6e2fc10f3f8c465979d095d25b2c2255917cbcc3f42878a0add10127a581ae73

Analysis

max time kernel
257s
max time network
295s
platform
windows10-1703_x64
resource
win10-20231215-en
resource tags

arch:x64arch:x86image:win10-20231215-enlocale:en-usos:windows10-1703-x64system
submitted
14-01-2024 22:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6e2fc10f3f8c465979d095d25b2c2255917cbcc3f42878a0add10127a581ae73.exe
Size

324KB
MD5

d34e21cf5e2cdae88ff3ec4048014f1f
SHA1

f2fd9025fda77aed7bfb5b9d58c02ad33fd5cefe
SHA256

6e2fc10f3f8c465979d095d25b2c2255917cbcc3f42878a0add10127a581ae73
SHA512

f1441435a3bd134dcfbea1ddbca2e81698612f4de1ac38806cd7dde8e93d3a65f6f2d09b15c634eb33f0bf9c1ea052d39f513872f9a37d4bb36a28ea4b2c50eb
SSDEEP

6144:eKlzr1sYCzek2ciDaP9Xk6Ln1W8W/9InBSkZZmLdGcAdgdY6RKpjS:eGhQ2ciDq9ZL1W8q9InBRqELdolRKpj

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 10 IoCs

pid	Process
2136	oobeldr.exe
392	oobeldr.exe
876	oobeldr.exe
2476	oobeldr.exe
3976	oobeldr.exe
4744	oobeldr.exe
2700	oobeldr.exe
3784	oobeldr.exe
3624	oobeldr.exe
4156	oobeldr.exe

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 2640 set thread context of 2032	2640	6e2fc10f3f8c465979d095d25b2c2255917cbcc3f42878a0add10127a581ae73.exe	73
PID 2136 set thread context of 392	2136	oobeldr.exe	77
PID 876 set thread context of 2476	876	oobeldr.exe	81
PID 3976 set thread context of 4744	3976	oobeldr.exe	83
PID 2700 set thread context of 3784	2700	oobeldr.exe	85
PID 3624 set thread context of 4156	3624	oobeldr.exe	87

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1112	schtasks.exe
3684	schtasks.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 2640 wrote to memory of 2032	2640	6e2fc10f3f8c465979d095d25b2c2255917cbcc3f42878a0add10127a581ae73.exe	73
PID 2640 wrote to memory of 2032	2640	6e2fc10f3f8c465979d095d25b2c2255917cbcc3f42878a0add10127a581ae73.exe	73
PID 2640 wrote to memory of 2032	2640	6e2fc10f3f8c465979d095d25b2c2255917cbcc3f42878a0add10127a581ae73.exe	73
PID 2640 wrote to memory of 2032	2640	6e2fc10f3f8c465979d095d25b2c2255917cbcc3f42878a0add10127a581ae73.exe	73
PID 2640 wrote to memory of 2032	2640	6e2fc10f3f8c465979d095d25b2c2255917cbcc3f42878a0add10127a581ae73.exe	73
PID 2640 wrote to memory of 2032	2640	6e2fc10f3f8c465979d095d25b2c2255917cbcc3f42878a0add10127a581ae73.exe	73
PID 2640 wrote to memory of 2032	2640	6e2fc10f3f8c465979d095d25b2c2255917cbcc3f42878a0add10127a581ae73.exe	73
PID 2640 wrote to memory of 2032	2640	6e2fc10f3f8c465979d095d25b2c2255917cbcc3f42878a0add10127a581ae73.exe	73
PID 2640 wrote to memory of 2032	2640	6e2fc10f3f8c465979d095d25b2c2255917cbcc3f42878a0add10127a581ae73.exe	73
PID 2032 wrote to memory of 3684	2032	6e2fc10f3f8c465979d095d25b2c2255917cbcc3f42878a0add10127a581ae73.exe	75
PID 2032 wrote to memory of 3684	2032	6e2fc10f3f8c465979d095d25b2c2255917cbcc3f42878a0add10127a581ae73.exe	75
PID 2032 wrote to memory of 3684	2032	6e2fc10f3f8c465979d095d25b2c2255917cbcc3f42878a0add10127a581ae73.exe	75
PID 2136 wrote to memory of 392	2136	oobeldr.exe	77
PID 2136 wrote to memory of 392	2136	oobeldr.exe	77
PID 2136 wrote to memory of 392	2136	oobeldr.exe	77
PID 2136 wrote to memory of 392	2136	oobeldr.exe	77
PID 2136 wrote to memory of 392	2136	oobeldr.exe	77
PID 2136 wrote to memory of 392	2136	oobeldr.exe	77
PID 2136 wrote to memory of 392	2136	oobeldr.exe	77
PID 2136 wrote to memory of 392	2136	oobeldr.exe	77
PID 2136 wrote to memory of 392	2136	oobeldr.exe	77
PID 392 wrote to memory of 1112	392	oobeldr.exe	79
PID 392 wrote to memory of 1112	392	oobeldr.exe	79
PID 392 wrote to memory of 1112	392	oobeldr.exe	79
PID 876 wrote to memory of 2476	876	oobeldr.exe	81
PID 876 wrote to memory of 2476	876	oobeldr.exe	81
PID 876 wrote to memory of 2476	876	oobeldr.exe	81
PID 876 wrote to memory of 2476	876	oobeldr.exe	81
PID 876 wrote to memory of 2476	876	oobeldr.exe	81
PID 876 wrote to memory of 2476	876	oobeldr.exe	81
PID 876 wrote to memory of 2476	876	oobeldr.exe	81
PID 876 wrote to memory of 2476	876	oobeldr.exe	81
PID 876 wrote to memory of 2476	876	oobeldr.exe	81
PID 3976 wrote to memory of 4744	3976	oobeldr.exe	83
PID 3976 wrote to memory of 4744	3976	oobeldr.exe	83
PID 3976 wrote to memory of 4744	3976	oobeldr.exe	83
PID 3976 wrote to memory of 4744	3976	oobeldr.exe	83
PID 3976 wrote to memory of 4744	3976	oobeldr.exe	83
PID 3976 wrote to memory of 4744	3976	oobeldr.exe	83
PID 3976 wrote to memory of 4744	3976	oobeldr.exe	83
PID 3976 wrote to memory of 4744	3976	oobeldr.exe	83
PID 3976 wrote to memory of 4744	3976	oobeldr.exe	83
PID 2700 wrote to memory of 3784	2700	oobeldr.exe	85
PID 2700 wrote to memory of 3784	2700	oobeldr.exe	85
PID 2700 wrote to memory of 3784	2700	oobeldr.exe	85
PID 2700 wrote to memory of 3784	2700	oobeldr.exe	85
PID 2700 wrote to memory of 3784	2700	oobeldr.exe	85
PID 2700 wrote to memory of 3784	2700	oobeldr.exe	85
PID 2700 wrote to memory of 3784	2700	oobeldr.exe	85
PID 2700 wrote to memory of 3784	2700	oobeldr.exe	85
PID 2700 wrote to memory of 3784	2700	oobeldr.exe	85
PID 3624 wrote to memory of 4156	3624	oobeldr.exe	87
PID 3624 wrote to memory of 4156	3624	oobeldr.exe	87
PID 3624 wrote to memory of 4156	3624	oobeldr.exe	87
PID 3624 wrote to memory of 4156	3624	oobeldr.exe	87
PID 3624 wrote to memory of 4156	3624	oobeldr.exe	87
PID 3624 wrote to memory of 4156	3624	oobeldr.exe	87
PID 3624 wrote to memory of 4156	3624	oobeldr.exe	87
PID 3624 wrote to memory of 4156	3624	oobeldr.exe	87
PID 3624 wrote to memory of 4156	3624	oobeldr.exe	87

C:\Users\Admin\AppData\Local\Temp\6e2fc10f3f8c465979d095d25b2c2255917cbcc3f42878a0add10127a581ae73.exe
"C:\Users\Admin\AppData\Local\Temp\6e2fc10f3f8c465979d095d25b2c2255917cbcc3f42878a0add10127a581ae73.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2640
- C:\Users\Admin\AppData\Local\Temp\6e2fc10f3f8c465979d095d25b2c2255917cbcc3f42878a0add10127a581ae73.exe
  C:\Users\Admin\AppData\Local\Temp\6e2fc10f3f8c465979d095d25b2c2255917cbcc3f42878a0add10127a581ae73.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2032
- - C:\Windows\SysWOW64\schtasks.exe
    /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
    3⤵
    - Creates scheduled task(s)
    PID:3684

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2136
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:392
- - C:\Windows\SysWOW64\schtasks.exe
    /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
    3⤵
    - Creates scheduled task(s)
    PID:1112

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:876
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  - Executes dropped EXE
  PID:2476

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3976
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  - Executes dropped EXE
  PID:4744

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2700
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  - Executes dropped EXE
  PID:3784

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3624
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  - Executes dropped EXE
  PID:4156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\oobeldr.exe.log

Filesize
789B

MD5
db5ef8d7c51bad129d9097bf953e4913

SHA1
8439db960aa2d431bf5ec3c37af775b45eb07e06

SHA256
1248e67f10b47b397af3c8cbe342bad4be75c68b8e10f4ec6341195cc3138bd9

SHA512
04572485790b25e1751347e43b47174051cd153dd75fd55ee5590d25a2579f344cd96cf86cf45bdb7759e3e6d0f734d0ff717148ca70f501b9869e964e036fee

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
324KB

MD5
d34e21cf5e2cdae88ff3ec4048014f1f

SHA1
f2fd9025fda77aed7bfb5b9d58c02ad33fd5cefe

SHA256
6e2fc10f3f8c465979d095d25b2c2255917cbcc3f42878a0add10127a581ae73

SHA512
f1441435a3bd134dcfbea1ddbca2e81698612f4de1ac38806cd7dde8e93d3a65f6f2d09b15c634eb33f0bf9c1ea052d39f513872f9a37d4bb36a28ea4b2c50eb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
71KB

MD5
d426164e471fa573989d7453a60662a8

SHA1
39c3e5a4a6373cf39d62d63ef287a734151fadaa

SHA256
28303276d9e570233a57260a83e2250858adedb38b4b5319761ad88754e4f0bb

SHA512
f8968a9fdaba62bf69e156aa62a10f56c82869fbaab5f3e9c15eff706ef85a87990c598d99530e8cb78a7ebce3292026af7490406d4f60e44ca704e21a2a6cea

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
182KB

MD5
b02ba15bfcc2634b20cce57418d93044

SHA1
dc600926110e0f7cfa68494f067c7e7e41b2c892

SHA256
bbd71850ba017809a5000d265a2b597fe4930aa0a3f4e0531ab8781d474a0400

SHA512
847ac8577162a22c11bd38c7d83bc6fab94a0b7f2db94fd986dd8cf9f2f23507630dd2faa684154f6d81fd4b154efb55a5155c1f2e6aa490e15cac325746d8f0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
44KB

MD5
3fda74aeeaa113c2efb2f140a8aaed3d

SHA1
c4b3a337a3fd3a1266b98559fe8b8b75b2b45a2c

SHA256
2880c3684c6299d8e1e5f05f394e4e1c5470d22835d607010145512bcf172b98

SHA512
b6e712b67cdfbb295705b60116054ab93606933f22eae52dc6297c50a51f34c05d62170e4631c17b0add35f7d629f49ae832294da068272d76179c45c2baa5eb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
185KB

MD5
d1e6d7eaea7bff2ee5f483b06ea6890c

SHA1
5b94dade5ff15a169115bfb2bd94134b5db766bd

SHA256
88ea412b6d006c1808fc80c016cf2fe154a3bec6906d9bc985b55726ab80d69d

SHA512
fc851a4310f63950b694f22acc1e526864bce9478e2097bca03b66dad21cfa6e34e3660f003243dc61f02e5a94f501ac2473c808abdd9870f8d7c08f96a9b12d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
67KB

MD5
ba1d2443709cf6ac8dae1fc844059920

SHA1
0e118793880e446a701deee569cba66cce3555e3

SHA256
e8b5ec007f3f850a1c788c3d1767c6e92771df6d673bb8a87f9f46c594347692

SHA512
8dbdcb7a86209b66eabe3d5a152aba9747a97c92c2806ca9fb7a66543d9ed8bde98940496e216f832dac6141406293fa4bb553d5a6a7247b1fbf51fc37a4454e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
142KB

MD5
c0e5e844b5bffd260ff1c0858370ad76

SHA1
037db60df87e8f99dfc110023dc1c2a151d63f73

SHA256
3f7511e16942142138f71e59c81bf848a2f003989718ae0663909f43a811a15a

SHA512
e4e425327f7b541a513ee72574cc70b3f6466d1ec1c0a18b7665b546dd65dfa59284a13e9f7a01cc07015bf9e7aaa31fadcf5679297d8ba6196d954a277867de

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
271KB

MD5
57d64f147572dbfe8a4b954bc098f33c

SHA1
d8d0a29caa4236eb51a6e3735ca63068e692ec9e

SHA256
1d8dace83c61c17bb4690252c80d3076f7d980242f97ad67a151ed8252bd1f5e

SHA512
24e6f76ac27d597fa1452c9102ca8910c3d2707be59c57b1afecb9a60f30dcf58d83f7ec4e7c3fd336a6c0f76bcaa5e63b967934d97d72cc2c179ced89e9b248

Download Submit
memory/876-28-0x0000000073EE0000-0x00000000745CE000-memory.dmp

Filesize
6.9MB

Download
memory/876-29-0x0000000003070000-0x0000000003080000-memory.dmp

Filesize
64KB

Download
memory/876-34-0x0000000073EE0000-0x00000000745CE000-memory.dmp

Filesize
6.9MB

Download
memory/2032-9-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2032-14-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2032-12-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2136-18-0x0000000073E40000-0x000000007452E000-memory.dmp

Filesize
6.9MB

Download
memory/2136-19-0x00000000057D0000-0x00000000057E0000-memory.dmp

Filesize
64KB

Download
memory/2136-25-0x0000000073E40000-0x000000007452E000-memory.dmp

Filesize
6.9MB

Download
memory/2640-3-0x0000000008000000-0x00000000084FE000-memory.dmp

Filesize
5.0MB

Download
memory/2640-4-0x0000000007BE0000-0x0000000007C72000-memory.dmp

Filesize
584KB

Download
memory/2640-8-0x0000000007B90000-0x0000000007BAE000-memory.dmp

Filesize
120KB

Download
memory/2640-6-0x0000000005580000-0x0000000005590000-memory.dmp

Filesize
64KB

Download
memory/2640-7-0x0000000007E80000-0x0000000007EF6000-memory.dmp

Filesize
472KB

Download
memory/2640-5-0x0000000007B40000-0x0000000007B46000-memory.dmp

Filesize
24KB

Download
memory/2640-1-0x0000000073E40000-0x000000007452E000-memory.dmp

Filesize
6.9MB

Download
memory/2640-2-0x0000000007A30000-0x0000000007AFC000-memory.dmp

Filesize
816KB

Download
memory/2640-15-0x0000000073E40000-0x000000007452E000-memory.dmp

Filesize
6.9MB

Download
memory/2640-0-0x0000000000D70000-0x0000000000DC6000-memory.dmp

Filesize
344KB

Download
memory/2700-44-0x0000000073EE0000-0x00000000745CE000-memory.dmp

Filesize
6.9MB

Download
memory/2700-45-0x00000000049B0000-0x00000000049C0000-memory.dmp

Filesize
64KB

Download
memory/2700-50-0x0000000073EE0000-0x00000000745CE000-memory.dmp

Filesize
6.9MB

Download
memory/3624-52-0x0000000073EE0000-0x00000000745CE000-memory.dmp

Filesize
6.9MB

Download
memory/3624-53-0x0000000005740000-0x0000000005750000-memory.dmp

Filesize
64KB

Download
memory/3624-58-0x0000000073EE0000-0x00000000745CE000-memory.dmp

Filesize
6.9MB

Download
memory/3976-42-0x0000000073EE0000-0x00000000745CE000-memory.dmp

Filesize
6.9MB

Download
memory/3976-37-0x0000000003190000-0x00000000031A0000-memory.dmp

Filesize
64KB

Download
memory/3976-36-0x0000000073EE0000-0x00000000745CE000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads