Resubmissions

08/07/2025, 08:09

250708-j16kvavwcx 10

04/07/2025, 04:30

250704-e483xsap8v 10

13/05/2024, 10:29

240513-mjfjwabd28 10

Analysis

  • max time kernel
    149s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13/05/2024, 10:29

General

  • Target

    323CANON.EXE_WORM_VOBFUS.exe

  • Size

    300KB

  • MD5

    70f0b7bd55b91de26f9ed6f1ef86b456

  • SHA1

    d774cdaa9082ac15feb9514e7364d76092a6807a

  • SHA256

    fe32599d6f2d1a874b65928cfd01a87f9d0a83d2b1e30b8f1148c8ad8aefd985

  • SHA512

    3928885f382a5f833eb2c2b4641b8227138dce4cb161cae3049e837ba13384119ec8aaf70c6e85c99583c07db18bbaab77e19bdc3485f9e23adb3be3d0ab7912

  • SSDEEP

    3072:XMIQ/iifD4gfGWKdbKsQOO1HobSp0xl6EPpc4VpJzNDdlcjBPZz:XBciib4gfGWcmsQobG0xlfPpndiVPB

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 27 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\323CANON.EXE_WORM_VOBFUS.exe
    "C:\Users\Admin\AppData\Local\Temp\323CANON.EXE_WORM_VOBFUS.exe"
    1⤵
    • Modifies visibility of hidden/system files in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:864
    • C:\Users\Admin\goewit.exe
      "C:\Users\Admin\goewit.exe"
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:3940

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\goewit.exe

    Filesize

    300KB

    MD5

    cc037b05fa5fbd0d8dd20698a0d33c7a

    SHA1

    f2798579639da7f4bf82a3f15f8828f4515ecdad

    SHA256

    348c7992fab56a12ee9ec30cc962ffe3ed7078fb2784ad32bfdb8045a54e2cc2

    SHA512

    810a74528f2a0e8c8947116bea599343c37c10635f91c96f7c30006f91d470fcce4c085dffdf8ff39027b3e05fae6830ffc9023b4c07c06765661d0b080f7c1b