d0fbae20fae407e408788e2d4867944f20a54ce161b00400d05d0b1f767b6560

Analysis

max time kernel
150s
max time network
151s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
22/11/2022, 17:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d0fbae20fae407e408788e2d4867944f20a54ce161b00400d05d0b1f767b6560.exe
Size

261KB
MD5

40bacc2a14f96df432eaf6427353a84d
SHA1

725676d96a957828af4f8b8d77ea31a5ddb8082b
SHA256

d0fbae20fae407e408788e2d4867944f20a54ce161b00400d05d0b1f767b6560
SHA512

acca8e6e9c971e4195c0f43e97ff5d37fdd04ede934b904ca3489898f23d869bf1cd56c24917d080b003d13ce2ed319b54789e7ccc90121e24abafcb227bce04
SSDEEP

3072:8Z/S0A2TcuWTnTn43rXCxOoeiJFu/xCGHZMUBjlW7U2xQ8zEOC11jry:uTtm2W4oX0CG+EIvi8zA11H

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1704	fobi.exe
1528	fobi.exe

Deletes itself 1 IoCs

pid	Process
684	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
908	d0fbae20fae407e408788e2d4867944f20a54ce161b00400d05d0b1f767b6560.exe
1704	fobi.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run	fobi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Fobi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Joxi\\fobi.exe"	fobi.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1800 set thread context of 908	1800	d0fbae20fae407e408788e2d4867944f20a54ce161b00400d05d0b1f767b6560.exe	28
PID 1704 set thread context of 1528	1704	fobi.exe	30

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
908	d0fbae20fae407e408788e2d4867944f20a54ce161b00400d05d0b1f767b6560.exe
1528	fobi.exe
1528	fobi.exe
1528	fobi.exe
1528	fobi.exe
1528	fobi.exe
1528	fobi.exe
1528	fobi.exe
1528	fobi.exe
1528	fobi.exe
1528	fobi.exe
1528	fobi.exe
1528	fobi.exe
1528	fobi.exe
1528	fobi.exe
1528	fobi.exe
1528	fobi.exe
1528	fobi.exe
1528	fobi.exe
1528	fobi.exe
1528	fobi.exe
1528	fobi.exe
1528	fobi.exe
1528	fobi.exe
1528	fobi.exe
1528	fobi.exe
1528	fobi.exe
1528	fobi.exe
1528	fobi.exe

Suspicious use of WriteProcessMemory 43 IoCs

description	pid	Process	procid_target
PID 1800 wrote to memory of 908	1800	d0fbae20fae407e408788e2d4867944f20a54ce161b00400d05d0b1f767b6560.exe	28
PID 1800 wrote to memory of 908	1800	d0fbae20fae407e408788e2d4867944f20a54ce161b00400d05d0b1f767b6560.exe	28
PID 1800 wrote to memory of 908	1800	d0fbae20fae407e408788e2d4867944f20a54ce161b00400d05d0b1f767b6560.exe	28
PID 1800 wrote to memory of 908	1800	d0fbae20fae407e408788e2d4867944f20a54ce161b00400d05d0b1f767b6560.exe	28
PID 1800 wrote to memory of 908	1800	d0fbae20fae407e408788e2d4867944f20a54ce161b00400d05d0b1f767b6560.exe	28
PID 1800 wrote to memory of 908	1800	d0fbae20fae407e408788e2d4867944f20a54ce161b00400d05d0b1f767b6560.exe	28
PID 1800 wrote to memory of 908	1800	d0fbae20fae407e408788e2d4867944f20a54ce161b00400d05d0b1f767b6560.exe	28
PID 1800 wrote to memory of 908	1800	d0fbae20fae407e408788e2d4867944f20a54ce161b00400d05d0b1f767b6560.exe	28
PID 1800 wrote to memory of 908	1800	d0fbae20fae407e408788e2d4867944f20a54ce161b00400d05d0b1f767b6560.exe	28
PID 1800 wrote to memory of 908	1800	d0fbae20fae407e408788e2d4867944f20a54ce161b00400d05d0b1f767b6560.exe	28
PID 908 wrote to memory of 1704	908	d0fbae20fae407e408788e2d4867944f20a54ce161b00400d05d0b1f767b6560.exe	29
PID 908 wrote to memory of 1704	908	d0fbae20fae407e408788e2d4867944f20a54ce161b00400d05d0b1f767b6560.exe	29
PID 908 wrote to memory of 1704	908	d0fbae20fae407e408788e2d4867944f20a54ce161b00400d05d0b1f767b6560.exe	29
PID 908 wrote to memory of 1704	908	d0fbae20fae407e408788e2d4867944f20a54ce161b00400d05d0b1f767b6560.exe	29
PID 1704 wrote to memory of 1528	1704	fobi.exe	30
PID 1704 wrote to memory of 1528	1704	fobi.exe	30
PID 1704 wrote to memory of 1528	1704	fobi.exe	30
PID 1704 wrote to memory of 1528	1704	fobi.exe	30
PID 1704 wrote to memory of 1528	1704	fobi.exe	30
PID 1704 wrote to memory of 1528	1704	fobi.exe	30
PID 1704 wrote to memory of 1528	1704	fobi.exe	30
PID 1704 wrote to memory of 1528	1704	fobi.exe	30
PID 1704 wrote to memory of 1528	1704	fobi.exe	30
PID 1704 wrote to memory of 1528	1704	fobi.exe	30
PID 908 wrote to memory of 684	908	d0fbae20fae407e408788e2d4867944f20a54ce161b00400d05d0b1f767b6560.exe	31
PID 908 wrote to memory of 684	908	d0fbae20fae407e408788e2d4867944f20a54ce161b00400d05d0b1f767b6560.exe	31
PID 908 wrote to memory of 684	908	d0fbae20fae407e408788e2d4867944f20a54ce161b00400d05d0b1f767b6560.exe	31
PID 908 wrote to memory of 684	908	d0fbae20fae407e408788e2d4867944f20a54ce161b00400d05d0b1f767b6560.exe	31
PID 1528 wrote to memory of 1128	1528	fobi.exe	17
PID 1528 wrote to memory of 1128	1528	fobi.exe	17
PID 1528 wrote to memory of 1128	1528	fobi.exe	17
PID 1528 wrote to memory of 1128	1528	fobi.exe	17
PID 1528 wrote to memory of 1128	1528	fobi.exe	17
PID 1528 wrote to memory of 1224	1528	fobi.exe	16
PID 1528 wrote to memory of 1224	1528	fobi.exe	16
PID 1528 wrote to memory of 1224	1528	fobi.exe	16
PID 1528 wrote to memory of 1224	1528	fobi.exe	16
PID 1528 wrote to memory of 1224	1528	fobi.exe	16
PID 1528 wrote to memory of 1256	1528	fobi.exe	15
PID 1528 wrote to memory of 1256	1528	fobi.exe	15
PID 1528 wrote to memory of 1256	1528	fobi.exe	15
PID 1528 wrote to memory of 1256	1528	fobi.exe	15
PID 1528 wrote to memory of 1256	1528	fobi.exe	15

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1256
- C:\Users\Admin\AppData\Local\Temp\d0fbae20fae407e408788e2d4867944f20a54ce161b00400d05d0b1f767b6560.exe
  "C:\Users\Admin\AppData\Local\Temp\d0fbae20fae407e408788e2d4867944f20a54ce161b00400d05d0b1f767b6560.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1800
- - C:\Users\Admin\AppData\Local\Temp\d0fbae20fae407e408788e2d4867944f20a54ce161b00400d05d0b1f767b6560.exe
    "C:\Users\Admin\AppData\Local\Temp\d0fbae20fae407e408788e2d4867944f20a54ce161b00400d05d0b1f767b6560.exe"
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:908
  - - C:\Users\Admin\AppData\Local\Temp\Joxi\fobi.exe
      "C:\Users\Admin\AppData\Local\Temp\Joxi\fobi.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:1704
    - - C:\Users\Admin\AppData\Local\Temp\Joxi\fobi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Joxi\fobi.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1528
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\STA9E00.bat"
      4⤵
      Deletes itself
      PID:684

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1224

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1128

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Joxi\fobi.exe

Filesize
261KB

MD5
a4c1d59c25cecc660a5449af85e9832b

SHA1
5ad3154a07fa5382e1d247ad254c1a77d8cae570

SHA256
6f07cec0949a3141c7ddb45ac7b00eb23063f8ed257865464692fe50cdb3349c

SHA512
2b8b000330b40d39531a552598ebf972ce9347fbdd5609f1db552c9cadc85df788ba7d7bbf398a046422251855f01b5649446983be27ab903755c6f1cf339f06

Download Submit
C:\Users\Admin\AppData\Local\Temp\Joxi\fobi.exe

Filesize
261KB

MD5
a4c1d59c25cecc660a5449af85e9832b

SHA1
5ad3154a07fa5382e1d247ad254c1a77d8cae570

SHA256
6f07cec0949a3141c7ddb45ac7b00eb23063f8ed257865464692fe50cdb3349c

SHA512
2b8b000330b40d39531a552598ebf972ce9347fbdd5609f1db552c9cadc85df788ba7d7bbf398a046422251855f01b5649446983be27ab903755c6f1cf339f06

Download Submit
C:\Users\Admin\AppData\Local\Temp\Joxi\fobi.exe

Filesize
261KB

MD5
a4c1d59c25cecc660a5449af85e9832b

SHA1
5ad3154a07fa5382e1d247ad254c1a77d8cae570

SHA256
6f07cec0949a3141c7ddb45ac7b00eb23063f8ed257865464692fe50cdb3349c

SHA512
2b8b000330b40d39531a552598ebf972ce9347fbdd5609f1db552c9cadc85df788ba7d7bbf398a046422251855f01b5649446983be27ab903755c6f1cf339f06

Download Submit
C:\Users\Admin\AppData\Local\Temp\STA9E00.bat

Filesize
282B

MD5
de2c70f94393a3c33a27481742756ffe

SHA1
1a27eb5b362b8c0afd4419d6e6c8e8c8307ac73e

SHA256
0106a68d69b4895422b6da57cfb78b4093701ec64e728fd1ec7f5c0716c66cd3

SHA512
3e7c220ef83965a4570370c255a0ae0bb747df2c14a5970f8e523b9a06965036f3715c5df21f73b0ee72e34a36d6e5aad732ded9ffae5e1235f7ae114d8aa94e

Download Submit
\Users\Admin\AppData\Local\Temp\Joxi\fobi.exe

Filesize
261KB

MD5
a4c1d59c25cecc660a5449af85e9832b

SHA1
5ad3154a07fa5382e1d247ad254c1a77d8cae570

SHA256
6f07cec0949a3141c7ddb45ac7b00eb23063f8ed257865464692fe50cdb3349c

SHA512
2b8b000330b40d39531a552598ebf972ce9347fbdd5609f1db552c9cadc85df788ba7d7bbf398a046422251855f01b5649446983be27ab903755c6f1cf339f06

Download Submit
\Users\Admin\AppData\Local\Temp\Joxi\fobi.exe

Filesize
261KB

MD5
a4c1d59c25cecc660a5449af85e9832b

SHA1
5ad3154a07fa5382e1d247ad254c1a77d8cae570

SHA256
6f07cec0949a3141c7ddb45ac7b00eb23063f8ed257865464692fe50cdb3349c

SHA512
2b8b000330b40d39531a552598ebf972ce9347fbdd5609f1db552c9cadc85df788ba7d7bbf398a046422251855f01b5649446983be27ab903755c6f1cf339f06

Download Submit
memory/908-58-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/908-92-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/908-68-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/908-69-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/908-70-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/908-66-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/908-56-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/908-64-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/908-61-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/908-55-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/908-59-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1128-96-0x0000000001E90000-0x0000000001ED2000-memory.dmp

Filesize
264KB

Download
memory/1128-97-0x0000000001E90000-0x0000000001ED2000-memory.dmp

Filesize
264KB

Download
memory/1128-98-0x0000000001E90000-0x0000000001ED2000-memory.dmp

Filesize
264KB

Download
memory/1128-99-0x0000000001E90000-0x0000000001ED2000-memory.dmp

Filesize
264KB

Download
memory/1224-105-0x0000000001ED0000-0x0000000001F12000-memory.dmp

Filesize
264KB

Download
memory/1224-102-0x0000000001ED0000-0x0000000001F12000-memory.dmp

Filesize
264KB

Download
memory/1224-103-0x0000000001ED0000-0x0000000001F12000-memory.dmp

Filesize
264KB

Download
memory/1224-104-0x0000000001ED0000-0x0000000001F12000-memory.dmp

Filesize
264KB

Download
memory/1256-108-0x00000000029F0000-0x0000000002A32000-memory.dmp

Filesize
264KB

Download
memory/1256-109-0x00000000029F0000-0x0000000002A32000-memory.dmp

Filesize
264KB

Download
memory/1256-110-0x00000000029F0000-0x0000000002A32000-memory.dmp

Filesize
264KB

Download
memory/1256-111-0x00000000029F0000-0x0000000002A32000-memory.dmp

Filesize
264KB

Download
memory/1528-112-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1528-113-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1704-88-0x0000000074150000-0x00000000746FB000-memory.dmp

Filesize
5.7MB

Download
memory/1800-54-0x00000000758C1000-0x00000000758C3000-memory.dmp

Filesize
8KB

Download
memory/1800-67-0x0000000074700000-0x0000000074CAB000-memory.dmp

Filesize
5.7MB

Download