vobfus | d23fd3391f543127b84dca44977bed1151549dadedca4b0b142e3b0ba0676d17

General

Target

d23fd3391f543127b84dca44977bed1151549dadedca4b0b142e3b0ba0676d17.exe
Size

143KB
MD5

6443ead1a14aa075a711fb207d4e52b0
SHA1

843e35adf376be6ca6c9a16fb5025b8176c47d50
SHA256

d23fd3391f543127b84dca44977bed1151549dadedca4b0b142e3b0ba0676d17
SHA512

247ec64e023f30bb32752ccb853a3c2d8bccecb6d854db1b92ae3981229387182648f1db5d241e9c85c099db0d78a8e6aac04d99698b45088de2aa38fdb42481
SSDEEP

3072:oNpD5Iaa43WwkjuUUUUUv88AbbbMI8TqjFei7N6xpsz:qFIaa43WpjuUUUUUv88k8ej8iAPc

Score

10^/10

vobfus persistence upx worm

Malware Config

Signatures

Vobfus
A widespread worm which spreads via network drives and removable media.
worm vobfus

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

d23fd3391f543127b84dca44977bed1151549dadedca4b0b142e3b0ba0676d17.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run	d23fd3391f543127b84dca44977bed1151549dadedca4b0b142e3b0ba0676d17.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\9ZOK0LE4KJ3SJ = "C:\\Users\\Admin\\AppData\\Roaming\\5G5HSPCDW7G.exe"	d23fd3391f543127b84dca44977bed1151549dadedca4b0b142e3b0ba0676d17.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run	d23fd3391f543127b84dca44977bed1151549dadedca4b0b142e3b0ba0676d17.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\9ZOK0LE4KJ3SJ = "C:\\Users\\Admin\\AppData\\Roaming\\5G5HSPCDW7G.exe"	d23fd3391f543127b84dca44977bed1151549dadedca4b0b142e3b0ba0676d17.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4884-134-0x0000000000400000-0x000000000054D000-memory.dmp	upx
behavioral2/memory/4884-137-0x0000000000400000-0x000000000054D000-memory.dmp	upx
behavioral2/memory/4884-138-0x0000000000400000-0x000000000054D000-memory.dmp	upx
behavioral2/memory/4884-141-0x0000000000400000-0x000000000054D000-memory.dmp	upx
behavioral2/memory/4884-142-0x0000000000400000-0x000000000054D000-memory.dmp	upx

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

d23fd3391f543127b84dca44977bed1151549dadedca4b0b142e3b0ba0676d17.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	d23fd3391f543127b84dca44977bed1151549dadedca4b0b142e3b0ba0676d17.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\9ZOK0LE4KJ3SJ = "C:\\Users\\Admin\\AppData\\Roaming\\5G5HSPCDW7G.exe"	d23fd3391f543127b84dca44977bed1151549dadedca4b0b142e3b0ba0676d17.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows\CurrentVersion\Run	d23fd3391f543127b84dca44977bed1151549dadedca4b0b142e3b0ba0676d17.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\9ZOK0LE4KJ3SJ = "C:\\Users\\Admin\\AppData\\Roaming\\5G5HSPCDW7G.exe"	d23fd3391f543127b84dca44977bed1151549dadedca4b0b142e3b0ba0676d17.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

d23fd3391f543127b84dca44977bed1151549dadedca4b0b142e3b0ba0676d17.exe

description	pid	process	target process
PID 4132 set thread context of 4884	4132	d23fd3391f543127b84dca44977bed1151549dadedca4b0b142e3b0ba0676d17.exe	d23fd3391f543127b84dca44977bed1151549dadedca4b0b142e3b0ba0676d17.exe

Script User-Agent 8 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	26	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	28	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	32	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	51	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	52	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	56	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	65	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	70	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: RenamesItself 1 IoCs

Processes:

d23fd3391f543127b84dca44977bed1151549dadedca4b0b142e3b0ba0676d17.exe

pid process

4884 d23fd3391f543127b84dca44977bed1151549dadedca4b0b142e3b0ba0676d17.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

d23fd3391f543127b84dca44977bed1151549dadedca4b0b142e3b0ba0676d17.exe

pid process

4884 d23fd3391f543127b84dca44977bed1151549dadedca4b0b142e3b0ba0676d17.exe

pid	process
4884	d23fd3391f543127b84dca44977bed1151549dadedca4b0b142e3b0ba0676d17.exe

pid	process
4884	d23fd3391f543127b84dca44977bed1151549dadedca4b0b142e3b0ba0676d17.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

d23fd3391f543127b84dca44977bed1151549dadedca4b0b142e3b0ba0676d17.exed23fd3391f543127b84dca44977bed1151549dadedca4b0b142e3b0ba0676d17.exe

description	pid	process	target process
PID 4132 wrote to memory of 4884	4132	d23fd3391f543127b84dca44977bed1151549dadedca4b0b142e3b0ba0676d17.exe	d23fd3391f543127b84dca44977bed1151549dadedca4b0b142e3b0ba0676d17.exe
PID 4132 wrote to memory of 4884	4132	d23fd3391f543127b84dca44977bed1151549dadedca4b0b142e3b0ba0676d17.exe	d23fd3391f543127b84dca44977bed1151549dadedca4b0b142e3b0ba0676d17.exe
PID 4132 wrote to memory of 4884	4132	d23fd3391f543127b84dca44977bed1151549dadedca4b0b142e3b0ba0676d17.exe	d23fd3391f543127b84dca44977bed1151549dadedca4b0b142e3b0ba0676d17.exe
PID 4132 wrote to memory of 4884	4132	d23fd3391f543127b84dca44977bed1151549dadedca4b0b142e3b0ba0676d17.exe	d23fd3391f543127b84dca44977bed1151549dadedca4b0b142e3b0ba0676d17.exe
PID 4132 wrote to memory of 4884	4132	d23fd3391f543127b84dca44977bed1151549dadedca4b0b142e3b0ba0676d17.exe	d23fd3391f543127b84dca44977bed1151549dadedca4b0b142e3b0ba0676d17.exe
PID 4132 wrote to memory of 4884	4132	d23fd3391f543127b84dca44977bed1151549dadedca4b0b142e3b0ba0676d17.exe	d23fd3391f543127b84dca44977bed1151549dadedca4b0b142e3b0ba0676d17.exe
PID 4132 wrote to memory of 4884	4132	d23fd3391f543127b84dca44977bed1151549dadedca4b0b142e3b0ba0676d17.exe	d23fd3391f543127b84dca44977bed1151549dadedca4b0b142e3b0ba0676d17.exe
PID 4884 wrote to memory of 4172	4884	d23fd3391f543127b84dca44977bed1151549dadedca4b0b142e3b0ba0676d17.exe	regsvr32.exe
PID 4884 wrote to memory of 4172	4884	d23fd3391f543127b84dca44977bed1151549dadedca4b0b142e3b0ba0676d17.exe	regsvr32.exe
PID 4884 wrote to memory of 4172	4884	d23fd3391f543127b84dca44977bed1151549dadedca4b0b142e3b0ba0676d17.exe	regsvr32.exe

C:\Users\Admin\AppData\Local\Temp\d23fd3391f543127b84dca44977bed1151549dadedca4b0b142e3b0ba0676d17.exe
"C:\Users\Admin\AppData\Local\Temp\d23fd3391f543127b84dca44977bed1151549dadedca4b0b142e3b0ba0676d17.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4132

C:\Users\Admin\AppData\Local\Temp\d23fd3391f543127b84dca44977bed1151549dadedca4b0b142e3b0ba0676d17.exe
C:\Users\Admin\AppData\Local\Temp\d23fd3391f543127b84dca44977bed1151549dadedca4b0b142e3b0ba0676d17.exe
2⤵
- Adds policy Run key to start application
- Adds Run key to start application
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4884

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe "C:\Users\Admin\AppData\Local\Temp\MSWINSCK.OCX" /s
3⤵
PID:4172

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MSWINSCK.OCX
Filesize
41KB

MD5
5d3599dc87ed27162409d2ebe9356a42

SHA1
d7047e8d2395d0a3a72c659bcbadc8a1d1568672

SHA256
aa8de880d0dc94a087dd0b6d9d6a877e93b09d04df6512046f2b980a5f35eefb

SHA512
4791759f9daaae0ffc0232e87b12fb29cdba23aa40250384a4c5fcdf2d76b1424ef3f732a37616beb39a2c41636376954f104e2c2175c42e42de5bac713632b1

Download Submit
memory/4132-132-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4132-136-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4172-143-0x0000000000000000-mapping.dmp

Download
memory/4884-133-0x0000000000000000-mapping.dmp

Download
memory/4884-134-0x0000000000400000-0x000000000054D000-memory.dmp

Filesize
1.3MB

Download
memory/4884-137-0x0000000000400000-0x000000000054D000-memory.dmp

Filesize
1.3MB

Download
memory/4884-138-0x0000000000400000-0x000000000054D000-memory.dmp

Filesize
1.3MB

Download
memory/4884-141-0x0000000000400000-0x000000000054D000-memory.dmp

Filesize
1.3MB

Download
memory/4884-142-0x0000000000400000-0x000000000054D000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads