93432b4a398d9396c603128827e1091b3411d29f206e993dd055012e892ca041

Analysis

max time kernel
128s
max time network
260s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
15/07/2023, 04:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

93432b4a398d9396c603128827e1091b3411d29f206e993dd055012e892ca041.exe
Size

321KB
MD5

685c427f4139526bdfe98ee53f040dbd
SHA1

f07c84a1a0921de713ee6c7406c335d8ac6a4a80
SHA256

93432b4a398d9396c603128827e1091b3411d29f206e993dd055012e892ca041
SHA512

fbf201f5be14c38a8467f4304ce21e7e1472303cd089f078343570e7544a7ee16c4fc2b8e635e385a5344c6cb99d9fcb2e4b8cbcb02578da0a97307f33c80e50
SSDEEP

6144:eKlzr1sYCzek2ciDaP9Xk6Ln1W8W/9InBSkZZmLdGcAdgdY6RKpjS:eGhQ2ciDq9ZL1W8q9InBRqELdolRKpj

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
828	oobeldr.exe
4640	oobeldr.exe
3644	oobeldr.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3244 set thread context of 3148	3244	93432b4a398d9396c603128827e1091b3411d29f206e993dd055012e892ca041.exe	70
PID 828 set thread context of 3644	828	oobeldr.exe	75

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4716	schtasks.exe
4968	schtasks.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 3244 wrote to memory of 3148	3244	93432b4a398d9396c603128827e1091b3411d29f206e993dd055012e892ca041.exe	70
PID 3244 wrote to memory of 3148	3244	93432b4a398d9396c603128827e1091b3411d29f206e993dd055012e892ca041.exe	70
PID 3244 wrote to memory of 3148	3244	93432b4a398d9396c603128827e1091b3411d29f206e993dd055012e892ca041.exe	70
PID 3244 wrote to memory of 3148	3244	93432b4a398d9396c603128827e1091b3411d29f206e993dd055012e892ca041.exe	70
PID 3244 wrote to memory of 3148	3244	93432b4a398d9396c603128827e1091b3411d29f206e993dd055012e892ca041.exe	70
PID 3244 wrote to memory of 3148	3244	93432b4a398d9396c603128827e1091b3411d29f206e993dd055012e892ca041.exe	70
PID 3244 wrote to memory of 3148	3244	93432b4a398d9396c603128827e1091b3411d29f206e993dd055012e892ca041.exe	70
PID 3244 wrote to memory of 3148	3244	93432b4a398d9396c603128827e1091b3411d29f206e993dd055012e892ca041.exe	70
PID 3244 wrote to memory of 3148	3244	93432b4a398d9396c603128827e1091b3411d29f206e993dd055012e892ca041.exe	70
PID 3148 wrote to memory of 4716	3148	93432b4a398d9396c603128827e1091b3411d29f206e993dd055012e892ca041.exe	71
PID 3148 wrote to memory of 4716	3148	93432b4a398d9396c603128827e1091b3411d29f206e993dd055012e892ca041.exe	71
PID 3148 wrote to memory of 4716	3148	93432b4a398d9396c603128827e1091b3411d29f206e993dd055012e892ca041.exe	71
PID 828 wrote to memory of 4640	828	oobeldr.exe	74
PID 828 wrote to memory of 4640	828	oobeldr.exe	74
PID 828 wrote to memory of 4640	828	oobeldr.exe	74
PID 828 wrote to memory of 3644	828	oobeldr.exe	75
PID 828 wrote to memory of 3644	828	oobeldr.exe	75
PID 828 wrote to memory of 3644	828	oobeldr.exe	75
PID 828 wrote to memory of 3644	828	oobeldr.exe	75
PID 828 wrote to memory of 3644	828	oobeldr.exe	75
PID 828 wrote to memory of 3644	828	oobeldr.exe	75
PID 828 wrote to memory of 3644	828	oobeldr.exe	75
PID 828 wrote to memory of 3644	828	oobeldr.exe	75
PID 828 wrote to memory of 3644	828	oobeldr.exe	75
PID 3644 wrote to memory of 4968	3644	oobeldr.exe	76
PID 3644 wrote to memory of 4968	3644	oobeldr.exe	76
PID 3644 wrote to memory of 4968	3644	oobeldr.exe	76

