070d4739a3d3810e2cc0b495761d04ac4d9a1f508465c1aa8cf901cd257cd427

Analysis

max time kernel
265s
max time network
121s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
31/12/2023, 22:17

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

070d4739a3d3810e2cc0b495761d04ac4d9a1f508465c1aa8cf901cd257cd427.exe
Size

324KB
MD5

40c1b82dac8d43b5ad75b01de0af7b8c
SHA1

245e7c176f8fe6d95c7c31f59c9a17afe193bf9a
SHA256

070d4739a3d3810e2cc0b495761d04ac4d9a1f508465c1aa8cf901cd257cd427
SHA512

ec364646705f000402ff1b20a57b0f07e1e45484f472afd3cc393199a4c65ca5bf5b80fef2f9c6875d955337196fb80f7569d82007419c05d98a5d66dd2eaac3
SSDEEP

6144:eKlzr1sYCzek2ciDaP9Xk6Ln1W8W/9InBSkZZmLdGcAdgdY6RKpjS:eGhQ2ciDq9ZL1W8q9InBRqELdolRKpj

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 9 IoCs

pid	Process
1644	oobeldr.exe
2644	oobeldr.exe
2804	oobeldr.exe
2240	oobeldr.exe
1752	oobeldr.exe
1080	oobeldr.exe
1108	oobeldr.exe
2784	oobeldr.exe
1844	oobeldr.exe

Loads dropped DLL 7 IoCs

pid	Process
2936	WerFault.exe
2936	WerFault.exe
2936	WerFault.exe
2936	WerFault.exe
2936	WerFault.exe
2936	WerFault.exe
2936	WerFault.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 1424 set thread context of 1964	1424	070d4739a3d3810e2cc0b495761d04ac4d9a1f508465c1aa8cf901cd257cd427.exe	28
PID 1644 set thread context of 2804	1644	oobeldr.exe	36
PID 2240 set thread context of 1752	2240	oobeldr.exe	40
PID 1080 set thread context of 1108	1080	oobeldr.exe	42
PID 2784 set thread context of 1844	2784	oobeldr.exe	44

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2936	1844	WerFault.exe	44

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2104	schtasks.exe
740	schtasks.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1424 wrote to memory of 1964	1424	070d4739a3d3810e2cc0b495761d04ac4d9a1f508465c1aa8cf901cd257cd427.exe	28
PID 1424 wrote to memory of 1964	1424	070d4739a3d3810e2cc0b495761d04ac4d9a1f508465c1aa8cf901cd257cd427.exe	28
PID 1424 wrote to memory of 1964	1424	070d4739a3d3810e2cc0b495761d04ac4d9a1f508465c1aa8cf901cd257cd427.exe	28
PID 1424 wrote to memory of 1964	1424	070d4739a3d3810e2cc0b495761d04ac4d9a1f508465c1aa8cf901cd257cd427.exe	28
PID 1424 wrote to memory of 1964	1424	070d4739a3d3810e2cc0b495761d04ac4d9a1f508465c1aa8cf901cd257cd427.exe	28
PID 1424 wrote to memory of 1964	1424	070d4739a3d3810e2cc0b495761d04ac4d9a1f508465c1aa8cf901cd257cd427.exe	28
PID 1424 wrote to memory of 1964	1424	070d4739a3d3810e2cc0b495761d04ac4d9a1f508465c1aa8cf901cd257cd427.exe	28
PID 1424 wrote to memory of 1964	1424	070d4739a3d3810e2cc0b495761d04ac4d9a1f508465c1aa8cf901cd257cd427.exe	28
PID 1424 wrote to memory of 1964	1424	070d4739a3d3810e2cc0b495761d04ac4d9a1f508465c1aa8cf901cd257cd427.exe	28
PID 1964 wrote to memory of 2104	1964	070d4739a3d3810e2cc0b495761d04ac4d9a1f508465c1aa8cf901cd257cd427.exe	30
PID 1964 wrote to memory of 2104	1964	070d4739a3d3810e2cc0b495761d04ac4d9a1f508465c1aa8cf901cd257cd427.exe	30
PID 1964 wrote to memory of 2104	1964	070d4739a3d3810e2cc0b495761d04ac4d9a1f508465c1aa8cf901cd257cd427.exe	30
PID 1964 wrote to memory of 2104	1964	070d4739a3d3810e2cc0b495761d04ac4d9a1f508465c1aa8cf901cd257cd427.exe	30
PID 2636 wrote to memory of 1644	2636	taskeng.exe	34
PID 2636 wrote to memory of 1644	2636	taskeng.exe	34
PID 2636 wrote to memory of 1644	2636	taskeng.exe	34
PID 2636 wrote to memory of 1644	2636	taskeng.exe	34
PID 1644 wrote to memory of 2644	1644	oobeldr.exe	35
PID 1644 wrote to memory of 2644	1644	oobeldr.exe	35
PID 1644 wrote to memory of 2644	1644	oobeldr.exe	35
PID 1644 wrote to memory of 2644	1644	oobeldr.exe	35
PID 1644 wrote to memory of 2804	1644	oobeldr.exe	36
PID 1644 wrote to memory of 2804	1644	oobeldr.exe	36
PID 1644 wrote to memory of 2804	1644	oobeldr.exe	36
PID 1644 wrote to memory of 2804	1644	oobeldr.exe	36
PID 1644 wrote to memory of 2804	1644	oobeldr.exe	36
PID 1644 wrote to memory of 2804	1644	oobeldr.exe	36
PID 1644 wrote to memory of 2804	1644	oobeldr.exe	36
PID 1644 wrote to memory of 2804	1644	oobeldr.exe	36
PID 1644 wrote to memory of 2804	1644	oobeldr.exe	36
PID 2804 wrote to memory of 740	2804	oobeldr.exe	37
PID 2804 wrote to memory of 740	2804	oobeldr.exe	37
PID 2804 wrote to memory of 740	2804	oobeldr.exe	37
PID 2804 wrote to memory of 740	2804	oobeldr.exe	37
PID 2636 wrote to memory of 2240	2636	taskeng.exe	39
PID 2636 wrote to memory of 2240	2636	taskeng.exe	39
PID 2636 wrote to memory of 2240	2636	taskeng.exe	39
PID 2636 wrote to memory of 2240	2636	taskeng.exe	39
PID 2240 wrote to memory of 1752	2240	oobeldr.exe	40
PID 2240 wrote to memory of 1752	2240	oobeldr.exe	40
PID 2240 wrote to memory of 1752	2240	oobeldr.exe	40
PID 2240 wrote to memory of 1752	2240	oobeldr.exe	40
PID 2240 wrote to memory of 1752	2240	oobeldr.exe	40
PID 2240 wrote to memory of 1752	2240	oobeldr.exe	40
PID 2240 wrote to memory of 1752	2240	oobeldr.exe	40
PID 2240 wrote to memory of 1752	2240	oobeldr.exe	40
PID 2240 wrote to memory of 1752	2240	oobeldr.exe	40
PID 2636 wrote to memory of 1080	2636	taskeng.exe	41
PID 2636 wrote to memory of 1080	2636	taskeng.exe	41
PID 2636 wrote to memory of 1080	2636	taskeng.exe	41
PID 2636 wrote to memory of 1080	2636	taskeng.exe	41
PID 1080 wrote to memory of 1108	1080	oobeldr.exe	42
PID 1080 wrote to memory of 1108	1080	oobeldr.exe	42
PID 1080 wrote to memory of 1108	1080	oobeldr.exe	42
PID 1080 wrote to memory of 1108	1080	oobeldr.exe	42
PID 1080 wrote to memory of 1108	1080	oobeldr.exe	42
PID 1080 wrote to memory of 1108	1080	oobeldr.exe	42
PID 1080 wrote to memory of 1108	1080	oobeldr.exe	42
PID 1080 wrote to memory of 1108	1080	oobeldr.exe	42
PID 1080 wrote to memory of 1108	1080	oobeldr.exe	42
PID 2636 wrote to memory of 2784	2636	taskeng.exe	43
PID 2636 wrote to memory of 2784	2636	taskeng.exe	43
PID 2636 wrote to memory of 2784	2636	taskeng.exe	43
PID 2636 wrote to memory of 2784	2636	taskeng.exe	43

C:\Users\Admin\AppData\Local\Temp\070d4739a3d3810e2cc0b495761d04ac4d9a1f508465c1aa8cf901cd257cd427.exe
"C:\Users\Admin\AppData\Local\Temp\070d4739a3d3810e2cc0b495761d04ac4d9a1f508465c1aa8cf901cd257cd427.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1424
- C:\Users\Admin\AppData\Local\Temp\070d4739a3d3810e2cc0b495761d04ac4d9a1f508465c1aa8cf901cd257cd427.exe
  C:\Users\Admin\AppData\Local\Temp\070d4739a3d3810e2cc0b495761d04ac4d9a1f508465c1aa8cf901cd257cd427.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1964
- - C:\Windows\SysWOW64\schtasks.exe
    /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
    3⤵
    - Creates scheduled task(s)
    PID:2104

C:\Windows\system32\taskeng.exe
taskeng.exe {886E9001-2978-4F6B-AAD5-52DCD9B80E1C} S-1-5-21-1268429524-3929314613-1992311491-1000:XBTLDBHN\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2636
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1644
- - C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    3⤵
    - Executes dropped EXE
    PID:2644
- - C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2804
  - - C:\Windows\SysWOW64\schtasks.exe
      /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
      4⤵
      Creates scheduled task(s)
      PID:740
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2240
- - C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    3⤵
    - Executes dropped EXE
    PID:1752
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1080
- - C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    3⤵
    - Executes dropped EXE
    PID:1108
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:2784
- - C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    3⤵
    - Executes dropped EXE
    PID:1844
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1844 -s 116
      4⤵
      Loads dropped DLL
      Program crash
      PID:2936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
324KB

MD5
40c1b82dac8d43b5ad75b01de0af7b8c

SHA1
245e7c176f8fe6d95c7c31f59c9a17afe193bf9a

SHA256
070d4739a3d3810e2cc0b495761d04ac4d9a1f508465c1aa8cf901cd257cd427

SHA512
ec364646705f000402ff1b20a57b0f07e1e45484f472afd3cc393199a4c65ca5bf5b80fef2f9c6875d955337196fb80f7569d82007419c05d98a5d66dd2eaac3

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
91KB

MD5
14bda40b2d9de0b05a30c12e7d30589e

SHA1
72462ef9f2cf73e1d26aa89594b4c501a21365e7

SHA256
a78b0343ed49637462a7d9a179cd203cb04921681679661fd1c48ea5500a7291

SHA512
4b53e55e6d64be242336ea703bb28b314cc2d8f42faf6bb55ed9f3ac1f141ca9ef6b4e165a6a28f2a8804d74232c098ed1b5be5edb2dbd31e89e95066d74b11e

Download Submit
memory/1080-55-0x0000000074E80000-0x000000007556E000-memory.dmp

Filesize
6.9MB

Download
memory/1080-66-0x0000000074E80000-0x000000007556E000-memory.dmp

Filesize
6.9MB

Download
memory/1424-3-0x0000000000530000-0x0000000000536000-memory.dmp

Filesize
24KB

Download
memory/1424-4-0x0000000004A70000-0x0000000004AB0000-memory.dmp

Filesize
256KB

Download
memory/1424-20-0x0000000074E50000-0x000000007553E000-memory.dmp

Filesize
6.9MB

Download
memory/1424-1-0x0000000074E50000-0x000000007553E000-memory.dmp

Filesize
6.9MB

Download
memory/1424-2-0x0000000006D00000-0x0000000006DCC000-memory.dmp

Filesize
816KB

Download
memory/1424-0-0x0000000000350000-0x00000000003A6000-memory.dmp

Filesize
344KB

Download
memory/1644-38-0x0000000074E90000-0x000000007557E000-memory.dmp

Filesize
6.9MB

Download
memory/1644-25-0x00000000049D0000-0x0000000004A10000-memory.dmp

Filesize
256KB

Download
memory/1644-24-0x0000000074E90000-0x000000007557E000-memory.dmp

Filesize
6.9MB

Download
memory/1644-23-0x00000000001E0000-0x0000000000236000-memory.dmp

Filesize
344KB

Download
memory/1964-19-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1964-5-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1964-7-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1964-9-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1964-17-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1964-15-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1964-11-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1964-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2240-53-0x0000000074E40000-0x000000007552E000-memory.dmp

Filesize
6.9MB

Download
memory/2240-42-0x0000000004AE0000-0x0000000004B20000-memory.dmp

Filesize
256KB

Download
memory/2240-41-0x0000000074E40000-0x000000007552E000-memory.dmp

Filesize
6.9MB

Download
memory/2240-40-0x00000000001E0000-0x0000000000236000-memory.dmp

Filesize
344KB

Download
memory/2784-68-0x0000000074E40000-0x000000007552E000-memory.dmp

Filesize
6.9MB

Download
memory/2784-80-0x0000000074E40000-0x000000007552E000-memory.dmp

Filesize
6.9MB

Download
memory/2804-37-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2804-31-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads