f77ce3b89549e48355b210e8dbffb98017dd91e96d77eae3cc2585bd9098ac84

Analysis

max time kernel
136s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
03/02/2023, 05:50

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

f77ce3b89549e48355b210e8dbffb98017dd91e96d77eae3cc2585bd9098ac84.exe
Size

328KB
MD5

09ce7ca7261e2db9f3e2f66140ffa155
SHA1

f0ee98bbc907bb783a5355654009b28fac525a10
SHA256

f77ce3b89549e48355b210e8dbffb98017dd91e96d77eae3cc2585bd9098ac84
SHA512

e74a0132a28a2cfb0fd4203686ff1cfcba3fcb6b6b3827e7d5ef6cfa958f85ff05c739b91d7a6a534fdf9e9efad61f7cc59deec1f0d8ef0bd688bb71b4a1c93d
SSDEEP

6144:eKlzr1sYCzek2ciDaP9Xk6Ln1W8W/9InBSkZZmLdGcAdgdY6RKpjS:eGhQ2ciDq9ZL1W8q9InBRqELdolRKpj

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 7 IoCs

pid	Process
2056	oobeldr.exe
4172	oobeldr.exe
4716	oobeldr.exe
1856	oobeldr.exe
4920	oobeldr.exe
5028	oobeldr.exe
4872	oobeldr.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2140 set thread context of 4712	2140	f77ce3b89549e48355b210e8dbffb98017dd91e96d77eae3cc2585bd9098ac84.exe	81
PID 2056 set thread context of 4716	2056	oobeldr.exe	90
PID 1856 set thread context of 4920	1856	oobeldr.exe	97
PID 5028 set thread context of 4872	5028	oobeldr.exe	99

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4632	schtasks.exe
3148	schtasks.exe

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 2140 wrote to memory of 4712	2140	f77ce3b89549e48355b210e8dbffb98017dd91e96d77eae3cc2585bd9098ac84.exe	81
PID 2140 wrote to memory of 4712	2140	f77ce3b89549e48355b210e8dbffb98017dd91e96d77eae3cc2585bd9098ac84.exe	81
PID 2140 wrote to memory of 4712	2140	f77ce3b89549e48355b210e8dbffb98017dd91e96d77eae3cc2585bd9098ac84.exe	81
PID 2140 wrote to memory of 4712	2140	f77ce3b89549e48355b210e8dbffb98017dd91e96d77eae3cc2585bd9098ac84.exe	81
PID 2140 wrote to memory of 4712	2140	f77ce3b89549e48355b210e8dbffb98017dd91e96d77eae3cc2585bd9098ac84.exe	81
PID 2140 wrote to memory of 4712	2140	f77ce3b89549e48355b210e8dbffb98017dd91e96d77eae3cc2585bd9098ac84.exe	81
PID 2140 wrote to memory of 4712	2140	f77ce3b89549e48355b210e8dbffb98017dd91e96d77eae3cc2585bd9098ac84.exe	81
PID 2140 wrote to memory of 4712	2140	f77ce3b89549e48355b210e8dbffb98017dd91e96d77eae3cc2585bd9098ac84.exe	81
PID 2140 wrote to memory of 4712	2140	f77ce3b89549e48355b210e8dbffb98017dd91e96d77eae3cc2585bd9098ac84.exe	81
PID 4712 wrote to memory of 4632	4712	f77ce3b89549e48355b210e8dbffb98017dd91e96d77eae3cc2585bd9098ac84.exe	82
PID 4712 wrote to memory of 4632	4712	f77ce3b89549e48355b210e8dbffb98017dd91e96d77eae3cc2585bd9098ac84.exe	82
PID 4712 wrote to memory of 4632	4712	f77ce3b89549e48355b210e8dbffb98017dd91e96d77eae3cc2585bd9098ac84.exe	82
PID 2056 wrote to memory of 4172	2056	oobeldr.exe	88
PID 2056 wrote to memory of 4172	2056	oobeldr.exe	88
PID 2056 wrote to memory of 4172	2056	oobeldr.exe	88
PID 2056 wrote to memory of 4716	2056	oobeldr.exe	90
PID 2056 wrote to memory of 4716	2056	oobeldr.exe	90
PID 2056 wrote to memory of 4716	2056	oobeldr.exe	90
PID 2056 wrote to memory of 4716	2056	oobeldr.exe	90
PID 2056 wrote to memory of 4716	2056	oobeldr.exe	90
PID 2056 wrote to memory of 4716	2056	oobeldr.exe	90
PID 2056 wrote to memory of 4716	2056	oobeldr.exe	90
PID 2056 wrote to memory of 4716	2056	oobeldr.exe	90
PID 2056 wrote to memory of 4716	2056	oobeldr.exe	90
PID 4716 wrote to memory of 3148	4716	oobeldr.exe	93
PID 4716 wrote to memory of 3148	4716	oobeldr.exe	93
PID 4716 wrote to memory of 3148	4716	oobeldr.exe	93
PID 1856 wrote to memory of 4920	1856	oobeldr.exe	97
PID 1856 wrote to memory of 4920	1856	oobeldr.exe	97
PID 1856 wrote to memory of 4920	1856	oobeldr.exe	97
PID 1856 wrote to memory of 4920	1856	oobeldr.exe	97
PID 1856 wrote to memory of 4920	1856	oobeldr.exe	97
PID 1856 wrote to memory of 4920	1856	oobeldr.exe	97
PID 1856 wrote to memory of 4920	1856	oobeldr.exe	97
PID 1856 wrote to memory of 4920	1856	oobeldr.exe	97
PID 1856 wrote to memory of 4920	1856	oobeldr.exe	97
PID 5028 wrote to memory of 4872	5028	oobeldr.exe	99
PID 5028 wrote to memory of 4872	5028	oobeldr.exe	99
PID 5028 wrote to memory of 4872	5028	oobeldr.exe	99
PID 5028 wrote to memory of 4872	5028	oobeldr.exe	99
PID 5028 wrote to memory of 4872	5028	oobeldr.exe	99
PID 5028 wrote to memory of 4872	5028	oobeldr.exe	99
PID 5028 wrote to memory of 4872	5028	oobeldr.exe	99
PID 5028 wrote to memory of 4872	5028	oobeldr.exe	99
PID 5028 wrote to memory of 4872	5028	oobeldr.exe	99

C:\Users\Admin\AppData\Local\Temp\f77ce3b89549e48355b210e8dbffb98017dd91e96d77eae3cc2585bd9098ac84.exe
"C:\Users\Admin\AppData\Local\Temp\f77ce3b89549e48355b210e8dbffb98017dd91e96d77eae3cc2585bd9098ac84.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2140
- C:\Users\Admin\AppData\Local\Temp\f77ce3b89549e48355b210e8dbffb98017dd91e96d77eae3cc2585bd9098ac84.exe
  C:\Users\Admin\AppData\Local\Temp\f77ce3b89549e48355b210e8dbffb98017dd91e96d77eae3cc2585bd9098ac84.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4712
- - C:\Windows\SysWOW64\schtasks.exe
    /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
    3⤵
    - Creates scheduled task(s)
    PID:4632

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2056
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  - Executes dropped EXE
  PID:4172
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4716
- - C:\Windows\SysWOW64\schtasks.exe
    /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
    3⤵
    - Creates scheduled task(s)
    PID:3148

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1856
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  - Executes dropped EXE
  PID:4920

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5028
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  - Executes dropped EXE
  PID:4872

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\oobeldr.exe.log

Filesize
789B

MD5
03d2df1e8834bc4ec1756735429b458c

SHA1
4ee6c0f5b04c8e0c5076219c5724032daab11d40

SHA256
745ab70552d9a0463b791fd8dc1942838ac3e34fb1a68f09ed3766c7e3b05631

SHA512
2482c3d4478125ccbc7f224f50e86b7bf925ed438b59f4dce57b9b6bcdb59df51417049096b131b6b911173550eed98bc92aba7050861de303a692f0681b197b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
328KB

MD5
09ce7ca7261e2db9f3e2f66140ffa155

SHA1
f0ee98bbc907bb783a5355654009b28fac525a10

SHA256
f77ce3b89549e48355b210e8dbffb98017dd91e96d77eae3cc2585bd9098ac84

SHA512
e74a0132a28a2cfb0fd4203686ff1cfcba3fcb6b6b3827e7d5ef6cfa958f85ff05c739b91d7a6a534fdf9e9efad61f7cc59deec1f0d8ef0bd688bb71b4a1c93d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
328KB

MD5
09ce7ca7261e2db9f3e2f66140ffa155

SHA1
f0ee98bbc907bb783a5355654009b28fac525a10

SHA256
f77ce3b89549e48355b210e8dbffb98017dd91e96d77eae3cc2585bd9098ac84

SHA512
e74a0132a28a2cfb0fd4203686ff1cfcba3fcb6b6b3827e7d5ef6cfa958f85ff05c739b91d7a6a534fdf9e9efad61f7cc59deec1f0d8ef0bd688bb71b4a1c93d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
328KB

MD5
09ce7ca7261e2db9f3e2f66140ffa155

SHA1
f0ee98bbc907bb783a5355654009b28fac525a10

SHA256
f77ce3b89549e48355b210e8dbffb98017dd91e96d77eae3cc2585bd9098ac84

SHA512
e74a0132a28a2cfb0fd4203686ff1cfcba3fcb6b6b3827e7d5ef6cfa958f85ff05c739b91d7a6a534fdf9e9efad61f7cc59deec1f0d8ef0bd688bb71b4a1c93d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
328KB

MD5
09ce7ca7261e2db9f3e2f66140ffa155

SHA1
f0ee98bbc907bb783a5355654009b28fac525a10

SHA256
f77ce3b89549e48355b210e8dbffb98017dd91e96d77eae3cc2585bd9098ac84

SHA512
e74a0132a28a2cfb0fd4203686ff1cfcba3fcb6b6b3827e7d5ef6cfa958f85ff05c739b91d7a6a534fdf9e9efad61f7cc59deec1f0d8ef0bd688bb71b4a1c93d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
328KB

MD5
09ce7ca7261e2db9f3e2f66140ffa155

SHA1
f0ee98bbc907bb783a5355654009b28fac525a10

SHA256
f77ce3b89549e48355b210e8dbffb98017dd91e96d77eae3cc2585bd9098ac84

SHA512
e74a0132a28a2cfb0fd4203686ff1cfcba3fcb6b6b3827e7d5ef6cfa958f85ff05c739b91d7a6a534fdf9e9efad61f7cc59deec1f0d8ef0bd688bb71b4a1c93d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
328KB

MD5
09ce7ca7261e2db9f3e2f66140ffa155

SHA1
f0ee98bbc907bb783a5355654009b28fac525a10

SHA256
f77ce3b89549e48355b210e8dbffb98017dd91e96d77eae3cc2585bd9098ac84

SHA512
e74a0132a28a2cfb0fd4203686ff1cfcba3fcb6b6b3827e7d5ef6cfa958f85ff05c739b91d7a6a534fdf9e9efad61f7cc59deec1f0d8ef0bd688bb71b4a1c93d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
328KB

MD5
09ce7ca7261e2db9f3e2f66140ffa155

SHA1
f0ee98bbc907bb783a5355654009b28fac525a10

SHA256
f77ce3b89549e48355b210e8dbffb98017dd91e96d77eae3cc2585bd9098ac84

SHA512
e74a0132a28a2cfb0fd4203686ff1cfcba3fcb6b6b3827e7d5ef6cfa958f85ff05c739b91d7a6a534fdf9e9efad61f7cc59deec1f0d8ef0bd688bb71b4a1c93d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
328KB

MD5
09ce7ca7261e2db9f3e2f66140ffa155

SHA1
f0ee98bbc907bb783a5355654009b28fac525a10

SHA256
f77ce3b89549e48355b210e8dbffb98017dd91e96d77eae3cc2585bd9098ac84

SHA512
e74a0132a28a2cfb0fd4203686ff1cfcba3fcb6b6b3827e7d5ef6cfa958f85ff05c739b91d7a6a534fdf9e9efad61f7cc59deec1f0d8ef0bd688bb71b4a1c93d

Download Submit
memory/2140-136-0x0000000007E70000-0x0000000007E8E000-memory.dmp

Filesize
120KB

Download
memory/2140-135-0x00000000081C0000-0x0000000008236000-memory.dmp

Filesize
472KB

Download
memory/2140-134-0x0000000007EA0000-0x0000000007F32000-memory.dmp

Filesize
584KB

Download
memory/2140-133-0x0000000008370000-0x0000000008914000-memory.dmp

Filesize
5.6MB

Download
memory/2140-132-0x0000000000EE0000-0x0000000000F36000-memory.dmp

Filesize
344KB

Download
memory/4712-142-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/4712-140-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/4712-138-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads