070d4739a3d3810e2cc0b495761d04ac4d9a1f508465c1aa8cf901cd257cd427

Analysis

max time kernel
283s
max time network
298s
platform
windows10-1703_x64
resource
win10-20231215-en
resource tags

arch:x64arch:x86image:win10-20231215-enlocale:en-usos:windows10-1703-x64system
submitted
31-12-2023 22:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

070d4739a3d3810e2cc0b495761d04ac4d9a1f508465c1aa8cf901cd257cd427.exe
Size

324KB
MD5

40c1b82dac8d43b5ad75b01de0af7b8c
SHA1

245e7c176f8fe6d95c7c31f59c9a17afe193bf9a
SHA256

070d4739a3d3810e2cc0b495761d04ac4d9a1f508465c1aa8cf901cd257cd427
SHA512

ec364646705f000402ff1b20a57b0f07e1e45484f472afd3cc393199a4c65ca5bf5b80fef2f9c6875d955337196fb80f7569d82007419c05d98a5d66dd2eaac3
SSDEEP

6144:eKlzr1sYCzek2ciDaP9Xk6Ln1W8W/9InBSkZZmLdGcAdgdY6RKpjS:eGhQ2ciDq9ZL1W8q9InBRqELdolRKpj

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 9 IoCs

pid	Process
4456	oobeldr.exe
4868	oobeldr.exe
4136	oobeldr.exe
3096	oobeldr.exe
1100	oobeldr.exe
4140	oobeldr.exe
4248	oobeldr.exe
4564	oobeldr.exe
2184	oobeldr.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 4636 set thread context of 2940	4636	070d4739a3d3810e2cc0b495761d04ac4d9a1f508465c1aa8cf901cd257cd427.exe	72
PID 4456 set thread context of 4868	4456	oobeldr.exe	76
PID 4136 set thread context of 3096	4136	oobeldr.exe	80
PID 1100 set thread context of 4140	1100	oobeldr.exe	82
PID 4248 set thread context of 4564	4248	oobeldr.exe	84

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3016	schtasks.exe
1468	schtasks.exe

Suspicious use of WriteProcessMemory 51 IoCs

description	pid	Process	procid_target
PID 4636 wrote to memory of 2940	4636	070d4739a3d3810e2cc0b495761d04ac4d9a1f508465c1aa8cf901cd257cd427.exe	72
PID 4636 wrote to memory of 2940	4636	070d4739a3d3810e2cc0b495761d04ac4d9a1f508465c1aa8cf901cd257cd427.exe	72
PID 4636 wrote to memory of 2940	4636	070d4739a3d3810e2cc0b495761d04ac4d9a1f508465c1aa8cf901cd257cd427.exe	72
PID 4636 wrote to memory of 2940	4636	070d4739a3d3810e2cc0b495761d04ac4d9a1f508465c1aa8cf901cd257cd427.exe	72
PID 4636 wrote to memory of 2940	4636	070d4739a3d3810e2cc0b495761d04ac4d9a1f508465c1aa8cf901cd257cd427.exe	72
PID 4636 wrote to memory of 2940	4636	070d4739a3d3810e2cc0b495761d04ac4d9a1f508465c1aa8cf901cd257cd427.exe	72
PID 4636 wrote to memory of 2940	4636	070d4739a3d3810e2cc0b495761d04ac4d9a1f508465c1aa8cf901cd257cd427.exe	72
PID 4636 wrote to memory of 2940	4636	070d4739a3d3810e2cc0b495761d04ac4d9a1f508465c1aa8cf901cd257cd427.exe	72
PID 4636 wrote to memory of 2940	4636	070d4739a3d3810e2cc0b495761d04ac4d9a1f508465c1aa8cf901cd257cd427.exe	72
PID 2940 wrote to memory of 3016	2940	070d4739a3d3810e2cc0b495761d04ac4d9a1f508465c1aa8cf901cd257cd427.exe	73
PID 2940 wrote to memory of 3016	2940	070d4739a3d3810e2cc0b495761d04ac4d9a1f508465c1aa8cf901cd257cd427.exe	73
PID 2940 wrote to memory of 3016	2940	070d4739a3d3810e2cc0b495761d04ac4d9a1f508465c1aa8cf901cd257cd427.exe	73
PID 4456 wrote to memory of 4868	4456	oobeldr.exe	76
PID 4456 wrote to memory of 4868	4456	oobeldr.exe	76
PID 4456 wrote to memory of 4868	4456	oobeldr.exe	76
PID 4456 wrote to memory of 4868	4456	oobeldr.exe	76
PID 4456 wrote to memory of 4868	4456	oobeldr.exe	76
PID 4456 wrote to memory of 4868	4456	oobeldr.exe	76
PID 4456 wrote to memory of 4868	4456	oobeldr.exe	76
PID 4456 wrote to memory of 4868	4456	oobeldr.exe	76
PID 4456 wrote to memory of 4868	4456	oobeldr.exe	76
PID 4868 wrote to memory of 1468	4868	oobeldr.exe	77
PID 4868 wrote to memory of 1468	4868	oobeldr.exe	77
PID 4868 wrote to memory of 1468	4868	oobeldr.exe	77
PID 4136 wrote to memory of 3096	4136	oobeldr.exe	80
PID 4136 wrote to memory of 3096	4136	oobeldr.exe	80
PID 4136 wrote to memory of 3096	4136	oobeldr.exe	80
PID 4136 wrote to memory of 3096	4136	oobeldr.exe	80
PID 4136 wrote to memory of 3096	4136	oobeldr.exe	80
PID 4136 wrote to memory of 3096	4136	oobeldr.exe	80
PID 4136 wrote to memory of 3096	4136	oobeldr.exe	80
PID 4136 wrote to memory of 3096	4136	oobeldr.exe	80
PID 4136 wrote to memory of 3096	4136	oobeldr.exe	80
PID 1100 wrote to memory of 4140	1100	oobeldr.exe	82
PID 1100 wrote to memory of 4140	1100	oobeldr.exe	82
PID 1100 wrote to memory of 4140	1100	oobeldr.exe	82
PID 1100 wrote to memory of 4140	1100	oobeldr.exe	82
PID 1100 wrote to memory of 4140	1100	oobeldr.exe	82
PID 1100 wrote to memory of 4140	1100	oobeldr.exe	82
PID 1100 wrote to memory of 4140	1100	oobeldr.exe	82
PID 1100 wrote to memory of 4140	1100	oobeldr.exe	82
PID 1100 wrote to memory of 4140	1100	oobeldr.exe	82
PID 4248 wrote to memory of 4564	4248	oobeldr.exe	84
PID 4248 wrote to memory of 4564	4248	oobeldr.exe	84
PID 4248 wrote to memory of 4564	4248	oobeldr.exe	84
PID 4248 wrote to memory of 4564	4248	oobeldr.exe	84
PID 4248 wrote to memory of 4564	4248	oobeldr.exe	84
PID 4248 wrote to memory of 4564	4248	oobeldr.exe	84
PID 4248 wrote to memory of 4564	4248	oobeldr.exe	84
PID 4248 wrote to memory of 4564	4248	oobeldr.exe	84
PID 4248 wrote to memory of 4564	4248	oobeldr.exe	84

C:\Users\Admin\AppData\Local\Temp\070d4739a3d3810e2cc0b495761d04ac4d9a1f508465c1aa8cf901cd257cd427.exe
"C:\Users\Admin\AppData\Local\Temp\070d4739a3d3810e2cc0b495761d04ac4d9a1f508465c1aa8cf901cd257cd427.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4636
- C:\Users\Admin\AppData\Local\Temp\070d4739a3d3810e2cc0b495761d04ac4d9a1f508465c1aa8cf901cd257cd427.exe
  C:\Users\Admin\AppData\Local\Temp\070d4739a3d3810e2cc0b495761d04ac4d9a1f508465c1aa8cf901cd257cd427.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2940
- - C:\Windows\SysWOW64\schtasks.exe
    /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
    3⤵
    - Creates scheduled task(s)
    PID:3016

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4456
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4868
- - C:\Windows\SysWOW64\schtasks.exe
    /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
    3⤵
    - Creates scheduled task(s)
    PID:1468

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4136
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  - Executes dropped EXE
  PID:3096

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1100
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  - Executes dropped EXE
  PID:4140

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4248
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  - Executes dropped EXE
  PID:4564

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
1⤵
- Executes dropped EXE
PID:2184
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  PID:2956
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  PID:4904
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  PID:212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
324KB

MD5
40c1b82dac8d43b5ad75b01de0af7b8c

SHA1
245e7c176f8fe6d95c7c31f59c9a17afe193bf9a

SHA256
070d4739a3d3810e2cc0b495761d04ac4d9a1f508465c1aa8cf901cd257cd427

SHA512
ec364646705f000402ff1b20a57b0f07e1e45484f472afd3cc393199a4c65ca5bf5b80fef2f9c6875d955337196fb80f7569d82007419c05d98a5d66dd2eaac3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
92KB

MD5
5b04c87c73c9d7a7e5e46728539ec7b4

SHA1
81501f05ec66543fc9b0709b97c9a3d2caee2c48

SHA256
68c45b277d09b26022e58a31be2aa85bf4b077e3deb74c6e8492358ffc06b991

SHA512
0e38b204416da4bb96396d56b55ac0f0ab6a1cd6d142de61546a7465c5a99cc40f20658dfab8d4a1e9f3b83c54c519ab05cf8fc5866309fbbb0730ebf6a65304

Download Submit
memory/1100-42-0x0000000073540000-0x0000000073C2E000-memory.dmp

Filesize
6.9MB

Download
memory/1100-36-0x0000000073540000-0x0000000073C2E000-memory.dmp

Filesize
6.9MB

Download
memory/1100-37-0x0000000005680000-0x0000000005690000-memory.dmp

Filesize
64KB

Download
memory/2184-52-0x0000000073540000-0x0000000073C2E000-memory.dmp

Filesize
6.9MB

Download
memory/2184-53-0x0000000004DA0000-0x0000000004DB0000-memory.dmp

Filesize
64KB

Download
memory/2184-60-0x0000000073540000-0x0000000073C2E000-memory.dmp

Filesize
6.9MB

Download
memory/2940-13-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2940-12-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2940-9-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/4136-28-0x0000000073540000-0x0000000073C2E000-memory.dmp

Filesize
6.9MB

Download
memory/4136-34-0x0000000073540000-0x0000000073C2E000-memory.dmp

Filesize
6.9MB

Download
memory/4136-29-0x00000000049C0000-0x00000000049D0000-memory.dmp

Filesize
64KB

Download
memory/4248-44-0x0000000073540000-0x0000000073C2E000-memory.dmp

Filesize
6.9MB

Download
memory/4248-45-0x0000000005870000-0x0000000005880000-memory.dmp

Filesize
64KB

Download
memory/4248-50-0x0000000073540000-0x0000000073C2E000-memory.dmp

Filesize
6.9MB

Download
memory/4456-18-0x00000000734A0000-0x0000000073B8E000-memory.dmp

Filesize
6.9MB

Download
memory/4456-25-0x00000000734A0000-0x0000000073B8E000-memory.dmp

Filesize
6.9MB

Download
memory/4456-19-0x00000000048C0000-0x00000000048D0000-memory.dmp

Filesize
64KB

Download
memory/4636-0-0x00000000734A0000-0x0000000073B8E000-memory.dmp

Filesize
6.9MB

Download
memory/4636-15-0x00000000734A0000-0x0000000073B8E000-memory.dmp

Filesize
6.9MB

Download
memory/4636-8-0x0000000005080000-0x000000000509E000-memory.dmp

Filesize
120KB

Download
memory/4636-7-0x0000000007840000-0x00000000078B6000-memory.dmp

Filesize
472KB

Download
memory/4636-6-0x00000000050A0000-0x00000000050B0000-memory.dmp

Filesize
64KB

Download
memory/4636-5-0x0000000004F20000-0x0000000004F26000-memory.dmp

Filesize
24KB

Download
memory/4636-4-0x00000000075A0000-0x0000000007632000-memory.dmp

Filesize
584KB

Download
memory/4636-3-0x0000000007A00000-0x0000000007EFE000-memory.dmp

Filesize
5.0MB

Download
memory/4636-2-0x0000000007430000-0x00000000074FC000-memory.dmp

Filesize
816KB

Download
memory/4636-1-0x0000000000580000-0x00000000005D6000-memory.dmp

Filesize
344KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads