09f3d4822ea31b900a2c11d9e365749cd3e64ab9214531f285b7bc0a1539a0dd

Analysis

max time kernel
282s
max time network
300s
platform
windows10-1703_x64
resource
win10-20231215-en
resource tags

arch:x64arch:x86image:win10-20231215-enlocale:en-usos:windows10-1703-x64system
submitted
08/01/2024, 04:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

09f3d4822ea31b900a2c11d9e365749cd3e64ab9214531f285b7bc0a1539a0dd.exe
Size

324KB
MD5

aa14434e6dfc49a9b5531d86a7beeb60
SHA1

31d64b2f4acc8cd23143f9ef4f9bda552b92141f
SHA256

09f3d4822ea31b900a2c11d9e365749cd3e64ab9214531f285b7bc0a1539a0dd
SHA512

88014359d1223ddb3ae4185a34098e2a40579263b92ea3b6e1c6220ab2393b1c52d306dd617d5ced0916fea4083180a015d79c27ba6430342490b53d57f01243
SSDEEP

6144:eKlzr1sYCzek2ciDaP9Xk6Ln1W8W/9InBSkZZmLdGcAdgdY6RKpjS:eGhQ2ciDq9ZL1W8q9InBRqELdolRKpj

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 12 IoCs

pid	Process
1492	oobeldr.exe
3328	oobeldr.exe
4548	oobeldr.exe
4136	oobeldr.exe
4140	oobeldr.exe
4108	oobeldr.exe
588	oobeldr.exe
596	oobeldr.exe
504	oobeldr.exe
1016	oobeldr.exe
2664	oobeldr.exe
4504	oobeldr.exe

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 3904 set thread context of 520	3904	09f3d4822ea31b900a2c11d9e365749cd3e64ab9214531f285b7bc0a1539a0dd.exe	44
PID 1492 set thread context of 3328	1492	oobeldr.exe	77
PID 4548 set thread context of 4136	4548	oobeldr.exe	81
PID 4140 set thread context of 588	4140	oobeldr.exe	84
PID 596 set thread context of 1016	596	oobeldr.exe	87
PID 2664 set thread context of 4504	2664	oobeldr.exe	89

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2052	schtasks.exe
4980	schtasks.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3904 wrote to memory of 520	3904	09f3d4822ea31b900a2c11d9e365749cd3e64ab9214531f285b7bc0a1539a0dd.exe	44
PID 3904 wrote to memory of 520	3904	09f3d4822ea31b900a2c11d9e365749cd3e64ab9214531f285b7bc0a1539a0dd.exe	44
PID 3904 wrote to memory of 520	3904	09f3d4822ea31b900a2c11d9e365749cd3e64ab9214531f285b7bc0a1539a0dd.exe	44
PID 3904 wrote to memory of 520	3904	09f3d4822ea31b900a2c11d9e365749cd3e64ab9214531f285b7bc0a1539a0dd.exe	44
PID 3904 wrote to memory of 520	3904	09f3d4822ea31b900a2c11d9e365749cd3e64ab9214531f285b7bc0a1539a0dd.exe	44
PID 3904 wrote to memory of 520	3904	09f3d4822ea31b900a2c11d9e365749cd3e64ab9214531f285b7bc0a1539a0dd.exe	44
PID 3904 wrote to memory of 520	3904	09f3d4822ea31b900a2c11d9e365749cd3e64ab9214531f285b7bc0a1539a0dd.exe	44
PID 3904 wrote to memory of 520	3904	09f3d4822ea31b900a2c11d9e365749cd3e64ab9214531f285b7bc0a1539a0dd.exe	44
PID 3904 wrote to memory of 520	3904	09f3d4822ea31b900a2c11d9e365749cd3e64ab9214531f285b7bc0a1539a0dd.exe	44
PID 520 wrote to memory of 2052	520	09f3d4822ea31b900a2c11d9e365749cd3e64ab9214531f285b7bc0a1539a0dd.exe	74
PID 520 wrote to memory of 2052	520	09f3d4822ea31b900a2c11d9e365749cd3e64ab9214531f285b7bc0a1539a0dd.exe	74
PID 520 wrote to memory of 2052	520	09f3d4822ea31b900a2c11d9e365749cd3e64ab9214531f285b7bc0a1539a0dd.exe	74
PID 1492 wrote to memory of 3328	1492	oobeldr.exe	77
PID 1492 wrote to memory of 3328	1492	oobeldr.exe	77
PID 1492 wrote to memory of 3328	1492	oobeldr.exe	77
PID 1492 wrote to memory of 3328	1492	oobeldr.exe	77
PID 1492 wrote to memory of 3328	1492	oobeldr.exe	77
PID 1492 wrote to memory of 3328	1492	oobeldr.exe	77
PID 1492 wrote to memory of 3328	1492	oobeldr.exe	77
PID 1492 wrote to memory of 3328	1492	oobeldr.exe	77
PID 1492 wrote to memory of 3328	1492	oobeldr.exe	77
PID 3328 wrote to memory of 4980	3328	oobeldr.exe	79
PID 3328 wrote to memory of 4980	3328	oobeldr.exe	79
PID 3328 wrote to memory of 4980	3328	oobeldr.exe	79
PID 4548 wrote to memory of 4136	4548	oobeldr.exe	81
PID 4548 wrote to memory of 4136	4548	oobeldr.exe	81
PID 4548 wrote to memory of 4136	4548	oobeldr.exe	81
PID 4548 wrote to memory of 4136	4548	oobeldr.exe	81
PID 4548 wrote to memory of 4136	4548	oobeldr.exe	81
PID 4548 wrote to memory of 4136	4548	oobeldr.exe	81
PID 4548 wrote to memory of 4136	4548	oobeldr.exe	81
PID 4548 wrote to memory of 4136	4548	oobeldr.exe	81
PID 4548 wrote to memory of 4136	4548	oobeldr.exe	81
PID 4140 wrote to memory of 4108	4140	oobeldr.exe	83
PID 4140 wrote to memory of 4108	4140	oobeldr.exe	83
PID 4140 wrote to memory of 4108	4140	oobeldr.exe	83
PID 4140 wrote to memory of 588	4140	oobeldr.exe	84
PID 4140 wrote to memory of 588	4140	oobeldr.exe	84
PID 4140 wrote to memory of 588	4140	oobeldr.exe	84
PID 4140 wrote to memory of 588	4140	oobeldr.exe	84
PID 4140 wrote to memory of 588	4140	oobeldr.exe	84
PID 4140 wrote to memory of 588	4140	oobeldr.exe	84
PID 4140 wrote to memory of 588	4140	oobeldr.exe	84
PID 4140 wrote to memory of 588	4140	oobeldr.exe	84
PID 4140 wrote to memory of 588	4140	oobeldr.exe	84
PID 596 wrote to memory of 504	596	oobeldr.exe	86
PID 596 wrote to memory of 504	596	oobeldr.exe	86
PID 596 wrote to memory of 504	596	oobeldr.exe	86
PID 596 wrote to memory of 1016	596	oobeldr.exe	87
PID 596 wrote to memory of 1016	596	oobeldr.exe	87
PID 596 wrote to memory of 1016	596	oobeldr.exe	87
PID 596 wrote to memory of 1016	596	oobeldr.exe	87
PID 596 wrote to memory of 1016	596	oobeldr.exe	87
PID 596 wrote to memory of 1016	596	oobeldr.exe	87
PID 596 wrote to memory of 1016	596	oobeldr.exe	87
PID 596 wrote to memory of 1016	596	oobeldr.exe	87
PID 596 wrote to memory of 1016	596	oobeldr.exe	87
PID 2664 wrote to memory of 4504	2664	oobeldr.exe	89
PID 2664 wrote to memory of 4504	2664	oobeldr.exe	89
PID 2664 wrote to memory of 4504	2664	oobeldr.exe	89
PID 2664 wrote to memory of 4504	2664	oobeldr.exe	89
PID 2664 wrote to memory of 4504	2664	oobeldr.exe	89
PID 2664 wrote to memory of 4504	2664	oobeldr.exe	89
PID 2664 wrote to memory of 4504	2664	oobeldr.exe	89

C:\Users\Admin\AppData\Local\Temp\09f3d4822ea31b900a2c11d9e365749cd3e64ab9214531f285b7bc0a1539a0dd.exe
"C:\Users\Admin\AppData\Local\Temp\09f3d4822ea31b900a2c11d9e365749cd3e64ab9214531f285b7bc0a1539a0dd.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3904
- C:\Users\Admin\AppData\Local\Temp\09f3d4822ea31b900a2c11d9e365749cd3e64ab9214531f285b7bc0a1539a0dd.exe
  C:\Users\Admin\AppData\Local\Temp\09f3d4822ea31b900a2c11d9e365749cd3e64ab9214531f285b7bc0a1539a0dd.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:520
- - C:\Windows\SysWOW64\schtasks.exe
    /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
    3⤵
    - Creates scheduled task(s)
    PID:2052

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1492
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3328
- - C:\Windows\SysWOW64\schtasks.exe
    /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
    3⤵
    - Creates scheduled task(s)
    PID:4980

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4548
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  - Executes dropped EXE
  PID:4136

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4140
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  - Executes dropped EXE
  PID:4108
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  - Executes dropped EXE
  PID:588

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:596
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  - Executes dropped EXE
  PID:504
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  - Executes dropped EXE
  PID:1016

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2664
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  - Executes dropped EXE
  PID:4504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\oobeldr.exe.log

Filesize
789B

MD5
db5ef8d7c51bad129d9097bf953e4913

SHA1
8439db960aa2d431bf5ec3c37af775b45eb07e06

SHA256
1248e67f10b47b397af3c8cbe342bad4be75c68b8e10f4ec6341195cc3138bd9

SHA512
04572485790b25e1751347e43b47174051cd153dd75fd55ee5590d25a2579f344cd96cf86cf45bdb7759e3e6d0f734d0ff717148ca70f501b9869e964e036fee

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
324KB

MD5
aa14434e6dfc49a9b5531d86a7beeb60

SHA1
31d64b2f4acc8cd23143f9ef4f9bda552b92141f

SHA256
09f3d4822ea31b900a2c11d9e365749cd3e64ab9214531f285b7bc0a1539a0dd

SHA512
88014359d1223ddb3ae4185a34098e2a40579263b92ea3b6e1c6220ab2393b1c52d306dd617d5ced0916fea4083180a015d79c27ba6430342490b53d57f01243

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
92KB

MD5
5b04c87c73c9d7a7e5e46728539ec7b4

SHA1
81501f05ec66543fc9b0709b97c9a3d2caee2c48

SHA256
68c45b277d09b26022e58a31be2aa85bf4b077e3deb74c6e8492358ffc06b991

SHA512
0e38b204416da4bb96396d56b55ac0f0ab6a1cd6d142de61546a7465c5a99cc40f20658dfab8d4a1e9f3b83c54c519ab05cf8fc5866309fbbb0730ebf6a65304

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
66KB

MD5
6f91d89b74e04012ced40bf177719cbe

SHA1
918480f65901e53cdd5477151c760c8378650ed7

SHA256
0bf6415c9a70728e5e72c7ae338753f402b09218a082452b55ddb79c5a68c46a

SHA512
69af3b8afbbd1543431a54ea162d7e53a1bc4f91f4bca74f32e967f55f964c5155878b940713336c762a5a52c41209ee5decc18fe6499de12dfaad121d9df5a2

Download Submit
memory/520-12-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/520-9-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/520-13-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/596-48-0x00000000058C0000-0x00000000058D0000-memory.dmp

Filesize
64KB

Download
memory/596-47-0x0000000073260000-0x000000007394E000-memory.dmp

Filesize
6.9MB

Download
memory/596-54-0x0000000073260000-0x000000007394E000-memory.dmp

Filesize
6.9MB

Download
memory/1492-25-0x00000000731C0000-0x00000000738AE000-memory.dmp

Filesize
6.9MB

Download
memory/1492-18-0x00000000731C0000-0x00000000738AE000-memory.dmp

Filesize
6.9MB

Download
memory/1492-19-0x0000000005810000-0x0000000005820000-memory.dmp

Filesize
64KB

Download
memory/2664-56-0x0000000073260000-0x000000007394E000-memory.dmp

Filesize
6.9MB

Download
memory/2664-57-0x0000000004D80000-0x0000000004D90000-memory.dmp

Filesize
64KB

Download
memory/2664-62-0x0000000073260000-0x000000007394E000-memory.dmp

Filesize
6.9MB

Download
memory/3904-8-0x00000000070B0000-0x00000000070CE000-memory.dmp

Filesize
120KB

Download
memory/3904-6-0x0000000004B50000-0x0000000004B60000-memory.dmp

Filesize
64KB

Download
memory/3904-1-0x00000000731C0000-0x00000000738AE000-memory.dmp

Filesize
6.9MB

Download
memory/3904-0-0x0000000000150000-0x00000000001A6000-memory.dmp

Filesize
344KB

Download
memory/3904-2-0x0000000004A70000-0x0000000004B3C000-memory.dmp

Filesize
816KB

Download
memory/3904-3-0x0000000007560000-0x0000000007A5E000-memory.dmp

Filesize
5.0MB

Download
memory/3904-7-0x00000000073A0000-0x0000000007416000-memory.dmp

Filesize
472KB

Download
memory/3904-15-0x00000000731C0000-0x00000000738AE000-memory.dmp

Filesize
6.9MB

Download
memory/3904-4-0x0000000007100000-0x0000000007192000-memory.dmp

Filesize
584KB

Download
memory/3904-5-0x0000000007060000-0x0000000007066000-memory.dmp

Filesize
24KB

Download
memory/4140-38-0x0000000073260000-0x000000007394E000-memory.dmp

Filesize
6.9MB

Download
memory/4140-45-0x0000000073260000-0x000000007394E000-memory.dmp

Filesize
6.9MB

Download
memory/4140-39-0x0000000004C30000-0x0000000004C40000-memory.dmp

Filesize
64KB

Download
memory/4548-36-0x0000000073260000-0x000000007394E000-memory.dmp

Filesize
6.9MB

Download
memory/4548-29-0x0000000005300000-0x0000000005310000-memory.dmp

Filesize
64KB

Download
memory/4548-28-0x0000000073260000-0x000000007394E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads