906d8af572facfac383ebbd05482f9f6683e1dcb0913dab7f09768e8f4e63f76

Analysis

max time kernel
147s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
03/02/2023, 12:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

906d8af572facfac383ebbd05482f9f6683e1dcb0913dab7f09768e8f4e63f76.exe
Size

329KB
MD5

9964609223dead88fd0a4cf5b652fdbe
SHA1

8a8debce9a4bfe49c57c63f640500f3c53733ef5
SHA256

906d8af572facfac383ebbd05482f9f6683e1dcb0913dab7f09768e8f4e63f76
SHA512

b51133cd9d41f0b450e0c2fd7b0a12ff45206c1f6a1be8884b2033ac9f4e8212f51dde31fb79995b002457a86db23c8f1f8423a20b08fddef2f749a017e67b98
SSDEEP

6144:eKlzr1sYCzek2ciDaP9Xk6Ln1W8W/9InBSkZZmLdGcAdgdY6RKpjS:eGhQ2ciDq9ZL1W8q9InBRqELdolRKpj

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
4320	oobeldr.exe
3960	oobeldr.exe
1204	oobeldr.exe
1484	oobeldr.exe
4880	oobeldr.exe
3872	oobeldr.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 820 set thread context of 4104	820	906d8af572facfac383ebbd05482f9f6683e1dcb0913dab7f09768e8f4e63f76.exe	81
PID 4320 set thread context of 3960	4320	oobeldr.exe	88
PID 1204 set thread context of 1484	1204	oobeldr.exe	96
PID 4880 set thread context of 3872	4880	oobeldr.exe	98

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1648	schtasks.exe
2296	schtasks.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 820 wrote to memory of 4104	820	906d8af572facfac383ebbd05482f9f6683e1dcb0913dab7f09768e8f4e63f76.exe	81
PID 820 wrote to memory of 4104	820	906d8af572facfac383ebbd05482f9f6683e1dcb0913dab7f09768e8f4e63f76.exe	81
PID 820 wrote to memory of 4104	820	906d8af572facfac383ebbd05482f9f6683e1dcb0913dab7f09768e8f4e63f76.exe	81
PID 820 wrote to memory of 4104	820	906d8af572facfac383ebbd05482f9f6683e1dcb0913dab7f09768e8f4e63f76.exe	81
PID 820 wrote to memory of 4104	820	906d8af572facfac383ebbd05482f9f6683e1dcb0913dab7f09768e8f4e63f76.exe	81
PID 820 wrote to memory of 4104	820	906d8af572facfac383ebbd05482f9f6683e1dcb0913dab7f09768e8f4e63f76.exe	81
PID 820 wrote to memory of 4104	820	906d8af572facfac383ebbd05482f9f6683e1dcb0913dab7f09768e8f4e63f76.exe	81
PID 820 wrote to memory of 4104	820	906d8af572facfac383ebbd05482f9f6683e1dcb0913dab7f09768e8f4e63f76.exe	81
PID 820 wrote to memory of 4104	820	906d8af572facfac383ebbd05482f9f6683e1dcb0913dab7f09768e8f4e63f76.exe	81
PID 4104 wrote to memory of 1648	4104	906d8af572facfac383ebbd05482f9f6683e1dcb0913dab7f09768e8f4e63f76.exe	82
PID 4104 wrote to memory of 1648	4104	906d8af572facfac383ebbd05482f9f6683e1dcb0913dab7f09768e8f4e63f76.exe	82
PID 4104 wrote to memory of 1648	4104	906d8af572facfac383ebbd05482f9f6683e1dcb0913dab7f09768e8f4e63f76.exe	82
PID 4320 wrote to memory of 3960	4320	oobeldr.exe	88
PID 4320 wrote to memory of 3960	4320	oobeldr.exe	88
PID 4320 wrote to memory of 3960	4320	oobeldr.exe	88
PID 4320 wrote to memory of 3960	4320	oobeldr.exe	88
PID 4320 wrote to memory of 3960	4320	oobeldr.exe	88
PID 4320 wrote to memory of 3960	4320	oobeldr.exe	88
PID 4320 wrote to memory of 3960	4320	oobeldr.exe	88
PID 4320 wrote to memory of 3960	4320	oobeldr.exe	88
PID 4320 wrote to memory of 3960	4320	oobeldr.exe	88
PID 3960 wrote to memory of 2296	3960	oobeldr.exe	90
PID 3960 wrote to memory of 2296	3960	oobeldr.exe	90
PID 3960 wrote to memory of 2296	3960	oobeldr.exe	90
PID 1204 wrote to memory of 1484	1204	oobeldr.exe	96
PID 1204 wrote to memory of 1484	1204	oobeldr.exe	96
PID 1204 wrote to memory of 1484	1204	oobeldr.exe	96
PID 1204 wrote to memory of 1484	1204	oobeldr.exe	96
PID 1204 wrote to memory of 1484	1204	oobeldr.exe	96
PID 1204 wrote to memory of 1484	1204	oobeldr.exe	96
PID 1204 wrote to memory of 1484	1204	oobeldr.exe	96
PID 1204 wrote to memory of 1484	1204	oobeldr.exe	96
PID 1204 wrote to memory of 1484	1204	oobeldr.exe	96
PID 4880 wrote to memory of 3872	4880	oobeldr.exe	98
PID 4880 wrote to memory of 3872	4880	oobeldr.exe	98
PID 4880 wrote to memory of 3872	4880	oobeldr.exe	98
PID 4880 wrote to memory of 3872	4880	oobeldr.exe	98
PID 4880 wrote to memory of 3872	4880	oobeldr.exe	98
PID 4880 wrote to memory of 3872	4880	oobeldr.exe	98
PID 4880 wrote to memory of 3872	4880	oobeldr.exe	98
PID 4880 wrote to memory of 3872	4880	oobeldr.exe	98
PID 4880 wrote to memory of 3872	4880	oobeldr.exe	98

C:\Users\Admin\AppData\Local\Temp\906d8af572facfac383ebbd05482f9f6683e1dcb0913dab7f09768e8f4e63f76.exe
"C:\Users\Admin\AppData\Local\Temp\906d8af572facfac383ebbd05482f9f6683e1dcb0913dab7f09768e8f4e63f76.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:820
- C:\Users\Admin\AppData\Local\Temp\906d8af572facfac383ebbd05482f9f6683e1dcb0913dab7f09768e8f4e63f76.exe
  C:\Users\Admin\AppData\Local\Temp\906d8af572facfac383ebbd05482f9f6683e1dcb0913dab7f09768e8f4e63f76.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4104
- - C:\Windows\SysWOW64\schtasks.exe
    /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
    3⤵
    - Creates scheduled task(s)
    PID:1648

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4320
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3960
- - C:\Windows\SysWOW64\schtasks.exe
    /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
    3⤵
    - Creates scheduled task(s)
    PID:2296

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1204
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  - Executes dropped EXE
  PID:1484

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4880
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  - Executes dropped EXE
  PID:3872

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\oobeldr.exe.log

Filesize
789B

MD5
03d2df1e8834bc4ec1756735429b458c

SHA1
4ee6c0f5b04c8e0c5076219c5724032daab11d40

SHA256
745ab70552d9a0463b791fd8dc1942838ac3e34fb1a68f09ed3766c7e3b05631

SHA512
2482c3d4478125ccbc7f224f50e86b7bf925ed438b59f4dce57b9b6bcdb59df51417049096b131b6b911173550eed98bc92aba7050861de303a692f0681b197b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
329KB

MD5
9964609223dead88fd0a4cf5b652fdbe

SHA1
8a8debce9a4bfe49c57c63f640500f3c53733ef5

SHA256
906d8af572facfac383ebbd05482f9f6683e1dcb0913dab7f09768e8f4e63f76

SHA512
b51133cd9d41f0b450e0c2fd7b0a12ff45206c1f6a1be8884b2033ac9f4e8212f51dde31fb79995b002457a86db23c8f1f8423a20b08fddef2f749a017e67b98

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
329KB

MD5
9964609223dead88fd0a4cf5b652fdbe

SHA1
8a8debce9a4bfe49c57c63f640500f3c53733ef5

SHA256
906d8af572facfac383ebbd05482f9f6683e1dcb0913dab7f09768e8f4e63f76

SHA512
b51133cd9d41f0b450e0c2fd7b0a12ff45206c1f6a1be8884b2033ac9f4e8212f51dde31fb79995b002457a86db23c8f1f8423a20b08fddef2f749a017e67b98

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
329KB

MD5
9964609223dead88fd0a4cf5b652fdbe

SHA1
8a8debce9a4bfe49c57c63f640500f3c53733ef5

SHA256
906d8af572facfac383ebbd05482f9f6683e1dcb0913dab7f09768e8f4e63f76

SHA512
b51133cd9d41f0b450e0c2fd7b0a12ff45206c1f6a1be8884b2033ac9f4e8212f51dde31fb79995b002457a86db23c8f1f8423a20b08fddef2f749a017e67b98

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
329KB

MD5
9964609223dead88fd0a4cf5b652fdbe

SHA1
8a8debce9a4bfe49c57c63f640500f3c53733ef5

SHA256
906d8af572facfac383ebbd05482f9f6683e1dcb0913dab7f09768e8f4e63f76

SHA512
b51133cd9d41f0b450e0c2fd7b0a12ff45206c1f6a1be8884b2033ac9f4e8212f51dde31fb79995b002457a86db23c8f1f8423a20b08fddef2f749a017e67b98

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
329KB

MD5
9964609223dead88fd0a4cf5b652fdbe

SHA1
8a8debce9a4bfe49c57c63f640500f3c53733ef5

SHA256
906d8af572facfac383ebbd05482f9f6683e1dcb0913dab7f09768e8f4e63f76

SHA512
b51133cd9d41f0b450e0c2fd7b0a12ff45206c1f6a1be8884b2033ac9f4e8212f51dde31fb79995b002457a86db23c8f1f8423a20b08fddef2f749a017e67b98

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
329KB

MD5
9964609223dead88fd0a4cf5b652fdbe

SHA1
8a8debce9a4bfe49c57c63f640500f3c53733ef5

SHA256
906d8af572facfac383ebbd05482f9f6683e1dcb0913dab7f09768e8f4e63f76

SHA512
b51133cd9d41f0b450e0c2fd7b0a12ff45206c1f6a1be8884b2033ac9f4e8212f51dde31fb79995b002457a86db23c8f1f8423a20b08fddef2f749a017e67b98

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
329KB

MD5
9964609223dead88fd0a4cf5b652fdbe

SHA1
8a8debce9a4bfe49c57c63f640500f3c53733ef5

SHA256
906d8af572facfac383ebbd05482f9f6683e1dcb0913dab7f09768e8f4e63f76

SHA512
b51133cd9d41f0b450e0c2fd7b0a12ff45206c1f6a1be8884b2033ac9f4e8212f51dde31fb79995b002457a86db23c8f1f8423a20b08fddef2f749a017e67b98

Download Submit
memory/820-134-0x0000000007A10000-0x0000000007AA2000-memory.dmp

Filesize
584KB

Download
memory/820-133-0x0000000007EE0000-0x0000000008484000-memory.dmp

Filesize
5.6MB

Download
memory/820-136-0x00000000079B0000-0x00000000079CE000-memory.dmp

Filesize
120KB

Download
memory/820-135-0x0000000007CB0000-0x0000000007D26000-memory.dmp

Filesize
472KB

Download
memory/820-132-0x0000000000B60000-0x0000000000BB6000-memory.dmp

Filesize
344KB

Download
memory/4104-142-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/4104-140-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/4104-138-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads