32b5414915a336891ee9295c18f5294955679049b50c7352076d0f5be4777f73 | Triage

Analysis

max time kernel
151s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
03/02/2023, 09:17 UTC

Sharing

Report Analysis Logs

General

Target

32b5414915a336891ee9295c18f5294955679049b50c7352076d0f5be4777f73.exe
Size

329KB
MD5

cab8d3eeab7441e95dc7e219c5840fe8
SHA1

a2324e91510d94b42d6b019099a7ac63a098763a
SHA256

32b5414915a336891ee9295c18f5294955679049b50c7352076d0f5be4777f73
SHA512

8ef359ef72c64f163347138df4e7b85cc01d6c83b7c6fe93e0a7f5d2158b631324757868ab6eb381a9701c15d13e8e3647e9ec673ed188d7a0b7d11c30bfec4a
SSDEEP

6144:eKlzr1sYCzek2ciDaP9Xk6Ln1W8W/9InBSkZZmLdGcAdgdY6RKpjS:eGhQ2ciDq9ZL1W8q9InBRqELdolRKpj

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
4704	oobeldr.exe
228	oobeldr.exe
3892	oobeldr.exe
4776	oobeldr.exe
2104	oobeldr.exe
4524	oobeldr.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4960 set thread context of 1896	4960	32b5414915a336891ee9295c18f5294955679049b50c7352076d0f5be4777f73.exe	81
PID 4704 set thread context of 3892	4704	oobeldr.exe	87
PID 4776 set thread context of 2104	4776	oobeldr.exe	97

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

Scheduled Task

pid	Process
3260	schtasks.exe
3444	schtasks.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 4960 wrote to memory of 1896	4960	32b5414915a336891ee9295c18f5294955679049b50c7352076d0f5be4777f73.exe	81
PID 4960 wrote to memory of 1896	4960	32b5414915a336891ee9295c18f5294955679049b50c7352076d0f5be4777f73.exe	81
PID 4960 wrote to memory of 1896	4960	32b5414915a336891ee9295c18f5294955679049b50c7352076d0f5be4777f73.exe	81
PID 4960 wrote to memory of 1896	4960	32b5414915a336891ee9295c18f5294955679049b50c7352076d0f5be4777f73.exe	81
PID 4960 wrote to memory of 1896	4960	32b5414915a336891ee9295c18f5294955679049b50c7352076d0f5be4777f73.exe	81
PID 4960 wrote to memory of 1896	4960	32b5414915a336891ee9295c18f5294955679049b50c7352076d0f5be4777f73.exe	81
PID 4960 wrote to memory of 1896	4960	32b5414915a336891ee9295c18f5294955679049b50c7352076d0f5be4777f73.exe	81
PID 4960 wrote to memory of 1896	4960	32b5414915a336891ee9295c18f5294955679049b50c7352076d0f5be4777f73.exe	81
PID 4960 wrote to memory of 1896	4960	32b5414915a336891ee9295c18f5294955679049b50c7352076d0f5be4777f73.exe	81
PID 1896 wrote to memory of 3444	1896	32b5414915a336891ee9295c18f5294955679049b50c7352076d0f5be4777f73.exe	82
PID 1896 wrote to memory of 3444	1896	32b5414915a336891ee9295c18f5294955679049b50c7352076d0f5be4777f73.exe	82
PID 1896 wrote to memory of 3444	1896	32b5414915a336891ee9295c18f5294955679049b50c7352076d0f5be4777f73.exe	82
PID 4704 wrote to memory of 228	4704	oobeldr.exe	86
PID 4704 wrote to memory of 228	4704	oobeldr.exe	86
PID 4704 wrote to memory of 228	4704	oobeldr.exe	86
PID 4704 wrote to memory of 3892	4704	oobeldr.exe	87
PID 4704 wrote to memory of 3892	4704	oobeldr.exe	87
PID 4704 wrote to memory of 3892	4704	oobeldr.exe	87
PID 4704 wrote to memory of 3892	4704	oobeldr.exe	87
PID 4704 wrote to memory of 3892	4704	oobeldr.exe	87
PID 4704 wrote to memory of 3892	4704	oobeldr.exe	87
PID 4704 wrote to memory of 3892	4704	oobeldr.exe	87
PID 4704 wrote to memory of 3892	4704	oobeldr.exe	87
PID 4704 wrote to memory of 3892	4704	oobeldr.exe	87
PID 3892 wrote to memory of 3260	3892	oobeldr.exe	88
PID 3892 wrote to memory of 3260	3892	oobeldr.exe	88
PID 3892 wrote to memory of 3260	3892	oobeldr.exe	88
PID 4776 wrote to memory of 2104	4776	oobeldr.exe	97
PID 4776 wrote to memory of 2104	4776	oobeldr.exe	97
PID 4776 wrote to memory of 2104	4776	oobeldr.exe	97
PID 4776 wrote to memory of 2104	4776	oobeldr.exe	97
PID 4776 wrote to memory of 2104	4776	oobeldr.exe	97
PID 4776 wrote to memory of 2104	4776	oobeldr.exe	97
PID 4776 wrote to memory of 2104	4776	oobeldr.exe	97
PID 4776 wrote to memory of 2104	4776	oobeldr.exe	97
PID 4776 wrote to memory of 2104	4776	oobeldr.exe	97

C:\Users\Admin\AppData\Local\Temp\32b5414915a336891ee9295c18f5294955679049b50c7352076d0f5be4777f73.exe
"C:\Users\Admin\AppData\Local\Temp\32b5414915a336891ee9295c18f5294955679049b50c7352076d0f5be4777f73.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4960
- C:\Users\Admin\AppData\Local\Temp\32b5414915a336891ee9295c18f5294955679049b50c7352076d0f5be4777f73.exe
  C:\Users\Admin\AppData\Local\Temp\32b5414915a336891ee9295c18f5294955679049b50c7352076d0f5be4777f73.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1896
- - C:\Windows\SysWOW64\schtasks.exe
    /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
    3⤵
    - Creates scheduled task(s)
    PID:3444

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4704
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  - Executes dropped EXE
  PID:228
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3892
- - C:\Windows\SysWOW64\schtasks.exe
    /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
    3⤵
    - Creates scheduled task(s)
    PID:3260

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4776
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  - Executes dropped EXE
  PID:2104

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
1⤵
- Executes dropped EXE
PID:4524

Network

No results found

93.184.220.29:80

322 B
7
104.80.225.205:443

322 B
7
20.189.173.10:443

322 B
7
88.221.25.154:80

322 B
7
88.221.25.154:80

322 B
7

No results found

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\oobeldr.exe.log

Filesize
789B

MD5
03d2df1e8834bc4ec1756735429b458c

SHA1
4ee6c0f5b04c8e0c5076219c5724032daab11d40

SHA256
745ab70552d9a0463b791fd8dc1942838ac3e34fb1a68f09ed3766c7e3b05631

SHA512
2482c3d4478125ccbc7f224f50e86b7bf925ed438b59f4dce57b9b6bcdb59df51417049096b131b6b911173550eed98bc92aba7050861de303a692f0681b197b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
329KB

MD5
cab8d3eeab7441e95dc7e219c5840fe8

SHA1
a2324e91510d94b42d6b019099a7ac63a098763a

SHA256
32b5414915a336891ee9295c18f5294955679049b50c7352076d0f5be4777f73

SHA512
8ef359ef72c64f163347138df4e7b85cc01d6c83b7c6fe93e0a7f5d2158b631324757868ab6eb381a9701c15d13e8e3647e9ec673ed188d7a0b7d11c30bfec4a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
329KB

MD5
cab8d3eeab7441e95dc7e219c5840fe8

SHA1
a2324e91510d94b42d6b019099a7ac63a098763a

SHA256
32b5414915a336891ee9295c18f5294955679049b50c7352076d0f5be4777f73

SHA512
8ef359ef72c64f163347138df4e7b85cc01d6c83b7c6fe93e0a7f5d2158b631324757868ab6eb381a9701c15d13e8e3647e9ec673ed188d7a0b7d11c30bfec4a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
329KB

MD5
cab8d3eeab7441e95dc7e219c5840fe8

SHA1
a2324e91510d94b42d6b019099a7ac63a098763a

SHA256
32b5414915a336891ee9295c18f5294955679049b50c7352076d0f5be4777f73

SHA512
8ef359ef72c64f163347138df4e7b85cc01d6c83b7c6fe93e0a7f5d2158b631324757868ab6eb381a9701c15d13e8e3647e9ec673ed188d7a0b7d11c30bfec4a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
329KB

MD5
cab8d3eeab7441e95dc7e219c5840fe8

SHA1
a2324e91510d94b42d6b019099a7ac63a098763a

SHA256
32b5414915a336891ee9295c18f5294955679049b50c7352076d0f5be4777f73

SHA512
8ef359ef72c64f163347138df4e7b85cc01d6c83b7c6fe93e0a7f5d2158b631324757868ab6eb381a9701c15d13e8e3647e9ec673ed188d7a0b7d11c30bfec4a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
329KB

MD5
cab8d3eeab7441e95dc7e219c5840fe8

SHA1
a2324e91510d94b42d6b019099a7ac63a098763a

SHA256
32b5414915a336891ee9295c18f5294955679049b50c7352076d0f5be4777f73

SHA512
8ef359ef72c64f163347138df4e7b85cc01d6c83b7c6fe93e0a7f5d2158b631324757868ab6eb381a9701c15d13e8e3647e9ec673ed188d7a0b7d11c30bfec4a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
329KB

MD5
cab8d3eeab7441e95dc7e219c5840fe8

SHA1
a2324e91510d94b42d6b019099a7ac63a098763a

SHA256
32b5414915a336891ee9295c18f5294955679049b50c7352076d0f5be4777f73

SHA512
8ef359ef72c64f163347138df4e7b85cc01d6c83b7c6fe93e0a7f5d2158b631324757868ab6eb381a9701c15d13e8e3647e9ec673ed188d7a0b7d11c30bfec4a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
329KB

MD5
cab8d3eeab7441e95dc7e219c5840fe8

SHA1
a2324e91510d94b42d6b019099a7ac63a098763a

SHA256
32b5414915a336891ee9295c18f5294955679049b50c7352076d0f5be4777f73

SHA512
8ef359ef72c64f163347138df4e7b85cc01d6c83b7c6fe93e0a7f5d2158b631324757868ab6eb381a9701c15d13e8e3647e9ec673ed188d7a0b7d11c30bfec4a

Download Submit
memory/1896-142-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1896-140-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1896-138-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/4960-132-0x0000000000730000-0x0000000000786000-memory.dmp

Filesize
344KB

Download
memory/4960-136-0x0000000005390000-0x00000000053AE000-memory.dmp

Filesize
120KB

Download
memory/4960-135-0x0000000008450000-0x00000000084C6000-memory.dmp

Filesize
472KB

Download
memory/4960-134-0x00000000076F0000-0x0000000007782000-memory.dmp

Filesize
584KB

Download
memory/4960-133-0x0000000007CA0000-0x0000000008244000-memory.dmp

Filesize
5.6MB

Download