d8264891f9dfd736ba3bf1e3aadc5ebedd98afc4778ae838ec6a8ded666725ce

Analysis

max time kernel
256s
max time network
301s
platform
windows10-1703_x64
resource
win10-20231220-en
resource tags

arch:x64arch:x86image:win10-20231220-enlocale:en-usos:windows10-1703-x64system
submitted
08/01/2024, 05:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d8264891f9dfd736ba3bf1e3aadc5ebedd98afc4778ae838ec6a8ded666725ce.exe
Size

324KB
MD5

8a578155e6f19cfe4171e422d1860004
SHA1

001c9bc38ff64430b77f391f9693242e1a4cfd5e
SHA256

d8264891f9dfd736ba3bf1e3aadc5ebedd98afc4778ae838ec6a8ded666725ce
SHA512

f8f0dcb72ced555331bf625cebd741e99c336be0ecc321604f73eff142f4a8efc3fa9f4dad71cb814593c1dc35cb82f0b0b99c2a2990a49c1ec9693ac7b6a545
SSDEEP

6144:eKlzr1sYCzek2ciDaP9Xk6Ln1W8W/9InBSkZZmLdGcAdgdY6RKpjS:eGhQ2ciDq9ZL1W8q9InBRqELdolRKpj

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 10 IoCs

pid	Process
3524	oobeldr.exe
436	oobeldr.exe
5064	oobeldr.exe
2360	oobeldr.exe
4752	oobeldr.exe
4680	oobeldr.exe
1472	oobeldr.exe
2148	oobeldr.exe
2920	oobeldr.exe
2504	oobeldr.exe

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 2156 set thread context of 1896	2156	d8264891f9dfd736ba3bf1e3aadc5ebedd98afc4778ae838ec6a8ded666725ce.exe	19
PID 3524 set thread context of 436	3524	oobeldr.exe	78
PID 5064 set thread context of 2360	5064	oobeldr.exe	82
PID 4752 set thread context of 4680	4752	oobeldr.exe	84
PID 1472 set thread context of 2148	1472	oobeldr.exe	86
PID 2920 set thread context of 2504	2920	oobeldr.exe	88

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2496	schtasks.exe
3060	schtasks.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 2156 wrote to memory of 1896	2156	d8264891f9dfd736ba3bf1e3aadc5ebedd98afc4778ae838ec6a8ded666725ce.exe	19
PID 2156 wrote to memory of 1896	2156	d8264891f9dfd736ba3bf1e3aadc5ebedd98afc4778ae838ec6a8ded666725ce.exe	19
PID 2156 wrote to memory of 1896	2156	d8264891f9dfd736ba3bf1e3aadc5ebedd98afc4778ae838ec6a8ded666725ce.exe	19
PID 2156 wrote to memory of 1896	2156	d8264891f9dfd736ba3bf1e3aadc5ebedd98afc4778ae838ec6a8ded666725ce.exe	19
PID 2156 wrote to memory of 1896	2156	d8264891f9dfd736ba3bf1e3aadc5ebedd98afc4778ae838ec6a8ded666725ce.exe	19
PID 2156 wrote to memory of 1896	2156	d8264891f9dfd736ba3bf1e3aadc5ebedd98afc4778ae838ec6a8ded666725ce.exe	19
PID 2156 wrote to memory of 1896	2156	d8264891f9dfd736ba3bf1e3aadc5ebedd98afc4778ae838ec6a8ded666725ce.exe	19
PID 2156 wrote to memory of 1896	2156	d8264891f9dfd736ba3bf1e3aadc5ebedd98afc4778ae838ec6a8ded666725ce.exe	19
PID 2156 wrote to memory of 1896	2156	d8264891f9dfd736ba3bf1e3aadc5ebedd98afc4778ae838ec6a8ded666725ce.exe	19
PID 1896 wrote to memory of 2496	1896	d8264891f9dfd736ba3bf1e3aadc5ebedd98afc4778ae838ec6a8ded666725ce.exe	76
PID 1896 wrote to memory of 2496	1896	d8264891f9dfd736ba3bf1e3aadc5ebedd98afc4778ae838ec6a8ded666725ce.exe	76
PID 1896 wrote to memory of 2496	1896	d8264891f9dfd736ba3bf1e3aadc5ebedd98afc4778ae838ec6a8ded666725ce.exe	76
PID 3524 wrote to memory of 436	3524	oobeldr.exe	78
PID 3524 wrote to memory of 436	3524	oobeldr.exe	78
PID 3524 wrote to memory of 436	3524	oobeldr.exe	78
PID 3524 wrote to memory of 436	3524	oobeldr.exe	78
PID 3524 wrote to memory of 436	3524	oobeldr.exe	78
PID 3524 wrote to memory of 436	3524	oobeldr.exe	78
PID 3524 wrote to memory of 436	3524	oobeldr.exe	78
PID 3524 wrote to memory of 436	3524	oobeldr.exe	78
PID 3524 wrote to memory of 436	3524	oobeldr.exe	78
PID 436 wrote to memory of 3060	436	oobeldr.exe	80
PID 436 wrote to memory of 3060	436	oobeldr.exe	80
PID 436 wrote to memory of 3060	436	oobeldr.exe	80
PID 5064 wrote to memory of 2360	5064	oobeldr.exe	82
PID 5064 wrote to memory of 2360	5064	oobeldr.exe	82
PID 5064 wrote to memory of 2360	5064	oobeldr.exe	82
PID 5064 wrote to memory of 2360	5064	oobeldr.exe	82
PID 5064 wrote to memory of 2360	5064	oobeldr.exe	82
PID 5064 wrote to memory of 2360	5064	oobeldr.exe	82
PID 5064 wrote to memory of 2360	5064	oobeldr.exe	82
PID 5064 wrote to memory of 2360	5064	oobeldr.exe	82
PID 5064 wrote to memory of 2360	5064	oobeldr.exe	82
PID 4752 wrote to memory of 4680	4752	oobeldr.exe	84
PID 4752 wrote to memory of 4680	4752	oobeldr.exe	84
PID 4752 wrote to memory of 4680	4752	oobeldr.exe	84
PID 4752 wrote to memory of 4680	4752	oobeldr.exe	84
PID 4752 wrote to memory of 4680	4752	oobeldr.exe	84
PID 4752 wrote to memory of 4680	4752	oobeldr.exe	84
PID 4752 wrote to memory of 4680	4752	oobeldr.exe	84
PID 4752 wrote to memory of 4680	4752	oobeldr.exe	84
PID 4752 wrote to memory of 4680	4752	oobeldr.exe	84
PID 1472 wrote to memory of 2148	1472	oobeldr.exe	86
PID 1472 wrote to memory of 2148	1472	oobeldr.exe	86
PID 1472 wrote to memory of 2148	1472	oobeldr.exe	86
PID 1472 wrote to memory of 2148	1472	oobeldr.exe	86
PID 1472 wrote to memory of 2148	1472	oobeldr.exe	86
PID 1472 wrote to memory of 2148	1472	oobeldr.exe	86
PID 1472 wrote to memory of 2148	1472	oobeldr.exe	86
PID 1472 wrote to memory of 2148	1472	oobeldr.exe	86
PID 1472 wrote to memory of 2148	1472	oobeldr.exe	86
PID 2920 wrote to memory of 2504	2920	oobeldr.exe	88
PID 2920 wrote to memory of 2504	2920	oobeldr.exe	88
PID 2920 wrote to memory of 2504	2920	oobeldr.exe	88
PID 2920 wrote to memory of 2504	2920	oobeldr.exe	88
PID 2920 wrote to memory of 2504	2920	oobeldr.exe	88
PID 2920 wrote to memory of 2504	2920	oobeldr.exe	88
PID 2920 wrote to memory of 2504	2920	oobeldr.exe	88
PID 2920 wrote to memory of 2504	2920	oobeldr.exe	88
PID 2920 wrote to memory of 2504	2920	oobeldr.exe	88

C:\Users\Admin\AppData\Local\Temp\d8264891f9dfd736ba3bf1e3aadc5ebedd98afc4778ae838ec6a8ded666725ce.exe
"C:\Users\Admin\AppData\Local\Temp\d8264891f9dfd736ba3bf1e3aadc5ebedd98afc4778ae838ec6a8ded666725ce.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2156
- C:\Users\Admin\AppData\Local\Temp\d8264891f9dfd736ba3bf1e3aadc5ebedd98afc4778ae838ec6a8ded666725ce.exe
  C:\Users\Admin\AppData\Local\Temp\d8264891f9dfd736ba3bf1e3aadc5ebedd98afc4778ae838ec6a8ded666725ce.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1896
- - C:\Windows\SysWOW64\schtasks.exe
    /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
    3⤵
    - Creates scheduled task(s)
    PID:2496

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3524
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:436
- - C:\Windows\SysWOW64\schtasks.exe
    /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
    3⤵
    - Creates scheduled task(s)
    PID:3060

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5064
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  - Executes dropped EXE
  PID:2360

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4752
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  - Executes dropped EXE
  PID:4680

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1472
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  - Executes dropped EXE
  PID:2148

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2920
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  - Executes dropped EXE
  PID:2504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\oobeldr.exe.log

Filesize
789B

MD5
db5ef8d7c51bad129d9097bf953e4913

SHA1
8439db960aa2d431bf5ec3c37af775b45eb07e06

SHA256
1248e67f10b47b397af3c8cbe342bad4be75c68b8e10f4ec6341195cc3138bd9

SHA512
04572485790b25e1751347e43b47174051cd153dd75fd55ee5590d25a2579f344cd96cf86cf45bdb7759e3e6d0f734d0ff717148ca70f501b9869e964e036fee

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
57KB

MD5
03bc59e2f32dce001fe4d1481570e2b1

SHA1
f16f59a32a7921ab732a8b8e8e5d7bb3a8fe8b77

SHA256
dcc7183a01eb740e710ed5cb4291d5449ef20817da94c8380bf56ce03ea836f8

SHA512
0a13f744496adc3d6db6286c80a000a8176a5b35b9a8812e4d168ddd3a258bc001e91d34822484fabaa4b39ff5d3f2f0e6d1b7b867597303cd9c17e33e4c4114

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
17KB

MD5
e945a6eb92512e119869360ad18d92df

SHA1
cfd6363a1a82d59dea2f80286730f11fab98bd59

SHA256
a8f136291aef2d71c3a96938f20aa87f9de2468a9a3ba355054f55842818e700

SHA512
7b59de6cb438e8bafa8ab3af77c7fffac16a500aa8575e5b02a061eb2d455b8340840b6aa9f4d22de91f4d6054b8848ae67229e637b7d6e54b9c1aaca693a3c4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
46KB

MD5
b1272329fbee7376c46faa3062a8bafc

SHA1
8f5138e1f0d1abd93e3ca8a905265128865f97d7

SHA256
c72804e5d3f35bef447a01af273a8b0e84acdfad6eb26df24413575ca96a5f3c

SHA512
4b1dee3a1fa6b9618882f7a987c5f52c11b417334ff2d4b58a3d09127f25eb1aee8993f125826e9de52c4af0a77add3d0e641ea4a9e430a7bb919542031dd97c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
81KB

MD5
f2e22c69839d8342b44553fa929dc760

SHA1
4e0737a720d8f083b2639a6a84f1ce3117e01ebe

SHA256
68be05bb6de8a014fad87376976aad1b0c6a6367a2703f6320cdbfd737db405b

SHA512
12a33e89669343a025fa9029062fb25446b1e93c2ea1b990d53b8d3ad13bd87a82a6efa6711feb76ccfd46d7e1f4ffba6b9bf4a36c7c2cfcfdcae23f80b9ddfe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
22KB

MD5
5d6e610794fae48afd7efa172d45524a

SHA1
fba9008b5d4624a5bf7e056a3a6a14f6ec89295b

SHA256
5adf2d93c6f6c3dd468237c5f0977b9e747f45e234a5f5a8a0e170e78f23f381

SHA512
7eee6b5435b8b290a76fec7958892ca688b767c300e8339cddfe75be246280ca3f555dca16897092212d1bb096e24662c1607169b5e97f143ad220f0fe8508b2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
86KB

MD5
a675ad7c79110bd03674e59caef0f5db

SHA1
2e9617c215840f54439b58b6cdd1daa4fbe099e7

SHA256
c67e38ead9ec51c216efe91018b0b515da33fd32a553da399de472aafeeb227b

SHA512
8ec5e0c19f8ee6e9d1073b415c123554e0caa760bd962c37db28f2c1da5c7be366189f8bbb576814323472660094e3276207c842ee7fe7d4b4aa52b952fd7fba

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
1KB

MD5
a1fb56a694a456f25d8e0aa092bb3e25

SHA1
d364de1993b4a04b59fced77a6613e2fe2163bd3

SHA256
6515d81e5c76b8e1e2d1610cf061d2de49216e7a8dc5c8a72662aff9b780bb58

SHA512
ceef30f1d693d3a082c17dd36b2ae98b0a82a79580abb87f5de4d504de4099ce066f444a410b95aaa60e8000cf3ca7092c7ab4fbc1a7672194ed7e768e370700

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
49KB

MD5
3f609d28680eac468ffbbda313c92536

SHA1
e6a4367841b4720f492fc29b57a4e902d8102058

SHA256
d1d913cf0c2ace53b4081a04188634bb3435b196ff58c192883dfc71e77259e3

SHA512
9406ce31f747afaafb2af4bb461bfd70ca970f402e6dcff0d4d40f3d260dabbb04084d0c287891fbcaa68fa6e8c96ef2439527830652e6cd4dcaf94042851bc8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
88KB

MD5
ea02164efd7de05f19973766581e4d98

SHA1
1319fd8c90631ead36208090b9a99c58f1305ca6

SHA256
3ab91caee041a2b76ef3281e9a318f11e35256ee4e2d30b63936424dd8624c51

SHA512
52b5b4cb315d3aa888abdb470ce7708fb31a3c29ee9ac51e5a4a02c1526abbfeba2416797737c36e29f1def8c52b255f28a9793c7385685f51c2b56548bc1ffa

Download Submit
memory/1472-45-0x0000000073B70000-0x000000007425E000-memory.dmp

Filesize
6.9MB

Download
memory/1472-51-0x0000000073B70000-0x000000007425E000-memory.dmp

Filesize
6.9MB

Download
memory/1472-46-0x0000000005410000-0x0000000005420000-memory.dmp

Filesize
64KB

Download
memory/1896-16-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1896-14-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1896-12-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1896-9-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2156-8-0x0000000007D60000-0x0000000007D7E000-memory.dmp

Filesize
120KB

Download
memory/2156-2-0x00000000033C0000-0x000000000348C000-memory.dmp

Filesize
816KB

Download
memory/2156-5-0x0000000005980000-0x0000000005986000-memory.dmp

Filesize
24KB

Download
memory/2156-4-0x0000000007DD0000-0x0000000007E62000-memory.dmp

Filesize
584KB

Download
memory/2156-3-0x0000000008230000-0x000000000872E000-memory.dmp

Filesize
5.0MB

Download
memory/2156-1-0x0000000073AD0000-0x00000000741BE000-memory.dmp

Filesize
6.9MB

Download
memory/2156-7-0x0000000008070000-0x00000000080E6000-memory.dmp

Filesize
472KB

Download
memory/2156-6-0x0000000005900000-0x0000000005910000-memory.dmp

Filesize
64KB

Download
memory/2156-0-0x0000000000F40000-0x0000000000F96000-memory.dmp

Filesize
344KB

Download
memory/2156-13-0x0000000073AD0000-0x00000000741BE000-memory.dmp

Filesize
6.9MB

Download
memory/2920-53-0x0000000073B70000-0x000000007425E000-memory.dmp

Filesize
6.9MB

Download
memory/2920-54-0x0000000005700000-0x0000000005710000-memory.dmp

Filesize
64KB

Download
memory/2920-59-0x0000000073B70000-0x000000007425E000-memory.dmp

Filesize
6.9MB

Download
memory/3524-19-0x0000000073AD0000-0x00000000741BE000-memory.dmp

Filesize
6.9MB

Download
memory/3524-26-0x0000000073AD0000-0x00000000741BE000-memory.dmp

Filesize
6.9MB

Download
memory/3524-20-0x00000000051F0000-0x0000000005200000-memory.dmp

Filesize
64KB

Download
memory/4752-43-0x0000000073B70000-0x000000007425E000-memory.dmp

Filesize
6.9MB

Download
memory/4752-38-0x0000000004DA0000-0x0000000004DB0000-memory.dmp

Filesize
64KB

Download
memory/4752-37-0x0000000073B70000-0x000000007425E000-memory.dmp

Filesize
6.9MB

Download
memory/5064-35-0x0000000073B70000-0x000000007425E000-memory.dmp

Filesize
6.9MB

Download
memory/5064-30-0x0000000002D90000-0x0000000002DA0000-memory.dmp

Filesize
64KB

Download
memory/5064-29-0x0000000073B70000-0x000000007425E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads