vobfus | d23fd3391f543127b84dca44977bed1151549dadedca4b0b142e3b0ba0676d17

General

Target

d23fd3391f543127b84dca44977bed1151549dadedca4b0b142e3b0ba0676d17.exe
Size

143KB
MD5

6443ead1a14aa075a711fb207d4e52b0
SHA1

843e35adf376be6ca6c9a16fb5025b8176c47d50
SHA256

d23fd3391f543127b84dca44977bed1151549dadedca4b0b142e3b0ba0676d17
SHA512

247ec64e023f30bb32752ccb853a3c2d8bccecb6d854db1b92ae3981229387182648f1db5d241e9c85c099db0d78a8e6aac04d99698b45088de2aa38fdb42481
SSDEEP

3072:oNpD5Iaa43WwkjuUUUUUv88AbbbMI8TqjFei7N6xpsz:qFIaa43WpjuUUUUUv88k8ej8iAPc

Score

10^/10

vobfus persistence upx worm

Malware Config

Signatures

Vobfus
A widespread worm which spreads via network drives and removable media.
worm vobfus

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

d23fd3391f543127b84dca44977bed1151549dadedca4b0b142e3b0ba0676d17.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run	d23fd3391f543127b84dca44977bed1151549dadedca4b0b142e3b0ba0676d17.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\9ZOK0LE4KJ3SJ = "C:\\Users\\Admin\\AppData\\Roaming\\5G5HSPCDW7G.exe"	d23fd3391f543127b84dca44977bed1151549dadedca4b0b142e3b0ba0676d17.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run	d23fd3391f543127b84dca44977bed1151549dadedca4b0b142e3b0ba0676d17.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\9ZOK0LE4KJ3SJ = "C:\\Users\\Admin\\AppData\\Roaming\\5G5HSPCDW7G.exe"	d23fd3391f543127b84dca44977bed1151549dadedca4b0b142e3b0ba0676d17.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1400-57-0x0000000000400000-0x000000000054D000-memory.dmp	upx
behavioral1/memory/1400-59-0x0000000000400000-0x000000000054D000-memory.dmp	upx
behavioral1/memory/1400-60-0x0000000000400000-0x000000000054D000-memory.dmp	upx
behavioral1/memory/1400-64-0x0000000000400000-0x000000000054D000-memory.dmp	upx
behavioral1/memory/1400-65-0x0000000000400000-0x000000000054D000-memory.dmp	upx
behavioral1/memory/1400-68-0x0000000000400000-0x000000000054D000-memory.dmp	upx
behavioral1/memory/1400-69-0x0000000000400000-0x000000000054D000-memory.dmp	upx

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

d23fd3391f543127b84dca44977bed1151549dadedca4b0b142e3b0ba0676d17.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	d23fd3391f543127b84dca44977bed1151549dadedca4b0b142e3b0ba0676d17.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\9ZOK0LE4KJ3SJ = "C:\\Users\\Admin\\AppData\\Roaming\\5G5HSPCDW7G.exe"	d23fd3391f543127b84dca44977bed1151549dadedca4b0b142e3b0ba0676d17.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run	d23fd3391f543127b84dca44977bed1151549dadedca4b0b142e3b0ba0676d17.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\9ZOK0LE4KJ3SJ = "C:\\Users\\Admin\\AppData\\Roaming\\5G5HSPCDW7G.exe"	d23fd3391f543127b84dca44977bed1151549dadedca4b0b142e3b0ba0676d17.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

d23fd3391f543127b84dca44977bed1151549dadedca4b0b142e3b0ba0676d17.exe

description	pid	process	target process
PID 1404 set thread context of 1400	1404	d23fd3391f543127b84dca44977bed1151549dadedca4b0b142e3b0ba0676d17.exe	d23fd3391f543127b84dca44977bed1151549dadedca4b0b142e3b0ba0676d17.exe

Script User-Agent 9 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	23	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	29	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	5	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	14	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	17	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	20	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	26	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	32	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	9	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: RenamesItself 1 IoCs

Processes:

d23fd3391f543127b84dca44977bed1151549dadedca4b0b142e3b0ba0676d17.exe

pid process

1400 d23fd3391f543127b84dca44977bed1151549dadedca4b0b142e3b0ba0676d17.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

d23fd3391f543127b84dca44977bed1151549dadedca4b0b142e3b0ba0676d17.exe

pid process

1400 d23fd3391f543127b84dca44977bed1151549dadedca4b0b142e3b0ba0676d17.exe

pid	process
1400	d23fd3391f543127b84dca44977bed1151549dadedca4b0b142e3b0ba0676d17.exe

pid	process
1400	d23fd3391f543127b84dca44977bed1151549dadedca4b0b142e3b0ba0676d17.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

d23fd3391f543127b84dca44977bed1151549dadedca4b0b142e3b0ba0676d17.exe

description	pid	process	target process
PID 1404 wrote to memory of 1400	1404	d23fd3391f543127b84dca44977bed1151549dadedca4b0b142e3b0ba0676d17.exe	d23fd3391f543127b84dca44977bed1151549dadedca4b0b142e3b0ba0676d17.exe
PID 1404 wrote to memory of 1400	1404	d23fd3391f543127b84dca44977bed1151549dadedca4b0b142e3b0ba0676d17.exe	d23fd3391f543127b84dca44977bed1151549dadedca4b0b142e3b0ba0676d17.exe
PID 1404 wrote to memory of 1400	1404	d23fd3391f543127b84dca44977bed1151549dadedca4b0b142e3b0ba0676d17.exe	d23fd3391f543127b84dca44977bed1151549dadedca4b0b142e3b0ba0676d17.exe
PID 1404 wrote to memory of 1400	1404	d23fd3391f543127b84dca44977bed1151549dadedca4b0b142e3b0ba0676d17.exe	d23fd3391f543127b84dca44977bed1151549dadedca4b0b142e3b0ba0676d17.exe
PID 1404 wrote to memory of 1400	1404	d23fd3391f543127b84dca44977bed1151549dadedca4b0b142e3b0ba0676d17.exe	d23fd3391f543127b84dca44977bed1151549dadedca4b0b142e3b0ba0676d17.exe
PID 1404 wrote to memory of 1400	1404	d23fd3391f543127b84dca44977bed1151549dadedca4b0b142e3b0ba0676d17.exe	d23fd3391f543127b84dca44977bed1151549dadedca4b0b142e3b0ba0676d17.exe
PID 1404 wrote to memory of 1400	1404	d23fd3391f543127b84dca44977bed1151549dadedca4b0b142e3b0ba0676d17.exe	d23fd3391f543127b84dca44977bed1151549dadedca4b0b142e3b0ba0676d17.exe

C:\Users\Admin\AppData\Local\Temp\d23fd3391f543127b84dca44977bed1151549dadedca4b0b142e3b0ba0676d17.exe
"C:\Users\Admin\AppData\Local\Temp\d23fd3391f543127b84dca44977bed1151549dadedca4b0b142e3b0ba0676d17.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1404

C:\Users\Admin\AppData\Local\Temp\d23fd3391f543127b84dca44977bed1151549dadedca4b0b142e3b0ba0676d17.exe
C:\Users\Admin\AppData\Local\Temp\d23fd3391f543127b84dca44977bed1151549dadedca4b0b142e3b0ba0676d17.exe
2⤵
- Adds policy Run key to start application
- Adds Run key to start application
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
PID:1400

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1400-56-0x0000000000400000-0x000000000054D000-memory.dmp

Filesize
1.3MB

Download
memory/1400-57-0x0000000000400000-0x000000000054D000-memory.dmp

Filesize
1.3MB

Download
memory/1400-59-0x0000000000400000-0x000000000054D000-memory.dmp

Filesize
1.3MB

Download
memory/1400-60-0x0000000000400000-0x000000000054D000-memory.dmp

Filesize
1.3MB

Download
memory/1400-61-0x000000000054BDE0-mapping.dmp

Download
memory/1400-64-0x0000000000400000-0x000000000054D000-memory.dmp

Filesize
1.3MB

Download
memory/1400-65-0x0000000000400000-0x000000000054D000-memory.dmp

Filesize
1.3MB

Download
memory/1400-68-0x0000000000400000-0x000000000054D000-memory.dmp

Filesize
1.3MB

Download
memory/1400-69-0x0000000000400000-0x000000000054D000-memory.dmp

Filesize
1.3MB

Download
memory/1404-54-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1404-55-0x0000000074F01000-0x0000000074F03000-memory.dmp

Filesize
8KB

Download
memory/1404-63-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads