Overview
Overall score: 10
Static analysis score: 3
Behavioral task scores:
- 323CANON.E...US.exe (windows7-x64): 10
- 323CANON.E...US.exe (windows10-2004-x64): 10
- WORM_VOBFUS.exe (windows7-x64): 10
- WORM_VOBFUS.exe (windows10-2004-x64): 10
- WORM_VOBFUS.exe (windows7-x64): 10
- WORM_VOBFUS.exe (windows10-2004-x64): 10
- WORM_VOBFUS.exe (windows7-x64): 7
- WORM_VOBFUS.exe (windows10-2004-x64): 7
Resubmissions
- 08/07/2025, 08:09  250708-j16kvavwcx  score 10
- 04/07/2025, 04:30  250704-e483xsap8v  score 10
- 13/05/2024, 10:29  240513-mjfjwabd28  score 10
Analysis
- max time kernel: 150s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 13/05/2024, 10:29
Static task: static1
Behavioral task behavioral1: Sample 323CANON.EXE_WORM_VOBFUS.exe, Resource win7-20240508-en
Behavioral task behavioral2: Sample 323CANON.EXE_WORM_VOBFUS.exe, Resource win10v2004-20240426-en
Behavioral task behavioral3: Sample WORM_VOBFUS.exe, Resource win7-20240508-en
Behavioral task behavioral4: Sample WORM_VOBFUS.exe, Resource win10v2004-20240508-en
Behavioral task behavioral5: Sample WORM_VOBFUS.exe, Resource win7-20240221-en
Behavioral task behavioral6: Sample WORM_VOBFUS.exe, Resource win10v2004-20240426-en
Behavioral task behavioral7: Sample WORM_VOBFUS.exe, Resource win7-20240221-en
Behavioral task behavioral8: Sample WORM_VOBFUS.exe, Resource win10v2004-20240226-en
General
- Target: 323CANON.EXE_WORM_VOBFUS.exe
- Size: 300KB
- MD5: 70f0b7bd55b91de26f9ed6f1ef86b456
- SHA1: d774cdaa9082ac15feb9514e7364d76092a6807a
- SHA256: fe32599d6f2d1a874b65928cfd01a87f9d0a83d2b1e30b8f1148c8ad8aefd985
- SHA512: 3928885f382a5f833eb2c2b4641b8227138dce4cb161cae3049e837ba13384119ec8aaf70c6e85c99583c07db18bbaab77e19bdc3485f9e23adb3be3d0ab7912
- SSDEEP: 3072:XMIQ/iifD4gfGWKdbKsQOO1HobSp0xl6EPpc4VpJzNDdlcjBPZz:XBciib4gfGWcmsQobG0xlfPpndiVPB
Malware Config
Signatures
- Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
  Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (process: 323CANON.EXE_WORM_VOBFUS.exe)
  Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (process: rfqieb.exe)
- Executes dropped EXE (1 IoC)
  PID 1808 rfqieb.exe
- Loads dropped DLL (2 IoCs)
  PID 2236 323CANON.EXE_WORM_VOBFUS.exe
  PID 2236 323CANON.EXE_WORM_VOBFUS.exe
- Adds Run key to start application (2 TTPs, 27 IoCs)
  All 27 entries are Set value (str) writes to the same key, \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\rfqieb; the value written and the writing process for each are:
  "C:\\Users\\Admin\\rfqieb.exe /m" (process: rfqieb.exe)
  "C:\\Users\\Admin\\rfqieb.exe /q" (process: rfqieb.exe)
  "C:\\Users\\Admin\\rfqieb.exe /j" (process: rfqieb.exe)
  "C:\\Users\\Admin\\rfqieb.exe /z" (process: rfqieb.exe)
  "C:\\Users\\Admin\\rfqieb.exe /v" (process: rfqieb.exe)
  "C:\\Users\\Admin\\rfqieb.exe /p" (process: rfqieb.exe)
  "C:\\Users\\Admin\\rfqieb.exe /h" (process: rfqieb.exe)
  "C:\\Users\\Admin\\rfqieb.exe /u" (process: rfqieb.exe)
  "C:\\Users\\Admin\\rfqieb.exe /y" (process: rfqieb.exe)
  "C:\\Users\\Admin\\rfqieb.exe /f" (process: rfqieb.exe)
  "C:\\Users\\Admin\\rfqieb.exe /o" (process: rfqieb.exe)
  "C:\\Users\\Admin\\rfqieb.exe /t" (process: rfqieb.exe)
  "C:\\Users\\Admin\\rfqieb.exe /i" (process: rfqieb.exe)
  "C:\\Users\\Admin\\rfqieb.exe /b" (process: rfqieb.exe)
  "C:\\Users\\Admin\\rfqieb.exe /r" (process: rfqieb.exe)
  "C:\\Users\\Admin\\rfqieb.exe /w" (process: rfqieb.exe)
  "C:\\Users\\Admin\\rfqieb.exe /d" (process: rfqieb.exe)
  "C:\\Users\\Admin\\rfqieb.exe /b" (process: 323CANON.EXE_WORM_VOBFUS.exe)
  "C:\\Users\\Admin\\rfqieb.exe /x" (process: rfqieb.exe)
  "C:\\Users\\Admin\\rfqieb.exe /g" (process: rfqieb.exe)
  "C:\\Users\\Admin\\rfqieb.exe /e" (process: rfqieb.exe)
  "C:\\Users\\Admin\\rfqieb.exe /a" (process: rfqieb.exe)
  "C:\\Users\\Admin\\rfqieb.exe /c" (process: rfqieb.exe)
  "C:\\Users\\Admin\\rfqieb.exe /k" (process: rfqieb.exe)
  "C:\\Users\\Admin\\rfqieb.exe /s" (process: rfqieb.exe)
  "C:\\Users\\Admin\\rfqieb.exe /l" (process: rfqieb.exe)
  "C:\\Users\\Admin\\rfqieb.exe /n" (process: rfqieb.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 2236 323CANON.EXE_WORM_VOBFUS.exe (1 entry)
  PID 1808 rfqieb.exe (the remaining 63 entries, all identical)
- Suspicious use of SetWindowsHookEx (2 IoCs)
  PID 2236 323CANON.EXE_WORM_VOBFUS.exe
  PID 1808 rfqieb.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  PID 2236 wrote to memory of 1808 (pid 2236, process 323CANON.EXE_WORM_VOBFUS.exe, procid_target 28); this identical entry is recorded 4 times
Processes
- C:\Users\Admin\AppData\Local\Temp\323CANON.EXE_WORM_VOBFUS.exe (PID 2236, tree level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\323CANON.EXE_WORM_VOBFUS.exe"
  Signatures: Modifies visibility of hidden/system files in Explorer; Loads dropped DLL; Adds Run key to start application; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\rfqieb.exe (PID 1808, tree level 2, nested under PID 2236)
    Command line: "C:\Users\Admin\rfqieb.exe"
    Signatures: Modifies visibility of hidden/system files in Explorer; Executes dropped EXE; Adds Run key to start application; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 300KB
  MD5: 3d2bfefedd9c6ca71478e529b119a2fd
  SHA1: b5959f5110baa7690c5e9157689d5efb325d1a79
  SHA256: 8c996dae289fa90ad3113f16e4dfec553fe7ac94f1e59a5ce2bcc90f5be0e3e8
  SHA512: a20fc03651c88bf14c190dcb483201cbbf7b4d018e74cd5eb8b4222b0a525a7406de554c5a6c2cde57d6b7f1e1dfd05dd0220230cdc5ce344eabeb44e00da7de