79913df1161a6e3c7dd5d6f4e38c3baa1acd2c60572725220bc5d0934cdaa4ed

Analysis

max time kernel
273s
max time network
123s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
03/09/2023, 22:00

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

79913df1161a6e3c7dd5d6f4e38c3baa1acd2c60572725220bc5d0934cdaa4ed.exe
Size

322KB
MD5

353abe33062bb6bb408def916254e023
SHA1

8d4f8792aff58fe446d5cd78fc8d5b36f0cd677e
SHA256

79913df1161a6e3c7dd5d6f4e38c3baa1acd2c60572725220bc5d0934cdaa4ed
SHA512

5096d0c5d833c165c8a19995cf7973b3b7b42dd06839cff4a993858f553d557ba9a222fd7f18551b6cc7e13828830d5275a0d7a784edcd54e7bc94ba47d9bc37
SSDEEP

6144:eKlzr1sYCzek2ciDaP9Xk6Ln1W8W/9InBSkZZmLdGcAdgdY6RKpjS:eGhQ2ciDq9ZL1W8q9InBRqELdolRKpj

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 10 IoCs

pid	Process
2520	oobeldr.exe
2536	oobeldr.exe
2836	oobeldr.exe
1872	oobeldr.exe
2348	oobeldr.exe
2808	oobeldr.exe
800	oobeldr.exe
1324	oobeldr.exe
1464	oobeldr.exe
2460	oobeldr.exe

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 2056 set thread context of 2600	2056	79913df1161a6e3c7dd5d6f4e38c3baa1acd2c60572725220bc5d0934cdaa4ed.exe	28
PID 2520 set thread context of 2536	2520	oobeldr.exe	33
PID 2836 set thread context of 1872	2836	oobeldr.exe	39
PID 2348 set thread context of 2808	2348	oobeldr.exe	41
PID 800 set thread context of 1324	800	oobeldr.exe	43
PID 1464 set thread context of 2460	1464	oobeldr.exe	45

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2624	schtasks.exe
2532	schtasks.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2056 wrote to memory of 2600	2056	79913df1161a6e3c7dd5d6f4e38c3baa1acd2c60572725220bc5d0934cdaa4ed.exe	28
PID 2056 wrote to memory of 2600	2056	79913df1161a6e3c7dd5d6f4e38c3baa1acd2c60572725220bc5d0934cdaa4ed.exe	28
PID 2056 wrote to memory of 2600	2056	79913df1161a6e3c7dd5d6f4e38c3baa1acd2c60572725220bc5d0934cdaa4ed.exe	28
PID 2056 wrote to memory of 2600	2056	79913df1161a6e3c7dd5d6f4e38c3baa1acd2c60572725220bc5d0934cdaa4ed.exe	28
PID 2056 wrote to memory of 2600	2056	79913df1161a6e3c7dd5d6f4e38c3baa1acd2c60572725220bc5d0934cdaa4ed.exe	28
PID 2056 wrote to memory of 2600	2056	79913df1161a6e3c7dd5d6f4e38c3baa1acd2c60572725220bc5d0934cdaa4ed.exe	28
PID 2056 wrote to memory of 2600	2056	79913df1161a6e3c7dd5d6f4e38c3baa1acd2c60572725220bc5d0934cdaa4ed.exe	28
PID 2056 wrote to memory of 2600	2056	79913df1161a6e3c7dd5d6f4e38c3baa1acd2c60572725220bc5d0934cdaa4ed.exe	28
PID 2056 wrote to memory of 2600	2056	79913df1161a6e3c7dd5d6f4e38c3baa1acd2c60572725220bc5d0934cdaa4ed.exe	28
PID 2600 wrote to memory of 2624	2600	79913df1161a6e3c7dd5d6f4e38c3baa1acd2c60572725220bc5d0934cdaa4ed.exe	29
PID 2600 wrote to memory of 2624	2600	79913df1161a6e3c7dd5d6f4e38c3baa1acd2c60572725220bc5d0934cdaa4ed.exe	29
PID 2600 wrote to memory of 2624	2600	79913df1161a6e3c7dd5d6f4e38c3baa1acd2c60572725220bc5d0934cdaa4ed.exe	29
PID 2600 wrote to memory of 2624	2600	79913df1161a6e3c7dd5d6f4e38c3baa1acd2c60572725220bc5d0934cdaa4ed.exe	29
PID 2724 wrote to memory of 2520	2724	taskeng.exe	32
PID 2724 wrote to memory of 2520	2724	taskeng.exe	32
PID 2724 wrote to memory of 2520	2724	taskeng.exe	32
PID 2724 wrote to memory of 2520	2724	taskeng.exe	32
PID 2520 wrote to memory of 2536	2520	oobeldr.exe	33
PID 2520 wrote to memory of 2536	2520	oobeldr.exe	33
PID 2520 wrote to memory of 2536	2520	oobeldr.exe	33
PID 2520 wrote to memory of 2536	2520	oobeldr.exe	33
PID 2520 wrote to memory of 2536	2520	oobeldr.exe	33
PID 2520 wrote to memory of 2536	2520	oobeldr.exe	33
PID 2520 wrote to memory of 2536	2520	oobeldr.exe	33
PID 2520 wrote to memory of 2536	2520	oobeldr.exe	33
PID 2520 wrote to memory of 2536	2520	oobeldr.exe	33
PID 2536 wrote to memory of 2532	2536	oobeldr.exe	34
PID 2536 wrote to memory of 2532	2536	oobeldr.exe	34
PID 2536 wrote to memory of 2532	2536	oobeldr.exe	34
PID 2536 wrote to memory of 2532	2536	oobeldr.exe	34
PID 2724 wrote to memory of 2836	2724	taskeng.exe	38
PID 2724 wrote to memory of 2836	2724	taskeng.exe	38
PID 2724 wrote to memory of 2836	2724	taskeng.exe	38
PID 2724 wrote to memory of 2836	2724	taskeng.exe	38
PID 2836 wrote to memory of 1872	2836	oobeldr.exe	39
PID 2836 wrote to memory of 1872	2836	oobeldr.exe	39
PID 2836 wrote to memory of 1872	2836	oobeldr.exe	39
PID 2836 wrote to memory of 1872	2836	oobeldr.exe	39
PID 2836 wrote to memory of 1872	2836	oobeldr.exe	39
PID 2836 wrote to memory of 1872	2836	oobeldr.exe	39
PID 2836 wrote to memory of 1872	2836	oobeldr.exe	39
PID 2836 wrote to memory of 1872	2836	oobeldr.exe	39
PID 2836 wrote to memory of 1872	2836	oobeldr.exe	39
PID 2724 wrote to memory of 2348	2724	taskeng.exe	40
PID 2724 wrote to memory of 2348	2724	taskeng.exe	40
PID 2724 wrote to memory of 2348	2724	taskeng.exe	40
PID 2724 wrote to memory of 2348	2724	taskeng.exe	40
PID 2348 wrote to memory of 2808	2348	oobeldr.exe	41
PID 2348 wrote to memory of 2808	2348	oobeldr.exe	41
PID 2348 wrote to memory of 2808	2348	oobeldr.exe	41
PID 2348 wrote to memory of 2808	2348	oobeldr.exe	41
PID 2348 wrote to memory of 2808	2348	oobeldr.exe	41
PID 2348 wrote to memory of 2808	2348	oobeldr.exe	41
PID 2348 wrote to memory of 2808	2348	oobeldr.exe	41
PID 2348 wrote to memory of 2808	2348	oobeldr.exe	41
PID 2348 wrote to memory of 2808	2348	oobeldr.exe	41
PID 2724 wrote to memory of 800	2724	taskeng.exe	42
PID 2724 wrote to memory of 800	2724	taskeng.exe	42
PID 2724 wrote to memory of 800	2724	taskeng.exe	42
PID 2724 wrote to memory of 800	2724	taskeng.exe	42
PID 800 wrote to memory of 1324	800	oobeldr.exe	43
PID 800 wrote to memory of 1324	800	oobeldr.exe	43
PID 800 wrote to memory of 1324	800	oobeldr.exe	43
PID 800 wrote to memory of 1324	800	oobeldr.exe	43

C:\Users\Admin\AppData\Local\Temp\79913df1161a6e3c7dd5d6f4e38c3baa1acd2c60572725220bc5d0934cdaa4ed.exe
"C:\Users\Admin\AppData\Local\Temp\79913df1161a6e3c7dd5d6f4e38c3baa1acd2c60572725220bc5d0934cdaa4ed.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2056
- C:\Users\Admin\AppData\Local\Temp\79913df1161a6e3c7dd5d6f4e38c3baa1acd2c60572725220bc5d0934cdaa4ed.exe
  C:\Users\Admin\AppData\Local\Temp\79913df1161a6e3c7dd5d6f4e38c3baa1acd2c60572725220bc5d0934cdaa4ed.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2600
- - C:\Windows\SysWOW64\schtasks.exe
    /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
    3⤵
    - Creates scheduled task(s)
    PID:2624

C:\Windows\system32\taskeng.exe
taskeng.exe {4C8035AC-2ECE-4AA6-8770-17230FE1E02D} S-1-5-21-2180306848-1874213455-4093218721-1000:XEBBURHY\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2724
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2520
- - C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2536
  - - C:\Windows\SysWOW64\schtasks.exe
      /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
      4⤵
      Creates scheduled task(s)
      PID:2532
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2836
- - C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    3⤵
    - Executes dropped EXE
    PID:1872
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2348
- - C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    3⤵
    - Executes dropped EXE
    PID:2808
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:800
- - C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    3⤵
    - Executes dropped EXE
    PID:1324
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:1464
- - C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    3⤵
    - Executes dropped EXE
    PID:2460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
322KB

MD5
353abe33062bb6bb408def916254e023

SHA1
8d4f8792aff58fe446d5cd78fc8d5b36f0cd677e

SHA256
79913df1161a6e3c7dd5d6f4e38c3baa1acd2c60572725220bc5d0934cdaa4ed

SHA512
5096d0c5d833c165c8a19995cf7973b3b7b42dd06839cff4a993858f553d557ba9a222fd7f18551b6cc7e13828830d5275a0d7a784edcd54e7bc94ba47d9bc37

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
322KB

MD5
353abe33062bb6bb408def916254e023

SHA1
8d4f8792aff58fe446d5cd78fc8d5b36f0cd677e

SHA256
79913df1161a6e3c7dd5d6f4e38c3baa1acd2c60572725220bc5d0934cdaa4ed

SHA512
5096d0c5d833c165c8a19995cf7973b3b7b42dd06839cff4a993858f553d557ba9a222fd7f18551b6cc7e13828830d5275a0d7a784edcd54e7bc94ba47d9bc37

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
322KB

MD5
353abe33062bb6bb408def916254e023

SHA1
8d4f8792aff58fe446d5cd78fc8d5b36f0cd677e

SHA256
79913df1161a6e3c7dd5d6f4e38c3baa1acd2c60572725220bc5d0934cdaa4ed

SHA512
5096d0c5d833c165c8a19995cf7973b3b7b42dd06839cff4a993858f553d557ba9a222fd7f18551b6cc7e13828830d5275a0d7a784edcd54e7bc94ba47d9bc37

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
322KB

MD5
353abe33062bb6bb408def916254e023

SHA1
8d4f8792aff58fe446d5cd78fc8d5b36f0cd677e

SHA256
79913df1161a6e3c7dd5d6f4e38c3baa1acd2c60572725220bc5d0934cdaa4ed

SHA512
5096d0c5d833c165c8a19995cf7973b3b7b42dd06839cff4a993858f553d557ba9a222fd7f18551b6cc7e13828830d5275a0d7a784edcd54e7bc94ba47d9bc37

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
322KB

MD5
353abe33062bb6bb408def916254e023

SHA1
8d4f8792aff58fe446d5cd78fc8d5b36f0cd677e

SHA256
79913df1161a6e3c7dd5d6f4e38c3baa1acd2c60572725220bc5d0934cdaa4ed

SHA512
5096d0c5d833c165c8a19995cf7973b3b7b42dd06839cff4a993858f553d557ba9a222fd7f18551b6cc7e13828830d5275a0d7a784edcd54e7bc94ba47d9bc37

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
322KB

MD5
353abe33062bb6bb408def916254e023

SHA1
8d4f8792aff58fe446d5cd78fc8d5b36f0cd677e

SHA256
79913df1161a6e3c7dd5d6f4e38c3baa1acd2c60572725220bc5d0934cdaa4ed

SHA512
5096d0c5d833c165c8a19995cf7973b3b7b42dd06839cff4a993858f553d557ba9a222fd7f18551b6cc7e13828830d5275a0d7a784edcd54e7bc94ba47d9bc37

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
322KB

MD5
353abe33062bb6bb408def916254e023

SHA1
8d4f8792aff58fe446d5cd78fc8d5b36f0cd677e

SHA256
79913df1161a6e3c7dd5d6f4e38c3baa1acd2c60572725220bc5d0934cdaa4ed

SHA512
5096d0c5d833c165c8a19995cf7973b3b7b42dd06839cff4a993858f553d557ba9a222fd7f18551b6cc7e13828830d5275a0d7a784edcd54e7bc94ba47d9bc37

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
322KB

MD5
353abe33062bb6bb408def916254e023

SHA1
8d4f8792aff58fe446d5cd78fc8d5b36f0cd677e

SHA256
79913df1161a6e3c7dd5d6f4e38c3baa1acd2c60572725220bc5d0934cdaa4ed

SHA512
5096d0c5d833c165c8a19995cf7973b3b7b42dd06839cff4a993858f553d557ba9a222fd7f18551b6cc7e13828830d5275a0d7a784edcd54e7bc94ba47d9bc37

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
322KB

MD5
353abe33062bb6bb408def916254e023

SHA1
8d4f8792aff58fe446d5cd78fc8d5b36f0cd677e

SHA256
79913df1161a6e3c7dd5d6f4e38c3baa1acd2c60572725220bc5d0934cdaa4ed

SHA512
5096d0c5d833c165c8a19995cf7973b3b7b42dd06839cff4a993858f553d557ba9a222fd7f18551b6cc7e13828830d5275a0d7a784edcd54e7bc94ba47d9bc37

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
322KB

MD5
353abe33062bb6bb408def916254e023

SHA1
8d4f8792aff58fe446d5cd78fc8d5b36f0cd677e

SHA256
79913df1161a6e3c7dd5d6f4e38c3baa1acd2c60572725220bc5d0934cdaa4ed

SHA512
5096d0c5d833c165c8a19995cf7973b3b7b42dd06839cff4a993858f553d557ba9a222fd7f18551b6cc7e13828830d5275a0d7a784edcd54e7bc94ba47d9bc37

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
322KB

MD5
353abe33062bb6bb408def916254e023

SHA1
8d4f8792aff58fe446d5cd78fc8d5b36f0cd677e

SHA256
79913df1161a6e3c7dd5d6f4e38c3baa1acd2c60572725220bc5d0934cdaa4ed

SHA512
5096d0c5d833c165c8a19995cf7973b3b7b42dd06839cff4a993858f553d557ba9a222fd7f18551b6cc7e13828830d5275a0d7a784edcd54e7bc94ba47d9bc37

Download Submit
memory/800-79-0x0000000073A80000-0x000000007416E000-memory.dmp

Filesize
6.9MB

Download
memory/800-68-0x0000000073A80000-0x000000007416E000-memory.dmp

Filesize
6.9MB

Download
memory/1324-73-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1464-82-0x0000000004870000-0x00000000048B0000-memory.dmp

Filesize
256KB

Download
memory/1464-81-0x0000000072E00000-0x00000000734EE000-memory.dmp

Filesize
6.9MB

Download
memory/1464-93-0x0000000072E00000-0x00000000734EE000-memory.dmp

Filesize
6.9MB

Download
memory/2056-20-0x0000000073EF0000-0x00000000745DE000-memory.dmp

Filesize
6.9MB

Download
memory/2056-4-0x00000000041F0000-0x0000000004230000-memory.dmp

Filesize
256KB

Download
memory/2056-3-0x0000000000510000-0x0000000000516000-memory.dmp

Filesize
24KB

Download
memory/2056-0-0x0000000000810000-0x0000000000866000-memory.dmp

Filesize
344KB

Download
memory/2056-2-0x00000000048B0000-0x000000000497C000-memory.dmp

Filesize
816KB

Download
memory/2056-1-0x0000000073EF0000-0x00000000745DE000-memory.dmp

Filesize
6.9MB

Download
memory/2348-65-0x0000000072E00000-0x00000000734EE000-memory.dmp

Filesize
6.9MB

Download
memory/2348-55-0x0000000004C10000-0x0000000004C50000-memory.dmp

Filesize
256KB

Download
memory/2348-54-0x0000000072E00000-0x00000000734EE000-memory.dmp

Filesize
6.9MB

Download
memory/2520-37-0x0000000073800000-0x0000000073EEE000-memory.dmp

Filesize
6.9MB

Download
memory/2520-25-0x0000000004900000-0x0000000004940000-memory.dmp

Filesize
256KB

Download
memory/2520-23-0x0000000073800000-0x0000000073EEE000-memory.dmp

Filesize
6.9MB

Download
memory/2520-24-0x0000000000C20000-0x0000000000C76000-memory.dmp

Filesize
344KB

Download
memory/2536-36-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2536-30-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2600-11-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2600-19-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2600-17-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2600-15-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2600-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2600-9-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2600-7-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2600-5-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2836-39-0x0000000073A80000-0x000000007416E000-memory.dmp

Filesize
6.9MB

Download
memory/2836-40-0x0000000000C20000-0x0000000000C76000-memory.dmp

Filesize
344KB

Download
memory/2836-51-0x0000000073A80000-0x000000007416E000-memory.dmp

Filesize
6.9MB

Download
memory/2836-41-0x0000000004BC0000-0x0000000004C00000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads