a59abee24d946f4d3c1c4fb6d99406c72da09e7cb56e4e404328f5c39a690315

Analysis

max time kernel
297s
max time network
125s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
08/01/2024, 04:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a59abee24d946f4d3c1c4fb6d99406c72da09e7cb56e4e404328f5c39a690315.exe
Size

324KB
MD5

85934bdf0c54ce3d93872595cf58cada
SHA1

8ca1628086eafccb4080a73bd706b54cbd9fa6b0
SHA256

a59abee24d946f4d3c1c4fb6d99406c72da09e7cb56e4e404328f5c39a690315
SHA512

1b9871772f0e08a94552a0115faf003ac87adda0f989f7451079cd871e905d633ad4bc9ec2051dbf2aad1e6c9dc6dc29ea5d24f13305eb1685c84c8994158fe1
SSDEEP

6144:eKlzr1sYCzek2ciDaP9Xk6Ln1W8W/9InBSkZZmLdGcAdgdY6RKpjS:eGhQ2ciDq9ZL1W8q9InBRqELdolRKpj

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 10 IoCs

pid	Process
2996	oobeldr.exe
1976	oobeldr.exe
2628	oobeldr.exe
2308	oobeldr.exe
1092	oobeldr.exe
1992	oobeldr.exe
1812	oobeldr.exe
1624	oobeldr.exe
2880	oobeldr.exe
280	oobeldr.exe

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 1720 set thread context of 2088	1720	a59abee24d946f4d3c1c4fb6d99406c72da09e7cb56e4e404328f5c39a690315.exe	28
PID 2996 set thread context of 1976	2996	oobeldr.exe	35
PID 2628 set thread context of 2308	2628	oobeldr.exe	39
PID 1092 set thread context of 1992	1092	oobeldr.exe	41
PID 1812 set thread context of 1624	1812	oobeldr.exe	43
PID 2880 set thread context of 280	2880	oobeldr.exe	45

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2844	schtasks.exe
2868	schtasks.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1720 wrote to memory of 2088	1720	a59abee24d946f4d3c1c4fb6d99406c72da09e7cb56e4e404328f5c39a690315.exe	28
PID 1720 wrote to memory of 2088	1720	a59abee24d946f4d3c1c4fb6d99406c72da09e7cb56e4e404328f5c39a690315.exe	28
PID 1720 wrote to memory of 2088	1720	a59abee24d946f4d3c1c4fb6d99406c72da09e7cb56e4e404328f5c39a690315.exe	28
PID 1720 wrote to memory of 2088	1720	a59abee24d946f4d3c1c4fb6d99406c72da09e7cb56e4e404328f5c39a690315.exe	28
PID 1720 wrote to memory of 2088	1720	a59abee24d946f4d3c1c4fb6d99406c72da09e7cb56e4e404328f5c39a690315.exe	28
PID 1720 wrote to memory of 2088	1720	a59abee24d946f4d3c1c4fb6d99406c72da09e7cb56e4e404328f5c39a690315.exe	28
PID 1720 wrote to memory of 2088	1720	a59abee24d946f4d3c1c4fb6d99406c72da09e7cb56e4e404328f5c39a690315.exe	28
PID 1720 wrote to memory of 2088	1720	a59abee24d946f4d3c1c4fb6d99406c72da09e7cb56e4e404328f5c39a690315.exe	28
PID 1720 wrote to memory of 2088	1720	a59abee24d946f4d3c1c4fb6d99406c72da09e7cb56e4e404328f5c39a690315.exe	28
PID 2088 wrote to memory of 2844	2088	a59abee24d946f4d3c1c4fb6d99406c72da09e7cb56e4e404328f5c39a690315.exe	29
PID 2088 wrote to memory of 2844	2088	a59abee24d946f4d3c1c4fb6d99406c72da09e7cb56e4e404328f5c39a690315.exe	29
PID 2088 wrote to memory of 2844	2088	a59abee24d946f4d3c1c4fb6d99406c72da09e7cb56e4e404328f5c39a690315.exe	29
PID 2088 wrote to memory of 2844	2088	a59abee24d946f4d3c1c4fb6d99406c72da09e7cb56e4e404328f5c39a690315.exe	29
PID 2600 wrote to memory of 2996	2600	taskeng.exe	34
PID 2600 wrote to memory of 2996	2600	taskeng.exe	34
PID 2600 wrote to memory of 2996	2600	taskeng.exe	34
PID 2600 wrote to memory of 2996	2600	taskeng.exe	34
PID 2996 wrote to memory of 1976	2996	oobeldr.exe	35
PID 2996 wrote to memory of 1976	2996	oobeldr.exe	35
PID 2996 wrote to memory of 1976	2996	oobeldr.exe	35
PID 2996 wrote to memory of 1976	2996	oobeldr.exe	35
PID 2996 wrote to memory of 1976	2996	oobeldr.exe	35
PID 2996 wrote to memory of 1976	2996	oobeldr.exe	35
PID 2996 wrote to memory of 1976	2996	oobeldr.exe	35
PID 2996 wrote to memory of 1976	2996	oobeldr.exe	35
PID 2996 wrote to memory of 1976	2996	oobeldr.exe	35
PID 1976 wrote to memory of 2868	1976	oobeldr.exe	36
PID 1976 wrote to memory of 2868	1976	oobeldr.exe	36
PID 1976 wrote to memory of 2868	1976	oobeldr.exe	36
PID 1976 wrote to memory of 2868	1976	oobeldr.exe	36
PID 2600 wrote to memory of 2628	2600	taskeng.exe	38
PID 2600 wrote to memory of 2628	2600	taskeng.exe	38
PID 2600 wrote to memory of 2628	2600	taskeng.exe	38
PID 2600 wrote to memory of 2628	2600	taskeng.exe	38
PID 2628 wrote to memory of 2308	2628	oobeldr.exe	39
PID 2628 wrote to memory of 2308	2628	oobeldr.exe	39
PID 2628 wrote to memory of 2308	2628	oobeldr.exe	39
PID 2628 wrote to memory of 2308	2628	oobeldr.exe	39
PID 2628 wrote to memory of 2308	2628	oobeldr.exe	39
PID 2628 wrote to memory of 2308	2628	oobeldr.exe	39
PID 2628 wrote to memory of 2308	2628	oobeldr.exe	39
PID 2628 wrote to memory of 2308	2628	oobeldr.exe	39
PID 2628 wrote to memory of 2308	2628	oobeldr.exe	39
PID 2600 wrote to memory of 1092	2600	taskeng.exe	40
PID 2600 wrote to memory of 1092	2600	taskeng.exe	40
PID 2600 wrote to memory of 1092	2600	taskeng.exe	40
PID 2600 wrote to memory of 1092	2600	taskeng.exe	40
PID 1092 wrote to memory of 1992	1092	oobeldr.exe	41
PID 1092 wrote to memory of 1992	1092	oobeldr.exe	41
PID 1092 wrote to memory of 1992	1092	oobeldr.exe	41
PID 1092 wrote to memory of 1992	1092	oobeldr.exe	41
PID 1092 wrote to memory of 1992	1092	oobeldr.exe	41
PID 1092 wrote to memory of 1992	1092	oobeldr.exe	41
PID 1092 wrote to memory of 1992	1092	oobeldr.exe	41
PID 1092 wrote to memory of 1992	1092	oobeldr.exe	41
PID 1092 wrote to memory of 1992	1092	oobeldr.exe	41
PID 2600 wrote to memory of 1812	2600	taskeng.exe	42
PID 2600 wrote to memory of 1812	2600	taskeng.exe	42
PID 2600 wrote to memory of 1812	2600	taskeng.exe	42
PID 2600 wrote to memory of 1812	2600	taskeng.exe	42
PID 1812 wrote to memory of 1624	1812	oobeldr.exe	43
PID 1812 wrote to memory of 1624	1812	oobeldr.exe	43
PID 1812 wrote to memory of 1624	1812	oobeldr.exe	43
PID 1812 wrote to memory of 1624	1812	oobeldr.exe	43

C:\Users\Admin\AppData\Local\Temp\a59abee24d946f4d3c1c4fb6d99406c72da09e7cb56e4e404328f5c39a690315.exe
"C:\Users\Admin\AppData\Local\Temp\a59abee24d946f4d3c1c4fb6d99406c72da09e7cb56e4e404328f5c39a690315.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1720
- C:\Users\Admin\AppData\Local\Temp\a59abee24d946f4d3c1c4fb6d99406c72da09e7cb56e4e404328f5c39a690315.exe
  C:\Users\Admin\AppData\Local\Temp\a59abee24d946f4d3c1c4fb6d99406c72da09e7cb56e4e404328f5c39a690315.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2088
- - C:\Windows\SysWOW64\schtasks.exe
    /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
    3⤵
    - Creates scheduled task(s)
    PID:2844

C:\Windows\system32\taskeng.exe
taskeng.exe {D1CF69EA-C659-40AA-AAEC-52FFE69A8B40} S-1-5-21-3427588347-1492276948-3422228430-1000:QVMRJQQO\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2600
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2996
- - C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1976
  - - C:\Windows\SysWOW64\schtasks.exe
      /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
      4⤵
      Creates scheduled task(s)
      PID:2868
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2628
- - C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    3⤵
    - Executes dropped EXE
    PID:2308
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1092
- - C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    3⤵
    - Executes dropped EXE
    PID:1992
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1812
- - C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    3⤵
    - Executes dropped EXE
    PID:1624
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:2880
- - C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    3⤵
    - Executes dropped EXE
    PID:280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
324KB

MD5
85934bdf0c54ce3d93872595cf58cada

SHA1
8ca1628086eafccb4080a73bd706b54cbd9fa6b0

SHA256
a59abee24d946f4d3c1c4fb6d99406c72da09e7cb56e4e404328f5c39a690315

SHA512
1b9871772f0e08a94552a0115faf003ac87adda0f989f7451079cd871e905d633ad4bc9ec2051dbf2aad1e6c9dc6dc29ea5d24f13305eb1685c84c8994158fe1

Download Submit
memory/1092-65-0x00000000745B0000-0x0000000074C9E000-memory.dmp

Filesize
6.9MB

Download
memory/1092-49-0x00000000745B0000-0x0000000074C9E000-memory.dmp

Filesize
6.9MB

Download
memory/1092-50-0x0000000004AE0000-0x0000000004B20000-memory.dmp

Filesize
256KB

Download
memory/1720-3-0x00000000002B0000-0x00000000002B6000-memory.dmp

Filesize
24KB

Download
memory/1720-0-0x0000000000020000-0x0000000000076000-memory.dmp

Filesize
344KB

Download
memory/1720-4-0x00000000048B0000-0x00000000048F0000-memory.dmp

Filesize
256KB

Download
memory/1720-16-0x0000000074570000-0x0000000074C5E000-memory.dmp

Filesize
6.9MB

Download
memory/1720-2-0x00000000047E0000-0x00000000048AC000-memory.dmp

Filesize
816KB

Download
memory/1720-1-0x0000000074570000-0x0000000074C5E000-memory.dmp

Filesize
6.9MB

Download
memory/1812-82-0x0000000074560000-0x0000000074C4E000-memory.dmp

Filesize
6.9MB

Download
memory/1812-67-0x0000000074560000-0x0000000074C4E000-memory.dmp

Filesize
6.9MB

Download
memory/1976-26-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2088-7-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2088-8-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2088-5-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2088-6-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2088-15-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2088-13-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2088-9-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2088-11-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2628-35-0x0000000074560000-0x0000000074C4E000-memory.dmp

Filesize
6.9MB

Download
memory/2628-36-0x00000000012F0000-0x0000000001330000-memory.dmp

Filesize
256KB

Download
memory/2628-47-0x0000000074560000-0x0000000074C4E000-memory.dmp

Filesize
6.9MB

Download
memory/2628-34-0x0000000001330000-0x0000000001386000-memory.dmp

Filesize
344KB

Download
memory/2880-84-0x00000000745B0000-0x0000000074C9E000-memory.dmp

Filesize
6.9MB

Download
memory/2880-99-0x00000000745B0000-0x0000000074C9E000-memory.dmp

Filesize
6.9MB

Download
memory/2996-32-0x00000000745B0000-0x0000000074C9E000-memory.dmp

Filesize
6.9MB

Download
memory/2996-21-0x0000000004C40000-0x0000000004C80000-memory.dmp

Filesize
256KB

Download
memory/2996-20-0x0000000001330000-0x0000000001386000-memory.dmp

Filesize
344KB

Download
memory/2996-19-0x00000000745B0000-0x0000000074C9E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads