ebc7a922a9207a481faf455e4261feff9e86b1eecb37c27d8f471b82c85ec122

General

Target

ebc7a922a9207a481faf455e4261feff9e86b1eecb37c27d8f471b82c85ec122.exe
Size

322KB
MD5

756b0643cc3bc903185f3e6e9d0088bd
SHA1

cb762343b744668aeede87e83517b2b2ad67f6d4
SHA256

ebc7a922a9207a481faf455e4261feff9e86b1eecb37c27d8f471b82c85ec122
SHA512

02b5a619ee09efcff9976e94b88452b777db7240e5ed7cc9b3c804f2d17d5797137769d8f1b0ebe840508418144dd9a939b6cf9198e3d357e11097f5f72ed57c
SSDEEP

6144:eKlzr1sYCzek2ciDaP9Xk6Ln1W8W/9InBSkZZmLdGcAdgdY6RKpjS:eGhQ2ciDq9ZL1W8q9InBRqELdolRKpj

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3760	oobeldr.exe
2716	oobeldr.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1660 set thread context of 4976	1660	ebc7a922a9207a481faf455e4261feff9e86b1eecb37c27d8f471b82c85ec122.exe	69
PID 3760 set thread context of 2716	3760	oobeldr.exe	73

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3044	schtasks.exe
4932	schtasks.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1660 wrote to memory of 4976	1660	ebc7a922a9207a481faf455e4261feff9e86b1eecb37c27d8f471b82c85ec122.exe	69
PID 1660 wrote to memory of 4976	1660	ebc7a922a9207a481faf455e4261feff9e86b1eecb37c27d8f471b82c85ec122.exe	69
PID 1660 wrote to memory of 4976	1660	ebc7a922a9207a481faf455e4261feff9e86b1eecb37c27d8f471b82c85ec122.exe	69
PID 1660 wrote to memory of 4976	1660	ebc7a922a9207a481faf455e4261feff9e86b1eecb37c27d8f471b82c85ec122.exe	69
PID 1660 wrote to memory of 4976	1660	ebc7a922a9207a481faf455e4261feff9e86b1eecb37c27d8f471b82c85ec122.exe	69
PID 1660 wrote to memory of 4976	1660	ebc7a922a9207a481faf455e4261feff9e86b1eecb37c27d8f471b82c85ec122.exe	69
PID 1660 wrote to memory of 4976	1660	ebc7a922a9207a481faf455e4261feff9e86b1eecb37c27d8f471b82c85ec122.exe	69
PID 1660 wrote to memory of 4976	1660	ebc7a922a9207a481faf455e4261feff9e86b1eecb37c27d8f471b82c85ec122.exe	69
PID 1660 wrote to memory of 4976	1660	ebc7a922a9207a481faf455e4261feff9e86b1eecb37c27d8f471b82c85ec122.exe	69
PID 4976 wrote to memory of 3044	4976	ebc7a922a9207a481faf455e4261feff9e86b1eecb37c27d8f471b82c85ec122.exe	70
PID 4976 wrote to memory of 3044	4976	ebc7a922a9207a481faf455e4261feff9e86b1eecb37c27d8f471b82c85ec122.exe	70
PID 4976 wrote to memory of 3044	4976	ebc7a922a9207a481faf455e4261feff9e86b1eecb37c27d8f471b82c85ec122.exe	70
PID 3760 wrote to memory of 2716	3760	oobeldr.exe	73
PID 3760 wrote to memory of 2716	3760	oobeldr.exe	73
PID 3760 wrote to memory of 2716	3760	oobeldr.exe	73
PID 3760 wrote to memory of 2716	3760	oobeldr.exe	73
PID 3760 wrote to memory of 2716	3760	oobeldr.exe	73
PID 3760 wrote to memory of 2716	3760	oobeldr.exe	73
PID 3760 wrote to memory of 2716	3760	oobeldr.exe	73
PID 3760 wrote to memory of 2716	3760	oobeldr.exe	73
PID 3760 wrote to memory of 2716	3760	oobeldr.exe	73
PID 2716 wrote to memory of 4932	2716	oobeldr.exe	74
PID 2716 wrote to memory of 4932	2716	oobeldr.exe	74
PID 2716 wrote to memory of 4932	2716	oobeldr.exe	74

C:\Users\Admin\AppData\Local\Temp\ebc7a922a9207a481faf455e4261feff9e86b1eecb37c27d8f471b82c85ec122.exe
"C:\Users\Admin\AppData\Local\Temp\ebc7a922a9207a481faf455e4261feff9e86b1eecb37c27d8f471b82c85ec122.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1660
- C:\Users\Admin\AppData\Local\Temp\ebc7a922a9207a481faf455e4261feff9e86b1eecb37c27d8f471b82c85ec122.exe
  C:\Users\Admin\AppData\Local\Temp\ebc7a922a9207a481faf455e4261feff9e86b1eecb37c27d8f471b82c85ec122.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4976
- - C:\Windows\SysWOW64\schtasks.exe
    /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
    3⤵
    - Creates scheduled task(s)
    PID:3044

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3760
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2716
- - C:\Windows\SysWOW64\schtasks.exe
    /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
    3⤵
    - Creates scheduled task(s)
    PID:4932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
322KB

MD5
756b0643cc3bc903185f3e6e9d0088bd

SHA1
cb762343b744668aeede87e83517b2b2ad67f6d4

SHA256
ebc7a922a9207a481faf455e4261feff9e86b1eecb37c27d8f471b82c85ec122

SHA512
02b5a619ee09efcff9976e94b88452b777db7240e5ed7cc9b3c804f2d17d5797137769d8f1b0ebe840508418144dd9a939b6cf9198e3d357e11097f5f72ed57c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
322KB

MD5
756b0643cc3bc903185f3e6e9d0088bd

SHA1
cb762343b744668aeede87e83517b2b2ad67f6d4

SHA256
ebc7a922a9207a481faf455e4261feff9e86b1eecb37c27d8f471b82c85ec122

SHA512
02b5a619ee09efcff9976e94b88452b777db7240e5ed7cc9b3c804f2d17d5797137769d8f1b0ebe840508418144dd9a939b6cf9198e3d357e11097f5f72ed57c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
322KB

MD5
756b0643cc3bc903185f3e6e9d0088bd

SHA1
cb762343b744668aeede87e83517b2b2ad67f6d4

SHA256
ebc7a922a9207a481faf455e4261feff9e86b1eecb37c27d8f471b82c85ec122

SHA512
02b5a619ee09efcff9976e94b88452b777db7240e5ed7cc9b3c804f2d17d5797137769d8f1b0ebe840508418144dd9a939b6cf9198e3d357e11097f5f72ed57c

Download Submit
memory/1660-6-0x00000000059C0000-0x00000000059D0000-memory.dmp

Filesize
64KB

Download
memory/1660-4-0x0000000007E50000-0x0000000007EE2000-memory.dmp

Filesize
584KB

Download
memory/1660-5-0x0000000005990000-0x0000000005996000-memory.dmp

Filesize
24KB

Download
memory/1660-3-0x00000000082B0000-0x00000000087AE000-memory.dmp

Filesize
5.0MB

Download
memory/1660-7-0x00000000080F0000-0x0000000008166000-memory.dmp

Filesize
472KB

Download
memory/1660-8-0x0000000007DD0000-0x0000000007DEE000-memory.dmp

Filesize
120KB

Download
memory/1660-2-0x0000000003250000-0x000000000331C000-memory.dmp

Filesize
816KB

Download
memory/1660-14-0x0000000073EE0000-0x00000000745CE000-memory.dmp

Filesize
6.9MB

Download
memory/1660-0-0x0000000000FA0000-0x0000000000FF6000-memory.dmp

Filesize
344KB

Download
memory/1660-1-0x0000000073EE0000-0x00000000745CE000-memory.dmp

Filesize
6.9MB

Download
memory/2716-25-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/3760-18-0x0000000073EE0000-0x00000000745CE000-memory.dmp

Filesize
6.9MB

Download
memory/3760-19-0x0000000004E50000-0x0000000004E60000-memory.dmp

Filesize
64KB

Download
memory/3760-26-0x0000000073EE0000-0x00000000745CE000-memory.dmp

Filesize
6.9MB

Download
memory/4976-15-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/4976-12-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/4976-9-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads