZmLdGcAdgdY6RKpjS:eGhQ2ciDq9ZL1W8q9InBRqELdolRKpj

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
1244	oobeldr.exe
2480	oobeldr.exe
1248	oobeldr.exe
2944	oobeldr.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1716 set thread context of 4928	1716	98fa7f4dcfd4e338b44ef15bb0d08baa873ed833fa3e63a18d54f357e8889211.exe	82
PID 1244 set thread context of 2480	1244	oobeldr.exe	87
PID 1248 set thread context of 2944	1248	oobeldr.exe	97

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

Scheduled Task

pid	Process
4876	schtasks.exe
3824	schtasks.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 1716 wrote to memory of 4928	1716	98fa7f4dcfd4e338b44ef15bb0d08baa873ed833fa3e63a18d54f357e8889211.exe	82
PID 1716 wrote to memory of 4928	1716	98fa7f4dcfd4e338b44ef15bb0d08baa873ed833fa3e63a18d54f357e8889211.exe	82
PID 1716 wrote to memory of 4928	1716	98fa7f4dcfd4e338b44ef15bb0d08baa873ed833fa3e63a18d54f357e8889211.exe	82
PID 1716 wrote to memory of 4928	1716	98fa7f4dcfd4e338b44ef15bb0d08baa873ed833fa3e63a18d54f357e8889211.exe	82
PID 1716 wrote to memory of 4928	1716	98fa7f4dcfd4e338b44ef15bb0d08baa873ed833fa3e63a18d54f357e8889211.exe	82
PID 1716 wrote to memory of 4928	1716	98fa7f4dcfd4e338b44ef15bb0d08baa873ed833fa3e63a18d54f357e8889211.exe	82
PID 1716 wrote to memory of 4928	1716	98fa7f4dcfd4e338b44ef15bb0d08baa873ed833fa3e63a18d54f357e8889211.exe	82
PID 1716 wrote to memory of 4928	1716	98fa7f4dcfd4e338b44ef15bb0d08baa873ed833fa3e63a18d54f357e8889211.exe	82
PID 1716 wrote to memory of 4928	1716	98fa7f4dcfd4e338b44ef15bb0d08baa873ed833fa3e63a18d54f357e8889211.exe	82
PID 4928 wrote to memory of 4876	4928	98fa7f4dcfd4e338b44ef15bb0d08baa873ed833fa3e63a18d54f357e8889211.exe	83
PID 4928 wrote to memory of 4876	4928	98fa7f4dcfd4e338b44ef15bb0d08baa873ed833fa3e63a18d54f357e8889211.exe	83
PID 4928 wrote to memory of 4876	4928	98fa7f4dcfd4e338b44ef15bb0d08baa873ed833fa3e63a18d54f357e8889211.exe	83
PID 1244 wrote to memory of 2480	1244	oobeldr.exe	87
PID 1244 wrote to memory of 2480	1244	oobeldr.exe	87
PID 1244 wrote to memory of 2480	1244	oobeldr.exe	87
PID 1244 wrote to memory of 2480	1244	oobeldr.exe	87
PID 1244 wrote to memory of 2480	1244	oobeldr.exe	87
PID 1244 wrote to memory of 2480	1244	oobeldr.exe	87
PID 1244 wrote to memory of 2480	1244	oobeldr.exe	87
PID 1244 wrote to memory of 2480	1244	oobeldr.exe	87
PID 1244 wrote to memory of 2480	1244	oobeldr.exe	87
PID 2480 wrote to memory of 3824	2480	oobeldr.exe	88
PID 2480 wrote to memory of 3824	2480	oobeldr.exe	88
PID 2480 wrote to memory of 3824	2480	oobeldr.exe	88
PID 1248 wrote to memory of 2944	1248	oobeldr.exe	97
PID 1248 wrote to memory of 2944	1248	oobeldr.exe	97
PID 1248 wrote to memory of 2944	1248	oobeldr.exe	97
PID 1248 wrote to memory of 2944	1248	oobeldr.exe	97
PID 1248 wrote to memory of 2944	1248	oobeldr.exe	97
PID 1248 wrote to memory of 2944	1248	oobeldr.exe	97
PID 1248 wrote to memory of 2944	1248	oobeldr.exe	97
PID 1248 wrote to memory of 2944	1248	oobeldr.exe	97
PID 1248 wrote to memory of 2944	1248	oobeldr.exe	97

C:\Users\Admin\AppData\Local\Temp\98fa7f4dcfd4e338b44ef15bb0d08baa873ed833fa3e63a18d54f357e8889211.exe
"C:\Users\Admin\AppData\Local\Temp\98fa7f4dcfd4e338b44ef15bb0d08baa873ed833fa3e63a18d54f357e8889211.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1716
- C:\Users\Admin\AppData\Local\Temp\98fa7f4dcfd4e338b44ef15bb0d08baa873ed833fa3e63a18d54f357e8889211.exe
  C:\Users\Admin\AppData\Local\Temp\98fa7f4dcfd4e338b44ef15bb0d08baa873ed833fa3e63a18d54f357e8889211.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4928
- - C:\Windows\SysWOW64\schtasks.exe
    /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
    3⤵
    - Creates scheduled task(s)
    PID:4876

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1244
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2480
- - C:\Windows\SysWOW64\schtasks.exe
    /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
    3⤵
    - Creates scheduled task(s)
    PID:3824

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1248
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  - Executes dropped EXE
  PID:2944

Network

No results found

52.109.8.86:443

40 B
1
93.184.220.29:80

322 B
7
8.253.208.113:80

322 B
7
8.253.208.113:80

322 B
7
8.253.208.113:80

322 B
7
8.253.208.113:80

322 B
7
104.80.225.205:443

322 B
7

No results found

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\oobeldr.exe.log

Filesize
789B

MD5
03d2df1e8834bc4ec1756735429b458c

SHA1
4ee6c0f5b04c8e0c5076219c5724032daab11d40

SHA256
745ab70552d9a0463b791fd8dc1942838ac3e34fb1a68f09ed3766c7e3b05631

SHA512
2482c3d4478125ccbc7f224f50e86b7bf925ed438b59f4dce57b9b6bcdb59df51417049096b131b6b911173550eed98bc92aba7050861de303a692f0681b197b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
328KB

MD5
40018d790c97eab2d36d7ab2ac17c7f9

SHA1
3c1a6238a1f13437f37fd418858b0f317f8ace2c

SHA256
98fa7f4dcfd4e338b44ef15bb0d08baa873ed833fa3e63a18d54f357e8889211

SHA512
169f223766a435f4a74a007694cb6cca6ef70aaf79d188805c969bd871e8a58ce26008771eaa53fb8c634805dc0fb8a90f99695a4c6d09b1bcedd3182d3c44c3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
328KB

MD5
40018d790c97eab2d36d7ab2ac17c7f9

SHA1
3c1a6238a1f13437f37fd418858b0f317f8ace2c

SHA256
98fa7f4dcfd4e338b44ef15bb0d08baa873ed833fa3e63a18d54f357e8889211

SHA512
169f223766a435f4a74a007694cb6cca6ef70aaf79d188805c969bd871e8a58ce26008771eaa53fb8c634805dc0fb8a90f99695a4c6d09b1bcedd3182d3c44c3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
328KB

MD5
40018d790c97eab2d36d7ab2ac17c7f9

SHA1
3c1a6238a1f13437f37fd418858b0f317f8ace2c

SHA256
98fa7f4dcfd4e338b44ef15bb0d08baa873ed833fa3e63a18d54f357e8889211

SHA512
169f223766a435f4a74a007694cb6cca6ef70aaf79d188805c969bd871e8a58ce26008771eaa53fb8c634805dc0fb8a90f99695a4c6d09b1bcedd3182d3c44c3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
328KB

MD5
40018d790c97eab2d36d7ab2ac17c7f9

SHA1
3c1a6238a1f13437f37fd418858b0f317f8ace2c

SHA256
98fa7f4dcfd4e338b44ef15bb0d08baa873ed833fa3e63a18d54f357e8889211

SHA512
169f223766a435f4a74a007694cb6cca6ef70aaf79d188805c969bd871e8a58ce26008771eaa53fb8c634805dc0fb8a90f99695a4c6d09b1bcedd3182d3c44c3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
328KB

MD5
40018d790c97eab2d36d7ab2ac17c7f9

SHA1
3c1a6238a1f13437f37fd418858b0f317f8ace2c

SHA256
98fa7f4dcfd4e338b44ef15bb0d08baa873ed833fa3e63a18d54f357e8889211

SHA512
169f223766a435f4a74a007694cb6cca6ef70aaf79d188805c969bd871e8a58ce26008771eaa53fb8c634805dc0fb8a90f99695a4c6d09b1bcedd3182d3c44c3

Download Submit
memory/1716-133-0x0000000007A90000-0x0000000008034000-memory.dmp

Filesize
5.6MB

Download
memory/1716-134-0x00000000075C0000-0x0000000007652000-memory.dmp

Filesize
584KB

Download
memory/1716-135-0x0000000007860000-0x00000000078D6000-memory.dmp

Filesize
472KB

Download
memory/1716-136-0x0000000007580000-0x000000000759E000-memory.dmp

Filesize
120KB

Download
memory/1716-132-0x00000000005F0000-0x0000000000646000-memory.dmp

Filesize
344KB

Download
memory/4928-142-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/4928-140-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/4928-138-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download