Overview (score 10)
Static (score 3)

Behavioral tasks (sample, platform, score):
- 323CANON.E...US.exe, windows7-x64: 10
- 323CANON.E...US.exe, windows10-2004-x64: 10
- WORM_VOBFUS.exe, windows7-x64: 10
- WORM_VOBFUS.exe, windows10-2004-x64: 10
- WORM_VOBFUS.exe, windows7-x64: 10
- WORM_VOBFUS.exe, windows10-2004-x64: 10
- WORM_VOBFUS.exe, windows7-x64: 7
- WORM_VOBFUS.exe, windows10-2004-x64: 7

Resubmissions (submitted, analysis ID, score):
- 08/07/2025, 08:09: 250708-j16kvavwcx, score 10
- 04/07/2025, 04:30: 250704-e483xsap8v, score 10
- 13/05/2024, 10:29: 240513-mjfjwabd28, score 10

Analysis
- max time kernel: 119s
- max time network: 125s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 13/05/2024, 10:29
Static task: static1

Behavioral tasks:
- behavioral1: sample 323CANON.EXE_WORM_VOBFUS.exe, resource win7-20240508-en
- behavioral2: sample 323CANON.EXE_WORM_VOBFUS.exe, resource win10v2004-20240426-en
- behavioral3: sample WORM_VOBFUS.exe, resource win7-20240508-en
- behavioral4: sample WORM_VOBFUS.exe, resource win10v2004-20240508-en
- behavioral5: sample WORM_VOBFUS.exe, resource win7-20240221-en
- behavioral6: sample WORM_VOBFUS.exe, resource win10v2004-20240426-en
- behavioral7: sample WORM_VOBFUS.exe, resource win7-20240221-en
- behavioral8: sample WORM_VOBFUS.exe, resource win10v2004-20240226-en
General
- Target: WORM_VOBFUS.exe
- Size: 92KB
- MD5: 4e15d812491ff0454f1e9393675b1c60
- SHA1: ec9291957872191902fb525641040b42e057acd8
- SHA256: e4d0b740421cfba7e7e4a30a2a69d59486e7347979af94145fb8f335960c33d5
- SHA512: 9554e4e882a176b7b38b55dc2a80400354aae90a12e7e0c3a4f481e68032423f65f28c439621dc27fdf4c99e8ad10aaed949f140398970480c26aa574b7a5982
- SSDEEP: 768:29QXHugT0lvlq/P1vwwrnkjBt1TJk8vK8GSdrD9wGy241ZUb/CxhYLJP30UOEGaK:i0PuBpmUbaxeLd4IfmkBwC8BD+KBq2x
Malware Config
Signatures
- Deletes itself (1 IoC)
  pid 2572, process cmd.exe
- Maps connected drives based on registry (3 TTPs, 2 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum (process WORM_VOBFUS.exe)
  Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 (process WORM_VOBFUS.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Enumerates processes with tasklist (1 TTP, 1 IoC)
  pid 2576, process tasklist.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, pid 2576, process tasklist.exe
- Suspicious use of SetWindowsHookAW (64 IoCs)
  pid 2876, process WORM_VOBFUS.exe (the same pid/process entry for all 64 IoCs)
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid 2876, process WORM_VOBFUS.exe (both IoCs)
- Suspicious use of WriteProcessMemory (8 IoCs)
  PID 2876 (WORM_VOBFUS.exe) wrote to memory of 2572, procid_target 29 (4 IoCs)
  PID 2572 (cmd.exe) wrote to memory of 2576, procid_target 31 (4 IoCs)
Processes
- C:\Users\Admin\AppData\Local\Temp\WORM_VOBFUS.exe (PID 2876)
  Command line: "C:\Users\Admin\AppData\Local\Temp\WORM_VOBFUS.exe"
  Signatures:
  - Maps connected drives based on registry
  - Suspicious use of SetWindowsHookAW
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Child process:
  - C:\Windows\SysWOW64\cmd.exe (PID 2572)
    Command line: "C:\Windows\System32\cmd.exe" /c tasklist&&del WORM_VOBFUS.exe
    Signatures:
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    Child process:
    - C:\Windows\SysWOW64\tasklist.exe (PID 2576)
      Command line: tasklist
      Signatures:
      - Enumerates processes with tasklist
      - Suspicious use of AdjustPrivilegeToken