Overview

Scores by task (as shown in the report's task tabs):
- Overview: 10
- Static: 3
- 323CANON.E...US.exe, windows7-x64: 10
- 323CANON.E...US.exe, windows10-2004-x64: 10
- WORM_VOBFUS.exe, windows7-x64: 10
- WORM_VOBFUS.exe, windows10-2004-x64: 10
- WORM_VOBFUS.exe, windows7-x64: 10
- WORM_VOBFUS.exe, windows10-2004-x64: 10
- WORM_VOBFUS.exe, windows7-x64: 7
- WORM_VOBFUS.exe, windows10-2004-x64: 7

Resubmissions:
- 08/07/2025, 08:09 (250708-j16kvavwcx): 10
- 04/07/2025, 04:30 (250704-e483xsap8v): 10
- 13/05/2024, 10:29 (240513-mjfjwabd28): 10

Analysis
- max time kernel: 140s
- max time network: 161s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 13/05/2024, 10:29
Static task: static1

Behavioral tasks:
- behavioral1: sample 323CANON.EXE_WORM_VOBFUS.exe, resource win7-20240508-en
- behavioral2: sample 323CANON.EXE_WORM_VOBFUS.exe, resource win10v2004-20240426-en
- behavioral3: sample WORM_VOBFUS.exe, resource win7-20240508-en
- behavioral4: sample WORM_VOBFUS.exe, resource win10v2004-20240508-en
- behavioral5: sample WORM_VOBFUS.exe, resource win7-20240221-en
- behavioral6: sample WORM_VOBFUS.exe, resource win10v2004-20240426-en
- behavioral7: sample WORM_VOBFUS.exe, resource win7-20240221-en
- behavioral8: sample WORM_VOBFUS.exe, resource win10v2004-20240226-en
General
- Target: WORM_VOBFUS.exe
- Size: 92KB
- MD5: 4e15d812491ff0454f1e9393675b1c60
- SHA1: ec9291957872191902fb525641040b42e057acd8
- SHA256: e4d0b740421cfba7e7e4a30a2a69d59486e7347979af94145fb8f335960c33d5
- SHA512: 9554e4e882a176b7b38b55dc2a80400354aae90a12e7e0c3a4f481e68032423f65f28c439621dc27fdf4c99e8ad10aaed949f140398970480c26aa574b7a5982
- SSDEEP: 768:29QXHugT0lvlq/P1vwwrnkjBt1TJk8vK8GSdrD9wGy241ZUb/CxhYLJP30UOEGaK:i0PuBpmUbaxeLd4IfmkBwC8BD+KBq2x
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation (process: WORM_VOBFUS.exe)
- Maps connected drives based on registry (3 TTPs, 2 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum (process: WORM_VOBFUS.exe)
  Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 (process: WORM_VOBFUS.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Enumerates processes with tasklist (1 TTP, 1 IoC)
  PID 4816, process tasklist.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, PID 4816, process tasklist.exe
- Suspicious use of SetWindowsHookAW (64 IoCs)
  PID 4268, process WORM_VOBFUS.exe (the same entry is listed 64 times)
- Suspicious use of SetWindowsHookEx (2 IoCs)
  PID 4268, process WORM_VOBFUS.exe (the same entry is listed twice)
- Suspicious use of WriteProcessMemory (6 IoCs)
  PID 4268 (WORM_VOBFUS.exe) wrote to memory of PID 3360, procid_target 91 (listed 3 times)
  PID 3360 (cmd.exe) wrote to memory of PID 4816, procid_target 94 (listed 3 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\WORM_VOBFUS.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\WORM_VOBFUS.exe"
  PID: 4268
  - Checks computer location settings
  - Maps connected drives based on registry
  - Suspicious use of SetWindowsHookAW
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c tasklist&&del WORM_VOBFUS.exe
    PID: 3360
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\tasklist.exe
      Command line: tasklist
      PID: 4816
      - Enumerates processes with tasklist
      - Suspicious use of AdjustPrivilegeToken
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1028 --field-trial-handle=2272,i,4858140932023865871,5726683989663339295,262144 --variations-seed-version /prefetch:8
  PID: 3924