C:\Users\Admin\AppData\Local\Temp\93432b4a398d9396c603128827e1091b3411d29f206e993dd055012e892ca041.exe
"C:\Users\Admin\AppData\Local\Temp\93432b4a398d9396c603128827e1091b3411d29f206e993dd055012e892ca041.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3244
- C:\Users\Admin\AppData\Local\Temp\93432b4a398d9396c603128827e1091b3411d29f206e993dd055012e892ca041.exe
  C:\Users\Admin\AppData\Local\Temp\93432b4a398d9396c603128827e1091b3411d29f206e993dd055012e892ca041.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3148
- - C:\Windows\SysWOW64\schtasks.exe
    /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
    3⤵
    - Creates scheduled task(s)
    PID:4716

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:828
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  - Executes dropped EXE
  PID:4640
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3644
- - C:\Windows\SysWOW64\schtasks.exe
    /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
    3⤵
    - Creates scheduled task(s)
    PID:4968

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
321KB

MD5
685c427f4139526bdfe98ee53f040dbd

SHA1
f07c84a1a0921de713ee6c7406c335d8ac6a4a80

SHA256
93432b4a398d9396c603128827e1091b3411d29f206e993dd055012e892ca041

SHA512
fbf201f5be14c38a8467f4304ce21e7e1472303cd089f078343570e7544a7ee16c4fc2b8e635e385a5344c6cb99d9fcb2e4b8cbcb02578da0a97307f33c80e50

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
321KB

MD5
685c427f4139526bdfe98ee53f040dbd

SHA1
f07c84a1a0921de713ee6c7406c335d8ac6a4a80

SHA256
93432b4a398d9396c603128827e1091b3411d29f206e993dd055012e892ca041

SHA512
fbf201f5be14c38a8467f4304ce21e7e1472303cd089f078343570e7544a7ee16c4fc2b8e635e385a5344c6cb99d9fcb2e4b8cbcb02578da0a97307f33c80e50

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
321KB

MD5
685c427f4139526bdfe98ee53f040dbd

SHA1
f07c84a1a0921de713ee6c7406c335d8ac6a4a80

SHA256
93432b4a398d9396c603128827e1091b3411d29f206e993dd055012e892ca041

SHA512
fbf201f5be14c38a8467f4304ce21e7e1472303cd089f078343570e7544a7ee16c4fc2b8e635e385a5344c6cb99d9fcb2e4b8cbcb02578da0a97307f33c80e50

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
321KB

MD5
685c427f4139526bdfe98ee53f040dbd

SHA1
f07c84a1a0921de713ee6c7406c335d8ac6a4a80

SHA256
93432b4a398d9396c603128827e1091b3411d29f206e993dd055012e892ca041

SHA512
fbf201f5be14c38a8467f4304ce21e7e1472303cd089f078343570e7544a7ee16c4fc2b8e635e385a5344c6cb99d9fcb2e4b8cbcb02578da0a97307f33c80e50

Download Submit
memory/828-147-0x0000000073470000-0x0000000073B5E000-memory.dmp

Filesize
6.9MB

Download
memory/828-139-0x00000000049A0000-0x00000000049B0000-memory.dmp

Filesize
64KB

Download
memory/828-138-0x0000000073470000-0x0000000073B5E000-memory.dmp

Filesize
6.9MB

Download
memory/3148-132-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/3148-134-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/3148-129-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/3244-126-0x0000000004FB0000-0x0000000004FC0000-memory.dmp

Filesize
64KB

Download
memory/3244-120-0x0000000000660000-0x00000000006B6000-memory.dmp

Filesize
344KB

Download
memory/3244-135-0x0000000073470000-0x0000000073B5E000-memory.dmp

Filesize
6.9MB

Download
memory/3244-127-0x00000000077B0000-0x0000000007826000-memory.dmp

Filesize
472KB

Download
memory/3244-128-0x0000000004F20000-0x0000000004F3E000-memory.dmp

Filesize
120KB

Download
memory/3244-125-0x0000000001130000-0x0000000001136000-memory.dmp

Filesize
24KB

Download
memory/3244-124-0x0000000007510000-0x00000000075A2000-memory.dmp

Filesize
584KB

Download
memory/3244-123-0x0000000007A10000-0x0000000007F0E000-memory.dmp

Filesize
5.0MB

Download
memory/3244-122-0x0000000007440000-0x000000000750C000-memory.dmp

Filesize
816KB

Download
memory/3244-121-0x0000000073470000-0x0000000073B5E000-memory.dmp

Filesize
6.9MB

Download
memory/3644-146-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads