fe245499caaa26dea649fde3514e65f623103badfa3d03f5ffbcd5d4fc0f1b86

Analysis

max time kernel
278s
max time network
123s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
02/08/2023, 03:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fe245499caaa26dea649fde3514e65f623103badfa3d03f5ffbcd5d4fc0f1b86.exe
Size

321KB
MD5

37b028f38402f059f1505461da4a6c0f
SHA1

f09af09e89c3ae71cbf5e1e96c1fce2c27d1d48a
SHA256

fe245499caaa26dea649fde3514e65f623103badfa3d03f5ffbcd5d4fc0f1b86
SHA512

2447f48b638299714cdbbab4338da9dded1acdc96936ce469be4a0f32c230726d6772ef36d8fce8454af2ffec1482095ce0f12ed44784590d59a951add57e9b8
SSDEEP

6144:eKlzr1sYCzek2ciDaP9Xk6Ln1W8W/9InBSkZZmLdGcAdgdY6RKpjS:eGhQ2ciDq9ZL1W8q9InBRqELdolRKpj

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 10 IoCs

pid	Process
2856	oobeldr.exe
2932	oobeldr.exe
2884	oobeldr.exe
2724	oobeldr.exe
1692	oobeldr.exe
1812	oobeldr.exe
1376	oobeldr.exe
1984	oobeldr.exe
3040	oobeldr.exe
3032	oobeldr.exe

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 832 set thread context of 2408	832	fe245499caaa26dea649fde3514e65f623103badfa3d03f5ffbcd5d4fc0f1b86.exe	28
PID 2856 set thread context of 2932	2856	oobeldr.exe	35
PID 2884 set thread context of 2724	2884	oobeldr.exe	39
PID 1692 set thread context of 1812	1692	oobeldr.exe	41
PID 1376 set thread context of 1984	1376	oobeldr.exe	43
PID 3040 set thread context of 3032	3040	oobeldr.exe	45

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2232	schtasks.exe
2952	schtasks.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 832 wrote to memory of 2408	832	fe245499caaa26dea649fde3514e65f623103badfa3d03f5ffbcd5d4fc0f1b86.exe	28
PID 832 wrote to memory of 2408	832	fe245499caaa26dea649fde3514e65f623103badfa3d03f5ffbcd5d4fc0f1b86.exe	28
PID 832 wrote to memory of 2408	832	fe245499caaa26dea649fde3514e65f623103badfa3d03f5ffbcd5d4fc0f1b86.exe	28
PID 832 wrote to memory of 2408	832	fe245499caaa26dea649fde3514e65f623103badfa3d03f5ffbcd5d4fc0f1b86.exe	28
PID 832 wrote to memory of 2408	832	fe245499caaa26dea649fde3514e65f623103badfa3d03f5ffbcd5d4fc0f1b86.exe	28
PID 832 wrote to memory of 2408	832	fe245499caaa26dea649fde3514e65f623103badfa3d03f5ffbcd5d4fc0f1b86.exe	28
PID 832 wrote to memory of 2408	832	fe245499caaa26dea649fde3514e65f623103badfa3d03f5ffbcd5d4fc0f1b86.exe	28
PID 832 wrote to memory of 2408	832	fe245499caaa26dea649fde3514e65f623103badfa3d03f5ffbcd5d4fc0f1b86.exe	28
PID 832 wrote to memory of 2408	832	fe245499caaa26dea649fde3514e65f623103badfa3d03f5ffbcd5d4fc0f1b86.exe	28
PID 2408 wrote to memory of 2232	2408	fe245499caaa26dea649fde3514e65f623103badfa3d03f5ffbcd5d4fc0f1b86.exe	30
PID 2408 wrote to memory of 2232	2408	fe245499caaa26dea649fde3514e65f623103badfa3d03f5ffbcd5d4fc0f1b86.exe	30
PID 2408 wrote to memory of 2232	2408	fe245499caaa26dea649fde3514e65f623103badfa3d03f5ffbcd5d4fc0f1b86.exe	30
PID 2408 wrote to memory of 2232	2408	fe245499caaa26dea649fde3514e65f623103badfa3d03f5ffbcd5d4fc0f1b86.exe	30
PID 2056 wrote to memory of 2856	2056	taskeng.exe	34
PID 2056 wrote to memory of 2856	2056	taskeng.exe	34
PID 2056 wrote to memory of 2856	2056	taskeng.exe	34
PID 2056 wrote to memory of 2856	2056	taskeng.exe	34
PID 2856 wrote to memory of 2932	2856	oobeldr.exe	35
PID 2856 wrote to memory of 2932	2856	oobeldr.exe	35
PID 2856 wrote to memory of 2932	2856	oobeldr.exe	35
PID 2856 wrote to memory of 2932	2856	oobeldr.exe	35
PID 2856 wrote to memory of 2932	2856	oobeldr.exe	35
PID 2856 wrote to memory of 2932	2856	oobeldr.exe	35
PID 2856 wrote to memory of 2932	2856	oobeldr.exe	35
PID 2856 wrote to memory of 2932	2856	oobeldr.exe	35
PID 2856 wrote to memory of 2932	2856	oobeldr.exe	35
PID 2932 wrote to memory of 2952	2932	oobeldr.exe	37
PID 2932 wrote to memory of 2952	2932	oobeldr.exe	37
PID 2932 wrote to memory of 2952	2932	oobeldr.exe	37
PID 2932 wrote to memory of 2952	2932	oobeldr.exe	37
PID 2056 wrote to memory of 2884	2056	taskeng.exe	38
PID 2056 wrote to memory of 2884	2056	taskeng.exe	38
PID 2056 wrote to memory of 2884	2056	taskeng.exe	38
PID 2056 wrote to memory of 2884	2056	taskeng.exe	38
PID 2884 wrote to memory of 2724	2884	oobeldr.exe	39
PID 2884 wrote to memory of 2724	2884	oobeldr.exe	39
PID 2884 wrote to memory of 2724	2884	oobeldr.exe	39
PID 2884 wrote to memory of 2724	2884	oobeldr.exe	39
PID 2884 wrote to memory of 2724	2884	oobeldr.exe	39
PID 2884 wrote to memory of 2724	2884	oobeldr.exe	39
PID 2884 wrote to memory of 2724	2884	oobeldr.exe	39
PID 2884 wrote to memory of 2724	2884	oobeldr.exe	39
PID 2884 wrote to memory of 2724	2884	oobeldr.exe	39
PID 2056 wrote to memory of 1692	2056	taskeng.exe	40
PID 2056 wrote to memory of 1692	2056	taskeng.exe	40
PID 2056 wrote to memory of 1692	2056	taskeng.exe	40
PID 2056 wrote to memory of 1692	2056	taskeng.exe	40
PID 1692 wrote to memory of 1812	1692	oobeldr.exe	41
PID 1692 wrote to memory of 1812	1692	oobeldr.exe	41
PID 1692 wrote to memory of 1812	1692	oobeldr.exe	41
PID 1692 wrote to memory of 1812	1692	oobeldr.exe	41
PID 1692 wrote to memory of 1812	1692	oobeldr.exe	41
PID 1692 wrote to memory of 1812	1692	oobeldr.exe	41
PID 1692 wrote to memory of 1812	1692	oobeldr.exe	41
PID 1692 wrote to memory of 1812	1692	oobeldr.exe	41
PID 1692 wrote to memory of 1812	1692	oobeldr.exe	41
PID 2056 wrote to memory of 1376	2056	taskeng.exe	42
PID 2056 wrote to memory of 1376	2056	taskeng.exe	42
PID 2056 wrote to memory of 1376	2056	taskeng.exe	42
PID 2056 wrote to memory of 1376	2056	taskeng.exe	42
PID 1376 wrote to memory of 1984	1376	oobeldr.exe	43
PID 1376 wrote to memory of 1984	1376	oobeldr.exe	43
PID 1376 wrote to memory of 1984	1376	oobeldr.exe	43
PID 1376 wrote to memory of 1984	1376	oobeldr.exe	43

C:\Users\Admin\AppData\Local\Temp\fe245499caaa26dea649fde3514e65f623103badfa3d03f5ffbcd5d4fc0f1b86.exe
"C:\Users\Admin\AppData\Local\Temp\fe245499caaa26dea649fde3514e65f623103badfa3d03f5ffbcd5d4fc0f1b86.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:832
- C:\Users\Admin\AppData\Local\Temp\fe245499caaa26dea649fde3514e65f623103badfa3d03f5ffbcd5d4fc0f1b86.exe
  C:\Users\Admin\AppData\Local\Temp\fe245499caaa26dea649fde3514e65f623103badfa3d03f5ffbcd5d4fc0f1b86.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2408
- - C:\Windows\SysWOW64\schtasks.exe
    /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
    3⤵
    - Creates scheduled task(s)
    PID:2232

C:\Windows\system32\taskeng.exe
taskeng.exe {E8F97B7E-7A96-4913-B929-117FCF975A53} S-1-5-21-1014134971-2480516131-292343513-1000:NYBYVYTJ\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2056
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2856
- - C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2932
  - - C:\Windows\SysWOW64\schtasks.exe
      /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
      4⤵
      Creates scheduled task(s)
      PID:2952
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2884
- - C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    3⤵
    - Executes dropped EXE
    PID:2724
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1692
- - C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    3⤵
    - Executes dropped EXE
    PID:1812
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1376
- - C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    3⤵
    - Executes dropped EXE
    PID:1984
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:3040
- - C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    3⤵
    - Executes dropped EXE
    PID:3032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
321KB

MD5
37b028f38402f059f1505461da4a6c0f

SHA1
f09af09e89c3ae71cbf5e1e96c1fce2c27d1d48a

SHA256
fe245499caaa26dea649fde3514e65f623103badfa3d03f5ffbcd5d4fc0f1b86

SHA512
2447f48b638299714cdbbab4338da9dded1acdc96936ce469be4a0f32c230726d6772ef36d8fce8454af2ffec1482095ce0f12ed44784590d59a951add57e9b8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
321KB

MD5
37b028f38402f059f1505461da4a6c0f

SHA1
f09af09e89c3ae71cbf5e1e96c1fce2c27d1d48a

SHA256
fe245499caaa26dea649fde3514e65f623103badfa3d03f5ffbcd5d4fc0f1b86

SHA512
2447f48b638299714cdbbab4338da9dded1acdc96936ce469be4a0f32c230726d6772ef36d8fce8454af2ffec1482095ce0f12ed44784590d59a951add57e9b8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
321KB

MD5
37b028f38402f059f1505461da4a6c0f

SHA1
f09af09e89c3ae71cbf5e1e96c1fce2c27d1d48a

SHA256
fe245499caaa26dea649fde3514e65f623103badfa3d03f5ffbcd5d4fc0f1b86

SHA512
2447f48b638299714cdbbab4338da9dded1acdc96936ce469be4a0f32c230726d6772ef36d8fce8454af2ffec1482095ce0f12ed44784590d59a951add57e9b8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
321KB

MD5
37b028f38402f059f1505461da4a6c0f

SHA1
f09af09e89c3ae71cbf5e1e96c1fce2c27d1d48a

SHA256
fe245499caaa26dea649fde3514e65f623103badfa3d03f5ffbcd5d4fc0f1b86

SHA512
2447f48b638299714cdbbab4338da9dded1acdc96936ce469be4a0f32c230726d6772ef36d8fce8454af2ffec1482095ce0f12ed44784590d59a951add57e9b8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
321KB

MD5
37b028f38402f059f1505461da4a6c0f

SHA1
f09af09e89c3ae71cbf5e1e96c1fce2c27d1d48a

SHA256
fe245499caaa26dea649fde3514e65f623103badfa3d03f5ffbcd5d4fc0f1b86

SHA512
2447f48b638299714cdbbab4338da9dded1acdc96936ce469be4a0f32c230726d6772ef36d8fce8454af2ffec1482095ce0f12ed44784590d59a951add57e9b8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
321KB

MD5
37b028f38402f059f1505461da4a6c0f

SHA1
f09af09e89c3ae71cbf5e1e96c1fce2c27d1d48a

SHA256
fe245499caaa26dea649fde3514e65f623103badfa3d03f5ffbcd5d4fc0f1b86

SHA512
2447f48b638299714cdbbab4338da9dded1acdc96936ce469be4a0f32c230726d6772ef36d8fce8454af2ffec1482095ce0f12ed44784590d59a951add57e9b8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
321KB

MD5
37b028f38402f059f1505461da4a6c0f

SHA1
f09af09e89c3ae71cbf5e1e96c1fce2c27d1d48a

SHA256
fe245499caaa26dea649fde3514e65f623103badfa3d03f5ffbcd5d4fc0f1b86

SHA512
2447f48b638299714cdbbab4338da9dded1acdc96936ce469be4a0f32c230726d6772ef36d8fce8454af2ffec1482095ce0f12ed44784590d59a951add57e9b8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
321KB

MD5
37b028f38402f059f1505461da4a6c0f

SHA1
f09af09e89c3ae71cbf5e1e96c1fce2c27d1d48a

SHA256
fe245499caaa26dea649fde3514e65f623103badfa3d03f5ffbcd5d4fc0f1b86

SHA512
2447f48b638299714cdbbab4338da9dded1acdc96936ce469be4a0f32c230726d6772ef36d8fce8454af2ffec1482095ce0f12ed44784590d59a951add57e9b8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
321KB

MD5
37b028f38402f059f1505461da4a6c0f

SHA1
f09af09e89c3ae71cbf5e1e96c1fce2c27d1d48a

SHA256
fe245499caaa26dea649fde3514e65f623103badfa3d03f5ffbcd5d4fc0f1b86

SHA512
2447f48b638299714cdbbab4338da9dded1acdc96936ce469be4a0f32c230726d6772ef36d8fce8454af2ffec1482095ce0f12ed44784590d59a951add57e9b8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
321KB

MD5
37b028f38402f059f1505461da4a6c0f

SHA1
f09af09e89c3ae71cbf5e1e96c1fce2c27d1d48a

SHA256
fe245499caaa26dea649fde3514e65f623103badfa3d03f5ffbcd5d4fc0f1b86

SHA512
2447f48b638299714cdbbab4338da9dded1acdc96936ce469be4a0f32c230726d6772ef36d8fce8454af2ffec1482095ce0f12ed44784590d59a951add57e9b8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
321KB

MD5
37b028f38402f059f1505461da4a6c0f

SHA1
f09af09e89c3ae71cbf5e1e96c1fce2c27d1d48a

SHA256
fe245499caaa26dea649fde3514e65f623103badfa3d03f5ffbcd5d4fc0f1b86

SHA512
2447f48b638299714cdbbab4338da9dded1acdc96936ce469be4a0f32c230726d6772ef36d8fce8454af2ffec1482095ce0f12ed44784590d59a951add57e9b8

Download Submit
memory/832-56-0x00000000047E0000-0x00000000048AC000-memory.dmp

Filesize
816KB

Download
memory/832-58-0x00000000047A0000-0x00000000047E0000-memory.dmp

Filesize
256KB

Download
memory/832-57-0x0000000000270000-0x0000000000276000-memory.dmp

Filesize
24KB

Download
memory/832-70-0x0000000074CA0000-0x000000007538E000-memory.dmp

Filesize
6.9MB

Download
memory/832-54-0x0000000074CA0000-0x000000007538E000-memory.dmp

Filesize
6.9MB

Download
memory/832-55-0x0000000000120000-0x0000000000176000-memory.dmp

Filesize
344KB

Download
memory/1376-116-0x0000000074C30000-0x000000007531E000-memory.dmp

Filesize
6.9MB

Download
memory/1376-128-0x0000000074C30000-0x000000007531E000-memory.dmp

Filesize
6.9MB

Download
memory/1692-114-0x0000000074C80000-0x000000007536E000-memory.dmp

Filesize
6.9MB

Download
memory/1692-103-0x0000000074C80000-0x000000007536E000-memory.dmp

Filesize
6.9MB

Download
memory/1984-127-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2408-63-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2408-67-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2408-65-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2408-59-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2408-60-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2408-61-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2408-62-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2408-69-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2856-73-0x0000000000AF0000-0x0000000000B46000-memory.dmp

Filesize
344KB

Download
memory/2856-86-0x0000000074C80000-0x000000007536E000-memory.dmp

Filesize
6.9MB

Download
memory/2856-75-0x0000000004860000-0x00000000048A0000-memory.dmp

Filesize
256KB

Download
memory/2856-74-0x0000000074C80000-0x000000007536E000-memory.dmp

Filesize
6.9MB

Download
memory/2884-101-0x0000000074C30000-0x000000007531E000-memory.dmp

Filesize
6.9MB

Download
memory/2884-90-0x0000000004950000-0x0000000004990000-memory.dmp

Filesize
256KB

Download
memory/2884-89-0x0000000074C30000-0x000000007531E000-memory.dmp

Filesize
6.9MB

Download
memory/2884-88-0x0000000000AF0000-0x0000000000B46000-memory.dmp

Filesize
344KB

Download
memory/2932-80-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3040-130-0x0000000074C80000-0x000000007536E000-memory.dmp

Filesize
6.9MB

Download
memory/3040-142-0x0000000074C80000-0x000000007536E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads