vobfus | fbc66b75d41324979e33746db3865526f64388a2dc3f8dc50e7fdc1d7bcbd763

Analysis

max time kernel
155s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20220310-en
submitted
15-03-2022 22:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

afbx.exe
Size

240KB
MD5

396ba06fff00da05029c40502778b3fb
SHA1

803b0fbe68ecf2f76a7463125ae1e55b9431924c
SHA256

fbc66b75d41324979e33746db3865526f64388a2dc3f8dc50e7fdc1d7bcbd763
SHA512

c44ed8401091d1a44b8510df83347807041eb6a78864699c4837f295891efa0f972ba5d4c11b587e50fa1917bb38fe6375822899a97b11bb98c37be9d1097153

Score

10^/10

vobfus persistence worm

Malware Config

Signatures

Vobfus
A widespread worm which spreads via network drives and removable media.
worm vobfus

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

afbx.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run	afbx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\VLXHCMT5KJ = "C:\\Users\\Admin\\AppData\\Roaming\\AG58FPQON.exe"	afbx.exe
Key created	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run	afbx.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\VLXHCMT5KJ = "C:\\Users\\Admin\\AppData\\Roaming\\AG58FPQON.exe"	afbx.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

afbx.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\VLXHCMT5KJ = "C:\\Users\\Admin\\AppData\\Roaming\\AG58FPQON.exe"	afbx.exe
Key created	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Windows\CurrentVersion\Run	afbx.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VLXHCMT5KJ = "C:\\Users\\Admin\\AppData\\Roaming\\AG58FPQON.exe"	afbx.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	afbx.exe

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	30	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	43	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

afbx.exe

pid process

2824 afbx.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

afbx.exe

pid process

2824 afbx.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

afbx.exe

pid process

2824 afbx.exe
2824 afbx.exe

pid	process
2824	afbx.exe

pid	process
2824	afbx.exe

pid	process
2824	afbx.exe
2824	afbx.exe

C:\Users\Admin\AppData\Local\Temp\afbx.exe
"C:\Users\Admin\AppData\Local\Temp\afbx.exe"
1⤵
- Adds policy Run key to start application
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
PID:2824

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2824-134-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download