vobfus | 95f527978167cc6a45e4d42ec7852cd31a12d6413523fa573a85b44ec9886637

General

Target

95f527978167cc6a45e4d42ec7852cd31a12d6413523fa573a85b44ec9886637.exe
Size

764KB
MD5

75620fdd5d0f2b9bca53bfb8496e7528
SHA1

09b9d75339adabef72a54a09736e03a69c6f26a6
SHA256

95f527978167cc6a45e4d42ec7852cd31a12d6413523fa573a85b44ec9886637
SHA512

e3cc6684462eabc15e7aba435135737c540c7337fdf1657260981ff1be1b4db13bc260e93c1bc8277fb20aa843105d10d68da76fe76f65c454d033a92aa4f3c9

Score

10^/10

vobfus persistence worm

Malware Config

Signatures

Vobfus
A widespread worm which spreads via network drives and removable media.
worm vobfus

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

95f527978167cc6a45e4d42ec7852cd31a12d6413523fa573a85b44ec9886637.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run	95f527978167cc6a45e4d42ec7852cd31a12d6413523fa573a85b44ec9886637.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\VLXHCMT5KJ = "C:\\Users\\Admin\\AppData\\Roaming\\AG58FPQON.exe"	95f527978167cc6a45e4d42ec7852cd31a12d6413523fa573a85b44ec9886637.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run	95f527978167cc6a45e4d42ec7852cd31a12d6413523fa573a85b44ec9886637.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\VLXHCMT5KJ = "C:\\Users\\Admin\\AppData\\Roaming\\AG58FPQON.exe"	95f527978167cc6a45e4d42ec7852cd31a12d6413523fa573a85b44ec9886637.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

95f527978167cc6a45e4d42ec7852cd31a12d6413523fa573a85b44ec9886637.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	95f527978167cc6a45e4d42ec7852cd31a12d6413523fa573a85b44ec9886637.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\VLXHCMT5KJ = "C:\\Users\\Admin\\AppData\\Roaming\\AG58FPQON.exe"	95f527978167cc6a45e4d42ec7852cd31a12d6413523fa573a85b44ec9886637.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Windows\CurrentVersion\Run	95f527978167cc6a45e4d42ec7852cd31a12d6413523fa573a85b44ec9886637.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Windows\CurrentVersion\Run\VLXHCMT5KJ = "C:\\Users\\Admin\\AppData\\Roaming\\AG58FPQON.exe"	95f527978167cc6a45e4d42ec7852cd31a12d6413523fa573a85b44ec9886637.exe

Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 13 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

95f527978167cc6a45e4d42ec7852cd31a12d6413523fa573a85b44ec9886637.exe

pid process

3808 95f527978167cc6a45e4d42ec7852cd31a12d6413523fa573a85b44ec9886637.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

95f527978167cc6a45e4d42ec7852cd31a12d6413523fa573a85b44ec9886637.exe

pid process

3808 95f527978167cc6a45e4d42ec7852cd31a12d6413523fa573a85b44ec9886637.exe

description	flow	ioc
HTTP User-Agent header	13	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

95f527978167cc6a45e4d42ec7852cd31a12d6413523fa573a85b44ec9886637.exe

pid	process
3808	95f527978167cc6a45e4d42ec7852cd31a12d6413523fa573a85b44ec9886637.exe
3808	95f527978167cc6a45e4d42ec7852cd31a12d6413523fa573a85b44ec9886637.exe

C:\Users\Admin\AppData\Local\Temp\95f527978167cc6a45e4d42ec7852cd31a12d6413523fa573a85b44ec9886637.exe
"C:\Users\Admin\AppData\Local\Temp\95f527978167cc6a45e4d42ec7852cd31a12d6413523fa573a85b44ec9886637.exe"
1⤵
- Adds policy Run key to start application
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
PID:3808

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3808-115-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads