1fe2bbc876de2eb573bbf6eba7b80a68b7dab194ed36ea5bd9601dd31dfab9bb

Analysis

max time kernel
148s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
03/02/2023, 09:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1fe2bbc876de2eb573bbf6eba7b80a68b7dab194ed36ea5bd9601dd31dfab9bb.exe
Size

329KB
MD5

836d03b34a027c5b15ac8a93baab7409
SHA1

48f6cf5942dbd439f6a7e50fa11aa7eeece7ac58
SHA256

1fe2bbc876de2eb573bbf6eba7b80a68b7dab194ed36ea5bd9601dd31dfab9bb
SHA512

be7dc376a4ba3de47e0e712123cd9b00e5c1c49cf26faa4bc1db88e50c1737ea61ab99908246b26534782517d8859f5a2648c763c3f63971f507d54e3dc0336b
SSDEEP

6144:eKlzr1sYCzek2ciDaP9Xk6Ln1W8W/9InBSkZZmLdGcAdgdY6RKpjS:eGhQ2ciDq9ZL1W8q9InBRqELdolRKpj

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2136	oobeldr.exe
3376	oobeldr.exe
4248	oobeldr.exe
404	oobeldr.exe
3960	oobeldr.exe
1964	oobeldr.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4908 set thread context of 1316	4908	1fe2bbc876de2eb573bbf6eba7b80a68b7dab194ed36ea5bd9601dd31dfab9bb.exe	81
PID 2136 set thread context of 3376	2136	oobeldr.exe	91
PID 4248 set thread context of 404	4248	oobeldr.exe	96

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2372	404	WerFault.exe	96

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1696	schtasks.exe
256	schtasks.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
404	oobeldr.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 4908 wrote to memory of 1316	4908	1fe2bbc876de2eb573bbf6eba7b80a68b7dab194ed36ea5bd9601dd31dfab9bb.exe	81
PID 4908 wrote to memory of 1316	4908	1fe2bbc876de2eb573bbf6eba7b80a68b7dab194ed36ea5bd9601dd31dfab9bb.exe	81
PID 4908 wrote to memory of 1316	4908	1fe2bbc876de2eb573bbf6eba7b80a68b7dab194ed36ea5bd9601dd31dfab9bb.exe	81
PID 4908 wrote to memory of 1316	4908	1fe2bbc876de2eb573bbf6eba7b80a68b7dab194ed36ea5bd9601dd31dfab9bb.exe	81
PID 4908 wrote to memory of 1316	4908	1fe2bbc876de2eb573bbf6eba7b80a68b7dab194ed36ea5bd9601dd31dfab9bb.exe	81
PID 4908 wrote to memory of 1316	4908	1fe2bbc876de2eb573bbf6eba7b80a68b7dab194ed36ea5bd9601dd31dfab9bb.exe	81
PID 4908 wrote to memory of 1316	4908	1fe2bbc876de2eb573bbf6eba7b80a68b7dab194ed36ea5bd9601dd31dfab9bb.exe	81
PID 4908 wrote to memory of 1316	4908	1fe2bbc876de2eb573bbf6eba7b80a68b7dab194ed36ea5bd9601dd31dfab9bb.exe	81
PID 4908 wrote to memory of 1316	4908	1fe2bbc876de2eb573bbf6eba7b80a68b7dab194ed36ea5bd9601dd31dfab9bb.exe	81
PID 1316 wrote to memory of 1696	1316	1fe2bbc876de2eb573bbf6eba7b80a68b7dab194ed36ea5bd9601dd31dfab9bb.exe	85
PID 1316 wrote to memory of 1696	1316	1fe2bbc876de2eb573bbf6eba7b80a68b7dab194ed36ea5bd9601dd31dfab9bb.exe	85
PID 1316 wrote to memory of 1696	1316	1fe2bbc876de2eb573bbf6eba7b80a68b7dab194ed36ea5bd9601dd31dfab9bb.exe	85
PID 2136 wrote to memory of 3376	2136	oobeldr.exe	91
PID 2136 wrote to memory of 3376	2136	oobeldr.exe	91
PID 2136 wrote to memory of 3376	2136	oobeldr.exe	91
PID 2136 wrote to memory of 3376	2136	oobeldr.exe	91
PID 2136 wrote to memory of 3376	2136	oobeldr.exe	91
PID 2136 wrote to memory of 3376	2136	oobeldr.exe	91
PID 2136 wrote to memory of 3376	2136	oobeldr.exe	91
PID 2136 wrote to memory of 3376	2136	oobeldr.exe	91
PID 2136 wrote to memory of 3376	2136	oobeldr.exe	91
PID 3376 wrote to memory of 256	3376	oobeldr.exe	92
PID 3376 wrote to memory of 256	3376	oobeldr.exe	92
PID 3376 wrote to memory of 256	3376	oobeldr.exe	92
PID 4248 wrote to memory of 404	4248	oobeldr.exe	96
PID 4248 wrote to memory of 404	4248	oobeldr.exe	96
PID 4248 wrote to memory of 404	4248	oobeldr.exe	96
PID 4248 wrote to memory of 404	4248	oobeldr.exe	96
PID 4248 wrote to memory of 404	4248	oobeldr.exe	96
PID 4248 wrote to memory of 404	4248	oobeldr.exe	96
PID 4248 wrote to memory of 404	4248	oobeldr.exe	96
PID 4248 wrote to memory of 404	4248	oobeldr.exe	96
PID 4248 wrote to memory of 404	4248	oobeldr.exe	96
PID 3960 wrote to memory of 1964	3960	oobeldr.exe	101
PID 3960 wrote to memory of 1964	3960	oobeldr.exe	101
PID 3960 wrote to memory of 1964	3960	oobeldr.exe	101
PID 3960 wrote to memory of 2944	3960	oobeldr.exe	102
PID 3960 wrote to memory of 2944	3960	oobeldr.exe	102
PID 3960 wrote to memory of 2944	3960	oobeldr.exe	102

C:\Users\Admin\AppData\Local\Temp\1fe2bbc876de2eb573bbf6eba7b80a68b7dab194ed36ea5bd9601dd31dfab9bb.exe
"C:\Users\Admin\AppData\Local\Temp\1fe2bbc876de2eb573bbf6eba7b80a68b7dab194ed36ea5bd9601dd31dfab9bb.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4908
- C:\Users\Admin\AppData\Local\Temp\1fe2bbc876de2eb573bbf6eba7b80a68b7dab194ed36ea5bd9601dd31dfab9bb.exe
  C:\Users\Admin\AppData\Local\Temp\1fe2bbc876de2eb573bbf6eba7b80a68b7dab194ed36ea5bd9601dd31dfab9bb.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1316
- - C:\Windows\SysWOW64\schtasks.exe
    /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
    3⤵
    - Creates scheduled task(s)
    PID:1696

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2136
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3376
- - C:\Windows\SysWOW64\schtasks.exe
    /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
    3⤵
    - Creates scheduled task(s)
    PID:256

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4248
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:404
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 404 -s 12
    3⤵
    - Program crash
    PID:2372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 404 -ip 404
1⤵
PID:3816

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3960
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  - Executes dropped EXE
  PID:1964
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  PID:2944

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\oobeldr.exe.log

Filesize
789B

MD5
03d2df1e8834bc4ec1756735429b458c

SHA1
4ee6c0f5b04c8e0c5076219c5724032daab11d40

SHA256
745ab70552d9a0463b791fd8dc1942838ac3e34fb1a68f09ed3766c7e3b05631

SHA512
2482c3d4478125ccbc7f224f50e86b7bf925ed438b59f4dce57b9b6bcdb59df51417049096b131b6b911173550eed98bc92aba7050861de303a692f0681b197b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
329KB

MD5
836d03b34a027c5b15ac8a93baab7409

SHA1
48f6cf5942dbd439f6a7e50fa11aa7eeece7ac58

SHA256
1fe2bbc876de2eb573bbf6eba7b80a68b7dab194ed36ea5bd9601dd31dfab9bb

SHA512
be7dc376a4ba3de47e0e712123cd9b00e5c1c49cf26faa4bc1db88e50c1737ea61ab99908246b26534782517d8859f5a2648c763c3f63971f507d54e3dc0336b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
329KB

MD5
836d03b34a027c5b15ac8a93baab7409

SHA1
48f6cf5942dbd439f6a7e50fa11aa7eeece7ac58

SHA256
1fe2bbc876de2eb573bbf6eba7b80a68b7dab194ed36ea5bd9601dd31dfab9bb

SHA512
be7dc376a4ba3de47e0e712123cd9b00e5c1c49cf26faa4bc1db88e50c1737ea61ab99908246b26534782517d8859f5a2648c763c3f63971f507d54e3dc0336b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
329KB

MD5
836d03b34a027c5b15ac8a93baab7409

SHA1
48f6cf5942dbd439f6a7e50fa11aa7eeece7ac58

SHA256
1fe2bbc876de2eb573bbf6eba7b80a68b7dab194ed36ea5bd9601dd31dfab9bb

SHA512
be7dc376a4ba3de47e0e712123cd9b00e5c1c49cf26faa4bc1db88e50c1737ea61ab99908246b26534782517d8859f5a2648c763c3f63971f507d54e3dc0336b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
329KB

MD5
836d03b34a027c5b15ac8a93baab7409

SHA1
48f6cf5942dbd439f6a7e50fa11aa7eeece7ac58

SHA256
1fe2bbc876de2eb573bbf6eba7b80a68b7dab194ed36ea5bd9601dd31dfab9bb

SHA512
be7dc376a4ba3de47e0e712123cd9b00e5c1c49cf26faa4bc1db88e50c1737ea61ab99908246b26534782517d8859f5a2648c763c3f63971f507d54e3dc0336b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
329KB

MD5
836d03b34a027c5b15ac8a93baab7409

SHA1
48f6cf5942dbd439f6a7e50fa11aa7eeece7ac58

SHA256
1fe2bbc876de2eb573bbf6eba7b80a68b7dab194ed36ea5bd9601dd31dfab9bb

SHA512
be7dc376a4ba3de47e0e712123cd9b00e5c1c49cf26faa4bc1db88e50c1737ea61ab99908246b26534782517d8859f5a2648c763c3f63971f507d54e3dc0336b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
329KB

MD5
836d03b34a027c5b15ac8a93baab7409

SHA1
48f6cf5942dbd439f6a7e50fa11aa7eeece7ac58

SHA256
1fe2bbc876de2eb573bbf6eba7b80a68b7dab194ed36ea5bd9601dd31dfab9bb

SHA512
be7dc376a4ba3de47e0e712123cd9b00e5c1c49cf26faa4bc1db88e50c1737ea61ab99908246b26534782517d8859f5a2648c763c3f63971f507d54e3dc0336b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
329KB

MD5
836d03b34a027c5b15ac8a93baab7409

SHA1
48f6cf5942dbd439f6a7e50fa11aa7eeece7ac58

SHA256
1fe2bbc876de2eb573bbf6eba7b80a68b7dab194ed36ea5bd9601dd31dfab9bb

SHA512
be7dc376a4ba3de47e0e712123cd9b00e5c1c49cf26faa4bc1db88e50c1737ea61ab99908246b26534782517d8859f5a2648c763c3f63971f507d54e3dc0336b

Download Submit
memory/1316-142-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1316-140-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1316-138-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/4908-135-0x0000000007DE0000-0x0000000007E56000-memory.dmp

Filesize
472KB

Download
memory/4908-134-0x0000000007AC0000-0x0000000007B52000-memory.dmp

Filesize
584KB

Download
memory/4908-136-0x0000000007AA0000-0x0000000007ABE000-memory.dmp

Filesize
120KB

Download
memory/4908-132-0x0000000000B10000-0x0000000000B66000-memory.dmp

Filesize
344KB

Download
memory/4908-133-0x0000000007F90000-0x0000000008534000-memory.dmp

Filesize
5.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads