Malware Analysis Report

2025-08-05 19:17

Sample ID 240513-mjfjwabd28
Target 3f0a46b1febcd33e25da42f6b491a273_JaffaCakes118
SHA256 033570bf95d42dad2652ed0662a2369d954d4580d1b872ea44041697d0edc237
Tags
evasion persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

033570bf95d42dad2652ed0662a2369d954d4580d1b872ea44041697d0edc237

Threat Level: Known bad

The file 3f0a46b1febcd33e25da42f6b491a273_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

evasion persistence

Modifies visibility of hidden/system files in Explorer

Loads dropped DLL

Deletes itself

Executes dropped EXE

Checks computer location settings

Maps connected drives based on registry

Adds Run key to start application

Enumerates physical storage devices

Unsigned PE

Program crash

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Enumerates processes with tasklist

Suspicious use of SetWindowsHookAW

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-13 10:29

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-13 10:29

Reported

2024-05-13 10:31

Platform

win7-20240508-en

Max time kernel

149s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\WORM_VOBFUS.exe"

Signatures

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\WORM_VOBFUS.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\jifih.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\jifih.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\WORM_VOBFUS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WORM_VOBFUS.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\jifih = "C:\\Users\\Admin\\jifih.exe /v" C:\Users\Admin\jifih.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\jifih = "C:\\Users\\Admin\\jifih.exe /q" C:\Users\Admin\jifih.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\jifih = "C:\\Users\\Admin\\jifih.exe /t" C:\Users\Admin\jifih.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\jifih = "C:\\Users\\Admin\\jifih.exe /i" C:\Users\Admin\jifih.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\jifih = "C:\\Users\\Admin\\jifih.exe /u" C:\Users\Admin\jifih.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\jifih = "C:\\Users\\Admin\\jifih.exe /j" C:\Users\Admin\jifih.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\jifih = "C:\\Users\\Admin\\jifih.exe /m" C:\Users\Admin\jifih.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\jifih = "C:\\Users\\Admin\\jifih.exe /z" C:\Users\Admin\jifih.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\jifih = "C:\\Users\\Admin\\jifih.exe /g" C:\Users\Admin\jifih.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\jifih = "C:\\Users\\Admin\\jifih.exe /s" C:\Users\Admin\jifih.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\jifih = "C:\\Users\\Admin\\jifih.exe /a" C:\Users\Admin\jifih.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\jifih = "C:\\Users\\Admin\\jifih.exe /l" C:\Users\Admin\jifih.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\jifih = "C:\\Users\\Admin\\jifih.exe /y" C:\Users\Admin\jifih.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\jifih = "C:\\Users\\Admin\\jifih.exe /p" C:\Users\Admin\jifih.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\jifih = "C:\\Users\\Admin\\jifih.exe /b" C:\Users\Admin\jifih.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\jifih = "C:\\Users\\Admin\\jifih.exe /o" C:\Users\Admin\jifih.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\jifih = "C:\\Users\\Admin\\jifih.exe /x" C:\Users\Admin\jifih.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\jifih = "C:\\Users\\Admin\\jifih.exe /n" C:\Users\Admin\jifih.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\jifih = "C:\\Users\\Admin\\jifih.exe /h" C:\Users\Admin\jifih.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\jifih = "C:\\Users\\Admin\\jifih.exe /w" C:\Users\Admin\jifih.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\jifih = "C:\\Users\\Admin\\jifih.exe /c" C:\Users\Admin\jifih.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\jifih = "C:\\Users\\Admin\\jifih.exe /r" C:\Users\Admin\jifih.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\jifih = "C:\\Users\\Admin\\jifih.exe /f" C:\Users\Admin\jifih.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\jifih = "C:\\Users\\Admin\\jifih.exe /v" C:\Users\Admin\AppData\Local\Temp\WORM_VOBFUS.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\jifih = "C:\\Users\\Admin\\jifih.exe /d" C:\Users\Admin\jifih.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\jifih = "C:\\Users\\Admin\\jifih.exe /e" C:\Users\Admin\jifih.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\jifih = "C:\\Users\\Admin\\jifih.exe /k" C:\Users\Admin\jifih.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\WORM_VOBFUS.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\WORM_VOBFUS.exe N/A
N/A N/A C:\Users\Admin\jifih.exe N/A
N/A N/A C:\Users\Admin\jifih.exe N/A
N/A N/A C:\Users\Admin\jifih.exe N/A
N/A N/A C:\Users\Admin\jifih.exe N/A
N/A N/A C:\Users\Admin\jifih.exe N/A
N/A N/A C:\Users\Admin\jifih.exe N/A
N/A N/A C:\Users\Admin\jifih.exe N/A
N/A N/A C:\Users\Admin\jifih.exe N/A
N/A N/A C:\Users\Admin\jifih.exe N/A
N/A N/A C:\Users\Admin\jifih.exe N/A
N/A N/A C:\Users\Admin\jifih.exe N/A
N/A N/A C:\Users\Admin\jifih.exe N/A
N/A N/A C:\Users\Admin\jifih.exe N/A
N/A N/A C:\Users\Admin\jifih.exe N/A
N/A N/A C:\Users\Admin\jifih.exe N/A
N/A N/A C:\Users\Admin\jifih.exe N/A
N/A N/A C:\Users\Admin\jifih.exe N/A
N/A N/A C:\Users\Admin\jifih.exe N/A
N/A N/A C:\Users\Admin\jifih.exe N/A
N/A N/A C:\Users\Admin\jifih.exe N/A
N/A N/A C:\Users\Admin\jifih.exe N/A
N/A N/A C:\Users\Admin\jifih.exe N/A
N/A N/A C:\Users\Admin\jifih.exe N/A
N/A N/A C:\Users\Admin\jifih.exe N/A
N/A N/A C:\Users\Admin\jifih.exe N/A
N/A N/A C:\Users\Admin\jifih.exe N/A
N/A N/A C:\Users\Admin\jifih.exe N/A
N/A N/A C:\Users\Admin\jifih.exe N/A
N/A N/A C:\Users\Admin\jifih.exe N/A
N/A N/A C:\Users\Admin\jifih.exe N/A
N/A N/A C:\Users\Admin\jifih.exe N/A
N/A N/A C:\Users\Admin\jifih.exe N/A
N/A N/A C:\Users\Admin\jifih.exe N/A
N/A N/A C:\Users\Admin\jifih.exe N/A
N/A N/A C:\Users\Admin\jifih.exe N/A
N/A N/A C:\Users\Admin\jifih.exe N/A
N/A N/A C:\Users\Admin\jifih.exe N/A
N/A N/A C:\Users\Admin\jifih.exe N/A
N/A N/A C:\Users\Admin\jifih.exe N/A
N/A N/A C:\Users\Admin\jifih.exe N/A
N/A N/A C:\Users\Admin\jifih.exe N/A
N/A N/A C:\Users\Admin\jifih.exe N/A
N/A N/A C:\Users\Admin\jifih.exe N/A
N/A N/A C:\Users\Admin\jifih.exe N/A
N/A N/A C:\Users\Admin\jifih.exe N/A
N/A N/A C:\Users\Admin\jifih.exe N/A
N/A N/A C:\Users\Admin\jifih.exe N/A
N/A N/A C:\Users\Admin\jifih.exe N/A
N/A N/A C:\Users\Admin\jifih.exe N/A
N/A N/A C:\Users\Admin\jifih.exe N/A
N/A N/A C:\Users\Admin\jifih.exe N/A
N/A N/A C:\Users\Admin\jifih.exe N/A
N/A N/A C:\Users\Admin\jifih.exe N/A
N/A N/A C:\Users\Admin\jifih.exe N/A
N/A N/A C:\Users\Admin\jifih.exe N/A
N/A N/A C:\Users\Admin\jifih.exe N/A
N/A N/A C:\Users\Admin\jifih.exe N/A
N/A N/A C:\Users\Admin\jifih.exe N/A
N/A N/A C:\Users\Admin\jifih.exe N/A
N/A N/A C:\Users\Admin\jifih.exe N/A
N/A N/A C:\Users\Admin\jifih.exe N/A
N/A N/A C:\Users\Admin\jifih.exe N/A
N/A N/A C:\Users\Admin\jifih.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\WORM_VOBFUS.exe N/A
N/A N/A C:\Users\Admin\jifih.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\WORM_VOBFUS.exe

"C:\Users\Admin\AppData\Local\Temp\WORM_VOBFUS.exe"

C:\Users\Admin\jifih.exe

"C:\Users\Admin\jifih.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2108 -s 748

Network

Country Destination Domain Proto
US 8.8.8.8:53 ns1.helpchecks.net udp

Files

\Users\Admin\jifih.exe

MD5 b1cf248d516223fbd98fe59c6de4747f
SHA1 0045b4d6ff504e928e2315bb8d4196f5bd8ab62b
SHA256 404a424cfa1fba436e01c9d195844a4a925947b87ceb287d0a82f3a5d00563cf
SHA512 8c0d45afd4aad297cd69e675d6218f6bd9550994c9a69f05035b6c554576a81a7790e47effca2ffeac41d27b7ac92fc081b2b29b1f48553a5e9b70ea4217485d

Analysis: behavioral4

Detonation Overview

Submitted

2024-05-13 10:29

Reported

2024-05-13 10:32

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\WORM_VOBFUS.exe"

Signatures

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\WORM_VOBFUS.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\koiemo.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\WORM_VOBFUS.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\koiemo.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\koiemo = "C:\\Users\\Admin\\koiemo.exe /o" C:\Users\Admin\koiemo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\koiemo = "C:\\Users\\Admin\\koiemo.exe /m" C:\Users\Admin\koiemo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\koiemo = "C:\\Users\\Admin\\koiemo.exe /k" C:\Users\Admin\koiemo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\koiemo = "C:\\Users\\Admin\\koiemo.exe /z" C:\Users\Admin\koiemo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\koiemo = "C:\\Users\\Admin\\koiemo.exe /g" C:\Users\Admin\koiemo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\koiemo = "C:\\Users\\Admin\\koiemo.exe /v" C:\Users\Admin\koiemo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\koiemo = "C:\\Users\\Admin\\koiemo.exe /j" C:\Users\Admin\koiemo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\koiemo = "C:\\Users\\Admin\\koiemo.exe /d" C:\Users\Admin\koiemo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\koiemo = "C:\\Users\\Admin\\koiemo.exe /l" C:\Users\Admin\koiemo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\koiemo = "C:\\Users\\Admin\\koiemo.exe /c" C:\Users\Admin\koiemo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\koiemo = "C:\\Users\\Admin\\koiemo.exe /n" C:\Users\Admin\koiemo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\koiemo = "C:\\Users\\Admin\\koiemo.exe /y" C:\Users\Admin\koiemo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\koiemo = "C:\\Users\\Admin\\koiemo.exe /u" C:\Users\Admin\koiemo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\koiemo = "C:\\Users\\Admin\\koiemo.exe /t" C:\Users\Admin\koiemo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\koiemo = "C:\\Users\\Admin\\koiemo.exe /i" C:\Users\Admin\koiemo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\koiemo = "C:\\Users\\Admin\\koiemo.exe /q" C:\Users\Admin\koiemo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\koiemo = "C:\\Users\\Admin\\koiemo.exe /w" C:\Users\Admin\koiemo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\koiemo = "C:\\Users\\Admin\\koiemo.exe /a" C:\Users\Admin\koiemo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\koiemo = "C:\\Users\\Admin\\koiemo.exe /x" C:\Users\Admin\koiemo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\koiemo = "C:\\Users\\Admin\\koiemo.exe /h" C:\Users\Admin\koiemo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\koiemo = "C:\\Users\\Admin\\koiemo.exe /e" C:\Users\Admin\koiemo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\koiemo = "C:\\Users\\Admin\\koiemo.exe /p" C:\Users\Admin\koiemo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\koiemo = "C:\\Users\\Admin\\koiemo.exe /b" C:\Users\Admin\koiemo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\koiemo = "C:\\Users\\Admin\\koiemo.exe /f" C:\Users\Admin\koiemo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\koiemo = "C:\\Users\\Admin\\koiemo.exe /j" C:\Users\Admin\AppData\Local\Temp\WORM_VOBFUS.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\koiemo = "C:\\Users\\Admin\\koiemo.exe /s" C:\Users\Admin\koiemo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\koiemo = "C:\\Users\\Admin\\koiemo.exe /r" C:\Users\Admin\koiemo.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\WORM_VOBFUS.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\WORM_VOBFUS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WORM_VOBFUS.exe N/A
N/A N/A C:\Users\Admin\koiemo.exe N/A
N/A N/A C:\Users\Admin\koiemo.exe N/A
N/A N/A C:\Users\Admin\koiemo.exe N/A
N/A N/A C:\Users\Admin\koiemo.exe N/A
N/A N/A C:\Users\Admin\koiemo.exe N/A
N/A N/A C:\Users\Admin\koiemo.exe N/A
N/A N/A C:\Users\Admin\koiemo.exe N/A
N/A N/A C:\Users\Admin\koiemo.exe N/A
N/A N/A C:\Users\Admin\koiemo.exe N/A
N/A N/A C:\Users\Admin\koiemo.exe N/A
N/A N/A C:\Users\Admin\koiemo.exe N/A
N/A N/A C:\Users\Admin\koiemo.exe N/A
N/A N/A C:\Users\Admin\koiemo.exe N/A
N/A N/A C:\Users\Admin\koiemo.exe N/A
N/A N/A C:\Users\Admin\koiemo.exe N/A
N/A N/A C:\Users\Admin\koiemo.exe N/A
N/A N/A C:\Users\Admin\koiemo.exe N/A
N/A N/A C:\Users\Admin\koiemo.exe N/A
N/A N/A C:\Users\Admin\koiemo.exe N/A
N/A N/A C:\Users\Admin\koiemo.exe N/A
N/A N/A C:\Users\Admin\koiemo.exe N/A
N/A N/A C:\Users\Admin\koiemo.exe N/A
N/A N/A C:\Users\Admin\koiemo.exe N/A
N/A N/A C:\Users\Admin\koiemo.exe N/A
N/A N/A C:\Users\Admin\koiemo.exe N/A
N/A N/A C:\Users\Admin\koiemo.exe N/A
N/A N/A C:\Users\Admin\koiemo.exe N/A
N/A N/A C:\Users\Admin\koiemo.exe N/A
N/A N/A C:\Users\Admin\koiemo.exe N/A
N/A N/A C:\Users\Admin\koiemo.exe N/A
N/A N/A C:\Users\Admin\koiemo.exe N/A
N/A N/A C:\Users\Admin\koiemo.exe N/A
N/A N/A C:\Users\Admin\koiemo.exe N/A
N/A N/A C:\Users\Admin\koiemo.exe N/A
N/A N/A C:\Users\Admin\koiemo.exe N/A
N/A N/A C:\Users\Admin\koiemo.exe N/A
N/A N/A C:\Users\Admin\koiemo.exe N/A
N/A N/A C:\Users\Admin\koiemo.exe N/A
N/A N/A C:\Users\Admin\koiemo.exe N/A
N/A N/A C:\Users\Admin\koiemo.exe N/A
N/A N/A C:\Users\Admin\koiemo.exe N/A
N/A N/A C:\Users\Admin\koiemo.exe N/A
N/A N/A C:\Users\Admin\koiemo.exe N/A
N/A N/A C:\Users\Admin\koiemo.exe N/A
N/A N/A C:\Users\Admin\koiemo.exe N/A
N/A N/A C:\Users\Admin\koiemo.exe N/A
N/A N/A C:\Users\Admin\koiemo.exe N/A
N/A N/A C:\Users\Admin\koiemo.exe N/A
N/A N/A C:\Users\Admin\koiemo.exe N/A
N/A N/A C:\Users\Admin\koiemo.exe N/A
N/A N/A C:\Users\Admin\koiemo.exe N/A
N/A N/A C:\Users\Admin\koiemo.exe N/A
N/A N/A C:\Users\Admin\koiemo.exe N/A
N/A N/A C:\Users\Admin\koiemo.exe N/A
N/A N/A C:\Users\Admin\koiemo.exe N/A
N/A N/A C:\Users\Admin\koiemo.exe N/A
N/A N/A C:\Users\Admin\koiemo.exe N/A
N/A N/A C:\Users\Admin\koiemo.exe N/A
N/A N/A C:\Users\Admin\koiemo.exe N/A
N/A N/A C:\Users\Admin\koiemo.exe N/A
N/A N/A C:\Users\Admin\koiemo.exe N/A
N/A N/A C:\Users\Admin\koiemo.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\WORM_VOBFUS.exe N/A
N/A N/A C:\Users\Admin\koiemo.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3940 wrote to memory of 412 N/A C:\Users\Admin\AppData\Local\Temp\WORM_VOBFUS.exe C:\Users\Admin\koiemo.exe
PID 3940 wrote to memory of 412 N/A C:\Users\Admin\AppData\Local\Temp\WORM_VOBFUS.exe C:\Users\Admin\koiemo.exe
PID 3940 wrote to memory of 412 N/A C:\Users\Admin\AppData\Local\Temp\WORM_VOBFUS.exe C:\Users\Admin\koiemo.exe

