3f16fa8cc350e2c4bef1790e38f93fa292f42ffeb5d0b0a6f00a4974f4d917d2

Analysis

max time kernel
111s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
03/02/2023, 08:17

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3f16fa8cc350e2c4bef1790e38f93fa292f42ffeb5d0b0a6f00a4974f4d917d2.exe
Size

329KB
MD5

610cb2ada412e7eef7cfabfbaa3064bb
SHA1

74f34d79d03248e00de60a74654115fa7ef9251f
SHA256

3f16fa8cc350e2c4bef1790e38f93fa292f42ffeb5d0b0a6f00a4974f4d917d2
SHA512

1f12f312b7fabf8735d5039830d33edc11fdfecd3776a4e469006d336878e913471c6a309b31f4adc1465d686208296a26d69a0f040dce0f17650f97e9e3a4c9
SSDEEP

6144:eKlzr1sYCzek2ciDaP9Xk6Ln1W8W/9InBSkZZmLdGcAdgdY6RKpjS:eGhQ2ciDq9ZL1W8q9InBRqELdolRKpj

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
4172	oobeldr.exe
4048	oobeldr.exe
4208	oobeldr.exe
4760	oobeldr.exe
3448	oobeldr.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2400 set thread context of 2088	2400	3f16fa8cc350e2c4bef1790e38f93fa292f42ffeb5d0b0a6f00a4974f4d917d2.exe	80
PID 4172 set thread context of 4048	4172	oobeldr.exe	91
PID 4208 set thread context of 3448	4208	oobeldr.exe	96

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
344	schtasks.exe
3756	schtasks.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2400 wrote to memory of 2088	2400	3f16fa8cc350e2c4bef1790e38f93fa292f42ffeb5d0b0a6f00a4974f4d917d2.exe	80
PID 2400 wrote to memory of 2088	2400	3f16fa8cc350e2c4bef1790e38f93fa292f42ffeb5d0b0a6f00a4974f4d917d2.exe	80
PID 2400 wrote to memory of 2088	2400	3f16fa8cc350e2c4bef1790e38f93fa292f42ffeb5d0b0a6f00a4974f4d917d2.exe	80
PID 2400 wrote to memory of 2088	2400	3f16fa8cc350e2c4bef1790e38f93fa292f42ffeb5d0b0a6f00a4974f4d917d2.exe	80
PID 2400 wrote to memory of 2088	2400	3f16fa8cc350e2c4bef1790e38f93fa292f42ffeb5d0b0a6f00a4974f4d917d2.exe	80
PID 2400 wrote to memory of 2088	2400	3f16fa8cc350e2c4bef1790e38f93fa292f42ffeb5d0b0a6f00a4974f4d917d2.exe	80
PID 2400 wrote to memory of 2088	2400	3f16fa8cc350e2c4bef1790e38f93fa292f42ffeb5d0b0a6f00a4974f4d917d2.exe	80
PID 2400 wrote to memory of 2088	2400	3f16fa8cc350e2c4bef1790e38f93fa292f42ffeb5d0b0a6f00a4974f4d917d2.exe	80
PID 2400 wrote to memory of 2088	2400	3f16fa8cc350e2c4bef1790e38f93fa292f42ffeb5d0b0a6f00a4974f4d917d2.exe	80
PID 2088 wrote to memory of 344	2088	3f16fa8cc350e2c4bef1790e38f93fa292f42ffeb5d0b0a6f00a4974f4d917d2.exe	84
PID 2088 wrote to memory of 344	2088	3f16fa8cc350e2c4bef1790e38f93fa292f42ffeb5d0b0a6f00a4974f4d917d2.exe	84
PID 2088 wrote to memory of 344	2088	3f16fa8cc350e2c4bef1790e38f93fa292f42ffeb5d0b0a6f00a4974f4d917d2.exe	84
PID 4172 wrote to memory of 4048	4172	oobeldr.exe	91
PID 4172 wrote to memory of 4048	4172	oobeldr.exe	91
PID 4172 wrote to memory of 4048	4172	oobeldr.exe	91
PID 4172 wrote to memory of 4048	4172	oobeldr.exe	91
PID 4172 wrote to memory of 4048	4172	oobeldr.exe	91
PID 4172 wrote to memory of 4048	4172	oobeldr.exe	91
PID 4172 wrote to memory of 4048	4172	oobeldr.exe	91
PID 4172 wrote to memory of 4048	4172	oobeldr.exe	91
PID 4172 wrote to memory of 4048	4172	oobeldr.exe	91
PID 4048 wrote to memory of 3756	4048	oobeldr.exe	92
PID 4048 wrote to memory of 3756	4048	oobeldr.exe	92
PID 4048 wrote to memory of 3756	4048	oobeldr.exe	92
PID 4208 wrote to memory of 4760	4208	oobeldr.exe	95
PID 4208 wrote to memory of 4760	4208	oobeldr.exe	95
PID 4208 wrote to memory of 4760	4208	oobeldr.exe	95
PID 4208 wrote to memory of 3448	4208	oobeldr.exe	96
PID 4208 wrote to memory of 3448	4208	oobeldr.exe	96
PID 4208 wrote to memory of 3448	4208	oobeldr.exe	96
PID 4208 wrote to memory of 3448	4208	oobeldr.exe	96
PID 4208 wrote to memory of 3448	4208	oobeldr.exe	96
PID 4208 wrote to memory of 3448	4208	oobeldr.exe	96
PID 4208 wrote to memory of 3448	4208	oobeldr.exe	96
PID 4208 wrote to memory of 3448	4208	oobeldr.exe	96
PID 4208 wrote to memory of 3448	4208	oobeldr.exe	96

C:\Users\Admin\AppData\Local\Temp\3f16fa8cc350e2c4bef1790e38f93fa292f42ffeb5d0b0a6f00a4974f4d917d2.exe
"C:\Users\Admin\AppData\Local\Temp\3f16fa8cc350e2c4bef1790e38f93fa292f42ffeb5d0b0a6f00a4974f4d917d2.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2400
- C:\Users\Admin\AppData\Local\Temp\3f16fa8cc350e2c4bef1790e38f93fa292f42ffeb5d0b0a6f00a4974f4d917d2.exe
  C:\Users\Admin\AppData\Local\Temp\3f16fa8cc350e2c4bef1790e38f93fa292f42ffeb5d0b0a6f00a4974f4d917d2.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2088
- - C:\Windows\SysWOW64\schtasks.exe
    /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
    3⤵
    - Creates scheduled task(s)
    PID:344

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4172
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4048
- - C:\Windows\SysWOW64\schtasks.exe
    /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
    3⤵
    - Creates scheduled task(s)
    PID:3756

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4208
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  - Executes dropped EXE
  PID:4760
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  - Executes dropped EXE
  PID:3448

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\oobeldr.exe.log

Filesize
789B

MD5
03d2df1e8834bc4ec1756735429b458c

SHA1
4ee6c0f5b04c8e0c5076219c5724032daab11d40

SHA256
745ab70552d9a0463b791fd8dc1942838ac3e34fb1a68f09ed3766c7e3b05631

SHA512
2482c3d4478125ccbc7f224f50e86b7bf925ed438b59f4dce57b9b6bcdb59df51417049096b131b6b911173550eed98bc92aba7050861de303a692f0681b197b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
329KB

MD5
610cb2ada412e7eef7cfabfbaa3064bb

SHA1
74f34d79d03248e00de60a74654115fa7ef9251f

SHA256
3f16fa8cc350e2c4bef1790e38f93fa292f42ffeb5d0b0a6f00a4974f4d917d2

SHA512
1f12f312b7fabf8735d5039830d33edc11fdfecd3776a4e469006d336878e913471c6a309b31f4adc1465d686208296a26d69a0f040dce0f17650f97e9e3a4c9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
329KB

MD5
610cb2ada412e7eef7cfabfbaa3064bb

SHA1
74f34d79d03248e00de60a74654115fa7ef9251f

SHA256
3f16fa8cc350e2c4bef1790e38f93fa292f42ffeb5d0b0a6f00a4974f4d917d2

SHA512
1f12f312b7fabf8735d5039830d33edc11fdfecd3776a4e469006d336878e913471c6a309b31f4adc1465d686208296a26d69a0f040dce0f17650f97e9e3a4c9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
329KB

MD5
610cb2ada412e7eef7cfabfbaa3064bb

SHA1
74f34d79d03248e00de60a74654115fa7ef9251f

SHA256
3f16fa8cc350e2c4bef1790e38f93fa292f42ffeb5d0b0a6f00a4974f4d917d2

SHA512
1f12f312b7fabf8735d5039830d33edc11fdfecd3776a4e469006d336878e913471c6a309b31f4adc1465d686208296a26d69a0f040dce0f17650f97e9e3a4c9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
329KB

MD5
610cb2ada412e7eef7cfabfbaa3064bb

SHA1
74f34d79d03248e00de60a74654115fa7ef9251f

SHA256
3f16fa8cc350e2c4bef1790e38f93fa292f42ffeb5d0b0a6f00a4974f4d917d2

SHA512
1f12f312b7fabf8735d5039830d33edc11fdfecd3776a4e469006d336878e913471c6a309b31f4adc1465d686208296a26d69a0f040dce0f17650f97e9e3a4c9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
329KB

MD5
610cb2ada412e7eef7cfabfbaa3064bb

SHA1
74f34d79d03248e00de60a74654115fa7ef9251f

SHA256
3f16fa8cc350e2c4bef1790e38f93fa292f42ffeb5d0b0a6f00a4974f4d917d2

SHA512
1f12f312b7fabf8735d5039830d33edc11fdfecd3776a4e469006d336878e913471c6a309b31f4adc1465d686208296a26d69a0f040dce0f17650f97e9e3a4c9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
329KB

MD5
610cb2ada412e7eef7cfabfbaa3064bb

SHA1
74f34d79d03248e00de60a74654115fa7ef9251f

SHA256
3f16fa8cc350e2c4bef1790e38f93fa292f42ffeb5d0b0a6f00a4974f4d917d2

SHA512
1f12f312b7fabf8735d5039830d33edc11fdfecd3776a4e469006d336878e913471c6a309b31f4adc1465d686208296a26d69a0f040dce0f17650f97e9e3a4c9

Download Submit
memory/2088-138-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2088-140-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2088-142-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2400-135-0x00000000076A0000-0x0000000007716000-memory.dmp

Filesize
472KB

Download
memory/2400-134-0x0000000007400000-0x0000000007492000-memory.dmp

Filesize
584KB

Download
memory/2400-132-0x00000000003D0000-0x0000000000426000-memory.dmp

Filesize
344KB

Download
memory/2400-133-0x0000000007910000-0x0000000007EB4000-memory.dmp

Filesize
5.6MB

Download
memory/2400-136-0x0000000007360000-0x000000000737E000-memory.dmp

Filesize
120KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads