84587f4a6c167b90635152c9d9e5b728018687700ef7a04408bce6222f4b9f1f

Analysis

max time kernel
278s
max time network
121s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
13-11-2023 08:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

84587f4a6c167b90635152c9d9e5b728018687700ef7a04408bce6222f4b9f1f.exe
Size

323KB
MD5

3f10188bdedd3ddce2888d9cfa07c0a9
SHA1

453f1572d01af63bce3d7ee8808c83fd9d5bfa23
SHA256

84587f4a6c167b90635152c9d9e5b728018687700ef7a04408bce6222f4b9f1f
SHA512

95a0b1e936cab09d1160305129ddf4aa761aa8129d5b71b2193b3db542da1e98ca9b18c5f319c33b110fce86812ec741d8e3f7d5ee48e8df2fa3ac5dc4790d16
SSDEEP

6144:eKlzr1sYCzek2ciDaP9Xk6Ln1W8W/9InBSkZZmLdGcAdgdY6RKpjS:eGhQ2ciDq9ZL1W8q9InBRqELdolRKpj

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 10 IoCs

pid	Process
2496	oobeldr.exe
3012	oobeldr.exe
328	oobeldr.exe
2840	oobeldr.exe
1088	oobeldr.exe
1668	oobeldr.exe
2844	oobeldr.exe
2332	oobeldr.exe
2356	oobeldr.exe
2852	oobeldr.exe

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 2236 set thread context of 2764	2236	84587f4a6c167b90635152c9d9e5b728018687700ef7a04408bce6222f4b9f1f.exe	28
PID 2496 set thread context of 3012	2496	oobeldr.exe	35
PID 328 set thread context of 2840	328	oobeldr.exe	39
PID 1088 set thread context of 1668	1088	oobeldr.exe	41
PID 2844 set thread context of 2332	2844	oobeldr.exe	43
PID 2356 set thread context of 2852	2356	oobeldr.exe	45

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2712	schtasks.exe
1756	schtasks.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 2764	2236	84587f4a6c167b90635152c9d9e5b728018687700ef7a04408bce6222f4b9f1f.exe	28
PID 2236 wrote to memory of 2764	2236	84587f4a6c167b90635152c9d9e5b728018687700ef7a04408bce6222f4b9f1f.exe	28
PID 2236 wrote to memory of 2764	2236	84587f4a6c167b90635152c9d9e5b728018687700ef7a04408bce6222f4b9f1f.exe	28
PID 2236 wrote to memory of 2764	2236	84587f4a6c167b90635152c9d9e5b728018687700ef7a04408bce6222f4b9f1f.exe	28
PID 2236 wrote to memory of 2764	2236	84587f4a6c167b90635152c9d9e5b728018687700ef7a04408bce6222f4b9f1f.exe	28
PID 2236 wrote to memory of 2764	2236	84587f4a6c167b90635152c9d9e5b728018687700ef7a04408bce6222f4b9f1f.exe	28
PID 2236 wrote to memory of 2764	2236	84587f4a6c167b90635152c9d9e5b728018687700ef7a04408bce6222f4b9f1f.exe	28
PID 2236 wrote to memory of 2764	2236	84587f4a6c167b90635152c9d9e5b728018687700ef7a04408bce6222f4b9f1f.exe	28
PID 2236 wrote to memory of 2764	2236	84587f4a6c167b90635152c9d9e5b728018687700ef7a04408bce6222f4b9f1f.exe	28
PID 2764 wrote to memory of 2712	2764	84587f4a6c167b90635152c9d9e5b728018687700ef7a04408bce6222f4b9f1f.exe	29
PID 2764 wrote to memory of 2712	2764	84587f4a6c167b90635152c9d9e5b728018687700ef7a04408bce6222f4b9f1f.exe	29
PID 2764 wrote to memory of 2712	2764	84587f4a6c167b90635152c9d9e5b728018687700ef7a04408bce6222f4b9f1f.exe	29
PID 2764 wrote to memory of 2712	2764	84587f4a6c167b90635152c9d9e5b728018687700ef7a04408bce6222f4b9f1f.exe	29
PID 2660 wrote to memory of 2496	2660	taskeng.exe	34
PID 2660 wrote to memory of 2496	2660	taskeng.exe	34
PID 2660 wrote to memory of 2496	2660	taskeng.exe	34
PID 2660 wrote to memory of 2496	2660	taskeng.exe	34
PID 2496 wrote to memory of 3012	2496	oobeldr.exe	35
PID 2496 wrote to memory of 3012	2496	oobeldr.exe	35
PID 2496 wrote to memory of 3012	2496	oobeldr.exe	35
PID 2496 wrote to memory of 3012	2496	oobeldr.exe	35
PID 2496 wrote to memory of 3012	2496	oobeldr.exe	35
PID 2496 wrote to memory of 3012	2496	oobeldr.exe	35
PID 2496 wrote to memory of 3012	2496	oobeldr.exe	35
PID 2496 wrote to memory of 3012	2496	oobeldr.exe	35
PID 2496 wrote to memory of 3012	2496	oobeldr.exe	35
PID 3012 wrote to memory of 1756	3012	oobeldr.exe	36
PID 3012 wrote to memory of 1756	3012	oobeldr.exe	36
PID 3012 wrote to memory of 1756	3012	oobeldr.exe	36
PID 3012 wrote to memory of 1756	3012	oobeldr.exe	36
PID 2660 wrote to memory of 328	2660	taskeng.exe	38
PID 2660 wrote to memory of 328	2660	taskeng.exe	38
PID 2660 wrote to memory of 328	2660	taskeng.exe	38
PID 2660 wrote to memory of 328	2660	taskeng.exe	38
PID 328 wrote to memory of 2840	328	oobeldr.exe	39
PID 328 wrote to memory of 2840	328	oobeldr.exe	39
PID 328 wrote to memory of 2840	328	oobeldr.exe	39
PID 328 wrote to memory of 2840	328	oobeldr.exe	39
PID 328 wrote to memory of 2840	328	oobeldr.exe	39
PID 328 wrote to memory of 2840	328	oobeldr.exe	39
PID 328 wrote to memory of 2840	328	oobeldr.exe	39
PID 328 wrote to memory of 2840	328	oobeldr.exe	39
PID 328 wrote to memory of 2840	328	oobeldr.exe	39
PID 2660 wrote to memory of 1088	2660	taskeng.exe	40
PID 2660 wrote to memory of 1088	2660	taskeng.exe	40
PID 2660 wrote to memory of 1088	2660	taskeng.exe	40
PID 2660 wrote to memory of 1088	2660	taskeng.exe	40
PID 1088 wrote to memory of 1668	1088	oobeldr.exe	41
PID 1088 wrote to memory of 1668	1088	oobeldr.exe	41
PID 1088 wrote to memory of 1668	1088	oobeldr.exe	41
PID 1088 wrote to memory of 1668	1088	oobeldr.exe	41
PID 1088 wrote to memory of 1668	1088	oobeldr.exe	41
PID 1088 wrote to memory of 1668	1088	oobeldr.exe	41
PID 1088 wrote to memory of 1668	1088	oobeldr.exe	41
PID 1088 wrote to memory of 1668	1088	oobeldr.exe	41
PID 1088 wrote to memory of 1668	1088	oobeldr.exe	41
PID 2660 wrote to memory of 2844	2660	taskeng.exe	42
PID 2660 wrote to memory of 2844	2660	taskeng.exe	42
PID 2660 wrote to memory of 2844	2660	taskeng.exe	42
PID 2660 wrote to memory of 2844	2660	taskeng.exe	42
PID 2844 wrote to memory of 2332	2844	oobeldr.exe	43
PID 2844 wrote to memory of 2332	2844	oobeldr.exe	43
PID 2844 wrote to memory of 2332	2844	oobeldr.exe	43
PID 2844 wrote to memory of 2332	2844	oobeldr.exe	43

C:\Users\Admin\AppData\Local\Temp\84587f4a6c167b90635152c9d9e5b728018687700ef7a04408bce6222f4b9f1f.exe
"C:\Users\Admin\AppData\Local\Temp\84587f4a6c167b90635152c9d9e5b728018687700ef7a04408bce6222f4b9f1f.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Users\Admin\AppData\Local\Temp\84587f4a6c167b90635152c9d9e5b728018687700ef7a04408bce6222f4b9f1f.exe
  C:\Users\Admin\AppData\Local\Temp\84587f4a6c167b90635152c9d9e5b728018687700ef7a04408bce6222f4b9f1f.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2764
- - C:\Windows\SysWOW64\schtasks.exe
    /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
    3⤵
    - Creates scheduled task(s)
    PID:2712

C:\Windows\system32\taskeng.exe
taskeng.exe {E96F0130-1FA8-4B42-9DEF-7660B63E3686} S-1-5-21-2085049433-1067986815-1244098655-1000:AHLBRYJO\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2660
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2496
- - C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3012
  - - C:\Windows\SysWOW64\schtasks.exe
      /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
      4⤵
      Creates scheduled task(s)
      PID:1756
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:328
- - C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    3⤵
    - Executes dropped EXE
    PID:2840
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1088
- - C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    3⤵
    - Executes dropped EXE
    PID:1668
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2844
- - C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    3⤵
    - Executes dropped EXE
    PID:2332
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:2356
- - C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    3⤵
    - Executes dropped EXE
    PID:2852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
323KB

MD5
3f10188bdedd3ddce2888d9cfa07c0a9

SHA1
453f1572d01af63bce3d7ee8808c83fd9d5bfa23

SHA256
84587f4a6c167b90635152c9d9e5b728018687700ef7a04408bce6222f4b9f1f

SHA512
95a0b1e936cab09d1160305129ddf4aa761aa8129d5b71b2193b3db542da1e98ca9b18c5f319c33b110fce86812ec741d8e3f7d5ee48e8df2fa3ac5dc4790d16

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
323KB

MD5
3f10188bdedd3ddce2888d9cfa07c0a9

SHA1
453f1572d01af63bce3d7ee8808c83fd9d5bfa23

SHA256
84587f4a6c167b90635152c9d9e5b728018687700ef7a04408bce6222f4b9f1f

SHA512
95a0b1e936cab09d1160305129ddf4aa761aa8129d5b71b2193b3db542da1e98ca9b18c5f319c33b110fce86812ec741d8e3f7d5ee48e8df2fa3ac5dc4790d16

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
323KB

MD5
3f10188bdedd3ddce2888d9cfa07c0a9

SHA1
453f1572d01af63bce3d7ee8808c83fd9d5bfa23

SHA256
84587f4a6c167b90635152c9d9e5b728018687700ef7a04408bce6222f4b9f1f

SHA512
95a0b1e936cab09d1160305129ddf4aa761aa8129d5b71b2193b3db542da1e98ca9b18c5f319c33b110fce86812ec741d8e3f7d5ee48e8df2fa3ac5dc4790d16

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
323KB

MD5
3f10188bdedd3ddce2888d9cfa07c0a9

SHA1
453f1572d01af63bce3d7ee8808c83fd9d5bfa23

SHA256
84587f4a6c167b90635152c9d9e5b728018687700ef7a04408bce6222f4b9f1f

SHA512
95a0b1e936cab09d1160305129ddf4aa761aa8129d5b71b2193b3db542da1e98ca9b18c5f319c33b110fce86812ec741d8e3f7d5ee48e8df2fa3ac5dc4790d16

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
323KB

MD5
3f10188bdedd3ddce2888d9cfa07c0a9

SHA1
453f1572d01af63bce3d7ee8808c83fd9d5bfa23

SHA256
84587f4a6c167b90635152c9d9e5b728018687700ef7a04408bce6222f4b9f1f

SHA512
95a0b1e936cab09d1160305129ddf4aa761aa8129d5b71b2193b3db542da1e98ca9b18c5f319c33b110fce86812ec741d8e3f7d5ee48e8df2fa3ac5dc4790d16

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
323KB

MD5
3f10188bdedd3ddce2888d9cfa07c0a9

SHA1
453f1572d01af63bce3d7ee8808c83fd9d5bfa23

SHA256
84587f4a6c167b90635152c9d9e5b728018687700ef7a04408bce6222f4b9f1f

SHA512
95a0b1e936cab09d1160305129ddf4aa761aa8129d5b71b2193b3db542da1e98ca9b18c5f319c33b110fce86812ec741d8e3f7d5ee48e8df2fa3ac5dc4790d16

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
323KB

MD5
3f10188bdedd3ddce2888d9cfa07c0a9

SHA1
453f1572d01af63bce3d7ee8808c83fd9d5bfa23

SHA256
84587f4a6c167b90635152c9d9e5b728018687700ef7a04408bce6222f4b9f1f

SHA512
95a0b1e936cab09d1160305129ddf4aa761aa8129d5b71b2193b3db542da1e98ca9b18c5f319c33b110fce86812ec741d8e3f7d5ee48e8df2fa3ac5dc4790d16

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
323KB

MD5
3f10188bdedd3ddce2888d9cfa07c0a9

SHA1
453f1572d01af63bce3d7ee8808c83fd9d5bfa23

SHA256
84587f4a6c167b90635152c9d9e5b728018687700ef7a04408bce6222f4b9f1f

SHA512
95a0b1e936cab09d1160305129ddf4aa761aa8129d5b71b2193b3db542da1e98ca9b18c5f319c33b110fce86812ec741d8e3f7d5ee48e8df2fa3ac5dc4790d16

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
323KB

MD5
3f10188bdedd3ddce2888d9cfa07c0a9

SHA1
453f1572d01af63bce3d7ee8808c83fd9d5bfa23

SHA256
84587f4a6c167b90635152c9d9e5b728018687700ef7a04408bce6222f4b9f1f

SHA512
95a0b1e936cab09d1160305129ddf4aa761aa8129d5b71b2193b3db542da1e98ca9b18c5f319c33b110fce86812ec741d8e3f7d5ee48e8df2fa3ac5dc4790d16

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
323KB

MD5
3f10188bdedd3ddce2888d9cfa07c0a9

SHA1
453f1572d01af63bce3d7ee8808c83fd9d5bfa23

SHA256
84587f4a6c167b90635152c9d9e5b728018687700ef7a04408bce6222f4b9f1f

SHA512
95a0b1e936cab09d1160305129ddf4aa761aa8129d5b71b2193b3db542da1e98ca9b18c5f319c33b110fce86812ec741d8e3f7d5ee48e8df2fa3ac5dc4790d16

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
323KB

MD5
3f10188bdedd3ddce2888d9cfa07c0a9

SHA1
453f1572d01af63bce3d7ee8808c83fd9d5bfa23

SHA256
84587f4a6c167b90635152c9d9e5b728018687700ef7a04408bce6222f4b9f1f

SHA512
95a0b1e936cab09d1160305129ddf4aa761aa8129d5b71b2193b3db542da1e98ca9b18c5f319c33b110fce86812ec741d8e3f7d5ee48e8df2fa3ac5dc4790d16

Download Submit
memory/328-40-0x0000000004840000-0x0000000004880000-memory.dmp

Filesize
256KB

Download
memory/328-38-0x0000000000B90000-0x0000000000BE6000-memory.dmp

Filesize
344KB

Download
memory/328-39-0x0000000074030000-0x000000007471E000-memory.dmp

Filesize
6.9MB

Download
memory/328-51-0x0000000074030000-0x000000007471E000-memory.dmp

Filesize
6.9MB

Download
memory/1088-54-0x00000000020D0000-0x0000000002110000-memory.dmp

Filesize
256KB

Download
memory/1088-65-0x0000000074080000-0x000000007476E000-memory.dmp

Filesize
6.9MB

Download
memory/1088-53-0x0000000074080000-0x000000007476E000-memory.dmp

Filesize
6.9MB

Download
memory/2236-2-0x0000000006E10000-0x0000000006EDC000-memory.dmp

Filesize
816KB

Download
memory/2236-1-0x0000000074040000-0x000000007472E000-memory.dmp

Filesize
6.9MB

Download
memory/2236-20-0x0000000074040000-0x000000007472E000-memory.dmp

Filesize
6.9MB

Download
memory/2236-3-0x00000000004F0000-0x00000000004F6000-memory.dmp

Filesize
24KB

Download
memory/2236-4-0x0000000004890000-0x00000000048D0000-memory.dmp

Filesize
256KB

Download
memory/2236-0-0x0000000000E00000-0x0000000000E56000-memory.dmp

Filesize
344KB

Download
memory/2356-93-0x0000000074080000-0x000000007476E000-memory.dmp

Filesize
6.9MB

Download
memory/2356-82-0x0000000004B40000-0x0000000004B80000-memory.dmp

Filesize
256KB

Download
memory/2356-81-0x0000000074080000-0x000000007476E000-memory.dmp

Filesize
6.9MB

Download
memory/2496-36-0x0000000074080000-0x000000007476E000-memory.dmp

Filesize
6.9MB

Download
memory/2496-25-0x00000000009E0000-0x0000000000A20000-memory.dmp

Filesize
256KB

Download
memory/2496-23-0x0000000000B90000-0x0000000000BE6000-memory.dmp

Filesize
344KB

Download
memory/2496-24-0x0000000074080000-0x000000007476E000-memory.dmp

Filesize
6.9MB

Download
memory/2764-7-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2764-5-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2764-9-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2764-11-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2764-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2764-15-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2764-17-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2764-19-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2844-67-0x0000000074030000-0x000000007471E000-memory.dmp

Filesize
6.9MB

Download
memory/2844-68-0x0000000004B50000-0x0000000004B90000-memory.dmp

Filesize
256KB

Download
memory/2844-79-0x0000000074030000-0x000000007471E000-memory.dmp

Filesize
6.9MB

Download
memory/3012-30-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads