0ff9371f8be8bbb39dd2c9c58934e75e3ad77a307701259fa3bc3f24a64ec06c

Analysis

max time kernel
128s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
03/02/2023, 08:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0ff9371f8be8bbb39dd2c9c58934e75e3ad77a307701259fa3bc3f24a64ec06c.exe
Size

329KB
MD5

f5b6953a902d738b472f94ea2de9d7d4
SHA1

258948ec1f768ab9d4a7595eec89cf5dc7b84687
SHA256

0ff9371f8be8bbb39dd2c9c58934e75e3ad77a307701259fa3bc3f24a64ec06c
SHA512

0d6b745d957f020b816ab2bf74010c141bdbcf03f31ed65cf9fa6ab5b9328f08c2050f424e83cf42089b936024c195bb213abcbd946e4bca1e5e42d25bbd4ecc
SSDEEP

6144:eKlzr1sYCzek2ciDaP9Xk6Ln1W8W/9InBSkZZmLdGcAdgdY6RKpjS:eGhQ2ciDq9ZL1W8q9InBRqELdolRKpj

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
4800	oobeldr.exe
4264	oobeldr.exe
4668	oobeldr.exe
904	oobeldr.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1020 set thread context of 2224	1020	0ff9371f8be8bbb39dd2c9c58934e75e3ad77a307701259fa3bc3f24a64ec06c.exe	82
PID 4800 set thread context of 4264	4800	oobeldr.exe	93
PID 4668 set thread context of 904	4668	oobeldr.exe	97

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4832	schtasks.exe
5068	schtasks.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 1020 wrote to memory of 2224	1020	0ff9371f8be8bbb39dd2c9c58934e75e3ad77a307701259fa3bc3f24a64ec06c.exe	82
PID 1020 wrote to memory of 2224	1020	0ff9371f8be8bbb39dd2c9c58934e75e3ad77a307701259fa3bc3f24a64ec06c.exe	82
PID 1020 wrote to memory of 2224	1020	0ff9371f8be8bbb39dd2c9c58934e75e3ad77a307701259fa3bc3f24a64ec06c.exe	82
PID 1020 wrote to memory of 2224	1020	0ff9371f8be8bbb39dd2c9c58934e75e3ad77a307701259fa3bc3f24a64ec06c.exe	82
PID 1020 wrote to memory of 2224	1020	0ff9371f8be8bbb39dd2c9c58934e75e3ad77a307701259fa3bc3f24a64ec06c.exe	82
PID 1020 wrote to memory of 2224	1020	0ff9371f8be8bbb39dd2c9c58934e75e3ad77a307701259fa3bc3f24a64ec06c.exe	82
PID 1020 wrote to memory of 2224	1020	0ff9371f8be8bbb39dd2c9c58934e75e3ad77a307701259fa3bc3f24a64ec06c.exe	82
PID 1020 wrote to memory of 2224	1020	0ff9371f8be8bbb39dd2c9c58934e75e3ad77a307701259fa3bc3f24a64ec06c.exe	82
PID 1020 wrote to memory of 2224	1020	0ff9371f8be8bbb39dd2c9c58934e75e3ad77a307701259fa3bc3f24a64ec06c.exe	82
PID 2224 wrote to memory of 4832	2224	0ff9371f8be8bbb39dd2c9c58934e75e3ad77a307701259fa3bc3f24a64ec06c.exe	83
PID 2224 wrote to memory of 4832	2224	0ff9371f8be8bbb39dd2c9c58934e75e3ad77a307701259fa3bc3f24a64ec06c.exe	83
PID 2224 wrote to memory of 4832	2224	0ff9371f8be8bbb39dd2c9c58934e75e3ad77a307701259fa3bc3f24a64ec06c.exe	83
PID 4800 wrote to memory of 4264	4800	oobeldr.exe	93
PID 4800 wrote to memory of 4264	4800	oobeldr.exe	93
PID 4800 wrote to memory of 4264	4800	oobeldr.exe	93
PID 4800 wrote to memory of 4264	4800	oobeldr.exe	93
PID 4800 wrote to memory of 4264	4800	oobeldr.exe	93
PID 4800 wrote to memory of 4264	4800	oobeldr.exe	93
PID 4800 wrote to memory of 4264	4800	oobeldr.exe	93
PID 4800 wrote to memory of 4264	4800	oobeldr.exe	93
PID 4800 wrote to memory of 4264	4800	oobeldr.exe	93
PID 4264 wrote to memory of 5068	4264	oobeldr.exe	94
PID 4264 wrote to memory of 5068	4264	oobeldr.exe	94
PID 4264 wrote to memory of 5068	4264	oobeldr.exe	94
PID 4668 wrote to memory of 904	4668	oobeldr.exe	97
PID 4668 wrote to memory of 904	4668	oobeldr.exe	97
PID 4668 wrote to memory of 904	4668	oobeldr.exe	97
PID 4668 wrote to memory of 904	4668	oobeldr.exe	97
PID 4668 wrote to memory of 904	4668	oobeldr.exe	97
PID 4668 wrote to memory of 904	4668	oobeldr.exe	97
PID 4668 wrote to memory of 904	4668	oobeldr.exe	97
PID 4668 wrote to memory of 904	4668	oobeldr.exe	97
PID 4668 wrote to memory of 904	4668	oobeldr.exe	97

C:\Users\Admin\AppData\Local\Temp\0ff9371f8be8bbb39dd2c9c58934e75e3ad77a307701259fa3bc3f24a64ec06c.exe
"C:\Users\Admin\AppData\Local\Temp\0ff9371f8be8bbb39dd2c9c58934e75e3ad77a307701259fa3bc3f24a64ec06c.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1020
- C:\Users\Admin\AppData\Local\Temp\0ff9371f8be8bbb39dd2c9c58934e75e3ad77a307701259fa3bc3f24a64ec06c.exe
  C:\Users\Admin\AppData\Local\Temp\0ff9371f8be8bbb39dd2c9c58934e75e3ad77a307701259fa3bc3f24a64ec06c.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2224
- - C:\Windows\SysWOW64\schtasks.exe
    /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
    3⤵
    - Creates scheduled task(s)
    PID:4832

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4800
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4264
- - C:\Windows\SysWOW64\schtasks.exe
    /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
    3⤵
    - Creates scheduled task(s)
    PID:5068

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4668
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  - Executes dropped EXE
  PID:904

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\oobeldr.exe.log

Filesize
789B

MD5
03d2df1e8834bc4ec1756735429b458c

SHA1
4ee6c0f5b04c8e0c5076219c5724032daab11d40

SHA256
745ab70552d9a0463b791fd8dc1942838ac3e34fb1a68f09ed3766c7e3b05631

SHA512
2482c3d4478125ccbc7f224f50e86b7bf925ed438b59f4dce57b9b6bcdb59df51417049096b131b6b911173550eed98bc92aba7050861de303a692f0681b197b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
329KB

MD5
f5b6953a902d738b472f94ea2de9d7d4

SHA1
258948ec1f768ab9d4a7595eec89cf5dc7b84687

SHA256
0ff9371f8be8bbb39dd2c9c58934e75e3ad77a307701259fa3bc3f24a64ec06c

SHA512
0d6b745d957f020b816ab2bf74010c141bdbcf03f31ed65cf9fa6ab5b9328f08c2050f424e83cf42089b936024c195bb213abcbd946e4bca1e5e42d25bbd4ecc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
329KB

MD5
f5b6953a902d738b472f94ea2de9d7d4

SHA1
258948ec1f768ab9d4a7595eec89cf5dc7b84687

SHA256
0ff9371f8be8bbb39dd2c9c58934e75e3ad77a307701259fa3bc3f24a64ec06c

SHA512
0d6b745d957f020b816ab2bf74010c141bdbcf03f31ed65cf9fa6ab5b9328f08c2050f424e83cf42089b936024c195bb213abcbd946e4bca1e5e42d25bbd4ecc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
329KB

MD5
f5b6953a902d738b472f94ea2de9d7d4

SHA1
258948ec1f768ab9d4a7595eec89cf5dc7b84687

SHA256
0ff9371f8be8bbb39dd2c9c58934e75e3ad77a307701259fa3bc3f24a64ec06c

SHA512
0d6b745d957f020b816ab2bf74010c141bdbcf03f31ed65cf9fa6ab5b9328f08c2050f424e83cf42089b936024c195bb213abcbd946e4bca1e5e42d25bbd4ecc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
329KB

MD5
f5b6953a902d738b472f94ea2de9d7d4

SHA1
258948ec1f768ab9d4a7595eec89cf5dc7b84687

SHA256
0ff9371f8be8bbb39dd2c9c58934e75e3ad77a307701259fa3bc3f24a64ec06c

SHA512
0d6b745d957f020b816ab2bf74010c141bdbcf03f31ed65cf9fa6ab5b9328f08c2050f424e83cf42089b936024c195bb213abcbd946e4bca1e5e42d25bbd4ecc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
329KB

MD5
f5b6953a902d738b472f94ea2de9d7d4

SHA1
258948ec1f768ab9d4a7595eec89cf5dc7b84687

SHA256
0ff9371f8be8bbb39dd2c9c58934e75e3ad77a307701259fa3bc3f24a64ec06c

SHA512
0d6b745d957f020b816ab2bf74010c141bdbcf03f31ed65cf9fa6ab5b9328f08c2050f424e83cf42089b936024c195bb213abcbd946e4bca1e5e42d25bbd4ecc

Download Submit
memory/1020-136-0x0000000007770000-0x000000000778E000-memory.dmp

Filesize
120KB

Download
memory/1020-132-0x00000000007E0000-0x0000000000836000-memory.dmp

Filesize
344KB

Download
memory/1020-135-0x0000000007A50000-0x0000000007AC6000-memory.dmp

Filesize
472KB

Download
memory/1020-134-0x00000000077B0000-0x0000000007842000-memory.dmp

Filesize
584KB

Download
memory/1020-133-0x0000000007CC0000-0x0000000008264000-memory.dmp

Filesize
5.6MB

Download
memory/2224-140-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2224-142-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2224-138-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads