821850dbb168d2c15da6005ed8c729495ea7bdc7877761008d00644536aefb56

Analysis

max time kernel
247s
max time network
123s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
17/08/2023, 04:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

821850dbb168d2c15da6005ed8c729495ea7bdc7877761008d00644536aefb56.exe
Size

321KB
MD5

574297289459d1cf2cc3b8ce660fe708
SHA1

ddeb7d61bdb3d927255513958e6895ef50c25ee7
SHA256

821850dbb168d2c15da6005ed8c729495ea7bdc7877761008d00644536aefb56
SHA512

d1af37d1aead92129809503858499454f8a298f33c6f4e7f9fe07c44b22d16ec349fc12026f054579ef5d6960749b2e941e497af744f2511d643edad563aad66
SSDEEP

6144:eKlzr1sYCzek2ciDaP9Xk6Ln1W8W/9InBSkZZmLdGcAdgdY6RKpjS:eGhQ2ciDq9ZL1W8q9InBRqELdolRKpj

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 9 IoCs

pid	Process
2484	oobeldr.exe
536	oobeldr.exe
2540	oobeldr.exe
2340	oobeldr.exe
824	oobeldr.exe
2032	oobeldr.exe
2616	oobeldr.exe
1992	oobeldr.exe
2812	oobeldr.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 2296 set thread context of 2908	2296	821850dbb168d2c15da6005ed8c729495ea7bdc7877761008d00644536aefb56.exe	30
PID 2484 set thread context of 536	2484	oobeldr.exe	37
PID 2540 set thread context of 2340	2540	oobeldr.exe	41
PID 824 set thread context of 2616	824	oobeldr.exe	44
PID 1992 set thread context of 2812	1992	oobeldr.exe	46

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2988	schtasks.exe
1524	schtasks.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2296 wrote to memory of 2112	2296	821850dbb168d2c15da6005ed8c729495ea7bdc7877761008d00644536aefb56.exe	28
PID 2296 wrote to memory of 2112	2296	821850dbb168d2c15da6005ed8c729495ea7bdc7877761008d00644536aefb56.exe	28
PID 2296 wrote to memory of 2112	2296	821850dbb168d2c15da6005ed8c729495ea7bdc7877761008d00644536aefb56.exe	28
PID 2296 wrote to memory of 2112	2296	821850dbb168d2c15da6005ed8c729495ea7bdc7877761008d00644536aefb56.exe	28
PID 2296 wrote to memory of 2844	2296	821850dbb168d2c15da6005ed8c729495ea7bdc7877761008d00644536aefb56.exe	29
PID 2296 wrote to memory of 2844	2296	821850dbb168d2c15da6005ed8c729495ea7bdc7877761008d00644536aefb56.exe	29
PID 2296 wrote to memory of 2844	2296	821850dbb168d2c15da6005ed8c729495ea7bdc7877761008d00644536aefb56.exe	29
PID 2296 wrote to memory of 2844	2296	821850dbb168d2c15da6005ed8c729495ea7bdc7877761008d00644536aefb56.exe	29
PID 2296 wrote to memory of 2908	2296	821850dbb168d2c15da6005ed8c729495ea7bdc7877761008d00644536aefb56.exe	30
PID 2296 wrote to memory of 2908	2296	821850dbb168d2c15da6005ed8c729495ea7bdc7877761008d00644536aefb56.exe	30
PID 2296 wrote to memory of 2908	2296	821850dbb168d2c15da6005ed8c729495ea7bdc7877761008d00644536aefb56.exe	30
PID 2296 wrote to memory of 2908	2296	821850dbb168d2c15da6005ed8c729495ea7bdc7877761008d00644536aefb56.exe	30
PID 2296 wrote to memory of 2908	2296	821850dbb168d2c15da6005ed8c729495ea7bdc7877761008d00644536aefb56.exe	30
PID 2296 wrote to memory of 2908	2296	821850dbb168d2c15da6005ed8c729495ea7bdc7877761008d00644536aefb56.exe	30
PID 2296 wrote to memory of 2908	2296	821850dbb168d2c15da6005ed8c729495ea7bdc7877761008d00644536aefb56.exe	30
PID 2296 wrote to memory of 2908	2296	821850dbb168d2c15da6005ed8c729495ea7bdc7877761008d00644536aefb56.exe	30
PID 2296 wrote to memory of 2908	2296	821850dbb168d2c15da6005ed8c729495ea7bdc7877761008d00644536aefb56.exe	30
PID 2908 wrote to memory of 2988	2908	821850dbb168d2c15da6005ed8c729495ea7bdc7877761008d00644536aefb56.exe	32
PID 2908 wrote to memory of 2988	2908	821850dbb168d2c15da6005ed8c729495ea7bdc7877761008d00644536aefb56.exe	32
PID 2908 wrote to memory of 2988	2908	821850dbb168d2c15da6005ed8c729495ea7bdc7877761008d00644536aefb56.exe	32
PID 2908 wrote to memory of 2988	2908	821850dbb168d2c15da6005ed8c729495ea7bdc7877761008d00644536aefb56.exe	32
PID 2788 wrote to memory of 2484	2788	taskeng.exe	36
PID 2788 wrote to memory of 2484	2788	taskeng.exe	36
PID 2788 wrote to memory of 2484	2788	taskeng.exe	36
PID 2788 wrote to memory of 2484	2788	taskeng.exe	36
PID 2484 wrote to memory of 536	2484	oobeldr.exe	37
PID 2484 wrote to memory of 536	2484	oobeldr.exe	37
PID 2484 wrote to memory of 536	2484	oobeldr.exe	37
PID 2484 wrote to memory of 536	2484	oobeldr.exe	37
PID 2484 wrote to memory of 536	2484	oobeldr.exe	37
PID 2484 wrote to memory of 536	2484	oobeldr.exe	37
PID 2484 wrote to memory of 536	2484	oobeldr.exe	37
PID 2484 wrote to memory of 536	2484	oobeldr.exe	37
PID 2484 wrote to memory of 536	2484	oobeldr.exe	37
PID 536 wrote to memory of 1524	536	oobeldr.exe	38
PID 536 wrote to memory of 1524	536	oobeldr.exe	38
PID 536 wrote to memory of 1524	536	oobeldr.exe	38
PID 536 wrote to memory of 1524	536	oobeldr.exe	38
PID 2788 wrote to memory of 2540	2788	taskeng.exe	40
PID 2788 wrote to memory of 2540	2788	taskeng.exe	40
PID 2788 wrote to memory of 2540	2788	taskeng.exe	40
PID 2788 wrote to memory of 2540	2788	taskeng.exe	40
PID 2540 wrote to memory of 2340	2540	oobeldr.exe	41
PID 2540 wrote to memory of 2340	2540	oobeldr.exe	41
PID 2540 wrote to memory of 2340	2540	oobeldr.exe	41
PID 2540 wrote to memory of 2340	2540	oobeldr.exe	41
PID 2540 wrote to memory of 2340	2540	oobeldr.exe	41
PID 2540 wrote to memory of 2340	2540	oobeldr.exe	41
PID 2540 wrote to memory of 2340	2540	oobeldr.exe	41
PID 2540 wrote to memory of 2340	2540	oobeldr.exe	41
PID 2540 wrote to memory of 2340	2540	oobeldr.exe	41
PID 2788 wrote to memory of 824	2788	taskeng.exe	42
PID 2788 wrote to memory of 824	2788	taskeng.exe	42
PID 2788 wrote to memory of 824	2788	taskeng.exe	42
PID 2788 wrote to memory of 824	2788	taskeng.exe	42
PID 824 wrote to memory of 2032	824	oobeldr.exe	43
PID 824 wrote to memory of 2032	824	oobeldr.exe	43
PID 824 wrote to memory of 2032	824	oobeldr.exe	43
PID 824 wrote to memory of 2032	824	oobeldr.exe	43
PID 824 wrote to memory of 2616	824	oobeldr.exe	44
PID 824 wrote to memory of 2616	824	oobeldr.exe	44
PID 824 wrote to memory of 2616	824	oobeldr.exe	44
PID 824 wrote to memory of 2616	824	oobeldr.exe	44
PID 824 wrote to memory of 2616	824	oobeldr.exe	44

C:\Users\Admin\AppData\Local\Temp\821850dbb168d2c15da6005ed8c729495ea7bdc7877761008d00644536aefb56.exe
"C:\Users\Admin\AppData\Local\Temp\821850dbb168d2c15da6005ed8c729495ea7bdc7877761008d00644536aefb56.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2296
- C:\Users\Admin\AppData\Local\Temp\821850dbb168d2c15da6005ed8c729495ea7bdc7877761008d00644536aefb56.exe
  C:\Users\Admin\AppData\Local\Temp\821850dbb168d2c15da6005ed8c729495ea7bdc7877761008d00644536aefb56.exe
  2⤵
  PID:2112
- C:\Users\Admin\AppData\Local\Temp\821850dbb168d2c15da6005ed8c729495ea7bdc7877761008d00644536aefb56.exe
  C:\Users\Admin\AppData\Local\Temp\821850dbb168d2c15da6005ed8c729495ea7bdc7877761008d00644536aefb56.exe
  2⤵
  PID:2844
- C:\Users\Admin\AppData\Local\Temp\821850dbb168d2c15da6005ed8c729495ea7bdc7877761008d00644536aefb56.exe
  C:\Users\Admin\AppData\Local\Temp\821850dbb168d2c15da6005ed8c729495ea7bdc7877761008d00644536aefb56.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2908
- - C:\Windows\SysWOW64\schtasks.exe
    /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
    3⤵
    - Creates scheduled task(s)
    PID:2988

C:\Windows\system32\taskeng.exe
taskeng.exe {E47E7405-7022-4A10-A583-39FB372565E0} S-1-5-21-3408354897-1169622894-3874090110-1000:WGWIREOE\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2788
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2484
- - C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:536
  - - C:\Windows\SysWOW64\schtasks.exe
      /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
      4⤵
      Creates scheduled task(s)
      PID:1524
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2540
- - C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    3⤵
    - Executes dropped EXE
    PID:2340
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:824
- - C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    3⤵
    - Executes dropped EXE
    PID:2032
- - C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    3⤵
    - Executes dropped EXE
    PID:2616
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:1992
- - C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    3⤵
    - Executes dropped EXE
    PID:2812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
321KB

MD5
574297289459d1cf2cc3b8ce660fe708

SHA1
ddeb7d61bdb3d927255513958e6895ef50c25ee7

SHA256
821850dbb168d2c15da6005ed8c729495ea7bdc7877761008d00644536aefb56

SHA512
d1af37d1aead92129809503858499454f8a298f33c6f4e7f9fe07c44b22d16ec349fc12026f054579ef5d6960749b2e941e497af744f2511d643edad563aad66

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
321KB

MD5
574297289459d1cf2cc3b8ce660fe708

SHA1
ddeb7d61bdb3d927255513958e6895ef50c25ee7

SHA256
821850dbb168d2c15da6005ed8c729495ea7bdc7877761008d00644536aefb56

SHA512
d1af37d1aead92129809503858499454f8a298f33c6f4e7f9fe07c44b22d16ec349fc12026f054579ef5d6960749b2e941e497af744f2511d643edad563aad66

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
321KB

MD5
574297289459d1cf2cc3b8ce660fe708

SHA1
ddeb7d61bdb3d927255513958e6895ef50c25ee7

SHA256
821850dbb168d2c15da6005ed8c729495ea7bdc7877761008d00644536aefb56

SHA512
d1af37d1aead92129809503858499454f8a298f33c6f4e7f9fe07c44b22d16ec349fc12026f054579ef5d6960749b2e941e497af744f2511d643edad563aad66

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
321KB

MD5
574297289459d1cf2cc3b8ce660fe708

SHA1
ddeb7d61bdb3d927255513958e6895ef50c25ee7

SHA256
821850dbb168d2c15da6005ed8c729495ea7bdc7877761008d00644536aefb56

SHA512
d1af37d1aead92129809503858499454f8a298f33c6f4e7f9fe07c44b22d16ec349fc12026f054579ef5d6960749b2e941e497af744f2511d643edad563aad66

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
321KB

MD5
574297289459d1cf2cc3b8ce660fe708

SHA1
ddeb7d61bdb3d927255513958e6895ef50c25ee7

SHA256
821850dbb168d2c15da6005ed8c729495ea7bdc7877761008d00644536aefb56

SHA512
d1af37d1aead92129809503858499454f8a298f33c6f4e7f9fe07c44b22d16ec349fc12026f054579ef5d6960749b2e941e497af744f2511d643edad563aad66

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
321KB

MD5
574297289459d1cf2cc3b8ce660fe708

SHA1
ddeb7d61bdb3d927255513958e6895ef50c25ee7

SHA256
821850dbb168d2c15da6005ed8c729495ea7bdc7877761008d00644536aefb56

SHA512
d1af37d1aead92129809503858499454f8a298f33c6f4e7f9fe07c44b22d16ec349fc12026f054579ef5d6960749b2e941e497af744f2511d643edad563aad66

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
321KB

MD5
574297289459d1cf2cc3b8ce660fe708

SHA1
ddeb7d61bdb3d927255513958e6895ef50c25ee7

SHA256
821850dbb168d2c15da6005ed8c729495ea7bdc7877761008d00644536aefb56

SHA512
d1af37d1aead92129809503858499454f8a298f33c6f4e7f9fe07c44b22d16ec349fc12026f054579ef5d6960749b2e941e497af744f2511d643edad563aad66

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
321KB

MD5
574297289459d1cf2cc3b8ce660fe708

SHA1
ddeb7d61bdb3d927255513958e6895ef50c25ee7

SHA256
821850dbb168d2c15da6005ed8c729495ea7bdc7877761008d00644536aefb56

SHA512
d1af37d1aead92129809503858499454f8a298f33c6f4e7f9fe07c44b22d16ec349fc12026f054579ef5d6960749b2e941e497af744f2511d643edad563aad66

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
321KB

MD5
574297289459d1cf2cc3b8ce660fe708

SHA1
ddeb7d61bdb3d927255513958e6895ef50c25ee7

SHA256
821850dbb168d2c15da6005ed8c729495ea7bdc7877761008d00644536aefb56

SHA512
d1af37d1aead92129809503858499454f8a298f33c6f4e7f9fe07c44b22d16ec349fc12026f054579ef5d6960749b2e941e497af744f2511d643edad563aad66

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
321KB

MD5
574297289459d1cf2cc3b8ce660fe708

SHA1
ddeb7d61bdb3d927255513958e6895ef50c25ee7

SHA256
821850dbb168d2c15da6005ed8c729495ea7bdc7877761008d00644536aefb56

SHA512
d1af37d1aead92129809503858499454f8a298f33c6f4e7f9fe07c44b22d16ec349fc12026f054579ef5d6960749b2e941e497af744f2511d643edad563aad66

Download Submit
memory/536-86-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/824-109-0x0000000073680000-0x0000000073D6E000-memory.dmp

Filesize
6.9MB

Download
memory/824-122-0x0000000073680000-0x0000000073D6E000-memory.dmp

Filesize
6.9MB

Download
memory/1992-124-0x0000000074580000-0x0000000074C6E000-memory.dmp

Filesize
6.9MB

Download
memory/1992-125-0x00000000007D0000-0x0000000000810000-memory.dmp

Filesize
256KB

Download
memory/1992-136-0x0000000074580000-0x0000000074C6E000-memory.dmp

Filesize
6.9MB

Download
memory/2296-74-0x0000000004B70000-0x0000000004BB0000-memory.dmp

Filesize
256KB

Download
memory/2296-76-0x0000000074580000-0x0000000074C6E000-memory.dmp

Filesize
6.9MB

Download
memory/2296-59-0x0000000074580000-0x0000000074C6E000-memory.dmp

Filesize
6.9MB

Download
memory/2296-58-0x0000000004B70000-0x0000000004BB0000-memory.dmp

Filesize
256KB

Download
memory/2296-54-0x0000000000C20000-0x0000000000C76000-memory.dmp

Filesize
344KB

Download
memory/2296-57-0x0000000000320000-0x0000000000326000-memory.dmp

Filesize
24KB

Download
memory/2296-56-0x0000000006E00000-0x0000000006ECC000-memory.dmp

Filesize
816KB

Download
memory/2296-55-0x0000000074580000-0x0000000074C6E000-memory.dmp

Filesize
6.9MB

Download
memory/2484-81-0x00000000048E0000-0x0000000004920000-memory.dmp

Filesize
256KB

Download
memory/2484-79-0x0000000000810000-0x0000000000866000-memory.dmp

Filesize
344KB

Download
memory/2484-80-0x0000000073680000-0x0000000073D6E000-memory.dmp

Filesize
6.9MB

Download
memory/2484-92-0x0000000073680000-0x0000000073D6E000-memory.dmp

Filesize
6.9MB

Download
memory/2540-96-0x00000000021B0000-0x00000000021F0000-memory.dmp

Filesize
256KB

Download
memory/2540-107-0x0000000074580000-0x0000000074C6E000-memory.dmp

Filesize
6.9MB

Download
memory/2540-95-0x0000000000810000-0x0000000000866000-memory.dmp

Filesize
344KB

Download
memory/2540-94-0x0000000074580000-0x0000000074C6E000-memory.dmp

Filesize
6.9MB

Download
memory/2908-75-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2908-72-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2908-70-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2908-68-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2908-66-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2908-64-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2908-62-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2908-60-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads