Analysis
max time kernel: 128s
max time network: 131s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03/02/2023, 08:57
Static task: static1
Behavioral task: behavioral1
Sample: 0ff9371f8be8bbb39dd2c9c58934e75e3ad77a307701259fa3bc3f24a64ec06c.exe
Resource: win10v2004-20221111-en
General
Target: 0ff9371f8be8bbb39dd2c9c58934e75e3ad77a307701259fa3bc3f24a64ec06c.exe
Size: 329KB
MD5: f5b6953a902d738b472f94ea2de9d7d4
SHA1: 258948ec1f768ab9d4a7595eec89cf5dc7b84687
SHA256: 0ff9371f8be8bbb39dd2c9c58934e75e3ad77a307701259fa3bc3f24a64ec06c
SHA512: 0d6b745d957f020b816ab2bf74010c141bdbcf03f31ed65cf9fa6ab5b9328f08c2050f424e83cf42089b936024c195bb213abcbd946e4bca1e5e42d25bbd4ecc
SSDEEP: 6144:eKlzr1sYCzek2ciDaP9Xk6Ln1W8W/9InBSkZZmLdGcAdgdY6RKpjS:eGhQ2ciDq9ZL1W8q9InBRqELdolRKpj
Malware Config
Signatures
- Executes dropped EXE (4 IoCs)
  pid   process
  4800  oobeldr.exe
  4264  oobeldr.exe
  4668  oobeldr.exe
  904   oobeldr.exe
- Suspicious use of SetThreadContext (3 IoCs)
  description                          pid   process                                                                  procid_target
  PID 1020 set thread context of 2224  1020  0ff9371f8be8bbb39dd2c9c58934e75e3ad77a307701259fa3bc3f24a64ec06c.exe  82
  PID 4800 set thread context of 4264  4800  oobeldr.exe                                                              93
  PID 4668 set thread context of 904   4668  oobeldr.exe                                                              97
- Creates scheduled task(s) (1 TTPs, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   process
  4832  schtasks.exe
  5068  schtasks.exe
- Suspicious use of WriteProcessMemory (33 IoCs; the report repeats identical rows, collapsed here with a count column)
  description                        pid   process                                                                  procid_target  count
  PID 1020 wrote to memory of 2224   1020  0ff9371f8be8bbb39dd2c9c58934e75e3ad77a307701259fa3bc3f24a64ec06c.exe  82             9
  PID 2224 wrote to memory of 4832   2224  0ff9371f8be8bbb39dd2c9c58934e75e3ad77a307701259fa3bc3f24a64ec06c.exe  83             3
  PID 4800 wrote to memory of 4264   4800  oobeldr.exe                                                              93             9
  PID 4264 wrote to memory of 5068   4264  oobeldr.exe                                                              94             3
  PID 4668 wrote to memory of 904    4668  oobeldr.exe                                                              97             9
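The SetThreadContext and WriteProcessMemory rows above are only meaningful when read together with the process tree: each parent spawns a second copy of its own image, writes into it, and then resets the child's thread context, which is the sequence behind process hollowing / self-injection, while the handful of writes into the schtasks.exe children have no matching SetThreadContext and look like ordinary process creation. The following script is an added example, not tria.ge's code or output; the event list and the PID-to-image and PID-to-parent maps are transcribed by hand from this report, and the function names are my own.

```python
"""Correlate SetThreadContext with WriteProcessMemory to find hollowing chains.

Added example, not part of the tria.ge report. EVENTS, IMAGES and PARENT are
transcribed from the report's signature tables and process tree.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    api: str        # "SetThreadContext" or "WriteProcessMemory"
    src_pid: int    # calling process
    dst_pid: int    # process whose memory or thread was touched


SAMPLE = "0ff9371f8be8bbb39dd2c9c58934e75e3ad77a307701259fa3bc3f24a64ec06c.exe"
LOADER = "oobeldr.exe"
TASK = "schtasks.exe"

# Image per PID and parent per PID, both read off the report's process tree.
IMAGES = {1020: SAMPLE, 2224: SAMPLE, 4832: TASK,
          4800: LOADER, 4264: LOADER, 5068: TASK,
          4668: LOADER, 904: LOADER}
PARENT = {2224: 1020, 4832: 2224, 4264: 4800, 5068: 4264, 904: 4668}

# Row counts match the report: 3 SetThreadContext rows, 33 WriteProcessMemory rows.
EVENTS = (
    [Event("SetThreadContext", 1020, 2224),
     Event("SetThreadContext", 4800, 4264),
     Event("SetThreadContext", 4668, 904)]
    + [Event("WriteProcessMemory", 1020, 2224)] * 9
    + [Event("WriteProcessMemory", 2224, 4832)] * 3
    + [Event("WriteProcessMemory", 4800, 4264)] * 9
    + [Event("WriteProcessMemory", 4264, 5068)] * 3
    + [Event("WriteProcessMemory", 4668, 904)] * 9
)


def find_hollowing_chains(events, images, parent):
    """Return (src_pid, dst_pid, image, write_count) for every SetThreadContext
    whose target is a direct child of the caller, runs the caller's own image
    and was also written to by the caller. Writes without a later context
    reset (e.g. into the schtasks.exe children) are deliberately not flagged."""
    writes = Counter((e.src_pid, e.dst_pid)
                     for e in events if e.api == "WriteProcessMemory")
    chains = []
    for e in events:
        if e.api != "SetThreadContext":
            continue
        n = writes.get((e.src_pid, e.dst_pid), 0)
        is_child = parent.get(e.dst_pid) == e.src_pid
        same_image = images.get(e.src_pid) == images.get(e.dst_pid)
        if n and is_child and same_image:
            chains.append((e.src_pid, e.dst_pid, images[e.dst_pid], n))
    return chains


def children_of_injected(chains, images, parent):
    """Processes started by a hollowed child. Once a process has been written
    to and had its thread context replaced, its on-disk image no longer tells
    you what code issued the CreateProcess call."""
    injected = {dst for _, dst, _, _ in chains}
    return sorted((p, pid, images[pid])
                  for pid, p in parent.items() if p in injected)


if __name__ == "__main__":
    chains = find_hollowing_chains(EVENTS, IMAGES, PARENT)
    for src, dst, image, n in chains:
        print(f"{src} -> {dst} ({image}): {n} writes, then SetThreadContext")
    for p, pid, image in children_of_injected(chains, IMAGES, PARENT):
        print(f"  hollowed {p} spawned {pid} {image}")
```

Run against the report's data this yields three chains (1020 to 2224, 4800 to 4264, 4668 to 904) and shows that both schtasks.exe launches come from the hollowed second-stage processes, not from the on-disk loader directly. The same correlation works on live telemetry if you replace EVENTS with Sysmon Event ID 8/10 or an EDR's API-trace feed.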
Processes
- C:\Users\Admin\AppData\Local\Temp\0ff9371f8be8bbb39dd2c9c58934e75e3ad77a307701259fa3bc3f24a64ec06c.exe (PID 1020)
  command line: "C:\Users\Admin\AppData\Local\Temp\0ff9371f8be8bbb39dd2c9c58934e75e3ad77a307701259fa3bc3f24a64ec06c.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\0ff9371f8be8bbb39dd2c9c58934e75e3ad77a307701259fa3bc3f24a64ec06c.exe (PID 2224, child of 1020)
    command line: C:\Users\Admin\AppData\Local\Temp\0ff9371f8be8bbb39dd2c9c58934e75e3ad77a307701259fa3bc3f24a64ec06c.exe
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe (PID 4832, child of 2224)
      command line: /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
      - Creates scheduled task(s)
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe (PID 4800)
  command line: C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe (PID 4264, child of 4800)
    command line: C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe (PID 5068, child of 4264)
      command line: /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
      - Creates scheduled task(s)
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe (PID 4668)
  command line: C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe (PID 904, child of 4668)
    command line: C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    - Executes dropped EXE
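The persistence in this tree is a single schtasks.exe invocation, and its arguments carry the whole story: a task re-armed every minute (/sc minute /mo 1), forced over any existing task of the same name (/F), with an innocuous display name and a /tr target under the user's roaming AppData. The script below is an added example, not part of the tria.ge report: it parses schtasks command lines from process-creation telemetry and flags this combination. The first sample command line is the one from the tree above; the second, benign one is constructed for contrast, and the function names and thresholds are my own.

```python
"""Triage schtasks.exe command lines for persistence indicators.

Added example, not part of the tria.ge report. REPORT_CMDLINE is the exact
command line from the report's process tree; BENIGN_CMDLINE is constructed.
"""
import re

# Directories a standard user can write to; a task whose /tr lives here
# was almost certainly not installed by an administrator or an installer.
SUSPICIOUS_DIRS = (
    "\\appdata\\roaming\\",
    "\\appdata\\local\\temp\\",
    "\\programdata\\",
    "\\users\\public\\",
)

UNIT_SECONDS = {"minute": 60, "hourly": 3600, "daily": 86400}

REPORT_CMDLINE = (
    r'C:\Windows\SysWOW64\schtasks.exe /C /create /F /sc minute /mo 1 '
    r'/tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"'
)
BENIGN_CMDLINE = (  # constructed for contrast
    r'C:\Windows\System32\schtasks.exe /create /sc daily /st 03:00 '
    r'/tn "Backup" /tr "C:\Program Files\Backup\backup.exe"'
)


def parse_schtasks(cmdline):
    """Split a schtasks command line into a {flag: value} dict.

    Flags are lower-cased without the leading slash; a flag followed by
    another flag (or nothing) maps to True. Quoted values are kept whole."""
    tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]
    args = {}
    i = 1  # tokens[0] is the executable path
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("/"):
            key = tok[1:].lower()
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
                args[key] = tokens[i + 1]
                i += 2
            else:
                args[key] = True
                i += 1
        else:
            i += 1
    return args


def interval_seconds(args):
    """Repeat interval implied by /sc and /mo, or None if not a repeating schedule."""
    sc = str(args.get("sc", "")).lower()
    if sc not in UNIT_SECONDS:
        return None
    mo = args.get("mo", "1")
    if not isinstance(mo, str) or not mo.isdigit():
        return None
    return int(mo) * UNIT_SECONDS[sc]


def assess(cmdline, max_benign_interval=300):
    """Return (parsed args, list of reasons the task looks like malware persistence)."""
    args = parse_schtasks(cmdline)
    reasons = []
    if not args.get("create"):
        return args, reasons
    tr = str(args.get("tr", "")).lower()
    if any(d in tr for d in SUSPICIOUS_DIRS):
        reasons.append("task binary lives in a user-writable directory: " + tr)
    secs = interval_seconds(args)
    if secs is not None and secs <= max_benign_interval:
        reasons.append(f"re-runs every {secs}s (/sc {args['sc']} /mo {args.get('mo', '1')})")
    if args.get("f"):
        reasons.append("/F silently replaces any existing task with this name")
    return args, reasons


if __name__ == "__main__":
    for line in (REPORT_CMDLINE, BENIGN_CMDLINE):
        args, reasons = assess(line)
        print(args.get("tn"), "->", reasons or "no indicators")
```

Against the report's command line this returns three reasons (AppData target, 60-second interval, /F); the constructed daily backup task returns none. The task name is the weakest of the three signals, since the operator chooses it freely, so hunt on the /tr path and interval first. On a suspect host the same task can be confirmed with `schtasks /query /tn "Telemetry Logging" /v /fo LIST`.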
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 789B
  MD5: 03d2df1e8834bc4ec1756735429b458c
  SHA1: 4ee6c0f5b04c8e0c5076219c5724032daab11d40
  SHA256: 745ab70552d9a0463b791fd8dc1942838ac3e34fb1a68f09ed3766c7e3b05631
  SHA512: 2482c3d4478125ccbc7f224f50e86b7bf925ed438b59f4dce57b9b6bcdb59df51417049096b131b6b911173550eed98bc92aba7050861de303a692f0681b197b
- Filesize: 329KB (this entry is listed five times in the report with identical hashes; they are the hashes of the submitted sample)
  MD5: f5b6953a902d738b472f94ea2de9d7d4
  SHA1: 258948ec1f768ab9d4a7595eec89cf5dc7b84687
  SHA256: 0ff9371f8be8bbb39dd2c9c58934e75e3ad77a307701259fa3bc3f24a64ec06c
  SHA512: 0d6b745d957f020b816ab2bf74010c141bdbcf03f31ed65cf9fa6ab5b9328f08c2050f424e83cf42089b936024c195bb213abcbd946e4bca1e5e42d25bbd4ecc