Analysis Overview
SHA256
7330a4d4e3b4a85418cabd7b97c84717db6286a1ce417c91bd556c95d91f1ff9
Threat Level: Known bad
The file 7330a4d4e3b4a85418cabd7b97c84717db6286a1ce417c91bd556c95d91f1ff9 was found to be: Known bad.
Malicious Activity Summary
Vobfus
Adds policy Run key to start application
Adds Run key to start application
Suspicious behavior: RenamesItself
Suspicious use of SetWindowsHookEx
Script User-Agent
Suspicious behavior: GetForegroundWindowSpam
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-05-15 16:53
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2021-05-15 16:53
Reported
2021-05-16 04:51
Platform
win7v20210410
Max time kernel
150s
Max time network
141s
Command Line
Signatures
Vobfus
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run | C:\Users\Admin\AppData\Local\Temp\7330a4d4e3b4a85418cabd7b97c84717db6286a1ce417c91bd556c95d91f1ff9.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\VLXHCMT5KJ = "C:\\Users\\Admin\\AppData\\Roaming\\AG58FPQON.exe" | C:\Users\Admin\AppData\Local\Temp\7330a4d4e3b4a85418cabd7b97c84717db6286a1ce417c91bd556c95d91f1ff9.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run | C:\Users\Admin\AppData\Local\Temp\7330a4d4e3b4a85418cabd7b97c84717db6286a1ce417c91bd556c95d91f1ff9.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\VLXHCMT5KJ = "C:\\Users\\Admin\\AppData\\Roaming\\AG58FPQON.exe" | C:\Users\Admin\AppData\Local\Temp\7330a4d4e3b4a85418cabd7b97c84717db6286a1ce417c91bd556c95d91f1ff9.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\VLXHCMT5KJ = "C:\\Users\\Admin\\AppData\\Roaming\\AG58FPQON.exe" | C:\Users\Admin\AppData\Local\Temp\7330a4d4e3b4a85418cabd7b97c84717db6286a1ce417c91bd556c95d91f1ff9.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\7330a4d4e3b4a85418cabd7b97c84717db6286a1ce417c91bd556c95d91f1ff9.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\VLXHCMT5KJ = "C:\\Users\\Admin\\AppData\\Roaming\\AG58FPQON.exe" | C:\Users\Admin\AppData\Local\Temp\7330a4d4e3b4a85418cabd7b97c84717db6286a1ce417c91bd556c95d91f1ff9.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\7330a4d4e3b4a85418cabd7b97c84717db6286a1ce417c91bd556c95d91f1ff9.exe | N/A |
Script User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7330a4d4e3b4a85418cabd7b97c84717db6286a1ce417c91bd556c95d91f1ff9.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7330a4d4e3b4a85418cabd7b97c84717db6286a1ce417c91bd556c95d91f1ff9.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7330a4d4e3b4a85418cabd7b97c84717db6286a1ce417c91bd556c95d91f1ff9.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7330a4d4e3b4a85418cabd7b97c84717db6286a1ce417c91bd556c95d91f1ff9.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\7330a4d4e3b4a85418cabd7b97c84717db6286a1ce417c91bd556c95d91f1ff9.exe
"C:\Users\Admin\AppData\Local\Temp\7330a4d4e3b4a85418cabd7b97c84717db6286a1ce417c91bd556c95d91f1ff9.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | migsel.com | udp |
| N/A | 95.128.128.129:80 | migsel.com | tcp |
| N/A | 95.128.128.129:80 | migsel.com | tcp |
Files
memory/1200-60-0x0000000000400000-0x0000000000434000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2021-05-15 16:53
Reported
2021-05-16 04:51
Platform
win10v20210410
Max time kernel
149s
Max time network
141s
Command Line
Signatures
Vobfus
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\VLXHCMT5KJ = "C:\\Users\\Admin\\AppData\\Roaming\\AG58FPQON.exe" | C:\Users\Admin\AppData\Local\Temp\7330a4d4e3b4a85418cabd7b97c84717db6286a1ce417c91bd556c95d91f1ff9.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run | C:\Users\Admin\AppData\Local\Temp\7330a4d4e3b4a85418cabd7b97c84717db6286a1ce417c91bd556c95d91f1ff9.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\VLXHCMT5KJ = "C:\\Users\\Admin\\AppData\\Roaming\\AG58FPQON.exe" | C:\Users\Admin\AppData\Local\Temp\7330a4d4e3b4a85418cabd7b97c84717db6286a1ce417c91bd556c95d91f1ff9.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run | C:\Users\Admin\AppData\Local\Temp\7330a4d4e3b4a85418cabd7b97c84717db6286a1ce417c91bd556c95d91f1ff9.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\7330a4d4e3b4a85418cabd7b97c84717db6286a1ce417c91bd556c95d91f1ff9.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\VLXHCMT5KJ = "C:\\Users\\Admin\\AppData\\Roaming\\AG58FPQON.exe" | C:\Users\Admin\AppData\Local\Temp\7330a4d4e3b4a85418cabd7b97c84717db6286a1ce417c91bd556c95d91f1ff9.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\7330a4d4e3b4a85418cabd7b97c84717db6286a1ce417c91bd556c95d91f1ff9.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\VLXHCMT5KJ = "C:\\Users\\Admin\\AppData\\Roaming\\AG58FPQON.exe" | C:\Users\Admin\AppData\Local\Temp\7330a4d4e3b4a85418cabd7b97c84717db6286a1ce417c91bd556c95d91f1ff9.exe | N/A |
Script User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7330a4d4e3b4a85418cabd7b97c84717db6286a1ce417c91bd556c95d91f1ff9.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7330a4d4e3b4a85418cabd7b97c84717db6286a1ce417c91bd556c95d91f1ff9.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7330a4d4e3b4a85418cabd7b97c84717db6286a1ce417c91bd556c95d91f1ff9.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7330a4d4e3b4a85418cabd7b97c84717db6286a1ce417c91bd556c95d91f1ff9.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\7330a4d4e3b4a85418cabd7b97c84717db6286a1ce417c91bd556c95d91f1ff9.exe
"C:\Users\Admin\AppData\Local\Temp\7330a4d4e3b4a85418cabd7b97c84717db6286a1ce417c91bd556c95d91f1ff9.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | migsel.com | udp |
| N/A | 95.128.128.129:80 | migsel.com | tcp |
| N/A | 95.128.128.129:80 | migsel.com | tcp |
Files
memory/3400-114-0x0000000000400000-0x0000000000434000-memory.dmp