5552a8ba01f05afedee41ac9db2cab577f462897f973605a2fbb9d4ad9d83569

Analysis

max time kernel
151s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
03-02-2023 08:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5552a8ba01f05afedee41ac9db2cab577f462897f973605a2fbb9d4ad9d83569.exe
Size

329KB
MD5

98421c995f80a838d461351675c9c7ff
SHA1

b213a8837ac1d6ee75f0d7a5a13d6dea0ef9d35b
SHA256

5552a8ba01f05afedee41ac9db2cab577f462897f973605a2fbb9d4ad9d83569
SHA512

6128a15cdc4c55d29132e0d2b5b4948bca18b808080faf16a00f8a0f56f8ee38c9eac42bb26d0e16a3d9177b34f824c1fd93103031e48f26aef4976a014c180f
SSDEEP

6144:eKlzr1sYCzek2ciDaP9Xk6Ln1W8W/9InBSkZZmLdGcAdgdY6RKpjS:eGhQ2ciDq9ZL1W8q9InBRqELdolRKpj

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
208	oobeldr.exe
860	oobeldr.exe
1204	oobeldr.exe
3088	oobeldr.exe
1364	oobeldr.exe
3068	oobeldr.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2920 set thread context of 728	2920	5552a8ba01f05afedee41ac9db2cab577f462897f973605a2fbb9d4ad9d83569.exe	81
PID 208 set thread context of 860	208	oobeldr.exe	85
PID 1204 set thread context of 3088	1204	oobeldr.exe	96
PID 1364 set thread context of 3068	1364	oobeldr.exe	98

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4932	schtasks.exe
1916	schtasks.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2920 wrote to memory of 728	2920	5552a8ba01f05afedee41ac9db2cab577f462897f973605a2fbb9d4ad9d83569.exe	81
PID 2920 wrote to memory of 728	2920	5552a8ba01f05afedee41ac9db2cab577f462897f973605a2fbb9d4ad9d83569.exe	81
PID 2920 wrote to memory of 728	2920	5552a8ba01f05afedee41ac9db2cab577f462897f973605a2fbb9d4ad9d83569.exe	81
PID 2920 wrote to memory of 728	2920	5552a8ba01f05afedee41ac9db2cab577f462897f973605a2fbb9d4ad9d83569.exe	81
PID 2920 wrote to memory of 728	2920	5552a8ba01f05afedee41ac9db2cab577f462897f973605a2fbb9d4ad9d83569.exe	81
PID 2920 wrote to memory of 728	2920	5552a8ba01f05afedee41ac9db2cab577f462897f973605a2fbb9d4ad9d83569.exe	81
PID 2920 wrote to memory of 728	2920	5552a8ba01f05afedee41ac9db2cab577f462897f973605a2fbb9d4ad9d83569.exe	81
PID 2920 wrote to memory of 728	2920	5552a8ba01f05afedee41ac9db2cab577f462897f973605a2fbb9d4ad9d83569.exe	81
PID 2920 wrote to memory of 728	2920	5552a8ba01f05afedee41ac9db2cab577f462897f973605a2fbb9d4ad9d83569.exe	81
PID 728 wrote to memory of 4932	728	5552a8ba01f05afedee41ac9db2cab577f462897f973605a2fbb9d4ad9d83569.exe	82
PID 728 wrote to memory of 4932	728	5552a8ba01f05afedee41ac9db2cab577f462897f973605a2fbb9d4ad9d83569.exe	82
PID 728 wrote to memory of 4932	728	5552a8ba01f05afedee41ac9db2cab577f462897f973605a2fbb9d4ad9d83569.exe	82
PID 208 wrote to memory of 860	208	oobeldr.exe	85
PID 208 wrote to memory of 860	208	oobeldr.exe	85
PID 208 wrote to memory of 860	208	oobeldr.exe	85
PID 208 wrote to memory of 860	208	oobeldr.exe	85
PID 208 wrote to memory of 860	208	oobeldr.exe	85
PID 208 wrote to memory of 860	208	oobeldr.exe	85
PID 208 wrote to memory of 860	208	oobeldr.exe	85
PID 208 wrote to memory of 860	208	oobeldr.exe	85
PID 208 wrote to memory of 860	208	oobeldr.exe	85
PID 860 wrote to memory of 1916	860	oobeldr.exe	87
PID 860 wrote to memory of 1916	860	oobeldr.exe	87
PID 860 wrote to memory of 1916	860	oobeldr.exe	87
PID 1204 wrote to memory of 3088	1204	oobeldr.exe	96
PID 1204 wrote to memory of 3088	1204	oobeldr.exe	96
PID 1204 wrote to memory of 3088	1204	oobeldr.exe	96
PID 1204 wrote to memory of 3088	1204	oobeldr.exe	96
PID 1204 wrote to memory of 3088	1204	oobeldr.exe	96
PID 1204 wrote to memory of 3088	1204	oobeldr.exe	96
PID 1204 wrote to memory of 3088	1204	oobeldr.exe	96
PID 1204 wrote to memory of 3088	1204	oobeldr.exe	96
PID 1204 wrote to memory of 3088	1204	oobeldr.exe	96
PID 1364 wrote to memory of 3068	1364	oobeldr.exe	98
PID 1364 wrote to memory of 3068	1364	oobeldr.exe	98
PID 1364 wrote to memory of 3068	1364	oobeldr.exe	98
PID 1364 wrote to memory of 3068	1364	oobeldr.exe	98
PID 1364 wrote to memory of 3068	1364	oobeldr.exe	98
PID 1364 wrote to memory of 3068	1364	oobeldr.exe	98
PID 1364 wrote to memory of 3068	1364	oobeldr.exe	98
PID 1364 wrote to memory of 3068	1364	oobeldr.exe	98
PID 1364 wrote to memory of 3068	1364	oobeldr.exe	98

C:\Users\Admin\AppData\Local\Temp\5552a8ba01f05afedee41ac9db2cab577f462897f973605a2fbb9d4ad9d83569.exe
"C:\Users\Admin\AppData\Local\Temp\5552a8ba01f05afedee41ac9db2cab577f462897f973605a2fbb9d4ad9d83569.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2920
- C:\Users\Admin\AppData\Local\Temp\5552a8ba01f05afedee41ac9db2cab577f462897f973605a2fbb9d4ad9d83569.exe
  C:\Users\Admin\AppData\Local\Temp\5552a8ba01f05afedee41ac9db2cab577f462897f973605a2fbb9d4ad9d83569.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:728
- - C:\Windows\SysWOW64\schtasks.exe
    /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
    3⤵
    - Creates scheduled task(s)
    PID:4932

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:208
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:860
- - C:\Windows\SysWOW64\schtasks.exe
    /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
    3⤵
    - Creates scheduled task(s)
    PID:1916

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1204
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  - Executes dropped EXE
  PID:3088

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1364
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  - Executes dropped EXE
  PID:3068

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\oobeldr.exe.log

Filesize
789B

MD5
03d2df1e8834bc4ec1756735429b458c

SHA1
4ee6c0f5b04c8e0c5076219c5724032daab11d40

SHA256
745ab70552d9a0463b791fd8dc1942838ac3e34fb1a68f09ed3766c7e3b05631

SHA512
2482c3d4478125ccbc7f224f50e86b7bf925ed438b59f4dce57b9b6bcdb59df51417049096b131b6b911173550eed98bc92aba7050861de303a692f0681b197b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
329KB

MD5
98421c995f80a838d461351675c9c7ff

SHA1
b213a8837ac1d6ee75f0d7a5a13d6dea0ef9d35b

SHA256
5552a8ba01f05afedee41ac9db2cab577f462897f973605a2fbb9d4ad9d83569

SHA512
6128a15cdc4c55d29132e0d2b5b4948bca18b808080faf16a00f8a0f56f8ee38c9eac42bb26d0e16a3d9177b34f824c1fd93103031e48f26aef4976a014c180f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
329KB

MD5
98421c995f80a838d461351675c9c7ff

SHA1
b213a8837ac1d6ee75f0d7a5a13d6dea0ef9d35b

SHA256
5552a8ba01f05afedee41ac9db2cab577f462897f973605a2fbb9d4ad9d83569

SHA512
6128a15cdc4c55d29132e0d2b5b4948bca18b808080faf16a00f8a0f56f8ee38c9eac42bb26d0e16a3d9177b34f824c1fd93103031e48f26aef4976a014c180f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
329KB

MD5
98421c995f80a838d461351675c9c7ff

SHA1
b213a8837ac1d6ee75f0d7a5a13d6dea0ef9d35b

SHA256
5552a8ba01f05afedee41ac9db2cab577f462897f973605a2fbb9d4ad9d83569

SHA512
6128a15cdc4c55d29132e0d2b5b4948bca18b808080faf16a00f8a0f56f8ee38c9eac42bb26d0e16a3d9177b34f824c1fd93103031e48f26aef4976a014c180f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
329KB

MD5
98421c995f80a838d461351675c9c7ff

SHA1
b213a8837ac1d6ee75f0d7a5a13d6dea0ef9d35b

SHA256
5552a8ba01f05afedee41ac9db2cab577f462897f973605a2fbb9d4ad9d83569

SHA512
6128a15cdc4c55d29132e0d2b5b4948bca18b808080faf16a00f8a0f56f8ee38c9eac42bb26d0e16a3d9177b34f824c1fd93103031e48f26aef4976a014c180f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
329KB

MD5
98421c995f80a838d461351675c9c7ff

SHA1
b213a8837ac1d6ee75f0d7a5a13d6dea0ef9d35b

SHA256
5552a8ba01f05afedee41ac9db2cab577f462897f973605a2fbb9d4ad9d83569

SHA512
6128a15cdc4c55d29132e0d2b5b4948bca18b808080faf16a00f8a0f56f8ee38c9eac42bb26d0e16a3d9177b34f824c1fd93103031e48f26aef4976a014c180f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
329KB

MD5
98421c995f80a838d461351675c9c7ff

SHA1
b213a8837ac1d6ee75f0d7a5a13d6dea0ef9d35b

SHA256
5552a8ba01f05afedee41ac9db2cab577f462897f973605a2fbb9d4ad9d83569

SHA512
6128a15cdc4c55d29132e0d2b5b4948bca18b808080faf16a00f8a0f56f8ee38c9eac42bb26d0e16a3d9177b34f824c1fd93103031e48f26aef4976a014c180f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
329KB

MD5
98421c995f80a838d461351675c9c7ff

SHA1
b213a8837ac1d6ee75f0d7a5a13d6dea0ef9d35b

SHA256
5552a8ba01f05afedee41ac9db2cab577f462897f973605a2fbb9d4ad9d83569

SHA512
6128a15cdc4c55d29132e0d2b5b4948bca18b808080faf16a00f8a0f56f8ee38c9eac42bb26d0e16a3d9177b34f824c1fd93103031e48f26aef4976a014c180f

Download Submit
memory/728-138-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/728-140-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/728-142-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/728-137-0x0000000000000000-mapping.dmp

Download
memory/860-145-0x0000000000000000-mapping.dmp

Download
memory/1916-150-0x0000000000000000-mapping.dmp

Download
memory/2920-134-0x0000000007B20000-0x0000000007BB2000-memory.dmp

Filesize
584KB

Download
memory/2920-132-0x0000000000B60000-0x0000000000BB6000-memory.dmp

Filesize
344KB

Download
memory/2920-133-0x0000000008030000-0x00000000085D4000-memory.dmp

Filesize
5.6MB

Download
memory/2920-135-0x0000000007E40000-0x0000000007EB6000-memory.dmp

Filesize
472KB

Download
memory/2920-136-0x0000000007AF0000-0x0000000007B0E000-memory.dmp

Filesize
120KB

Download
memory/3068-159-0x0000000000000000-mapping.dmp

Download
memory/3088-153-0x0000000000000000-mapping.dmp

Download
memory/4932-141-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads