d64308d99047b41fe8b57d52b40c55f76b1797833d15e112f9f42f576497c3ce

Analysis

max time kernel
328s
max time network
319s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
31/12/2023, 22:33

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

d64308d99047b41fe8b57d52b40c55f76b1797833d15e112f9f42f576497c3ce.exe
Size

324KB
MD5

71983974c09a363ad2d923e6b519562c
SHA1

3e98481e38d1b77660605bffef1d8a3b5d9e9de2
SHA256

d64308d99047b41fe8b57d52b40c55f76b1797833d15e112f9f42f576497c3ce
SHA512

e2a445edffd0d74843bbbb0af42c3befb44b57dc480492bf44a691bfd25a5c40367936dc48f8d90bdcd8a3ab55397f0ba85fb6ed38c35f600ea6e65b61303a76
SSDEEP

6144:eKlzr1sYCzek2ciDaP9Xk6Ln1W8W/9InBSkZZmLdGcAdgdY6RKpjS:eGhQ2ciDq9ZL1W8q9InBRqELdolRKpj

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 20 IoCs

pid	Process
1280	oobeldr.exe
1964	oobeldr.exe
336	oobeldr.exe
684	oobeldr.exe
992	oobeldr.exe
1316	oobeldr.exe
2232	oobeldr.exe
2132	oobeldr.exe
1676	oobeldr.exe
2968	oobeldr.exe
1332	oobeldr.exe
2412	oobeldr.exe
3004	oobeldr.exe
1564	oobeldr.exe
2908	oobeldr.exe
2648	oobeldr.exe
2672	oobeldr.exe
2244	oobeldr.exe
2164	oobeldr.exe
2852	oobeldr.exe

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 2920 set thread context of 2732	2920	d64308d99047b41fe8b57d52b40c55f76b1797833d15e112f9f42f576497c3ce.exe	29
PID 1280 set thread context of 2232	1280	oobeldr.exe	39
PID 2132 set thread context of 1676	2132	oobeldr.exe	43
PID 2968 set thread context of 3004	2968	oobeldr.exe	47
PID 1564 set thread context of 2244	1564	oobeldr.exe	52
PID 2164 set thread context of 2852	2164	oobeldr.exe	54

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2976	schtasks.exe
1200	schtasks.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2920 wrote to memory of 2732	2920	d64308d99047b41fe8b57d52b40c55f76b1797833d15e112f9f42f576497c3ce.exe	29
PID 2920 wrote to memory of 2732	2920	d64308d99047b41fe8b57d52b40c55f76b1797833d15e112f9f42f576497c3ce.exe	29
PID 2920 wrote to memory of 2732	2920	d64308d99047b41fe8b57d52b40c55f76b1797833d15e112f9f42f576497c3ce.exe	29
PID 2920 wrote to memory of 2732	2920	d64308d99047b41fe8b57d52b40c55f76b1797833d15e112f9f42f576497c3ce.exe	29
PID 2920 wrote to memory of 2732	2920	d64308d99047b41fe8b57d52b40c55f76b1797833d15e112f9f42f576497c3ce.exe	29
PID 2920 wrote to memory of 2732	2920	d64308d99047b41fe8b57d52b40c55f76b1797833d15e112f9f42f576497c3ce.exe	29
PID 2920 wrote to memory of 2732	2920	d64308d99047b41fe8b57d52b40c55f76b1797833d15e112f9f42f576497c3ce.exe	29
PID 2920 wrote to memory of 2732	2920	d64308d99047b41fe8b57d52b40c55f76b1797833d15e112f9f42f576497c3ce.exe	29
PID 2920 wrote to memory of 2732	2920	d64308d99047b41fe8b57d52b40c55f76b1797833d15e112f9f42f576497c3ce.exe	29
PID 2732 wrote to memory of 2976	2732	d64308d99047b41fe8b57d52b40c55f76b1797833d15e112f9f42f576497c3ce.exe	30
PID 2732 wrote to memory of 2976	2732	d64308d99047b41fe8b57d52b40c55f76b1797833d15e112f9f42f576497c3ce.exe	30
PID 2732 wrote to memory of 2976	2732	d64308d99047b41fe8b57d52b40c55f76b1797833d15e112f9f42f576497c3ce.exe	30
PID 2732 wrote to memory of 2976	2732	d64308d99047b41fe8b57d52b40c55f76b1797833d15e112f9f42f576497c3ce.exe	30
PID 2536 wrote to memory of 1280	2536	taskeng.exe	33
PID 2536 wrote to memory of 1280	2536	taskeng.exe	33
PID 2536 wrote to memory of 1280	2536	taskeng.exe	33
PID 2536 wrote to memory of 1280	2536	taskeng.exe	33
PID 1280 wrote to memory of 1964	1280	oobeldr.exe	34
PID 1280 wrote to memory of 1964	1280	oobeldr.exe	34
PID 1280 wrote to memory of 1964	1280	oobeldr.exe	34
PID 1280 wrote to memory of 1964	1280	oobeldr.exe	34
PID 1280 wrote to memory of 336	1280	oobeldr.exe	35
PID 1280 wrote to memory of 336	1280	oobeldr.exe	35
PID 1280 wrote to memory of 336	1280	oobeldr.exe	35
PID 1280 wrote to memory of 336	1280	oobeldr.exe	35
PID 1280 wrote to memory of 684	1280	oobeldr.exe	36
PID 1280 wrote to memory of 684	1280	oobeldr.exe	36
PID 1280 wrote to memory of 684	1280	oobeldr.exe	36
PID 1280 wrote to memory of 684	1280	oobeldr.exe	36
PID 1280 wrote to memory of 992	1280	oobeldr.exe	37
PID 1280 wrote to memory of 992	1280	oobeldr.exe	37
PID 1280 wrote to memory of 992	1280	oobeldr.exe	37
PID 1280 wrote to memory of 992	1280	oobeldr.exe	37
PID 1280 wrote to memory of 1316	1280	oobeldr.exe	38
PID 1280 wrote to memory of 1316	1280	oobeldr.exe	38
PID 1280 wrote to memory of 1316	1280	oobeldr.exe	38
PID 1280 wrote to memory of 1316	1280	oobeldr.exe	38
PID 1280 wrote to memory of 2232	1280	oobeldr.exe	39
PID 1280 wrote to memory of 2232	1280	oobeldr.exe	39
PID 1280 wrote to memory of 2232	1280	oobeldr.exe	39
PID 1280 wrote to memory of 2232	1280	oobeldr.exe	39
PID 1280 wrote to memory of 2232	1280	oobeldr.exe	39
PID 1280 wrote to memory of 2232	1280	oobeldr.exe	39
PID 1280 wrote to memory of 2232	1280	oobeldr.exe	39
PID 1280 wrote to memory of 2232	1280	oobeldr.exe	39
PID 1280 wrote to memory of 2232	1280	oobeldr.exe	39
PID 2232 wrote to memory of 1200	2232	oobeldr.exe	40
PID 2232 wrote to memory of 1200	2232	oobeldr.exe	40
PID 2232 wrote to memory of 1200	2232	oobeldr.exe	40
PID 2232 wrote to memory of 1200	2232	oobeldr.exe	40
PID 2536 wrote to memory of 2132	2536	taskeng.exe	42
PID 2536 wrote to memory of 2132	2536	taskeng.exe	42
PID 2536 wrote to memory of 2132	2536	taskeng.exe	42
PID 2536 wrote to memory of 2132	2536	taskeng.exe	42
PID 2132 wrote to memory of 1676	2132	oobeldr.exe	43
PID 2132 wrote to memory of 1676	2132	oobeldr.exe	43
PID 2132 wrote to memory of 1676	2132	oobeldr.exe	43
PID 2132 wrote to memory of 1676	2132	oobeldr.exe	43
PID 2132 wrote to memory of 1676	2132	oobeldr.exe	43
PID 2132 wrote to memory of 1676	2132	oobeldr.exe	43
PID 2132 wrote to memory of 1676	2132	oobeldr.exe	43
PID 2132 wrote to memory of 1676	2132	oobeldr.exe	43
PID 2132 wrote to memory of 1676	2132	oobeldr.exe	43
PID 2536 wrote to memory of 2968	2536	taskeng.exe	44

C:\Users\Admin\AppData\Local\Temp\d64308d99047b41fe8b57d52b40c55f76b1797833d15e112f9f42f576497c3ce.exe
"C:\Users\Admin\AppData\Local\Temp\d64308d99047b41fe8b57d52b40c55f76b1797833d15e112f9f42f576497c3ce.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2920
- C:\Users\Admin\AppData\Local\Temp\d64308d99047b41fe8b57d52b40c55f76b1797833d15e112f9f42f576497c3ce.exe
  C:\Users\Admin\AppData\Local\Temp\d64308d99047b41fe8b57d52b40c55f76b1797833d15e112f9f42f576497c3ce.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2732
- - C:\Windows\SysWOW64\schtasks.exe
    /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
    3⤵
    - Creates scheduled task(s)
    PID:2976

C:\Windows\system32\taskeng.exe
taskeng.exe {860A219C-4683-4724-BDBE-413913EB9AAB} S-1-5-21-3308111660-3636268597-2291490419-1000:JUBFGPHD\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2536
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1280
- - C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    3⤵
    - Executes dropped EXE
    PID:1964
- - C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    3⤵
    - Executes dropped EXE
    PID:336
- - C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    3⤵
    - Executes dropped EXE
    PID:684
- - C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    3⤵
    - Executes dropped EXE
    PID:992
- - C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    3⤵
    - Executes dropped EXE
    PID:1316
- - C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2232
  - - C:\Windows\SysWOW64\schtasks.exe
      /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
      4⤵
      Creates scheduled task(s)
      PID:1200
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2132
- - C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    3⤵
    - Executes dropped EXE
    PID:1676
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:2968
- - C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    3⤵
    - Executes dropped EXE
    PID:1332
- - C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    3⤵
    - Executes dropped EXE
    PID:2412
- - C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    3⤵
    - Executes dropped EXE
    PID:3004
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:1564
- - C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    3⤵
    - Executes dropped EXE
    PID:2908
- - C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    3⤵
    - Executes dropped EXE
    PID:2648
- - C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    3⤵
    - Executes dropped EXE
    PID:2672
- - C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    3⤵
    - Executes dropped EXE
    PID:2244
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:2164
- - C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    3⤵
    - Executes dropped EXE
    PID:2852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
324KB

MD5
71983974c09a363ad2d923e6b519562c

SHA1
3e98481e38d1b77660605bffef1d8a3b5d9e9de2

SHA256
d64308d99047b41fe8b57d52b40c55f76b1797833d15e112f9f42f576497c3ce

SHA512
e2a445edffd0d74843bbbb0af42c3befb44b57dc480492bf44a691bfd25a5c40367936dc48f8d90bdcd8a3ab55397f0ba85fb6ed38c35f600ea6e65b61303a76

Download Submit
memory/1280-37-0x0000000074490000-0x0000000074B7E000-memory.dmp

Filesize
6.9MB

Download
memory/1280-21-0x0000000004A40000-0x0000000004A80000-memory.dmp

Filesize
256KB

Download
memory/1280-20-0x0000000074490000-0x0000000074B7E000-memory.dmp

Filesize
6.9MB

Download
memory/1280-19-0x0000000000210000-0x0000000000266000-memory.dmp

Filesize
344KB

Download
memory/1564-83-0x0000000074440000-0x0000000074B2E000-memory.dmp

Filesize
6.9MB

Download
memory/1564-69-0x0000000074440000-0x0000000074B2E000-memory.dmp

Filesize
6.9MB

Download
memory/2132-40-0x0000000000210000-0x0000000000266000-memory.dmp

Filesize
344KB

Download
memory/2132-39-0x0000000074440000-0x0000000074B2E000-memory.dmp

Filesize
6.9MB

Download
memory/2132-52-0x0000000074440000-0x0000000074B2E000-memory.dmp

Filesize
6.9MB

Download
memory/2132-41-0x0000000000810000-0x0000000000850000-memory.dmp

Filesize
256KB

Download
memory/2164-95-0x0000000074490000-0x0000000074B7E000-memory.dmp

Filesize
6.9MB

Download
memory/2164-85-0x0000000074490000-0x0000000074B7E000-memory.dmp

Filesize
6.9MB

Download
memory/2232-31-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2732-7-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2732-6-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2732-5-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2732-9-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2732-8-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2732-11-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2732-16-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2732-13-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2920-14-0x0000000074450000-0x0000000074B3E000-memory.dmp

Filesize
6.9MB

Download
memory/2920-0-0x0000000000AC0000-0x0000000000B16000-memory.dmp

Filesize
344KB

Download
memory/2920-2-0x0000000004430000-0x00000000044FC000-memory.dmp

Filesize
816KB

Download
memory/2920-1-0x0000000074450000-0x0000000074B3E000-memory.dmp

Filesize
6.9MB

Download
memory/2920-3-0x0000000000240000-0x0000000000246000-memory.dmp

Filesize
24KB

Download
memory/2920-4-0x0000000004BB0000-0x0000000004BF0000-memory.dmp

Filesize
256KB

Download
memory/2968-54-0x0000000074490000-0x0000000074B7E000-memory.dmp

Filesize
6.9MB

Download
memory/2968-66-0x0000000074490000-0x0000000074B7E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads