Analysis
max time kernel: 239s
max time network: 180s
platform: windows10-1703_x64
resource: win10-20220812-en
resource tags: arch:x64, arch:x86, image:win10-20220812-en, locale:en-us, os:windows10-1703-x64, system
submitted: 05/02/2023, 22:17
Static task: static1
Behavioral task: behavioral1
  Sample: 556200dcfe72c4d0565bebccb09460f894eef54959ab607cbc0e2b55531c7a31.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: 556200dcfe72c4d0565bebccb09460f894eef54959ab607cbc0e2b55531c7a31.exe
  Resource: win10-20220812-en
General
Target: 556200dcfe72c4d0565bebccb09460f894eef54959ab607cbc0e2b55531c7a31.exe
Size: 1.2MB
MD5: c2e1f7053399c7ef6794899229759d45
SHA1: 8966b43643502130633fcac26eec77bd6597643f
SHA256: 556200dcfe72c4d0565bebccb09460f894eef54959ab607cbc0e2b55531c7a31
SHA512: f0642da957342fcf0cb868efdd5fe53c20bccca5eee04a54e25a1da9acf843ceadc78fa053414c816f02585faae18a6603868dc4594d118dca4129b997f0f047
SSDEEP: 12288:3FpiynWz6ktHUB7lceAvgDl+t4EUSIr0eaBiqXLtb3viAYf1w:3F05iZ
Malware Config
Signatures
Executes dropped EXE (9 IoCs)
  PID   Process
  3208  oobeldr.exe
  3832  oobeldr.exe
  4212  oobeldr.exe
  1056  oobeldr.exe
  1568  oobeldr.exe
  2152  oobeldr.exe
  4952  oobeldr.exe
  2840  oobeldr.exe
  3580  oobeldr.exe

Suspicious use of SetThreadContext (5 IoCs)
  PID   Process                                                                   Target PID  procid_target
  1524  556200dcfe72c4d0565bebccb09460f894eef54959ab607cbc0e2b55531c7a31.exe     4264        66
  3208  oobeldr.exe                                                               3832        70
  4212  oobeldr.exe                                                               1056        74
  1568  oobeldr.exe                                                               2152        76
  4952  oobeldr.exe                                                               3580        79

Creates scheduled task(s) (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID   Process
  3660  schtasks.exe
  4244  schtasks.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID   Process
  4952  oobeldr.exe
  4952  oobeldr.exe

Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Token             PID   Process
  SeDebugPrivilege  1524  556200dcfe72c4d0565bebccb09460f894eef54959ab607cbc0e2b55531c7a31.exe
  SeDebugPrivilege  3208  oobeldr.exe
  SeDebugPrivilege  4212  oobeldr.exe
  SeDebugPrivilege  1568  oobeldr.exe
  SeDebugPrivilege  4952  oobeldr.exe

Suspicious use of WriteProcessMemory (49 IoCs; identical rows collapsed, count in the last column)
  PID   Process                                                                   Target PID  procid_target  Writes
  1524  556200dcfe72c4d0565bebccb09460f894eef54959ab607cbc0e2b55531c7a31.exe     4264        66             8
  4264  556200dcfe72c4d0565bebccb09460f894eef54959ab607cbc0e2b55531c7a31.exe     3660        67             3
  3208  oobeldr.exe                                                               3832        70             8
  3832  oobeldr.exe                                                               4244        71             3
  4212  oobeldr.exe                                                               1056        74             8
  1568  oobeldr.exe                                                               2152        76             8
  4952  oobeldr.exe                                                               2840        78             3
  4952  oobeldr.exe                                                               3580        79             8
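Read together with the process tree, the SetThreadContext and WriteProcessMemory rows above show each parent writing into a freshly started copy of its own image and then resetting that child's thread context: the shape of self-injecting process hollowing. The pairs with only three writes and no context change (the two schtasks.exe launches and 4952 to 2840) are consistent with ordinary process creation and are not injection on their own; SetThreadContext is the discriminator. The Python below is an added example, not part of the tria.ge report. It parses rows in the report's flattened layout and separates the two patterns. The PID-to-image map and the row text are transcribed from this page; the parser, the same-image rule and the function names are my own.

```python
import re
from collections import defaultdict

SAMPLE = "556200dcfe72c4d0565bebccb09460f894eef54959ab607cbc0e2b55531c7a31.exe"
LOADER = "oobeldr.exe"

# PID -> image name, transcribed from the report's process tree.
PROCESS_IMAGES = {
    1524: SAMPLE, 4264: SAMPLE, 3660: "schtasks.exe",
    3208: LOADER, 3832: LOADER, 4244: "schtasks.exe",
    4212: LOADER, 1056: LOADER, 1568: LOADER, 2152: LOADER,
    4952: LOADER, 2840: LOADER, 3580: LOADER,
}


def _rows(op, parent, child, image, target, n=1):
    """n copies of one IoC row in the report's flattened layout:
    'PID <parent> <op> <child> <parent> <image> <procid_target>'."""
    return [f"PID {parent} {op} {child} {parent} {image} {target}"] * n


# Constructed transcription of the 5 SetThreadContext and 49 WriteProcessMemory
# rows in the report. Repeats are kept on purpose: the number of writes is a signal.
IOC_ROWS = "\n".join(
    _rows("set thread context of", 1524, 4264, SAMPLE, 66)
    + _rows("set thread context of", 3208, 3832, LOADER, 70)
    + _rows("set thread context of", 4212, 1056, LOADER, 74)
    + _rows("set thread context of", 1568, 2152, LOADER, 76)
    + _rows("set thread context of", 4952, 3580, LOADER, 79)
    + _rows("wrote to memory of", 1524, 4264, SAMPLE, 66, 8)
    + _rows("wrote to memory of", 4264, 3660, SAMPLE, 67, 3)
    + _rows("wrote to memory of", 3208, 3832, LOADER, 70, 8)
    + _rows("wrote to memory of", 3832, 4244, LOADER, 71, 3)
    + _rows("wrote to memory of", 4212, 1056, LOADER, 74, 8)
    + _rows("wrote to memory of", 1568, 2152, LOADER, 76, 8)
    + _rows("wrote to memory of", 4952, 2840, LOADER, 78, 3)
    + _rows("wrote to memory of", 4952, 3580, LOADER, 79, 8)
)

# \s+ rather than a single space: the HTML extraction breaks rows across
# lines mid-entry (the 4212 -> 1056 rows in the report), and this still matches.
ROW_RE = re.compile(
    r"PID\s+(?P<parent>\d+)\s+(?P<op>set thread context of|wrote to memory of)\s+"
    r"(?P<child>\d+)\s+(?P=parent)\s+(?P<image>\S+)\s+(?P<target>\d+)"
)


def parse_rows(text):
    """Yield (parent_pid, op, child_pid, parent_image) for every row in text."""
    for m in ROW_RE.finditer(text):
        yield int(m["parent"]), m["op"], int(m["child"]), m["image"]


def _tally(text):
    """Count writes and thread-context changes per (parent, child) pair."""
    ops = defaultdict(lambda: {"write": 0, "ctx": 0})
    for parent, op, child, _ in parse_rows(text):
        ops[(parent, child)]["write" if op.startswith("wrote") else "ctx"] += 1
    return ops


def find_hollowing(text, images):
    """(parent, child, image, write_count) for pairs that combine WriteProcessMemory
    with SetThreadContext on a child running the parent's own image: the shape of
    self-injecting process hollowing (suspended copy, overwritten, thread redirected)."""
    hits = []
    for (parent, child), c in sorted(_tally(text).items()):
        if c["ctx"] and c["write"] and images.get(parent) == images.get(child):
            hits.append((parent, child, images[parent], c["write"]))
    return hits


def spawn_only(text):
    """Pairs with writes but no SetThreadContext. A handful of writes into a new
    child is what plain process creation leaves behind here; not injection by itself."""
    return sorted(pair for pair, c in _tally(text).items() if c["write"] and not c["ctx"])


if __name__ == "__main__":
    for parent, child, image, n in find_hollowing(IOC_ROWS, PROCESS_IMAGES):
        print(f"hollowing-like: {image} {parent} -> {child} ({n} writes + SetThreadContext)")
    for parent, child in spawn_only(IOC_ROWS):
        print(f"plain spawn:    {parent} -> {child}")
```

Run as-is it flags the five parent/child pairs that also carry the SetThreadContext signature and lists the three plain spawns separately. The same-image rule is deliberately narrow: hollowing into a different, legitimate binary would pass through it, so for general triage drop that condition and treat the write-plus-context pair alone as the hit.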
Processes (indentation shows tree depth; "cmdline" is the command line as recorded)

C:\Users\Admin\AppData\Local\Temp\556200dcfe72c4d0565bebccb09460f894eef54959ab607cbc0e2b55531c7a31.exe (PID 1524)
  cmdline: "C:\Users\Admin\AppData\Local\Temp\556200dcfe72c4d0565bebccb09460f894eef54959ab607cbc0e2b55531c7a31.exe"
  Suspicious use of SetThreadContext; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\556200dcfe72c4d0565bebccb09460f894eef54959ab607cbc0e2b55531c7a31.exe (PID 4264)
    cmdline: C:\Users\Admin\AppData\Local\Temp\556200dcfe72c4d0565bebccb09460f894eef54959ab607cbc0e2b55531c7a31.exe
    Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\schtasks.exe (PID 3660)
      cmdline: /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
      Creates scheduled task(s)

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe (PID 3208)
  cmdline: C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe (PID 3832)
    cmdline: C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    Executes dropped EXE; Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\schtasks.exe (PID 4244)
      cmdline: /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
      Creates scheduled task(s)

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe (PID 4212)
  cmdline: C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe (PID 1056)
    cmdline: C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    Executes dropped EXE

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe (PID 1568)
  cmdline: C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe (PID 2152)
    cmdline: C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    Executes dropped EXE

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe (PID 4952)
  cmdline: C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe (PID 2840)
    cmdline: C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    Executes dropped EXE
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe (PID 3580)
    cmdline: C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    Executes dropped EXE
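The schtasks.exe command line recorded twice in the tree above is the persistence mechanism: it re-launches the dropped copy every minute from %APPDATA%\Microsoft\Protect, a directory that normally holds only DPAPI master-key material, with /F so a re-run silently replaces any existing task of that name and with no /ru, so it runs as the logged-on user without elevation. The Python below is an added example, not part of the tria.ge report. It tokenizes a schtasks /create command line and turns it into hunting indicators plus the reasons a defender would flag it. The command line is the one recorded on this page; the switch table, the lure-word list, the interval threshold and the System32\Tasks path convention are my own assumptions.

```python
import re
from pathlib import PureWindowsPath

# Command line recorded for schtasks.exe (PIDs 3660 and 4244) in the report above.
SCHTASKS_CMDLINE = (
    '/C /create /F /sc minute /mo 1 /tn "Telemetry Logging" '
    r'/tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"'
)

# A token is either a double-quoted string (quotes stripped) or a bare word.
TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')

# schtasks switches that take a value (assumption: the subset relevant here).
VALUE_SWITCHES = {"/sc", "/mo", "/tn", "/tr", "/st", "/sd", "/ru", "/rp", "/xml", "/d", "/m"}

# Words that make a task name look like a built-in maintenance job (assumption).
LURE_WORDS = {"telemetry", "logging", "update", "security", "maintenance", "sync"}


def parse_schtasks(cmdline):
    """Split a schtasks command line into {switch: value} and a set of bare flags.

    Switches are lower-cased so /F and /f compare equal; values keep their case.
    Unknown leading tokens such as the stray '/C' here simply land in the flag set.
    """
    tokens = [quoted or bare for quoted, bare in TOKEN_RE.findall(cmdline)]
    values, flags, i = {}, set(), 0
    while i < len(tokens):
        tok = tokens[i].lower()
        if tok in VALUE_SWITCHES and i + 1 < len(tokens):
            values[tok] = tokens[i + 1]
            i += 2
        else:
            flags.add(tok)
            i += 1
    return values, flags


def assess_task(cmdline):
    """Return hunting indicators and the reasons a /create call looks like persistence."""
    values, flags = parse_schtasks(cmdline)
    result = {"is_create": "/create" in flags, "reasons": [], "indicators": {}}
    if not result["is_create"]:
        return result

    name = values.get("/tn", "")
    action = values.get("/tr", "")
    # /tr may carry its own arguments; the executable is the first token of it.
    exe = next((q or b for q, b in TOKEN_RE.findall(action)), "")
    parts = [p.lower() for p in PureWindowsPath(exe).parts]

    schedule = values.get("/sc", "").lower()
    interval = int(values["/mo"]) if values.get("/mo", "").isdigit() else None
    if schedule == "minute" and interval is not None and interval <= 5:
        result["reasons"].append(
            f"runs every {interval} minute(s): a restart loop, not a maintenance schedule")
    if "appdata" in parts or "temp" in parts:
        result["reasons"].append(f"action binary lives in a user-writable directory: {exe}")
    if "/f" in flags:
        result["reasons"].append("/F silently overwrites an existing task of the same name")
    if set(re.findall(r"[a-z]+", name.lower())) & LURE_WORDS:
        result["reasons"].append(f"task name imitates a system job: {name!r}")

    result["interval_minutes"] = interval
    # Without /ru the task runs in the context of the user who created it.
    result["runs_as"] = values.get("/ru", "current user")
    result["indicators"] = {
        "task_name": name,
        "action_path": exe,
        "file_name": PureWindowsPath(exe).name,
        # Assumption: default layout, where each task is persisted as an XML file
        # named after the task under System32\Tasks.
        "task_file": str(PureWindowsPath(r"C:\Windows\System32\Tasks") / name),
    }
    return result


if __name__ == "__main__":
    report = assess_task(SCHTASKS_CMDLINE)
    for reason in report["reasons"]:
        print("-", reason)
    print(report["indicators"])
```

On a live host the same indicators translate directly into a check: a task named "Telemetry Logging" in the scheduler, an action pointing at oobeldr.exe under the user's AppData, and a one-minute trigger. Deleting the task without removing the binary (or the reverse) leaves the other half in place, so take both out together.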
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 1KB
  MD5: 5c01a57bb6376dc958d99ed7a67870ff
  SHA1: d092c7dfd148ac12b086049d215e6b00bd78628d
  SHA256: cb8fd245425e915bfc5ff411f26303f7cb4a30ed37f2ea4a2f0a12501aa5f2a4
  SHA512: e4e3a4b74f8e209573cce58b572c1f71653e6f4df98f98c5a1cecdf76c9ffb91d5e6994c89df41c9f3613a0584301a56ca922ab7497a434e108b28dcd7d33038
Filesize: 1.2MB (listed 10 times; every entry has the same hashes as the submitted sample, so the dropped oobeldr.exe is an unmodified copy of it)
  MD5: c2e1f7053399c7ef6794899229759d45
  SHA1: 8966b43643502130633fcac26eec77bd6597643f
  SHA256: 556200dcfe72c4d0565bebccb09460f894eef54959ab607cbc0e2b55531c7a31
  SHA512: f0642da957342fcf0cb868efdd5fe53c20bccca5eee04a54e25a1da9acf843ceadc78fa053414c816f02585faae18a6603868dc4594d118dca4129b997f0f047