6e2fc10f3f8c465979d095d25b2c2255917cbcc3f42878a0add10127a581ae73

Analysis

max time kernel
287s
max time network
311s
platform
windows10-1703_x64
resource
win10-20231215-en
resource tags

arch:x64arch:x86image:win10-20231215-enlocale:en-usos:windows10-1703-x64system
submitted
15-01-2024 04:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6e2fc10f3f8c465979d095d25b2c2255917cbcc3f42878a0add10127a581ae73.exe
Size

324KB
MD5

d34e21cf5e2cdae88ff3ec4048014f1f
SHA1

f2fd9025fda77aed7bfb5b9d58c02ad33fd5cefe
SHA256

6e2fc10f3f8c465979d095d25b2c2255917cbcc3f42878a0add10127a581ae73
SHA512

f1441435a3bd134dcfbea1ddbca2e81698612f4de1ac38806cd7dde8e93d3a65f6f2d09b15c634eb33f0bf9c1ea052d39f513872f9a37d4bb36a28ea4b2c50eb
SSDEEP

6144:eKlzr1sYCzek2ciDaP9Xk6Ln1W8W/9InBSkZZmLdGcAdgdY6RKpjS:eGhQ2ciDq9ZL1W8q9InBRqELdolRKpj

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 11 IoCs

pid	Process
3020	oobeldr.exe
436	oobeldr.exe
420	oobeldr.exe
4812	oobeldr.exe
4452	oobeldr.exe
4024	oobeldr.exe
508	oobeldr.exe
4504	oobeldr.exe
2548	oobeldr.exe
2676	oobeldr.exe
4656	oobeldr.exe

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 3392 set thread context of 200	3392	6e2fc10f3f8c465979d095d25b2c2255917cbcc3f42878a0add10127a581ae73.exe	73
PID 3020 set thread context of 420	3020	oobeldr.exe	78
PID 4812 set thread context of 4452	4812	oobeldr.exe	82
PID 4024 set thread context of 508	4024	oobeldr.exe	84
PID 4504 set thread context of 2548	4504	oobeldr.exe	86
PID 2676 set thread context of 4656	2676	oobeldr.exe	88

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
604	schtasks.exe
2200	schtasks.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 3392 wrote to memory of 200	3392	6e2fc10f3f8c465979d095d25b2c2255917cbcc3f42878a0add10127a581ae73.exe	73
PID 3392 wrote to memory of 200	3392	6e2fc10f3f8c465979d095d25b2c2255917cbcc3f42878a0add10127a581ae73.exe	73
PID 3392 wrote to memory of 200	3392	6e2fc10f3f8c465979d095d25b2c2255917cbcc3f42878a0add10127a581ae73.exe	73
PID 3392 wrote to memory of 200	3392	6e2fc10f3f8c465979d095d25b2c2255917cbcc3f42878a0add10127a581ae73.exe	73
PID 3392 wrote to memory of 200	3392	6e2fc10f3f8c465979d095d25b2c2255917cbcc3f42878a0add10127a581ae73.exe	73
PID 3392 wrote to memory of 200	3392	6e2fc10f3f8c465979d095d25b2c2255917cbcc3f42878a0add10127a581ae73.exe	73
PID 3392 wrote to memory of 200	3392	6e2fc10f3f8c465979d095d25b2c2255917cbcc3f42878a0add10127a581ae73.exe	73
PID 3392 wrote to memory of 200	3392	6e2fc10f3f8c465979d095d25b2c2255917cbcc3f42878a0add10127a581ae73.exe	73
PID 3392 wrote to memory of 200	3392	6e2fc10f3f8c465979d095d25b2c2255917cbcc3f42878a0add10127a581ae73.exe	73
PID 200 wrote to memory of 604	200	6e2fc10f3f8c465979d095d25b2c2255917cbcc3f42878a0add10127a581ae73.exe	74
PID 200 wrote to memory of 604	200	6e2fc10f3f8c465979d095d25b2c2255917cbcc3f42878a0add10127a581ae73.exe	74
PID 200 wrote to memory of 604	200	6e2fc10f3f8c465979d095d25b2c2255917cbcc3f42878a0add10127a581ae73.exe	74
PID 3020 wrote to memory of 436	3020	oobeldr.exe	77
PID 3020 wrote to memory of 436	3020	oobeldr.exe	77
PID 3020 wrote to memory of 436	3020	oobeldr.exe	77
PID 3020 wrote to memory of 420	3020	oobeldr.exe	78
PID 3020 wrote to memory of 420	3020	oobeldr.exe	78
PID 3020 wrote to memory of 420	3020	oobeldr.exe	78
PID 3020 wrote to memory of 420	3020	oobeldr.exe	78
PID 3020 wrote to memory of 420	3020	oobeldr.exe	78
PID 3020 wrote to memory of 420	3020	oobeldr.exe	78
PID 3020 wrote to memory of 420	3020	oobeldr.exe	78
PID 3020 wrote to memory of 420	3020	oobeldr.exe	78
PID 3020 wrote to memory of 420	3020	oobeldr.exe	78
PID 420 wrote to memory of 2200	420	oobeldr.exe	79
PID 420 wrote to memory of 2200	420	oobeldr.exe	79
PID 420 wrote to memory of 2200	420	oobeldr.exe	79
PID 4812 wrote to memory of 4452	4812	oobeldr.exe	82
PID 4812 wrote to memory of 4452	4812	oobeldr.exe	82
PID 4812 wrote to memory of 4452	4812	oobeldr.exe	82
PID 4812 wrote to memory of 4452	4812	oobeldr.exe	82
PID 4812 wrote to memory of 4452	4812	oobeldr.exe	82
PID 4812 wrote to memory of 4452	4812	oobeldr.exe	82
PID 4812 wrote to memory of 4452	4812	oobeldr.exe	82
PID 4812 wrote to memory of 4452	4812	oobeldr.exe	82
PID 4812 wrote to memory of 4452	4812	oobeldr.exe	82
PID 4024 wrote to memory of 508	4024	oobeldr.exe	84
PID 4024 wrote to memory of 508	4024	oobeldr.exe	84
PID 4024 wrote to memory of 508	4024	oobeldr.exe	84
PID 4024 wrote to memory of 508	4024	oobeldr.exe	84
PID 4024 wrote to memory of 508	4024	oobeldr.exe	84
PID 4024 wrote to memory of 508	4024	oobeldr.exe	84
PID 4024 wrote to memory of 508	4024	oobeldr.exe	84
PID 4024 wrote to memory of 508	4024	oobeldr.exe	84
PID 4024 wrote to memory of 508	4024	oobeldr.exe	84
PID 4504 wrote to memory of 2548	4504	oobeldr.exe	86
PID 4504 wrote to memory of 2548	4504	oobeldr.exe	86
PID 4504 wrote to memory of 2548	4504	oobeldr.exe	86
PID 4504 wrote to memory of 2548	4504	oobeldr.exe	86
PID 4504 wrote to memory of 2548	4504	oobeldr.exe	86
PID 4504 wrote to memory of 2548	4504	oobeldr.exe	86
PID 4504 wrote to memory of 2548	4504	oobeldr.exe	86
PID 4504 wrote to memory of 2548	4504	oobeldr.exe	86
PID 4504 wrote to memory of 2548	4504	oobeldr.exe	86
PID 2676 wrote to memory of 4656	2676	oobeldr.exe	88
PID 2676 wrote to memory of 4656	2676	oobeldr.exe	88
PID 2676 wrote to memory of 4656	2676	oobeldr.exe	88
PID 2676 wrote to memory of 4656	2676	oobeldr.exe	88
PID 2676 wrote to memory of 4656	2676	oobeldr.exe	88
PID 2676 wrote to memory of 4656	2676	oobeldr.exe	88
PID 2676 wrote to memory of 4656	2676	oobeldr.exe	88
PID 2676 wrote to memory of 4656	2676	oobeldr.exe	88
PID 2676 wrote to memory of 4656	2676	oobeldr.exe	88

C:\Users\Admin\AppData\Local\Temp\6e2fc10f3f8c465979d095d25b2c2255917cbcc3f42878a0add10127a581ae73.exe
"C:\Users\Admin\AppData\Local\Temp\6e2fc10f3f8c465979d095d25b2c2255917cbcc3f42878a0add10127a581ae73.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3392
- C:\Users\Admin\AppData\Local\Temp\6e2fc10f3f8c465979d095d25b2c2255917cbcc3f42878a0add10127a581ae73.exe
  C:\Users\Admin\AppData\Local\Temp\6e2fc10f3f8c465979d095d25b2c2255917cbcc3f42878a0add10127a581ae73.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:200
- - C:\Windows\SysWOW64\schtasks.exe
    /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
    3⤵
    - Creates scheduled task(s)
    PID:604

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3020
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  - Executes dropped EXE
  PID:436
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:420
- - C:\Windows\SysWOW64\schtasks.exe
    /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
    3⤵
    - Creates scheduled task(s)
    PID:2200

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4812
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  - Executes dropped EXE
  PID:4452

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4024
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  - Executes dropped EXE
  PID:508

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4504
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  - Executes dropped EXE
  PID:2548

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2676
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  2⤵
  - Executes dropped EXE
  PID:4656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\oobeldr.exe.log

Filesize
789B

MD5
db5ef8d7c51bad129d9097bf953e4913

SHA1
8439db960aa2d431bf5ec3c37af775b45eb07e06

SHA256
1248e67f10b47b397af3c8cbe342bad4be75c68b8e10f4ec6341195cc3138bd9

SHA512
04572485790b25e1751347e43b47174051cd153dd75fd55ee5590d25a2579f344cd96cf86cf45bdb7759e3e6d0f734d0ff717148ca70f501b9869e964e036fee

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe

Filesize
324KB

MD5
d34e21cf5e2cdae88ff3ec4048014f1f

SHA1
f2fd9025fda77aed7bfb5b9d58c02ad33fd5cefe

SHA256
6e2fc10f3f8c465979d095d25b2c2255917cbcc3f42878a0add10127a581ae73

SHA512
f1441435a3bd134dcfbea1ddbca2e81698612f4de1ac38806cd7dde8e93d3a65f6f2d09b15c634eb33f0bf9c1ea052d39f513872f9a37d4bb36a28ea4b2c50eb

Download Submit
memory/200-14-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/200-9-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/200-12-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2676-59-0x0000000073410000-0x0000000073AFE000-memory.dmp

Filesize
6.9MB

Download
memory/2676-54-0x0000000004CF0000-0x0000000004D00000-memory.dmp

Filesize
64KB

Download
memory/2676-53-0x0000000073410000-0x0000000073AFE000-memory.dmp

Filesize
6.9MB

Download
memory/3020-26-0x0000000073370000-0x0000000073A5E000-memory.dmp

Filesize
6.9MB

Download
memory/3020-19-0x0000000004B50000-0x0000000004B60000-memory.dmp

Filesize
64KB

Download
memory/3020-18-0x0000000073370000-0x0000000073A5E000-memory.dmp

Filesize
6.9MB

Download
memory/3392-7-0x0000000007F60000-0x0000000007FD6000-memory.dmp

Filesize
472KB

Download
memory/3392-15-0x0000000073370000-0x0000000073A5E000-memory.dmp

Filesize
6.9MB

Download
memory/3392-8-0x0000000005670000-0x000000000568E000-memory.dmp

Filesize
120KB

Download
memory/3392-0-0x0000000000C80000-0x0000000000CD6000-memory.dmp

Filesize
344KB

Download
memory/3392-6-0x00000000056A0000-0x00000000056B0000-memory.dmp

Filesize
64KB

Download
memory/3392-5-0x0000000005620000-0x0000000005626000-memory.dmp

Filesize
24KB

Download
memory/3392-4-0x0000000007CC0000-0x0000000007D52000-memory.dmp

Filesize
584KB

Download
memory/3392-1-0x0000000073370000-0x0000000073A5E000-memory.dmp

Filesize
6.9MB

Download
memory/3392-2-0x0000000007B50000-0x0000000007C1C000-memory.dmp

Filesize
816KB

Download
memory/3392-3-0x0000000008120000-0x000000000861E000-memory.dmp

Filesize
5.0MB

Download
memory/4024-37-0x0000000073410000-0x0000000073AFE000-memory.dmp

Filesize
6.9MB

Download
memory/4024-38-0x00000000053F0000-0x0000000005400000-memory.dmp

Filesize
64KB

Download
memory/4024-43-0x0000000073410000-0x0000000073AFE000-memory.dmp

Filesize
6.9MB

Download
memory/4504-45-0x0000000073410000-0x0000000073AFE000-memory.dmp

Filesize
6.9MB

Download
memory/4504-46-0x0000000004B30000-0x0000000004B40000-memory.dmp

Filesize
64KB

Download
memory/4504-51-0x0000000073410000-0x0000000073AFE000-memory.dmp

Filesize
6.9MB

Download
memory/4812-35-0x0000000073410000-0x0000000073AFE000-memory.dmp

Filesize
6.9MB

Download
memory/4812-30-0x0000000005890000-0x00000000058A0000-memory.dmp

Filesize
64KB

Download
memory/4812-29-0x0000000073410000-0x0000000073AFE000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads