Analysis

max time kernel: 254s
max time network: 295s
platform: windows10-1703_x64
resource: win10-20231025-en
resource tags: arch:x64, arch:x86, image:win10-20231025-en, locale:en-us, os:windows10-1703-x64, system
submitted: 13-11-2023 08:19
Static task: static1

Behavioral task: behavioral1
  Sample: 98bfe3e1ebf2ad1b7502ca6ba363d95947e318f66863a59876a03936a5e7cb29.exe
  Resource: win7-20231020-en

Behavioral task: behavioral2
  Sample: 98bfe3e1ebf2ad1b7502ca6ba363d95947e318f66863a59876a03936a5e7cb29.exe
  Resource: win10-20231025-en
General

Target: 98bfe3e1ebf2ad1b7502ca6ba363d95947e318f66863a59876a03936a5e7cb29.exe
Size: 323KB
MD5: 48025ebdf733912d9598ce33a86f47ff
SHA1: 46bbae78f7243b83906f79ae881df1575d44efc2
SHA256: 98bfe3e1ebf2ad1b7502ca6ba363d95947e318f66863a59876a03936a5e7cb29
SHA512: 38662637a37321ef907e70ba2be224620e32c7bb9253e64dcf27067afdfdc280e32a24eebfd1170c5b41a7fc75c50b5970ec01dc2dbda8607394664cb07a42f1
SSDEEP: 6144:eKlzr1sYCzek2ciDaP9Xk6Ln1W8W/9InBSkZZmLdGcAdgdY6RKpjS:eGhQ2ciDq9ZL1W8q9InBRqELdolRKpj
Malware Config
Signatures
-
Executes dropped EXE (10 IoCs)
  pid   Process
  4116  oobeldr.exe
  912   oobeldr.exe
  3476  oobeldr.exe
  2100  oobeldr.exe
  3624  oobeldr.exe
  2204  oobeldr.exe
  4376  oobeldr.exe
  4144  oobeldr.exe
  3336  oobeldr.exe
  532   oobeldr.exe

Suspicious use of SetThreadContext (6 IoCs)
  description                            pid   Process                                                                 procid_target
  PID 2292 set thread context of 1764    2292  98bfe3e1ebf2ad1b7502ca6ba363d95947e318f66863a59876a03936a5e7cb29.exe   72
  PID 4116 set thread context of 912     4116  oobeldr.exe                                                             76
  PID 3476 set thread context of 2100    3476  oobeldr.exe                                                             80
  PID 3624 set thread context of 2204    3624  oobeldr.exe                                                             82
  PID 4376 set thread context of 4144    4376  oobeldr.exe                                                             84
  PID 3336 set thread context of 532     3336  oobeldr.exe                                                             86
In every row the target is a child running the parent's own image (see the process tree below): the sample, and each scheduled-task copy of oobeldr.exe, starts a second instance of itself, writes into it (WriteProcessMemory table) and then sets a thread context in it, the call sequence typical of process hollowing / self-injection.

Creates scheduled task(s) (1 TTPs, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   Process
  4580  schtasks.exe
  4620  schtasks.exe
Both invocations run /create /F (an existing task of the same name is replaced without prompting) for a task named "Telemetry Logging" whose action is C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe on a /sc minute /mo 1 schedule, i.e. the dropped binary is re-launched from the user profile every minute; the five separate top-level oobeldr.exe trees below are consistent with that task firing during the run.

Suspicious use of WriteProcessMemory (63 IoCs; identical rows collapsed, repetitions in the last column)
  description                          pid   Process                                                                 procid_target  count
  PID 2292 wrote to memory of 1156     2292  98bfe3e1ebf2ad1b7502ca6ba363d95947e318f66863a59876a03936a5e7cb29.exe   36             3
  PID 2292 wrote to memory of 1764     2292  98bfe3e1ebf2ad1b7502ca6ba363d95947e318f66863a59876a03936a5e7cb29.exe   72             9
  PID 1764 wrote to memory of 4580     1764  98bfe3e1ebf2ad1b7502ca6ba363d95947e318f66863a59876a03936a5e7cb29.exe   73             3
  PID 4116 wrote to memory of 912      4116  oobeldr.exe                                                             76             9
  PID 912 wrote to memory of 4620      912   oobeldr.exe                                                             78             3
  PID 3476 wrote to memory of 2100     3476  oobeldr.exe                                                             80             9
  PID 3624 wrote to memory of 2204     3624  oobeldr.exe                                                             82             9
  PID 4376 wrote to memory of 4144     4376  oobeldr.exe                                                             84             9
  PID 3336 wrote to memory of 532      3336  oobeldr.exe                                                             86             9
The three-call entries (the first child 1156 and the two schtasks.exe children) are the writes any CreateProcess produces and carry no signal on their own; the nine-call entries are exactly the children that also appear in the SetThreadContext table, which is the combination worth alerting on.
Processes
(the bracketed number is the depth in the tree; each entry gives the image, its command line, the signatures it triggered and its PID)

[1] C:\Users\Admin\AppData\Local\Temp\98bfe3e1ebf2ad1b7502ca6ba363d95947e318f66863a59876a03936a5e7cb29.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\98bfe3e1ebf2ad1b7502ca6ba363d95947e318f66863a59876a03936a5e7cb29.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2292
    [2] C:\Users\Admin\AppData\Local\Temp\98bfe3e1ebf2ad1b7502ca6ba363d95947e318f66863a59876a03936a5e7cb29.exe
        cmdline: C:\Users\Admin\AppData\Local\Temp\98bfe3e1ebf2ad1b7502ca6ba363d95947e318f66863a59876a03936a5e7cb29.exe
        PID:1156
    [2] C:\Users\Admin\AppData\Local\Temp\98bfe3e1ebf2ad1b7502ca6ba363d95947e318f66863a59876a03936a5e7cb29.exe
        cmdline: C:\Users\Admin\AppData\Local\Temp\98bfe3e1ebf2ad1b7502ca6ba363d95947e318f66863a59876a03936a5e7cb29.exe
        - Suspicious use of WriteProcessMemory
        PID:1764
        [3] C:\Windows\SysWOW64\schtasks.exe
            cmdline: /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
            - Creates scheduled task(s)
            PID:4580

[1] C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    cmdline: C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4116
    [2] C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
        cmdline: C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        PID:912
        [3] C:\Windows\SysWOW64\schtasks.exe
            cmdline: /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
            - Creates scheduled task(s)
            PID:4620

[1] C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    cmdline: C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:3476
    [2] C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
        cmdline: C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
        - Executes dropped EXE
        PID:2100

[1] C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    cmdline: C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:3624
    [2] C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
        cmdline: C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
        - Executes dropped EXE
        PID:2204

[1] C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    cmdline: C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4376
    [2] C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
        cmdline: C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
        - Executes dropped EXE
        PID:4144

[1] C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    cmdline: C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:3336
    [2] C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
        cmdline: C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
        - Executes dropped EXE
        PID:532
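The two findings that matter in this report, the parent-writes-then-SetThreadContext pairs and the minute-level scheduled task pointing into the user profile, can be pulled out of the signature tables and the schtasks command line mechanically. The script below is an added example and is not code from the sandbox vendor or from the sample. Its input rows are constructed excerpts transcribed from this report; the row layout it parses, the pid-to-image map, the list of user-writable path fragments and the 5-minute "tight loop" threshold are assumptions of the example, not properties of the sandbox.

```python
"""Added example (not the sandbox's or the sample's code): read two of this
report's signature tables plus its schtasks command line and turn them into
verdicts. Row layout, pid -> image map and thresholds are assumptions."""
import re
from collections import defaultdict

# Constructed excerpt in the shape of the WriteProcessMemory / SetThreadContext
# tables: description, pid, Process, procid_target.
SIGNATURE_ROWS = """\
PID 2292 wrote to memory of 1156 2292 98bfe3e1ebf2ad1b7502ca6ba363d95947e318f66863a59876a03936a5e7cb29.exe 36
PID 2292 wrote to memory of 1764 2292 98bfe3e1ebf2ad1b7502ca6ba363d95947e318f66863a59876a03936a5e7cb29.exe 72
PID 2292 set thread context of 1764 2292 98bfe3e1ebf2ad1b7502ca6ba363d95947e318f66863a59876a03936a5e7cb29.exe 72
PID 1764 wrote to memory of 4580 1764 98bfe3e1ebf2ad1b7502ca6ba363d95947e318f66863a59876a03936a5e7cb29.exe 73
PID 4116 wrote to memory of 912 4116 oobeldr.exe 76
PID 4116 set thread context of 912 4116 oobeldr.exe 76
PID 912 wrote to memory of 4620 912 oobeldr.exe 78
"""

# Constructed pid -> image map, transcribed from the report's process tree.
PROCESS_IMAGE = {
    2292: "98bfe3e1ebf2ad1b7502ca6ba363d95947e318f66863a59876a03936a5e7cb29.exe",
    1156: "98bfe3e1ebf2ad1b7502ca6ba363d95947e318f66863a59876a03936a5e7cb29.exe",
    1764: "98bfe3e1ebf2ad1b7502ca6ba363d95947e318f66863a59876a03936a5e7cb29.exe",
    4580: "schtasks.exe",
    4116: "oobeldr.exe",
    912: "oobeldr.exe",
    4620: "schtasks.exe",
}

# The schtasks command line as the process tree shows it.
SCHTASKS_CMDLINE = (
    r'C:\Windows\SysWOW64\schtasks.exe /C /create /F /sc minute /mo 1 '
    r'/tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"'
)

ROW_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<api>wrote to memory of|set thread context of) (?P<dst>\d+) \d+ \S+ \d+$"
)


def find_hollowing_pairs(rows, images):
    """(parent, child, kind) for each child its parent both wrote into and set a
    thread context in. Writes alone are noise (every CreateProcess produces a
    few, e.g. the rows for 1156 and the schtasks children); the SetThreadContext
    on the same child is what marks hollowing. 'self-hollowing' = same image."""
    apis = defaultdict(set)
    for line in rows.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            apis[(int(m["src"]), int(m["dst"]))].add(m["api"])
    pairs = []
    for (src, dst), seen in sorted(apis.items()):
        if {"wrote to memory of", "set thread context of"} <= seen:
            same = images.get(src) == images.get(dst)
            pairs.append((src, dst, "self-hollowing" if same else "injection"))
    return pairs


# Assumed heuristics: user-writable path fragments and fixed-length schedule units.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")
SECONDS_PER_UNIT = {"minute": 60, "hourly": 3600, "daily": 86400}
VALUED_OPTS = ("/sc", "/mo", "/tn", "/tr", "/ru", "/rl", "/st")


def parse_schtasks(cmdline):
    """Persistence-relevant fields of a `schtasks /create` line: a sub-5-minute
    repeat of a binary under a user-writable path, created with /F (overwrite
    an existing task silently), is the pattern the signature above is about."""
    tokens = [q or bare for q, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]
    opts, flags, i = {}, set(), 0
    while i < len(tokens):
        tok = tokens[i].lower()
        if tok in VALUED_OPTS and i + 1 < len(tokens):
            opts[tok] = tokens[i + 1]
            i += 2
        else:
            flags.add(tok)
            i += 1
    schedule = opts.get("/sc", "").lower()
    modifier = int(opts["/mo"]) if opts.get("/mo", "").isdigit() else 1
    interval = SECONDS_PER_UNIT.get(schedule, 0) * modifier
    target = opts.get("/tr", "")
    return {
        "task": opts.get("/tn"),
        "schedule": schedule,
        "interval_seconds": interval,
        "target": target,
        "force_overwrite": "/f" in flags,
        "target_user_writable": any(p in target.lower() for p in USER_WRITABLE),
        "tight_loop": 0 < interval <= 300,
    }


if __name__ == "__main__":
    for src, dst, kind in find_hollowing_pairs(SIGNATURE_ROWS, PROCESS_IMAGE):
        print(f"{kind}: {src} {PROCESS_IMAGE[src]} -> {dst} {PROCESS_IMAGE[dst]}")
    print(parse_schtasks(SCHTASKS_CMDLINE))
```

Run as-is it reports the two self-hollowing pairs present in the constructed rows (2292 into 1764, 4116 into 912) and a task verdict of a 60-second repeat on a binary under AppData created with /F. Both checks transfer to a live host: on an EDR timeline, require the write and the SetThreadContext on the same child before alerting, and compare the child's image with the parent's; for persistence, review Get-ScheduledTask output for minute-level triggers whose action sits under a user profile.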
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 789B
MD5: db5ef8d7c51bad129d9097bf953e4913
SHA1: 8439db960aa2d431bf5ec3c37af775b45eb07e06
SHA256: 1248e67f10b47b397af3c8cbe342bad4be75c68b8e10f4ec6341195cc3138bd9
SHA512: 04572485790b25e1751347e43b47174051cd153dd75fd55ee5590d25a2579f344cd96cf86cf45bdb7759e3e6d0f734d0ff717148ca70f501b9869e964e036fee
Filesize: 323KB
MD5: 48025ebdf733912d9598ce33a86f47ff
SHA1: 46bbae78f7243b83906f79ae881df1575d44efc2
SHA256: 98bfe3e1ebf2ad1b7502ca6ba363d95947e318f66863a59876a03936a5e7cb29
SHA512: 38662637a37321ef907e70ba2be224620e32c7bb9253e64dcf27067afdfdc280e32a24eebfd1170c5b41a7fc75c50b5970ec01dc2dbda8607394664cb07a42f1
(this entry appears 11 times in the report with identical hashes; they match the submitted sample in the General section, so the dropped file the run executed, which the report names only as oobeldr.exe, is a byte-for-byte copy of the original)