Analysis
-
max time kernel
120s -
max time network
100s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
19/09/2024, 03:13
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
Worm.Win32.Vobfus.exe
Resource
win7-20240903-en
windows7-x64
9 signatures
120 seconds
Behavioral task
behavioral2
Sample
Worm.Win32.Vobfus.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
9 signatures
120 seconds
General
-
Target
Worm.Win32.Vobfus.exe
-
Size
204KB
-
MD5
96d9306823100a8371b7602112aa8dc0
-
SHA1
cd04b8fe5db0c0d518bcae12ed02d2a3b30398a0
-
SHA256
2f38f3e5ff93dda7b69a76c5851830e28882d8db55c9ceac4413734010dd1b0a
-
SHA512
904c6d4c41cbc0bc7c282687e05f5248783a90f8b94fb968fc3e4577c48f79609b13070ea6c1092f707956cc18b9180bace348408230b7916454ce62788d9b3a
-
SSDEEP
3072:8mHW8K0tQ9nLHbB9W0c1TqECzR/mkSYGrl9ymgYUWqh:n2N4QxL7B9W0c1RCzR/fSmlt
Score
10/10
Malware Config
Signatures
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" Worm.Win32.Vobfus.exe Set value (int) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" fuuqiy.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation Worm.Win32.Vobfus.exe -
Executes dropped EXE 1 IoCs
pid Process 1000 fuuqiy.exe -
Adds Run key to start application 2 TTPs 27 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fuuqiy = "C:\\Users\\Admin\\fuuqiy.exe /e" fuuqiy.exe Set value (str) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fuuqiy = "C:\\Users\\Admin\\fuuqiy.exe /c" fuuqiy.exe Set value (str) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fuuqiy = "C:\\Users\\Admin\\fuuqiy.exe /l" fuuqiy.exe Set value (str) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fuuqiy = "C:\\Users\\Admin\\fuuqiy.exe /u" fuuqiy.exe Set value (str) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fuuqiy = "C:\\Users\\Admin\\fuuqiy.exe /n" fuuqiy.exe Set value (str) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fuuqiy = "C:\\Users\\Admin\\fuuqiy.exe /i" fuuqiy.exe Set value (str) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fuuqiy = "C:\\Users\\Admin\\fuuqiy.exe /p" fuuqiy.exe Set value (str) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fuuqiy = "C:\\Users\\Admin\\fuuqiy.exe /r" fuuqiy.exe Set value (str) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fuuqiy = "C:\\Users\\Admin\\fuuqiy.exe /o" fuuqiy.exe Set value (str) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fuuqiy = "C:\\Users\\Admin\\fuuqiy.exe /a" fuuqiy.exe Set value (str) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fuuqiy = "C:\\Users\\Admin\\fuuqiy.exe /b" fuuqiy.exe Set value (str) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fuuqiy = "C:\\Users\\Admin\\fuuqiy.exe /j" fuuqiy.exe Set value (str) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fuuqiy = "C:\\Users\\Admin\\fuuqiy.exe /h" fuuqiy.exe Set value (str) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fuuqiy = "C:\\Users\\Admin\\fuuqiy.exe /y" fuuqiy.exe Set value (str) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fuuqiy = "C:\\Users\\Admin\\fuuqiy.exe /w" fuuqiy.exe Set value (str) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fuuqiy = "C:\\Users\\Admin\\fuuqiy.exe /q" Worm.Win32.Vobfus.exe Set value (str) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fuuqiy = "C:\\Users\\Admin\\fuuqiy.exe /f" fuuqiy.exe Set value (str) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fuuqiy = "C:\\Users\\Admin\\fuuqiy.exe /k" fuuqiy.exe Set value (str) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fuuqiy = "C:\\Users\\Admin\\fuuqiy.exe /x" fuuqiy.exe Set value (str) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fuuqiy = "C:\\Users\\Admin\\fuuqiy.exe /m" fuuqiy.exe Set value (str) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fuuqiy = "C:\\Users\\Admin\\fuuqiy.exe /d" fuuqiy.exe Set value (str) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fuuqiy = "C:\\Users\\Admin\\fuuqiy.exe /s" fuuqiy.exe Set value (str) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fuuqiy = "C:\\Users\\Admin\\fuuqiy.exe /t" fuuqiy.exe Set value (str) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fuuqiy = "C:\\Users\\Admin\\fuuqiy.exe /v" fuuqiy.exe Set value (str) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fuuqiy = "C:\\Users\\Admin\\fuuqiy.exe /q" fuuqiy.exe Set value (str) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fuuqiy = "C:\\Users\\Admin\\fuuqiy.exe /z" fuuqiy.exe Set value (str) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fuuqiy = "C:\\Users\\Admin\\fuuqiy.exe /g" fuuqiy.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Worm.Win32.Vobfus.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fuuqiy.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3292 Worm.Win32.Vobfus.exe 3292 Worm.Win32.Vobfus.exe 1000 fuuqiy.exe 1000 fuuqiy.exe 1000 fuuqiy.exe 1000 fuuqiy.exe 1000 fuuqiy.exe 1000 fuuqiy.exe 1000 fuuqiy.exe 1000 fuuqiy.exe 1000 fuuqiy.exe 1000 fuuqiy.exe 1000 fuuqiy.exe 1000 fuuqiy.exe 1000 fuuqiy.exe 1000 fuuqiy.exe 1000 fuuqiy.exe 1000 fuuqiy.exe 1000 fuuqiy.exe 1000 fuuqiy.exe 1000 fuuqiy.exe 1000 fuuqiy.exe 1000 fuuqiy.exe 1000 fuuqiy.exe 1000 fuuqiy.exe 1000 fuuqiy.exe 1000 fuuqiy.exe 1000 fuuqiy.exe 1000 fuuqiy.exe 1000 fuuqiy.exe 1000 fuuqiy.exe 1000 fuuqiy.exe 1000 fuuqiy.exe 1000 fuuqiy.exe 1000 fuuqiy.exe 1000 fuuqiy.exe 1000 fuuqiy.exe 1000 fuuqiy.exe 1000 fuuqiy.exe 1000 fuuqiy.exe 1000 fuuqiy.exe 1000 fuuqiy.exe 1000 fuuqiy.exe 1000 fuuqiy.exe 1000 fuuqiy.exe 1000 fuuqiy.exe 1000 fuuqiy.exe 1000 fuuqiy.exe 1000 fuuqiy.exe 1000 fuuqiy.exe 1000 fuuqiy.exe 1000 fuuqiy.exe 1000 fuuqiy.exe 1000 fuuqiy.exe 1000 fuuqiy.exe 1000 fuuqiy.exe 1000 fuuqiy.exe 1000 fuuqiy.exe 1000 fuuqiy.exe 1000 fuuqiy.exe 1000 fuuqiy.exe 1000 fuuqiy.exe 1000 fuuqiy.exe 1000 fuuqiy.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 3292 Worm.Win32.Vobfus.exe 1000 fuuqiy.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 3292 wrote to memory of 1000 3292 Worm.Win32.Vobfus.exe 86 PID 3292 wrote to memory of 1000 3292 Worm.Win32.Vobfus.exe 86 PID 3292 wrote to memory of 1000 3292 Worm.Win32.Vobfus.exe 86
Processes
-
C:\Users\Admin\AppData\Local\Temp\Worm.Win32.Vobfus.exe"C:\Users\Admin\AppData\Local\Temp\Worm.Win32.Vobfus.exe"1⤵
- Modifies visiblity of hidden/system files in Explorer
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3292 -
C:\Users\Admin\fuuqiy.exe"C:\Users\Admin\fuuqiy.exe"2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1000
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
204KB
MD5756d80c23063b510c7842e0a2edbdffb
SHA1ec0a8c3116a4eee6cad7427db5626a8fe87f7c58
SHA2564ad365d364e1c7945b47e17da11e7660aade4ec48865e872e87fb5fe25d54ba1
SHA512b8c59a3f036abfd902aa0faebd80f13fd14eb28b4c6cd8d30e6454c4bde28695428102d7b962e931572c9678fdba2cbaec537ca399d4ef9a129a86eb088aca88