Processes

C:\Users\Admin\AppData\Local\Temp\WORM_VOBFUS.exe

"C:\Users\Admin\AppData\Local\Temp\WORM_VOBFUS.exe"

C:\Users\Admin\koiemo.exe

"C:\Users\Admin\koiemo.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 3940 -ip 3940

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3940 -s 1448

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 23.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
NL 23.62.61.171:443 www.bing.com tcp
US 8.8.8.8:53 171.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 ns1.helpchecks.net udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 139.53.16.96.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 74.239.69.13.in-addr.arpa udp

Files

C:\Users\Admin\koiemo.exe

MD5 16cf87f7b73ceaa91e67b71ad90751b8
SHA1 174b41c2251a917fd845e9fd58d0e918a38eb838
SHA256 fc98af857f44d435f5736eb9508d3b48304c58b1b3d786ac685c179743d8d43e
SHA512 707846c7b093751efbc7c531972c369ec00415454d4e1b1ee42b590c2933f9107ba74b3d83f077886473173225cd050207dac3db6ebcb142a0b8bfbf8283465e

Analysis: behavioral5

Detonation Overview

Submitted

2024-05-13 10:29

Reported

2024-05-13 10:31

Platform

win7-20240221-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\WORM_VOBFUS.exe"

Signatures

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\neeeha.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\WORM_VOBFUS.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\neeeha.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\WORM_VOBFUS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WORM_VOBFUS.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\neeeha = "C:\\Users\\Admin\\neeeha.exe /k" C:\Users\Admin\neeeha.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\neeeha = "C:\\Users\\Admin\\neeeha.exe /y" C:\Users\Admin\neeeha.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\neeeha = "C:\\Users\\Admin\\neeeha.exe /l" C:\Users\Admin\neeeha.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\neeeha = "C:\\Users\\Admin\\neeeha.exe /r" C:\Users\Admin\neeeha.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\neeeha = "C:\\Users\\Admin\\neeeha.exe /b" C:\Users\Admin\neeeha.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\neeeha = "C:\\Users\\Admin\\neeeha.exe /d" C:\Users\Admin\neeeha.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\neeeha = "C:\\Users\\Admin\\neeeha.exe /m" C:\Users\Admin\AppData\Local\Temp\WORM_VOBFUS.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\neeeha = "C:\\Users\\Admin\\neeeha.exe /h" C:\Users\Admin\neeeha.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\neeeha = "C:\\Users\\Admin\\neeeha.exe /a" C:\Users\Admin\neeeha.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\neeeha = "C:\\Users\\Admin\\neeeha.exe /x" C:\Users\Admin\neeeha.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\neeeha = "C:\\Users\\Admin\\neeeha.exe /f" C:\Users\Admin\neeeha.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\neeeha = "C:\\Users\\Admin\\neeeha.exe /s" C:\Users\Admin\neeeha.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\neeeha = "C:\\Users\\Admin\\neeeha.exe /q" C:\Users\Admin\neeeha.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\neeeha = "C:\\Users\\Admin\\neeeha.exe /e" C:\Users\Admin\neeeha.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\neeeha = "C:\\Users\\Admin\\neeeha.exe /c" C:\Users\Admin\neeeha.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\neeeha = "C:\\Users\\Admin\\neeeha.exe /n" C:\Users\Admin\neeeha.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\neeeha = "C:\\Users\\Admin\\neeeha.exe /i" C:\Users\Admin\neeeha.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\neeeha = "C:\\Users\\Admin\\neeeha.exe /v" C:\Users\Admin\neeeha.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\neeeha = "C:\\Users\\Admin\\neeeha.exe /u" C:\Users\Admin\neeeha.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\neeeha = "C:\\Users\\Admin\\neeeha.exe /p" C:\Users\Admin\neeeha.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\neeeha = "C:\\Users\\Admin\\neeeha.exe /z" C:\Users\Admin\neeeha.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\neeeha = "C:\\Users\\Admin\\neeeha.exe /j" C:\Users\Admin\neeeha.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\neeeha = "C:\\Users\\Admin\\neeeha.exe /m" C:\Users\Admin\neeeha.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\neeeha = "C:\\Users\\Admin\\neeeha.exe /g" C:\Users\Admin\neeeha.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\neeeha = "C:\\Users\\Admin\\neeeha.exe /o" C:\Users\Admin\neeeha.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\neeeha = "C:\\Users\\Admin\\neeeha.exe /t" C:\Users\Admin\neeeha.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\neeeha = "C:\\Users\\Admin\\neeeha.exe /w" C:\Users\Admin\neeeha.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\WORM_VOBFUS.exe N/A
N/A N/A C:\Users\Admin\neeeha.exe N/A
N/A N/A C:\Users\Admin\neeeha.exe N/A
N/A N/A C:\Users\Admin\neeeha.exe N/A
N/A N/A C:\Users\Admin\neeeha.exe N/A
N/A N/A C:\Users\Admin\neeeha.exe N/A
N/A N/A C:\Users\Admin\neeeha.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\WORM_VOBFUS.exe N/A
N/A N/A C:\Users\Admin\neeeha.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1876 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\WORM_VOBFUS.exe C:\Users\Admin\neeeha.exe

Processes

C:\Users\Admin\AppData\Local\Temp\WORM_VOBFUS.exe

"C:\Users\Admin\AppData\Local\Temp\WORM_VOBFUS.exe"

C:\Users\Admin\neeeha.exe

"C:\Users\Admin\neeeha.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 ns1.helpupdater.net udp
FI 193.166.255.171:9003 ns1.helpupdater.net tcp
US 8.8.8.8:53 ns1.helpupdated.com udp
US 8.8.8.8:53 ns1.helpupdated.net udp
US 8.8.8.8:53 ns1.helpupdated.org udp
US 8.8.8.8:53 ns1.helpupdatek.at udp
US 8.8.8.8:53 ns1.helpupdatek.eu udp
US 8.8.8.8:53 ns1.helpupdatek.tw udp
US 8.8.8.8:53 ns1.helpupdates.com udp

Files

\Users\Admin\neeeha.exe

MD5 3ad9cde08bcb6a286532e5e9f6ee5bdf
SHA1 a51386e3fed1188531ec5546746b66a59b3b088d
SHA256 010cf59aff841dd000bb7697a74abfc0e8f394d2b402a5463515de3ec51530d7
SHA512 3910bc0fcd392d70a98ef3658fcd8313b5d6e252ccb07474d478a836142df68c83af5bf47b28586a6b03d79b65711c7d4425e2de0890a7ec3093c0c4093ed080

Analysis: behavioral8

Detonation Overview

Submitted

2024-05-13 10:29

Reported

2024-05-13 10:32

Platform

win10v2004-20240226-en

Max time kernel

140s

Max time network

161s

Command Line

"C:\Users\Admin\AppData\Local\Temp\WORM_VOBFUS.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\WORM_VOBFUS.exe N/A

Maps connected drives based on registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Users\Admin\AppData\Local\Temp\WORM_VOBFUS.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Users\Admin\AppData\Local\Temp\WORM_VOBFUS.exe N/A

Enumerates physical storage devices

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A

Suspicious use of SetWindowsHookAW

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\WORM_VOBFUS.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\WORM_VOBFUS.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\WORM_VOBFUS.exe

"C:\Users\Admin\AppData\Local\Temp\WORM_VOBFUS.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c tasklist&&del WORM_VOBFUS.exe

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1028 --field-trial-handle=2272,i,4858140932023865871,5726683989663339295,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
FR 142.250.178.138:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 pki.goog udp
US 216.239.32.29:80 pki.goog tcp
US 8.8.8.8:53 138.178.250.142.in-addr.arpa udp
US 8.8.8.8:53 29.32.239.216.in-addr.arpa udp
US 8.8.8.8:53 759691.zdns.eu udp
US 8.8.8.8:53 0.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 13.107.246.64:443 tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 11.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-13 10:29

Reported

2024-05-13 10:31

Platform

win7-20240508-en

Max time kernel

150s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\323CANON.EXE_WORM_VOBFUS.exe"

Signatures

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\323CANON.EXE_WORM_VOBFUS.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\rfqieb.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\rfqieb.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\rfqieb = "C:\\Users\\Admin\\rfqieb.exe /m" C:\Users\Admin\rfqieb.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\rfqieb = "C:\\Users\\Admin\\rfqieb.exe /q" C:\Users\Admin\rfqieb.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\rfqieb = "C:\\Users\\Admin\\rfqieb.exe /j" C:\Users\Admin\rfqieb.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\rfqieb = "C:\\Users\\Admin\\rfqieb.exe /z" C:\Users\Admin\rfqieb.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\rfqieb = "C:\\Users\\Admin\\rfqieb.exe /v" C:\Users\Admin\rfqieb.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\rfqieb = "C:\\Users\\Admin\\rfqieb.exe /p" C:\Users\Admin\rfqieb.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\rfqieb = "C:\\Users\\Admin\\rfqieb.exe /h" C:\Users\Admin\rfqieb.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\rfqieb = "C:\\Users\\Admin\\rfqieb.exe /u" C:\Users\Admin\rfqieb.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\rfqieb = "C:\\Users\\Admin\\rfqieb.exe /y" C:\Users\Admin\rfqieb.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\rfqieb = "C:\\Users\\Admin\\rfqieb.exe /f" C:\Users\Admin\rfqieb.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\rfqieb = "C:\\Users\\Admin\\rfqieb.exe /o" C:\Users\Admin\rfqieb.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\rfqieb = "C:\\Users\\Admin\\rfqieb.exe /t" C:\Users\Admin\rfqieb.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\rfqieb = "C:\\Users\\Admin\\rfqieb.exe /i" C:\Users\Admin\rfqieb.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\rfqieb = "C:\\Users\\Admin\\rfqieb.exe /b" C:\Users\Admin\rfqieb.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\rfqieb = "C:\\Users\\Admin\\rfqieb.exe /r" C:\Users\Admin\rfqieb.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\rfqieb = "C:\\Users\\Admin\\rfqieb.exe /w" C:\Users\Admin\rfqieb.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\rfqieb = "C:\\Users\\Admin\\rfqieb.exe /d" C:\Users\Admin\rfqieb.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\rfqieb = "C:\\Users\\Admin\\rfqieb.exe /b" C:\Users\Admin\AppData\Local\Temp\323CANON.EXE_WORM_VOBFUS.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\rfqieb = "C:\\Users\\Admin\\rfqieb.exe /x" C:\Users\Admin\rfqieb.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\rfqieb = "C:\\Users\\Admin\\rfqieb.exe /g" C:\Users\Admin\rfqieb.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\rfqieb = "C:\\Users\\Admin\\rfqieb.exe /e" C:\Users\Admin\rfqieb.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\rfqieb = "C:\\Users\\Admin\\rfqieb.exe /a" C:\Users\Admin\rfqieb.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\rfqieb = "C:\\Users\\Admin\\rfqieb.exe /c" C:\Users\Admin\rfqieb.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\rfqieb = "C:\\Users\\Admin\\rfqieb.exe /k" C:\Users\Admin\rfqieb.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\rfqieb = "C:\\Users\\Admin\\rfqieb.exe /s" C:\Users\Admin\rfqieb.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\rfqieb = "C:\\Users\\Admin\\rfqieb.exe /l" C:\Users\Admin\rfqieb.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\rfqieb = "C:\\Users\\Admin\\rfqieb.exe /n" C:\Users\Admin\rfqieb.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\323CANON.EXE_WORM_VOBFUS.exe N/A
N/A N/A C:\Users\Admin\rfqieb.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\323CANON.EXE_WORM_VOBFUS.exe N/A
N/A N/A C:\Users\Admin\rfqieb.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\323CANON.EXE_WORM_VOBFUS.exe

"C:\Users\Admin\AppData\Local\Temp\323CANON.EXE_WORM_VOBFUS.exe"

C:\Users\Admin\rfqieb.exe

"C:\Users\Admin\rfqieb.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 ns1.musiczipz.com udp
US 8.8.8.8:53 ns1.musicmixa.net udp
US 8.8.8.8:53 ns1.musicmixa.org udp
US 8.8.8.8:53 ns1.musicmixb.co udp
US 8.8.8.8:53 ns1.musicmixc.com udp

Files

C:\Users\Admin\rfqieb.exe

MD5 3d2bfefedd9c6ca71478e529b119a2fd
SHA1 b5959f5110baa7690c5e9157689d5efb325d1a79
SHA256 8c996dae289fa90ad3113f16e4dfec553fe7ac94f1e59a5ce2bcc90f5be0e3e8
SHA512 a20fc03651c88bf14c190dcb483201cbbf7b4d018e74cd5eb8b4222b0a525a7406de554c5a6c2cde57d6b7f1e1dfd05dd0220230cdc5ce344eabeb44e00da7de

Analysis: behavioral6

Detonation Overview

Submitted

2024-05-13 10:29

Reported

2024-05-13 10:32

Platform

win10v2004-20240426-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\WORM_VOBFUS.exe"

Signatures

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\WORM_VOBFUS.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\yajip.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\WORM_VOBFUS.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\yajip.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yajip = "C:\\Users\\Admin\\yajip.exe /m" C:\Users\Admin\yajip.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yajip = "C:\\Users\\Admin\\yajip.exe /k" C:\Users\Admin\yajip.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yajip = "C:\\Users\\Admin\\yajip.exe /x" C:\Users\Admin\yajip.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yajip = "C:\\Users\\Admin\\yajip.exe /w" C:\Users\Admin\yajip.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yajip = "C:\\Users\\Admin\\yajip.exe /j" C:\Users\Admin\yajip.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yajip = "C:\\Users\\Admin\\yajip.exe /d" C:\Users\Admin\yajip.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yajip = "C:\\Users\\Admin\\yajip.exe /n" C:\Users\Admin\yajip.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yajip = "C:\\Users\\Admin\\yajip.exe /r" C:\Users\Admin\yajip.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yajip = "C:\\Users\\Admin\\yajip.exe /g" C:\Users\Admin\yajip.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yajip = "C:\\Users\\Admin\\yajip.exe /f" C:\Users\Admin\AppData\Local\Temp\WORM_VOBFUS.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yajip = "C:\\Users\\Admin\\yajip.exe /b" C:\Users\Admin\yajip.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yajip = "C:\\Users\\Admin\\yajip.exe /v" C:\Users\Admin\yajip.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yajip = "C:\\Users\\Admin\\yajip.exe /i" C:\Users\Admin\yajip.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yajip = "C:\\Users\\Admin\\yajip.exe /o" C:\Users\Admin\yajip.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yajip = "C:\\Users\\Admin\\yajip.exe /l" C:\Users\Admin\yajip.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yajip = "C:\\Users\\Admin\\yajip.exe /a" C:\Users\Admin\yajip.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yajip = "C:\\Users\\Admin\\yajip.exe /p" C:\Users\Admin\yajip.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yajip = "C:\\Users\\Admin\\yajip.exe /c" C:\Users\Admin\yajip.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yajip = "C:\\Users\\Admin\\yajip.exe /y" C:\Users\Admin\yajip.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yajip = "C:\\Users\\Admin\\yajip.exe /t" C:\Users\Admin\yajip.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yajip = "C:\\Users\\Admin\\yajip.exe /h" C:\Users\Admin\yajip.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yajip = "C:\\Users\\Admin\\yajip.exe /z" C:\Users\Admin\yajip.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yajip = "C:\\Users\\Admin\\yajip.exe /q" C:\Users\Admin\yajip.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yajip = "C:\\Users\\Admin\\yajip.exe /f" C:\Users\Admin\yajip.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yajip = "C:\\Users\\Admin\\yajip.exe /e" C:\Users\Admin\yajip.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yajip = "C:\\Users\\Admin\\yajip.exe /u" C:\Users\Admin\yajip.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yajip = "C:\\Users\\Admin\\yajip.exe /s" C:\Users\Admin\yajip.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\WORM_VOBFUS.exe N/A
N/A N/A C:\Users\Admin\yajip.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\WORM_VOBFUS.exe N/A
N/A N/A C:\Users\Admin\yajip.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4424 wrote to memory of 4716 N/A C:\Users\Admin\AppData\Local\Temp\WORM_VOBFUS.exe C:\Users\Admin\yajip.exe

Processes

C:\Users\Admin\AppData\Local\Temp\WORM_VOBFUS.exe

"C:\Users\Admin\AppData\Local\Temp\WORM_VOBFUS.exe"

C:\Users\Admin\yajip.exe

"C:\Users\Admin\yajip.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.171:443 www.bing.com tcp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 171.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 ns1.helpupdater.net udp
US 8.8.8.8:53 ns1.helpupdated.com udp
US 8.8.8.8:53 ns1.helpupdated.net udp
US 8.8.8.8:53 ns1.helpupdated.org udp
US 8.8.8.8:53 ns1.helpupdatek.at udp
US 8.8.8.8:53 ns1.helpupdatek.eu udp
US 8.8.8.8:53 ns1.helpupdatek.tw udp
US 8.8.8.8:53 ns1.helpupdates.com udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 139.53.16.96.in-addr.arpa udp
US 8.8.8.8:53 ns1.helpupdated.net udp
US 8.8.8.8:53 ns1.helpupdated.org udp
US 8.8.8.8:53 ns1.helpupdatek.at udp
US 8.8.8.8:53 ns1.helpupdatek.eu udp
US 8.8.8.8:53 ns1.helpupdatek.tw udp
US 8.8.8.8:53 ns1.helpupdates.com udp
US 8.8.8.8:53 ns1.helpupdated.com udp
US 8.8.8.8:53 ns1.helpupdated.net udp
US 8.8.8.8:53 ns1.helpupdated.org udp
US 8.8.8.8:53 ns1.helpupdatek.at udp
US 8.8.8.8:53 ns1.helpupdatek.eu udp
US 8.8.8.8:53 ns1.helpupdatek.tw udp
US 8.8.8.8:53 ns1.helpupdates.com udp
US 8.8.8.8:53 ns1.helpupdated.com udp
US 8.8.8.8:53 ns1.helpupdated.net udp
US 8.8.8.8:53 ns1.helpupdated.org udp
US 8.8.8.8:53 ns1.helpupdatek.at udp
US 8.8.8.8:53 ns1.helpupdatek.eu udp
US 8.8.8.8:53 ns1.helpupdatek.tw udp
US 8.8.8.8:53 ns1.helpupdates.com udp
US 8.8.8.8:53 ns1.helpupdated.com udp
US 8.8.8.8:53 ns1.helpupdated.net udp
US 8.8.8.8:53 ns1.helpupdated.org udp
US 8.8.8.8:53 ns1.helpupdatek.eu udp
US 8.8.8.8:53 ns1.helpupdatek.tw udp
US 8.8.8.8:53 ns1.helpupdates.com udp
US 8.8.8.8:53 ns1.helpupdated.com udp
US 8.8.8.8:53 ns1.helpupdated.net udp
US 8.8.8.8:53 ns1.helpupdated.org udp
US 8.8.8.8:53 ns1.helpupdatek.at udp
US 8.8.8.8:53 ns1.helpupdatek.eu udp
US 8.8.8.8:53 ns1.helpupdatek.tw udp
US 8.8.8.8:53 ns1.helpupdates.com udp
US 8.8.8.8:53 ns1.helpupdated.com udp
US 8.8.8.8:53 ns1.helpupdated.net udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 ns1.helpupdated.org udp
US 8.8.8.8:53 ns1.helpupdatek.at udp
US 8.8.8.8:53 ns1.helpupdatek.eu udp
US 8.8.8.8:53 ns1.helpupdatek.tw udp
US 8.8.8.8:53 ns1.helpupdates.com udp
US 8.8.8.8:53 ns1.helpupdated.com udp
US 8.8.8.8:53 ns1.helpupdated.net udp
US 8.8.8.8:53 ns1.helpupdated.org udp
US 8.8.8.8:53 ns1.helpupdatek.at udp
US 8.8.8.8:53 ns1.helpupdatek.eu udp
US 8.8.8.8:53 ns1.helpupdatek.tw udp
US 8.8.8.8:53 ns1.helpupdates.com udp
US 8.8.8.8:53 ns1.helpupdated.com udp
US 8.8.8.8:53 ns1.helpupdated.net udp
US 8.8.8.8:53 ns1.helpupdated.org udp
US 8.8.8.8:53 ns1.helpupdatek.at udp
US 8.8.8.8:53 ns1.helpupdatek.eu udp
US 8.8.8.8:53 ns1.helpupdatek.tw udp
US 8.8.8.8:53 ns1.helpupdates.com udp
US 8.8.8.8:53 ns1.helpupdated.com udp
US 8.8.8.8:53 ns1.helpupdated.net udp
US 8.8.8.8:53 ns1.helpupdated.org udp
US 8.8.8.8:53 ns1.helpupdatek.at udp
US 8.8.8.8:53 ns1.helpupdatek.eu udp
US 8.8.8.8:53 ns1.helpupdatek.tw udp
US 8.8.8.8:53 ns1.helpupdates.com udp
US 8.8.8.8:53 ns1.helpupdated.com udp
US 8.8.8.8:53 ns1.helpupdated.net udp
US 8.8.8.8:53 ns1.helpupdated.com udp
US 8.8.8.8:53 ns1.helpupdated.org udp
US 8.8.8.8:53 ns1.helpupdatek.at udp
US 8.8.8.8:53 ns1.helpupdatek.eu udp
US 8.8.8.8:53 ns1.helpupdatek.tw udp
US 8.8.8.8:53 ns1.helpupdates.com udp
US 8.8.8.8:53 ns1.helpupdated.net udp
US 8.8.8.8:53 ns1.helpupdated.com udp
US 8.8.8.8:53 ns1.helpupdated.org udp
US 8.8.8.8:53 ns1.helpupdatek.at udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 ns1.helpupdatek.eu udp
US 8.8.8.8:53 ns1.helpupdatek.tw udp
US 8.8.8.8:53 ns1.helpupdates.com udp
US 8.8.8.8:53 ns1.helpupdated.net udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 ns1.helpupdated.org udp
US 8.8.8.8:53 ns1.helpupdatek.at udp
US 8.8.8.8:53 ns1.helpupdatek.eu udp
US 8.8.8.8:53 ns1.helpupdatek.tw udp
US 8.8.8.8:53 ns1.helpupdates.com udp
US 8.8.8.8:53 ns1.helpupdated.com udp
US 8.8.8.8:53 ns1.helpupdated.net udp
US 8.8.8.8:53 ns1.helpupdated.org udp
US 8.8.8.8:53 ns1.helpupdatek.at udp
US 8.8.8.8:53 ns1.helpupdatek.eu udp
US 8.8.8.8:53 ns1.helpupdatek.tw udp
US 8.8.8.8:53 ns1.helpupdates.com udp
US 8.8.8.8:53 ns1.helpupdated.com udp
US 8.8.8.8:53 ns1.helpupdated.net udp
US 8.8.8.8:53 ns1.helpupdated.org udp
US 8.8.8.8:53 ns1.helpupdatek.at udp
US 8.8.8.8:53 ns1.helpupdatek.eu udp
US 8.8.8.8:53 ns1.helpupdatek.tw udp
US 8.8.8.8:53 ns1.helpupdates.com udp
US 8.8.8.8:53 ns1.helpupdated.com udp
US 8.8.8.8:53 ns1.helpupdated.net udp
US 8.8.8.8:53 ns1.helpupdated.org udp
US 8.8.8.8:53 ns1.helpupdatek.at udp
US 8.8.8.8:53 ns1.helpupdatek.eu udp
US 8.8.8.8:53 ns1.helpupdatek.tw udp
US 8.8.8.8:53 ns1.helpupdates.com udp
US 8.8.8.8:53 ns1.helpupdated.com udp
US 8.8.8.8:53 ns1.helpupdated.net udp
US 8.8.8.8:53 ns1.helpupdated.org udp
US 8.8.8.8:53 ns1.helpupdatek.at udp
US 8.8.8.8:53 ns1.helpupdatek.eu udp
US 8.8.8.8:53 ns1.helpupdatek.tw udp
US 8.8.8.8:53 ns1.helpupdates.com udp
US 8.8.8.8:53 ns1.helpupdated.com udp
US 8.8.8.8:53 ns1.helpupdated.net udp
US 8.8.8.8:53 ns1.helpupdated.org udp
US 8.8.8.8:53 ns1.helpupdatek.at udp
US 8.8.8.8:53 ns1.helpupdatek.eu udp
US 8.8.8.8:53 ns1.helpupdatek.tw udp
US 8.8.8.8:53 ns1.helpupdates.com udp
US 8.8.8.8:53 ns1.helpupdated.com udp
US 8.8.8.8:53 ns1.helpupdated.net udp
US 8.8.8.8:53 ns1.helpupdatek.tw udp
US 8.8.8.8:53 ns1.helpupdates.com udp
US 8.8.8.8:53 ns1.helpupdated.com udp
US 8.8.8.8:53 ns1.helpupdated.org udp
US 8.8.8.8:53 ns1.helpupdatek.at udp
US 8.8.8.8:53 ns1.helpupdatek.eu udp
US 8.8.8.8:53 ns1.helpupdated.net udp
US 8.8.8.8:53 ns1.helpupdated.org udp
US 8.8.8.8:53 ns1.helpupdatek.at udp
US 8.8.8.8:53 ns1.helpupdatek.eu udp
US 8.8.8.8:53 ns1.helpupdates.com udp
US 8.8.8.8:53 ns1.helpupdated.com udp
US 8.8.8.8:53 ns1.helpupdated.net udp
US 8.8.8.8:53 ns1.helpupdated.org udp
US 8.8.8.8:53 ns1.helpupdatek.at udp
US 8.8.8.8:53 ns1.helpupdatek.eu udp
US 8.8.8.8:53 ns1.helpupdatek.tw udp
US 8.8.8.8:53 ns1.helpupdates.com udp
US 8.8.8.8:53 ns1.helpupdated.com udp
US 8.8.8.8:53 ns1.helpupdated.net udp
US 8.8.8.8:53 ns1.helpupdated.org udp
US 8.8.8.8:53 ns1.helpupdatek.at udp
US 8.8.8.8:53 ns1.helpupdatek.eu udp
US 8.8.8.8:53 ns1.helpupdatek.tw udp
US 8.8.8.8:53 ns1.helpupdates.com udp
US 8.8.8.8:53 ns1.helpupdated.com udp
US 8.8.8.8:53 ns1.helpupdated.net udp
US 8.8.8.8:53 udp

Files

C:\Users\Admin\yajip.exe

MD5 cd2e36438b8189e3417a1e121c64dfe9
SHA1 8b538409de05379228baac00275c0fe9aa7acd29
SHA256 cc920df09426c1cbeb030b36288cc4d90edea5580ee0438cd1256da8a67ea7f2
SHA512 59619b2aa41787d4be77ae922ac301849b2d64955fdaa77a25896d589415a14e573ba3abc793227c406e97ed01d68f7c37230df2c33a0523800fcf1084af0a72

Analysis: behavioral7

Detonation Overview

Submitted

2024-05-13 10:29

Reported

2024-05-13 10:32

Platform

win7-20240221-en

Max time kernel

119s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\WORM_VOBFUS.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Maps connected drives based on registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Users\Admin\AppData\Local\Temp\WORM_VOBFUS.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Users\Admin\AppData\Local\Temp\WORM_VOBFUS.exe N/A

Enumerates physical storage devices

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A

Suspicious use of SetWindowsHookAW

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\WORM_VOBFUS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WORM_VOBFUS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WORM_VOBFUS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WORM_VOBFUS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WORM_VOBFUS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WORM_VOBFUS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WORM_VOBFUS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WORM_VOBFUS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WORM_VOBFUS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WORM_VOBFUS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WORM_VOBFUS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WORM_VOBFUS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WORM_VOBFUS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WORM_VOBFUS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WORM_VOBFUS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WORM_VOBFUS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WORM_VOBFUS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WORM_VOBFUS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WORM_VOBFUS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WORM_VOBFUS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WORM_VOBFUS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WORM_VOBFUS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WORM_VOBFUS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WORM_VOBFUS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WORM_VOBFUS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WORM_VOBFUS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WORM_VOBFUS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WORM_VOBFUS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WORM_VOBFUS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WORM_VOBFUS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WORM_VOBFUS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WORM_VOBFUS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WORM_VOBFUS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WORM_VOBFUS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WORM_VOBFUS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WORM_VOBFUS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WORM_VOBFUS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WORM_VOBFUS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WORM_VOBFUS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WORM_VOBFUS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WORM_VOBFUS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WORM_VOBFUS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WORM_VOBFUS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WORM_VOBFUS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WORM_VOBFUS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WORM_VOBFUS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WORM_VOBFUS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WORM_VOBFUS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WORM_VOBFUS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WORM_VOBFUS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WORM_VOBFUS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WORM_VOBFUS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WORM_VOBFUS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WORM_VOBFUS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WORM_VOBFUS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WORM_VOBFUS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WORM_VOBFUS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WORM_VOBFUS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WORM_VOBFUS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WORM_VOBFUS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WORM_VOBFUS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WORM_VOBFUS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WORM_VOBFUS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WORM_VOBFUS.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\WORM_VOBFUS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WORM_VOBFUS.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\WORM_VOBFUS.exe

"C:\Users\Admin\AppData\Local\Temp\WORM_VOBFUS.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c tasklist&&del WORM_VOBFUS.exe

C:\Windows\SysWOW64\tasklist.exe

tasklist

Network

Country Destination Domain Proto
US 8.8.8.8:53 759691.zdns.eu udp

Files

memory/2876-2-0x0000000003670000-0x000000000412A000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-13 10:29

Reported

2024-05-13 10:32

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\323CANON.EXE_WORM_VOBFUS.exe"

Signatures

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\323CANON.EXE_WORM_VOBFUS.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\goewit.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\323CANON.EXE_WORM_VOBFUS.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\goewit.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\goewit = "C:\\Users\\Admin\\goewit.exe /y" C:\Users\Admin\AppData\Local\Temp\323CANON.EXE_WORM_VOBFUS.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\goewit = "C:\\Users\\Admin\\goewit.exe /z" C:\Users\Admin\goewit.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\goewit = "C:\\Users\\Admin\\goewit.exe /q" C:\Users\Admin\goewit.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\goewit = "C:\\Users\\Admin\\goewit.exe /f" C:\Users\Admin\goewit.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\goewit = "C:\\Users\\Admin\\goewit.exe /m" C:\Users\Admin\goewit.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\goewit = "C:\\Users\\Admin\\goewit.exe /l" C:\Users\Admin\goewit.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\goewit = "C:\\Users\\Admin\\goewit.exe /n" C:\Users\Admin\goewit.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\goewit = "C:\\Users\\Admin\\goewit.exe /w" C:\Users\Admin\goewit.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\goewit = "C:\\Users\\Admin\\goewit.exe /d" C:\Users\Admin\goewit.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\goewit = "C:\\Users\\Admin\\goewit.exe /u" C:\Users\Admin\goewit.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\goewit = "C:\\Users\\Admin\\goewit.exe /r" C:\Users\Admin\goewit.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\goewit = "C:\\Users\\Admin\\goewit.exe /a" C:\Users\Admin\goewit.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\goewit = "C:\\Users\\Admin\\goewit.exe /h" C:\Users\Admin\goewit.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\goewit = "C:\\Users\\Admin\\goewit.exe /x" C:\Users\Admin\goewit.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\goewit = "C:\\Users\\Admin\\goewit.exe /b" C:\Users\Admin\goewit.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\goewit = "C:\\Users\\Admin\\goewit.exe /v" C:\Users\Admin\goewit.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\goewit = "C:\\Users\\Admin\\goewit.exe /p" C:\Users\Admin\goewit.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\goewit = "C:\\Users\\Admin\\goewit.exe /i" C:\Users\Admin\goewit.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\goewit = "C:\\Users\\Admin\\goewit.exe /y" C:\Users\Admin\goewit.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\goewit = "C:\\Users\\Admin\\goewit.exe /e" C:\Users\Admin\goewit.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\goewit = "C:\\Users\\Admin\\goewit.exe /g" C:\Users\Admin\goewit.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\goewit = "C:\\Users\\Admin\\goewit.exe /s" C:\Users\Admin\goewit.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\goewit = "C:\\Users\\Admin\\goewit.exe /t" C:\Users\Admin\goewit.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\goewit = "C:\\Users\\Admin\\goewit.exe /c" C:\Users\Admin\goewit.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\goewit = "C:\\Users\\Admin\\goewit.exe /o" C:\Users\Admin\goewit.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\goewit = "C:\\Users\\Admin\\goewit.exe /j" C:\Users\Admin\goewit.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\goewit = "C:\\Users\\Admin\\goewit.exe /k" C:\Users\Admin\goewit.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\323CANON.EXE_WORM_VOBFUS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\323CANON.EXE_WORM_VOBFUS.exe N/A
N/A N/A C:\Users\Admin\goewit.exe N/A
N/A N/A C:\Users\Admin\goewit.exe N/A
N/A N/A C:\Users\Admin\goewit.exe N/A
N/A N/A C:\Users\Admin\goewit.exe N/A
N/A N/A C:\Users\Admin\goewit.exe N/A
N/A N/A C:\Users\Admin\goewit.exe N/A
N/A N/A C:\Users\Admin\goewit.exe N/A
N/A N/A C:\Users\Admin\goewit.exe N/A
N/A N/A C:\Users\Admin\goewit.exe N/A
N/A N/A C:\Users\Admin\goewit.exe N/A
N/A N/A C:\Users\Admin\goewit.exe N/A
N/A N/A C:\Users\Admin\goewit.exe N/A
N/A N/A C:\Users\Admin\goewit.exe N/A
N/A N/A C:\Users\Admin\goewit.exe N/A
N/A N/A C:\Users\Admin\goewit.exe N/A
N/A N/A C:\Users\Admin\goewit.exe N/A
N/A N/A C:\Users\Admin\goewit.exe N/A
N/A N/A C:\Users\Admin\goewit.exe N/A
N/A N/A C:\Users\Admin\goewit.exe N/A
N/A N/A C:\Users\Admin\goewit.exe N/A
N/A N/A C:\Users\Admin\goewit.exe N/A
N/A N/A C:\Users\Admin\goewit.exe N/A
N/A N/A C:\Users\Admin\goewit.exe N/A
N/A N/A C:\Users\Admin\goewit.exe N/A
N/A N/A C:\Users\Admin\goewit.exe N/A
N/A N/A C:\Users\Admin\goewit.exe N/A
N/A N/A C:\Users\Admin\goewit.exe N/A
N/A N/A C:\Users\Admin\goewit.exe N/A
N/A N/A C:\Users\Admin\goewit.exe N/A
N/A N/A C:\Users\Admin\goewit.exe N/A
N/A N/A C:\Users\Admin\goewit.exe N/A
N/A N/A C:\Users\Admin\goewit.exe N/A
N/A N/A C:\Users\Admin\goewit.exe N/A
N/A N/A C:\Users\Admin\goewit.exe N/A
N/A N/A C:\Users\Admin\goewit.exe N/A
N/A N/A C:\Users\Admin\goewit.exe N/A
N/A N/A C:\Users\Admin\goewit.exe N/A
N/A N/A C:\Users\Admin\goewit.exe N/A
N/A N/A C:\Users\Admin\goewit.exe N/A
N/A N/A C:\Users\Admin\goewit.exe N/A
N/A N/A C:\Users\Admin\goewit.exe N/A
N/A N/A C:\Users\Admin\goewit.exe N/A
N/A N/A C:\Users\Admin\goewit.exe N/A
N/A N/A C:\Users\Admin\goewit.exe N/A
N/A N/A C:\Users\Admin\goewit.exe N/A
N/A N/A C:\Users\Admin\goewit.exe N/A
N/A N/A C:\Users\Admin\goewit.exe N/A
N/A N/A C:\Users\Admin\goewit.exe N/A
N/A N/A C:\Users\Admin\goewit.exe N/A
N/A N/A C:\Users\Admin\goewit.exe N/A
N/A N/A C:\Users\Admin\goewit.exe N/A
N/A N/A C:\Users\Admin\goewit.exe N/A
N/A N/A C:\Users\Admin\goewit.exe N/A
N/A N/A C:\Users\Admin\goewit.exe N/A
N/A N/A C:\Users\Admin\goewit.exe N/A
N/A N/A C:\Users\Admin\goewit.exe N/A
N/A N/A C:\Users\Admin\goewit.exe N/A
N/A N/A C:\Users\Admin\goewit.exe N/A
N/A N/A C:\Users\Admin\goewit.exe N/A
N/A N/A C:\Users\Admin\goewit.exe N/A
N/A N/A C:\Users\Admin\goewit.exe N/A
N/A N/A C:\Users\Admin\goewit.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\323CANON.EXE_WORM_VOBFUS.exe N/A
N/A N/A C:\Users\Admin\goewit.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\323CANON.EXE_WORM_VOBFUS.exe

"C:\Users\Admin\AppData\Local\Temp\323CANON.EXE_WORM_VOBFUS.exe"

C:\Users\Admin\goewit.exe

"C:\Users\Admin\goewit.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.113:443 www.bing.com tcp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 113.61.62.23.in-addr.arpa udp
NL 23.62.61.113:443 www.bing.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 ns1.musiczipz.com udp
US 8.8.8.8:53 ns1.musicmixa.net udp
US 8.8.8.8:53 ns1.musicmixa.org udp
US 8.8.8.8:53 ns1.musicmixb.co udp
US 8.8.8.8:53 ns1.musicmixc.com udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 175.117.168.52.in-addr.arpa udp

Files

C:\Users\Admin\goewit.exe

MD5 cc037b05fa5fbd0d8dd20698a0d33c7a
SHA1 f2798579639da7f4bf82a3f15f8828f4515ecdad
SHA256 348c7992fab56a12ee9ec30cc962ffe3ed7078fb2784ad32bfdb8045a54e2cc2
SHA512 810a74528f2a0e8c8947116bea599343c37c10635f91c96f7c30006f91d470fcce4c085dffdf8ff39027b3e05fae6830ffc9023b4c07c06765661d0b080f7c1b