a59abee24d946f4d3c1c4fb6d99406c72da09e7cb56e4e404328f5c39a690315

Analysis

max time kernel
291s
max time network
296s
platform
windows10-1703_x64
resource
win10-20231215-en
resource tags

arch:x64arch:x86image:win10-20231215-enlocale:en-usos:windows10-1703-x64system
submitted
08-01-2024 04:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a59abee24d946f4d3c1c4fb6d99406c72da09e7cb56e4e404328f5c39a690315.exe
Size

324KB
MD5

85934bdf0c54ce3d93872595cf58cada
SHA1

8ca1628086eafccb4080a73bd706b54cbd9fa6b0
SHA256

a59abee24d946f4d3c1c4fb6d99406c72da09e7cb56e4e404328f5c39a690315
SHA512

1b9871772f0e08a94552a0115faf003ac87adda0f989f7451079cd871e905d633ad4bc9ec2051dbf2aad1e6c9dc6dc29ea5d24f13305eb1685c84c8994158fe1
SSDEEP

6144:eKlzr1sYCzek2ciDaP9Xk6Ln1W8W/9InBSkZZmLdGcAdgdY6RKpjS:eGhQ2ciDq9ZL1W8q9InBRqELdolRKpj

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 10 IoCs

pid	Process
3492	oobeldr.exe
3800	oobeldr.exe
4388	oobeldr.exe
3940	oobeldr.exe
4120	oobeldr.exe
1944	oobeldr.exe
4152	oobeldr.exe
2792	oobeldr.exe
208	oobeldr.exe
2172	oobeldr.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 5096 set thread context of 4112	5096	a59abee24d946f4d3c1c4fb6d99406c72da09e7cb56e4e404328f5c39a690315.exe	74
PID 3492 set thread context of 3800	3492	oobeldr.exe	78
PID 4388 set thread context of 3940	4388	oobeldr.exe	82
PID 4120 set thread context of 4152	4120	oobeldr.exe	85
PID 2792 set thread context of 208	2792	oobeldr.exe	89

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4988	4152	WerFault.exe	85

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3772	schtasks.exe
4636	schtasks.exe

Suspicious use of WriteProcessMemory 57 IoCs

description	pid	Process	procid_target
PID 5096 wrote to memory of 5080	5096	a59abee24d946f4d3c1c4fb6d99406c72da09e7cb56e4e404328f5c39a690315.exe	16
PID 5096 wrote to memory of 5080	5096	a59abee24d946f4d3c1c4fb6d99406c72da09e7cb56e4e404328f5c39a690315.exe	16
PID 5096 wrote to memory of 5080	5096	a59abee24d946f4d3c1c4fb6d99406c72da09e7cb56e4e404328f5c39a690315.exe	16
PID 5096 wrote to memory of 4112	5096	a59abee24d946f4d3c1c4fb6d99406c72da09e7cb56e4e404328f5c39a690315.exe	74
PID 5096 wrote to memory of 4112	5096	a59abee24d946f4d3c1c4fb6d99406c72da09e7cb56e4e404328f5c39a690315.exe	74
PID 5096 wrote to memory of 4112	5096	a59abee24d946f4d3c1c4fb6d99406c72da09e7cb56e4e404328f5c39a690315.exe	74
PID 5096 wrote to memory of 4112	5096	a59abee24d946f4d3c1c4fb6d99406c72da09e7cb56e4e404328f5c39a690315.exe	74
PID 5096 wrote to memory of 4112	5096	a59abee24d946f4d3c1c4fb6d99406c72da09e7cb56e4e404328f5c39a690315.exe	74
PID 5096 wrote to memory of 4112	5096	a59abee24d946f4d3c1c4fb6d99406c72da09e7cb56e4e404328f5c39a690315.exe	74
PID 5096 wrote to memory of 4112	5096	a59abee24d946f4d3c1c4fb6d99406c72da09e7cb56e4e404328f5c39a690315.exe	74
PID 5096 wrote to memory of 4112	5096	a59abee24d946f4d3c1c4fb6d99406c72da09e7cb56e4e404328f5c39a690315.exe	74
PID 5096 wrote to memory of 4112	5096	a59abee24d946f4d3c1c4fb6d99406c72da09e7cb56e4e404328f5c39a690315.exe	74
PID 4112 wrote to memory of 3772	4112	a59abee24d946f4d3c1c4fb6d99406c72da09e7cb56e4e404328f5c39a690315.exe	76
PID 4112 wrote to memory of 3772	4112	a59abee24d946f4d3c1c4fb6d99406c72da09e7cb56e4e404328f5c39a690315.exe	76
PID 4112 wrote to memory of 3772	4112	a59abee24d946f4d3c1c4fb6d99406c72da09e7cb56e4e404328f5c39a690315.exe	76
PID 3492 wrote to memory of 3800	3492	oobeldr.exe	78
PID 3492 wrote to memory of 3800	3492	oobeldr.exe	78
PID 3492 wrote to memory of 3800	3492	oobeldr.exe	78
PID 3492 wrote to memory of 3800	3492	oobeldr.exe	78
PID 3492 wrote to memory of 3800	3492	oobeldr.exe	78
PID 3492 wrote to memory of 3800	3492	oobeldr.exe	78
PID 3492 wrote to memory of 3800	3492	oobeldr.exe	78
PID 3492 wrote to memory of 3800	3492	oobeldr.exe	78
PID 3492 wrote to memory of 3800	3492	oobeldr.exe	78
PID 3800 wrote to memory of 4636	3800	oobeldr.exe	80
PID 3800 wrote to memory of 4636	3800	oobeldr.exe	80
PID 3800 wrote to memory of 4636	3800	oobeldr.exe	80
PID 4388 wrote to memory of 3940	4388	oobeldr.exe	82
PID 4388 wrote to memory of 3940	4388	oobeldr.exe	82
PID 4388 wrote to memory of 3940	4388	oobeldr.exe	82
PID 4388 wrote to memory of 3940	4388	oobeldr.exe	82
PID 4388 wrote to memory of 3940	4388	oobeldr.exe	82
PID 4388 wrote to memory of 3940	4388	oobeldr.exe	82
PID 4388 wrote to memory of 3940	4388	oobeldr.exe	82
PID 4388 wrote to memory of 3940	4388	oobeldr.exe	82
PID 4388 wrote to memory of 3940	4388	oobeldr.exe	82
PID 4120 wrote to memory of 1944	4120	oobeldr.exe	84
PID 4120 wrote to memory of 1944	4120	oobeldr.exe	84
PID 4120 wrote to memory of 1944	4120	oobeldr.exe	84
PID 4120 wrote to memory of 4152	4120	oobeldr.exe	85
PID 4120 wrote to memory of 4152	4120	oobeldr.exe	85
PID 4120 wrote to memory of 4152	4120	oobeldr.exe	85
PID 4120 wrote to memory of 4152	4120	oobeldr.exe	85
PID 4120 wrote to memory of 4152	4120	oobeldr.exe	85
PID 4120 wrote to memory of 4152	4120	oobeldr.exe	85
PID 4120 wrote to memory of 4152	4120	oobeldr.exe	85
PID 4120 wrote to memory of 4152	4120	oobeldr.exe	85
PID 4120 wrote to memory of 4152	4120	oobeldr.exe	85
PID 2792 wrote to memory of 208	2792	oobeldr.exe	89
PID 2792 wrote to memory of 208	2792	oobeldr.exe	89
PID 2792 wrote to memory of 208	2792	oobeldr.exe	89
PID 2792 wrote to memory of 208	2792	oobeldr.exe	89
PID 2792 wrote to memory of 208	2792	oobeldr.exe	89
PID 2792 wrote to memory of 208	2792	oobeldr.exe	89
PID 2792 wrote to memory of 208	2792	oobeldr.exe	89
PID 2792 wrote to memory of 208	2792	oobeldr.exe	89
PID 2792 wrote to memory of 208	2792	oobeldr.exe	89

C:\Users\Admin\AppData\Local\Temp\a59abee24d946f4d3c1c4fb6d99406c72da09e7cb56e4e404328f5c39a690315.exe
"C:\Users\Admin\AppData\Local\Temp\a59abee24d946f4d3c1c4fb6d99406c72da09e7cb56e4e404328f5c39a690315.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5096
- C:\Users\Admin\AppData\Local\Temp\a59abee24d946f4d3c1c4fb6d99406c72da09e7cb56e4e404328f5c39a690315.exe
  C:\Users\Admin\AppData\Local\Temp\a59abee24d946f4d3c1c4fb6d99406c72da09e7cb56e4e404328f5c39a690315.exe
  2⤵
  PID:5080
- C:\Users\Admin\AppData\Local\Temp\a59abee24d946f4d3c1c4fb6d99406c72da09e7cb56e4e404328f5c39a690315.exe
  C:\Users\Admin\AppData\Local\Temp\a59abee24d946f4d3c1c4fb6d99406c72da09e7cb56e4e404328f5c39a690315.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4112
- - C:\Windows\SysWOW64\schtasks.exe
    /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
    3⤵
    - Creates scheduled task(s)
    PID:3772

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3492
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3800
- - C:\Windows\SysWOW64\schtasks.exe
    /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
    3⤵
    - Creates scheduled task(s)
    PID:4636

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4388
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  - Executes dropped EXE
  PID:3940

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4120
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  - Executes dropped EXE
  PID:1944
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  - Executes dropped EXE
  PID:4152
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4152 -s 152
    3⤵
    - Program crash
    PID:4988

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2792
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  - Executes dropped EXE
  PID:208

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
1⤵
- Executes dropped EXE
PID:2172
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  PID:4848
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  PID:1216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2172-50-0x0000000004930000-0x0000000004940000-memory.dmp

Filesize
64KB

Download
memory/2172-49-0x0000000073490000-0x0000000073B7E000-memory.dmp

Filesize
6.9MB

Download
memory/2792-47-0x0000000073490000-0x0000000073B7E000-memory.dmp

Filesize
6.9MB

Download
memory/2792-42-0x0000000005290000-0x00000000052A0000-memory.dmp

Filesize
64KB

Download
memory/2792-41-0x0000000073490000-0x0000000073B7E000-memory.dmp

Filesize
6.9MB

Download
memory/3492-19-0x0000000001550000-0x0000000001560000-memory.dmp

Filesize
64KB

Download
memory/3492-18-0x0000000073E30000-0x000000007451E000-memory.dmp

Filesize
6.9MB

Download
memory/3492-25-0x0000000073E30000-0x000000007451E000-memory.dmp

Filesize
6.9MB

Download
memory/4112-12-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/4112-14-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/4112-9-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/4120-34-0x0000000073ED0000-0x00000000745BE000-memory.dmp

Filesize
6.9MB

Download
memory/4120-35-0x0000000004F30000-0x0000000004F40000-memory.dmp

Filesize
64KB

Download
memory/4120-39-0x0000000073ED0000-0x00000000745BE000-memory.dmp

Filesize
6.9MB

Download
memory/4388-32-0x0000000073ED0000-0x00000000745BE000-memory.dmp

Filesize
6.9MB

Download
memory/4388-28-0x0000000073ED0000-0x00000000745BE000-memory.dmp

Filesize
6.9MB

Download
memory/4388-29-0x0000000005730000-0x0000000005740000-memory.dmp

Filesize
64KB

Download
memory/5096-15-0x0000000073E30000-0x000000007451E000-memory.dmp

Filesize
6.9MB

Download
memory/5096-0-0x0000000000100000-0x0000000000156000-memory.dmp

Filesize
344KB

Download
memory/5096-3-0x0000000007460000-0x000000000795E000-memory.dmp

Filesize
5.0MB

Download
memory/5096-8-0x00000000049B0000-0x00000000049CE000-memory.dmp

Filesize
120KB

Download
memory/5096-6-0x00000000072A0000-0x0000000007316000-memory.dmp

Filesize
472KB

Download
memory/5096-7-0x00000000049F0000-0x0000000004A00000-memory.dmp

Filesize
64KB

Download
memory/5096-5-0x0000000004960000-0x0000000004966000-memory.dmp

Filesize
24KB

Download
memory/5096-4-0x0000000007000000-0x0000000007092000-memory.dmp

Filesize
584KB

Download
memory/5096-2-0x0000000006E90000-0x0000000006F5C000-memory.dmp

Filesize
816KB

Download
memory/5096-1-0x0000000073E30000-0x000000007451E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads