vobfus | e6817b5b8eeb25f67072d405df7b5955cd69f77b9d64688a86cfcfd235c0c8ca

General

Target

e6817b5b8eeb25f67072d405df7b5955cd69f77b9d64688a86cfcfd235c0c8ca.exe
Size

445KB
MD5

b90200f4c155dae5f6460839fe6917fa
SHA1

c0bcdc5429dcb3a07400884f73dfe3da3e679198
SHA256

e6817b5b8eeb25f67072d405df7b5955cd69f77b9d64688a86cfcfd235c0c8ca
SHA512

adfdf8c6a8056109bf781a9973c370c26c3f5ba7a84326d0baa96da5a738133a549187817db859d3c9aa075bc934fd5ff59720957160d4db52dec85e26d1e79a

Score

10^/10

vobfus persistence worm

Malware Config

Signatures

Vobfus
A widespread worm which spreads via network drives and removable media.
worm vobfus

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

e6817b5b8eeb25f67072d405df7b5955cd69f77b9d64688a86cfcfd235c0c8ca.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\VLXHCMT5KJ = "C:\\Users\\Admin\\AppData\\Roaming\\AG58FPQON.exe"	e6817b5b8eeb25f67072d405df7b5955cd69f77b9d64688a86cfcfd235c0c8ca.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run	e6817b5b8eeb25f67072d405df7b5955cd69f77b9d64688a86cfcfd235c0c8ca.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\VLXHCMT5KJ = "C:\\Users\\Admin\\AppData\\Roaming\\AG58FPQON.exe"	e6817b5b8eeb25f67072d405df7b5955cd69f77b9d64688a86cfcfd235c0c8ca.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run	e6817b5b8eeb25f67072d405df7b5955cd69f77b9d64688a86cfcfd235c0c8ca.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

e6817b5b8eeb25f67072d405df7b5955cd69f77b9d64688a86cfcfd235c0c8ca.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	e6817b5b8eeb25f67072d405df7b5955cd69f77b9d64688a86cfcfd235c0c8ca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\VLXHCMT5KJ = "C:\\Users\\Admin\\AppData\\Roaming\\AG58FPQON.exe"	e6817b5b8eeb25f67072d405df7b5955cd69f77b9d64688a86cfcfd235c0c8ca.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run	e6817b5b8eeb25f67072d405df7b5955cd69f77b9d64688a86cfcfd235c0c8ca.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\VLXHCMT5KJ = "C:\\Users\\Admin\\AppData\\Roaming\\AG58FPQON.exe"	e6817b5b8eeb25f67072d405df7b5955cd69f77b9d64688a86cfcfd235c0c8ca.exe

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	6	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	5	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

e6817b5b8eeb25f67072d405df7b5955cd69f77b9d64688a86cfcfd235c0c8ca.exe

pid process

1072 e6817b5b8eeb25f67072d405df7b5955cd69f77b9d64688a86cfcfd235c0c8ca.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

e6817b5b8eeb25f67072d405df7b5955cd69f77b9d64688a86cfcfd235c0c8ca.exe

pid process

1072 e6817b5b8eeb25f67072d405df7b5955cd69f77b9d64688a86cfcfd235c0c8ca.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

e6817b5b8eeb25f67072d405df7b5955cd69f77b9d64688a86cfcfd235c0c8ca.exe

pid	process
1072	e6817b5b8eeb25f67072d405df7b5955cd69f77b9d64688a86cfcfd235c0c8ca.exe
1072	e6817b5b8eeb25f67072d405df7b5955cd69f77b9d64688a86cfcfd235c0c8ca.exe

C:\Users\Admin\AppData\Local\Temp\e6817b5b8eeb25f67072d405df7b5955cd69f77b9d64688a86cfcfd235c0c8ca.exe
"C:\Users\Admin\AppData\Local\Temp\e6817b5b8eeb25f67072d405df7b5955cd69f77b9d64688a86cfcfd235c0c8ca.exe"
1⤵
- Adds policy Run key to start application
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
PID:1072

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1072-60-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads