bfbb0c9687fa8e3d87a0d5cbf400d43f6072ba1081ae3e65834bb31e4e5d18e2

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
15-03-2024 22:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Email-Worm.MyDoom.NF.exe
Size

44KB
MD5

f0a4e1b9f16bedb637748b0ae2d38b0b
SHA1

36a61581ee833366a2f75c900cba601a3b317105
SHA256

0ead89a60b4d19bfca4a7d25391acf27e21a2e921eeb45327e1e23737f89a806
SHA512

3754150ab510d9bf8b4f1cb98edd16616af5e0bcb777c821368573b53e2a76590568a0d9812ea4e4ccf0171e912ede3240d00b35c437b8f0696585276a3472d0
SSDEEP

768:SCIqdH/k1ZVcT194jp4yEP5w+814Rz6C3+SOGw8crAmvGFpUqMt:SNqaLV8a6yEPe+8KX3JM

Score

7^/10

persistence upx

Malware Config

Signatures

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral14/memory/5040-0-0x0000000000800000-0x000000000080D000-memory.dmp	upx
behavioral14/memory/5040-3-0x0000000000800000-0x000000000080D000-memory.dmp	upx
behavioral14/memory/5040-5-0x0000000000800000-0x000000000080D000-memory.dmp	upx
behavioral14/memory/5040-7-0x0000000000800000-0x000000000080D000-memory.dmp	upx
behavioral14/memory/5040-9-0x0000000000800000-0x000000000080D000-memory.dmp	upx
behavioral14/memory/5040-11-0x0000000000800000-0x000000000080D000-memory.dmp	upx
behavioral14/memory/5040-13-0x0000000000800000-0x000000000080D000-memory.dmp	upx
C:\Program Files\Common Files\microsoft shared\ink\ar-SA\Harry Potter.exe	upx
behavioral14/memory/5040-37-0x0000000000800000-0x000000000080D000-memory.dmp	upx
behavioral14/memory/5040-123-0x0000000000800000-0x000000000080D000-memory.dmp	upx
behavioral14/memory/5040-132-0x0000000000800000-0x000000000080D000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Email-Worm.MyDoom.NF.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Traybar = "C:\\Windows\\lsass.exe"	Email-Worm.MyDoom.NF.exe

Drops file in Program Files directory 64 IoCs

Processes:

Email-Worm.MyDoom.NF.exe

description	ioc	process
File created	C:\Program Files\Common Files\microsoft shared\ink\ar-SA\Harry Potter.exe	Email-Worm.MyDoom.NF.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\fr\ICQ 4 Lite.exe	Email-Worm.MyDoom.NF.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\pl\index.exe	Email-Worm.MyDoom.NF.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\Kazaa Lite.exe	Email-Worm.MyDoom.NF.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\Winamp 5.0 (en).exe	Email-Worm.MyDoom.NF.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\Harry Potter.ShareReactor.com	Email-Worm.MyDoom.NF.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\it\Winamp 5.0 (en) Crack.com	Email-Worm.MyDoom.NF.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\hu-HU\index.com	Email-Worm.MyDoom.NF.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\es\Kazaa Lite.ShareReactor.com	Email-Worm.MyDoom.NF.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\ru\ICQ 4 Lite.ShareReactor.com	Email-Worm.MyDoom.NF.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\pt-BR\WinRAR.v.3.2.and.key.com	Email-Worm.MyDoom.NF.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\Kazaa Lite.com	Email-Worm.MyDoom.NF.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\pt-BR\WinRAR.v.3.2.and.key.com	Email-Worm.MyDoom.NF.exe
File created	C:\Program Files\Common Files\microsoft shared\OFFICE16\Harry Potter.exe	Email-Worm.MyDoom.NF.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\uk-UA\ICQ 4 Lite.ShareReactor.com	Email-Worm.MyDoom.NF.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\zh-Hans\ICQ 4 Lite.ShareReactor.com	Email-Worm.MyDoom.NF.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\el-GR\Winamp 5.0 (en) Crack.com	Email-Worm.MyDoom.NF.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\Winamp 5.0 (en) Crack.com	Email-Worm.MyDoom.NF.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\pl-PL\index.ShareReactor.com	Email-Worm.MyDoom.NF.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\ja\index.ShareReactor.com	Email-Worm.MyDoom.NF.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\Harry Potter.ShareReactor.com	Email-Worm.MyDoom.NF.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\index.exe	Email-Worm.MyDoom.NF.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\Harry Potter.com	Email-Worm.MyDoom.NF.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\hr-HR\Winamp 5.0 (en) Crack.ShareReactor.com	Email-Worm.MyDoom.NF.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\Harry Potter.exe	Email-Worm.MyDoom.NF.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\sk-SK\WinRAR.v.3.2.and.key.exe	Email-Worm.MyDoom.NF.exe
File created	C:\Program Files\Common Files\microsoft shared\Stationery\Winamp 5.0 (en) Crack.com	Email-Worm.MyDoom.NF.exe
File created	C:\Program Files\Common Files\microsoft shared\Triedit\en-US\Winamp 5.0 (en) Crack.exe	Email-Worm.MyDoom.NF.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\Winamp 5.0 (en) Crack.com	Email-Worm.MyDoom.NF.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-GB\WinRAR.v.3.2.and.key.com	Email-Worm.MyDoom.NF.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\Kazaa Lite.exe	Email-Worm.MyDoom.NF.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fi-FI\Winamp 5.0 (en) Crack.com	Email-Worm.MyDoom.NF.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\WinRAR.v.3.2.and.key.ShareReactor.com	Email-Worm.MyDoom.NF.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\it\index.ShareReactor.com	Email-Worm.MyDoom.NF.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\ko\Winamp 5.0 (en) Crack.exe	Email-Worm.MyDoom.NF.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\zh-Hant\Kazaa Lite.exe	Email-Worm.MyDoom.NF.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ro-RO\Harry Potter.exe	Email-Worm.MyDoom.NF.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ru-RU\Winamp 5.0 (en) Crack.com	Email-Worm.MyDoom.NF.exe
File created	C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\Winamp 5.0 (en).com	Email-Worm.MyDoom.NF.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\Kazaa Lite.exe	Email-Worm.MyDoom.NF.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\tr\ICQ 4 Lite.com	Email-Worm.MyDoom.NF.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\lt-LT\Winamp 5.0 (en) Crack.com	Email-Worm.MyDoom.NF.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\pt-PT\ICQ 4 Lite.exe	Email-Worm.MyDoom.NF.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\th-TH\Winamp 5.0 (en).com	Email-Worm.MyDoom.NF.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\tr-TR\Winamp 5.0 (en) Crack.ShareReactor.com	Email-Worm.MyDoom.NF.exe
File created	C:\Program Files\Common Files\microsoft shared\Triedit\Kazaa Lite.com	Email-Worm.MyDoom.NF.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\WinRAR.v.3.2.and.key.ShareReactor.com	Email-Worm.MyDoom.NF.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\Winamp 5.0 (en).ShareReactor.com	Email-Worm.MyDoom.NF.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\index.ShareReactor.com	Email-Worm.MyDoom.NF.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\ru\Winamp 5.0 (en).com	Email-Worm.MyDoom.NF.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\de\WinRAR.v.3.2.and.key.com	Email-Worm.MyDoom.NF.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\WinRAR.v.3.2.and.key.ShareReactor.com	Email-Worm.MyDoom.NF.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\Kazaa Lite.exe	Email-Worm.MyDoom.NF.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\zh-CN\Kazaa Lite.com	Email-Worm.MyDoom.NF.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\Winamp 5.0 (en) Crack.ShareReactor.com	Email-Worm.MyDoom.NF.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\cs\Winamp 5.0 (en) Crack.com	Email-Worm.MyDoom.NF.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\bg-BG\Winamp 5.0 (en) Crack.com	Email-Worm.MyDoom.NF.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\Winamp 5.0 (en) Crack.exe	Email-Worm.MyDoom.NF.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\nb-NO\Kazaa Lite.exe	Email-Worm.MyDoom.NF.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\WinRAR.v.3.2.and.key.com	Email-Worm.MyDoom.NF.exe
File created	C:\Program Files\Common Files\microsoft shared\TextConv\en-US\Kazaa Lite.ShareReactor.com	Email-Worm.MyDoom.NF.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\Winamp 5.0 (en) Crack.exe	Email-Worm.MyDoom.NF.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\Winamp 5.0 (en) Crack.com	Email-Worm.MyDoom.NF.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\Harry Potter.ShareReactor.com	Email-Worm.MyDoom.NF.exe

Drops file in Windows directory 2 IoCs

Processes:

Email-Worm.MyDoom.NF.exe

description	ioc	process
File opened for modification	C:\Windows\lsass.exe	Email-Worm.MyDoom.NF.exe
File created	C:\Windows\lsass.exe	Email-Worm.MyDoom.NF.exe

C:\Users\Admin\AppData\Local\Temp\Email-Worm.MyDoom.NF.exe
"C:\Users\Admin\AppData\Local\Temp\Email-Worm.MyDoom.NF.exe"
1⤵
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
PID:5040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\microsoft shared\ink\ar-SA\Harry Potter.exe

Filesize
44KB

MD5
f0a4e1b9f16bedb637748b0ae2d38b0b

SHA1
36a61581ee833366a2f75c900cba601a3b317105

SHA256
0ead89a60b4d19bfca4a7d25391acf27e21a2e921eeb45327e1e23737f89a806

SHA512
3754150ab510d9bf8b4f1cb98edd16616af5e0bcb777c821368573b53e2a76590568a0d9812ea4e4ccf0171e912ede3240d00b35c437b8f0696585276a3472d0

Download Submit
memory/5040-0-0x0000000000800000-0x000000000080D000-memory.dmp

Filesize
52KB

Download
memory/5040-3-0x0000000000800000-0x000000000080D000-memory.dmp

Filesize
52KB

Download
memory/5040-5-0x0000000000800000-0x000000000080D000-memory.dmp

Filesize
52KB

Download
memory/5040-7-0x0000000000800000-0x000000000080D000-memory.dmp

Filesize
52KB

Download
memory/5040-9-0x0000000000800000-0x000000000080D000-memory.dmp

Filesize
52KB

Download
memory/5040-11-0x0000000000800000-0x000000000080D000-memory.dmp

Filesize
52KB

Download
memory/5040-13-0x0000000000800000-0x000000000080D000-memory.dmp

Filesize
52KB

Download
memory/5040-37-0x0000000000800000-0x000000000080D000-memory.dmp

Filesize
52KB

Download
memory/5040-123-0x0000000000800000-0x000000000080D000-memory.dmp

Filesize
52KB

Download
memory/5040-132-0x0000000000800000-0x000000000080D000-memory.dmp

Filesize
52KB

Download