Resubmissions

  • 12-06-2024 08:28: 240612-kcy2jawckj (score 10)

  • 10-06-2024 17:27: 240610-v1ktxsvbpk (score 10)

General

  • Target

    Mydooms.zip

  • Size

    7.3MB

  • Sample

    240610-v1ktxsvbpk

  • MD5

    d9bbe9314e8114fa2cc00422b09fdd9d

  • SHA1

    a138d7a8c054d8dd9904f6fb378d51af02385a52

  • SHA256

    dbcc1bec2dbc4002cfdade40966eb639ccf4da67a7b9728f444beb1d35ed4f7f

  • SHA512

    79c96afd2bedb2ed22027cd135678db411fedeba92e481d2e410eb516cb26d8c8aebf3d63ed8941a91f70dee75a5fa2dfdff8c2bec07c205ac33710f2dff635f

  • SSDEEP

    196608:RyiXnVyuWadlIK+eU3hW0y9PnO+K8Lsi2L:AiXnVyuWaP6eahWPNPt2L

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\RESTORE_FILES_INFO.txt

Ransom Note
All your files have been encrypted due to a security problem with your PC.
If you want to restore them, write us to the e-mail [email protected] or: [email protected] (Backup mail)
Send us this file RESTORE_FILES_INFO
=================================================================================================================
Free decryption as a guarantee
Before paying, you can send 1-2 files for free decryption.
File format: txt doc pdf jpeg jpg gif png bmp
Total file size should not exceed 2 MB (without archive)
======================================================
You can buy Bitcoins here: https://localbitcoins.com
Or use the search how to buy Bitcoins in your country
=================================================================================================================
IMPORTANT!!!
Remember that your files are encrypted and only WE can recover them!
Do not try to recover yourself, as well as on third-party resources, you will lose your files and money forever!
=================================================================================================================
Key Identifier: my3sl9Yq1PK+YbpDrFH8dPMJiCTTIkoWj/yeg716ne9MGia5ULFpc1Mgi7UiDTNp+7VO9+bbcF20nkvmv4LXT82iki6X0cXcUljnVrLG3vrYOQU3Pdkxa2glJfh/wYlgW8zetKm8uyH+XkP2NfkCwdcmPcEXivuNCZ8NspdXPYYy6S9bZnmIYedqOW84j7MIPJJk/Tinm31hZCDMyLRlo46ya6LBvofFnhxoT+/zf3RYEV66ZJ5g+VCGpuxKtwdjwndHqtrSCT3G4vpsCKpoZnrLyl6TvDQFUfmIX2himhp269YuId2sr/nd6O6sqdxTyoX5GJa0ymznfE1wD2HjNLM5NlnzAGJC93rx5Jyf4sRwADl08PK2w1TYG0VL2zZ//zX8OShiL0lwD4nWSyD4cjaENLubeHu+eZlcI45FPARHfKzId3vuJm/uS01nK45yJ1br7TEFqgni3pFzdJVp2w15SMV2T7wbTgBXC95vMdnWKu0M6J7UbILMDl2X7KAhuyi+wtIQmROyFM2Sj6Nqy6uuFAt++6kqHmEhYjzcYY1oXPSB7JP6sD0PK/KZPfP/fI2Ly8RFyCTerzRSrwji/E61a7Dy248gYYWkMcd9U8UI9+jRTm+ySlp/a3ntEl2dQK1wLmB49aeBn+gXsf/b7DcwSzORCjOahyfssYHIJdo=
Number of files that were processed is: 1095
PC Hardware ID: 3EBBE295

Extracted

Path

C:\ProgramData\Adobe\# SATAN CRYPTOR #.hta

Ransom Note
<html>
<head>
<title>SATAN CRYPTOR</title>
<HTA:APPLICATION ID="" APPLICATIONNAME="" BORDER="DIALOG" MAXIMIZEBUTTON="NO" SCROLLFLAT="YES" CAPTION="YES" SELECTION="NO" INNERBORDER="NO" ICON="" SCROLL="NO" SHOWINTASKBAR="YES" SINGLEINSTANCE="YES" SYSMENU="YES" WINDOWSTATE="NORMAL" />
</head>
<script language=javascript>
var winWidth = 800;
var winHeight = 600;
window.resizeTo(winWidth, winHeight);
window.moveTo(screen.width/2-winWidth/2, screen.height/2-winHeight/2);
</script>
<body bgcolor=buttonface text=buttontext style="font: 10pt 'Tahoma'">
<div style="font-weight:bold; font:16pt; text-align: center" id="Tittle">Attention!</div>
<br>
<div style="padding:15px" id="SubTittle">
Your documents, photos, databases and other important files have been encrypted cryptographically strong, without the cipher key recovery is impossible!
<br> <br>
To decrypt your files you need to buy the special software - <strong>SATAN DECRYPTOR</strong> and your <strong>Private Decryption Key</strong>.
<br> <br>
Using another tools could corrupt your files, in case of using third party software we dont give guarantees that full recovery is possible so use it on your own risk.
<br> <br>
If you want to restore files, write us to the our e-mail: <strong>[email protected]</strong>
<br> <br>
Please write your <strong>Personal Identification Code</strong> in body of your message.
<br> <br>
Also attach to email 3 encrypted files for free decryption test. (each file have to be less than 1 MB size and not have valuable content)
<br> <br>
It is in your interest to respond as soon as possible to ensure the restoration of your files!
<br> <br>
Your <strong>Personal Identification Code</strong>:
</div>
<center>
<textarea style="overflow:auto; font:10pt 'Tahoma'" name="TextArea" rows=10 cols=120 readonly>…</textarea>
</center>
</body>
Emails

[email protected]

Extracted

Family

zebrocy

C2

Windows XP Professional x64 Edition

Targets

    • Target

      Mydoom/00b9b6cf27deeda8de99d1719ef724808afa92080026df8dd17159be8ea420f7.exe

    • Size

      879KB

    • MD5

      af466faccd8bbab030d12caf7b16ea61

    • SHA1

      e18711fe226d39fe182c45ea1a15ccc587980b67

    • SHA256

      00b9b6cf27deeda8de99d1719ef724808afa92080026df8dd17159be8ea420f7

    • SHA512

      2599b3b6db13c14e36bc24980da5457c8788624050ad727d2b1d8975b6405e1a6dfee9829a849900edcc7cc831b69604cce9e6e7e0080835e426df343a1d6e64

    • SSDEEP

      12288:D+of7uHr7XLo+U90C447TmTWCsNWGHBm++WDzLGfWCayErUUxmptN:Dr7uH3vu0B4OWZxPDnG5ErUn

    Score 1/10

    • Target

      Mydoom/05500734fe07ac2b5bc89aa12b090203c4b74851cb0d62bd388f27ec6d6caa81.exe

    • Size

      15KB

    • MD5

      32915fef0066f3a580ae9389d83e195f

    • SHA1

      e000d59d91a6039c28a628ec436f680f41e8ffec

    • SHA256

      05500734fe07ac2b5bc89aa12b090203c4b74851cb0d62bd388f27ec6d6caa81

    • SHA512

      57d43daac4bc5d550bed9724dc8c2041111dba3f3a52fca7b688e3d6b64267c34c537b8045d974e007412f504aeb3428f571c360b053faff7c040c4bc235cbd8

    • SSDEEP

      192:F7r4fe9FV9wQw0XJ58CWuVmcmLQ4k8Md0QiyIWNMrXRkf1ZdDjgXFk3AaDvFmv:FAfe7wQw+4Cc84ZM6eIkf1Z1jgXKHC

    Score 1/10

    • Target

      Mydoom/0b75e2fadffc45dff940e58f5b6f8d99832426bb880f432f98d853308b29c9c5.exe

    • Size

      355KB

    • MD5

      ff4c98aae03f63b8256dd765e99f5934

    • SHA1

      db774f2c4a2ed02f42effd6016e6ee7b8ae5cfde

    • SHA256

      0b75e2fadffc45dff940e58f5b6f8d99832426bb880f432f98d853308b29c9c5

    • SHA512

      eea1f000945adf51217d3b3e6faaa947c683de5c278ce0c7870360d959d65347804b563853d32ce2d49bd6fb0567c9d0d065ee561bb4b16d66af1bbd98197c1d

    • SSDEEP

      6144:wlZzOaQGDj25OFco79+ITkBXkHQYfrF1aK0FAbw1lZzOR0x0k5kPFOM+11c5K9b:YZTP2kioZD1rUxPZA0x/ksB9b

    Score 8/10

    • Drops file in Drivers directory

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Drops file in System32 directory

    • Target

      Mydoom/0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe

    • Size

      9.4MB

    • MD5

      813b749967045532f86e6442447bcd8b

    • SHA1

      8d0615e7f7ba672a3fc94c05a9451f9d08797af7

    • SHA256

      0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464

    • SHA512

      47c16f403ab33ebb9e59c7c3a053dc29d0d654174d2be9153966ad9fc873e641f34ab44c7e38fb4c6fd376b384d4e1da0dacafb384e9abb1c7eb92cb32533877

    • SSDEEP

      24576:GYx7SFGwWG8/Ad5kybgeK8uQY2ZqR7NlaDbTxnVhv2MMLdGIhJ:IFFbK8q2ZhDbTNv2MuV

    Score 10/10

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Executes dropped EXE

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      Mydoom/1760c5727e5568d3b18a1cbf0d50c311613699af8233c96fb3eee197f438ce9c.exe

    • Size

      28KB

    • MD5

      e26570922a9373c1f3a06f647ddd10a4

    • SHA1

      e0f6853e39e0b9fbcb3062bb7e15b8734b9df9f3

    • SHA256

      1760c5727e5568d3b18a1cbf0d50c311613699af8233c96fb3eee197f438ce9c

    • SHA512

      e17a8c1ca8aa6c65106831086f203736b7bdd92c54d2487f381f7d7303a5f3852859935ef55a913dd8856c6015a5f9414308430ae1ff4b5690743025f8ff4c70

    • SSDEEP

      384:1vxBbK26lj5Id8SpHx9jLhsznnVxA1WmP5w7GGCJlqqwMyNQ05:Dv8IRRdsxq1DjJcqf8

    Score 7/10

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Target

      Mydoom/1fe99fb7c527a90826896e695f23e712375358df3c7aa9163af6b96d872a9f81.exe

    • Size

      21KB

    • MD5

      26b8bc40d95b979e1e708a9f843242ad

    • SHA1

      229284e8cb74bbfae647eb160e4188bda3e50721

    • SHA256

      1fe99fb7c527a90826896e695f23e712375358df3c7aa9163af6b96d872a9f81

    • SHA512

      e53fb1b351f47227c1568718c99cc78048507518ac823cebccddebdc630845f9c972a746036f67d416275bdb1667d298ddd6a0fd4e0fea4dc096d7c2cfcf0625

    • SSDEEP

      384:FZcpzCIqdG3A3WUkx38GZDJuJbf1+o44u8gHzU4ek+:SCIqdH/k1ZVcT194jp44eD

    Score 7/10

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Target

      Mydoom/23361735678f37d77510b22306c727a987f84c87143bb0062f3d76413c36fc98.exe

    • Size

      21KB

    • MD5

      3f122d9a0b7a9f1aa8c973d170ee8d55

    • SHA1

      3fb032e1a7a3a9cc5ce0d5f03fbb7f74a063ce39

    • SHA256

      23361735678f37d77510b22306c727a987f84c87143bb0062f3d76413c36fc98

    • SHA512

      25b3db24d20482476e07e29bcee1e231e106d1ec8e36bc390960085595816268ced9c6d392ee21e48c0643801e14c4bb88e1d006fc35467a1abf7b66a423fad4

    • SSDEEP

      384:FZcpzCIqdG3A3WUkx38GZDJuJbf1+o44u8gHzUEBI:SCIqdH/k1ZVcT194jp4ES

    Score 7/10

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Target

      Mydoom/2522b83852588bc0f7f620f9b4fe3a9337b9608be335d3958d190275f333df03.exe

    • Size

      49KB

    • MD5

      d4aae2114968c886660e4cbf1c694160

    • SHA1

      c5b6d1ccc5f238686f3be7bfff44c9b612d74efb

    • SHA256

      2522b83852588bc0f7f620f9b4fe3a9337b9608be335d3958d190275f333df03

    • SHA512

      69d0c95abcb789b5e638e826c0b827634fb076248c659b1d2d62741383a62510d6ad6b1e6c16ea1a2ab7f2ac271ba56958e0f070def4a33c6bcaacba848c8395

    • SSDEEP

      768:nqQ07c92/EyTAYtxqfGNC0klI7C8ycYlI5P194jp49w404LY:n87wc1aGNC0klI7CPpIFa69wAY

    Score 7/10

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Target

      Mydoom/2af6bc16f25822d6d2f1429bc15f3d47f6c0bcb026ba387249d173fc753919b2.exe

    • Size

      22KB

    • MD5

      44fad0089dd3b0b481f30486646fd3f0

    • SHA1

      54a3e4359bedeba0d8747e2bc7e94ebbd48feef3

    • SHA256

      2af6bc16f25822d6d2f1429bc15f3d47f6c0bcb026ba387249d173fc753919b2

    • SHA512

      7137de8a76aa91bc921a7334dde182eaa786a42bc5dc7369e9265f9226ea52bedf003e8ba707f297d880828daa5f1183233d985cb98e371eb711c2523a1a0acc

    • SSDEEP

      384:FZcpzCIqdG3A3WUkx38GZDJuJbf1+o44u8gHzUIegaC3:SCIqdH/k1ZVcT194jp4IegaC3

    Score 7/10

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Target

      Mydoom/3d9f9c162e130c197301adb5a4e141f2e1ae8a19c85b457c429e8410a5c91464.exe

    • Size

      41KB

    • MD5

      3e67d212278e1af5be913d236399fcf6

    • SHA1

      f993125ed4af1de6a551a6e0843a6d124cd46f27

    • SHA256

      3d9f9c162e130c197301adb5a4e141f2e1ae8a19c85b457c429e8410a5c91464

    • SHA512

      f7e6394c9f9fdd6a03c72aaece5b4911cb821680a632f94b622b12d94cff9873d93b2c6604016524bdab4dd6e4b70b532c440f6b296138677be19e078ad23ec7

    • SSDEEP

      768:/eMc5VwWt1jDkbXdnTOyQxHFO+IxX2P5LIbbcPYir2lAqcdF0i09sy:/q5VwWDjDkdTRqHFOn8tIbbeYiuZIFSl

    Score 7/10

    • ACProtect 1.3x - 1.4x DLL software

      Detects file using ACProtect software.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Drops file in System32 directory

    • Target

      Mydoom/3db846a796caa001666df8f7cae709fff02f984711b0e70e0e79c457d631b4e5.exe

    • Size

      41KB

    • MD5

      b1f6a4cc592f3c9f7d4b69c02ac74d11

    • SHA1

      db2db17c1d3e2c4f3a45aad9215cc77ed455ffcc

    • SHA256

      3db846a796caa001666df8f7cae709fff02f984711b0e70e0e79c457d631b4e5

    • SHA512

      66c3d5cb3c9bf13604748853797e4c1a1eae13d52cdf43f16da0b1b180ad0c10102a2935d4d6bd0549f6e48427c0181cbb07f1ee664274727dff0cc61e5075c5

    • SSDEEP

      768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/:AEwVs+0jNDY1qi/q

    Score 7/10

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Target

      Mydoom/493813116f32ad6f455676cd54e32a2167ece845038202614cbb49e126f5afdc.exe

    • Size

      21KB

    • MD5

      fd6deb4cda087d7a60b6b28104fad84b

    • SHA1

      6826e88b55a2794f9ea72c86bb9cfd084fe2aee9

    • SHA256

      493813116f32ad6f455676cd54e32a2167ece845038202614cbb49e126f5afdc

    • SHA512

      afa16663956ffa8d50d7a6622c7cb01d9b01f83c1ef21dfce1eeffc8cc217499e7a78bcea952b59c501caa71b3aaa5b2c144ed30529685efb55266678eb18dc3

    • SSDEEP

      384:FZcpzCIqdG3A3WUkx38GZDJuJbf1+o44u8gHzUMO2:SCIqdH/k1ZVcT194jp4N2

    Score 7/10

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Target

      Mydoom/4d61a61265cdd942cff973609170529eaf19579b5d17e64deccbd6f6f1fdfa08.exe

    • Size

      29KB

    • MD5

      0d14590170f35263c0e3f0e0e1594720

    • SHA1

      21414e31724eb95408a4031a0c0508b2a12260e7

    • SHA256

      4d61a61265cdd942cff973609170529eaf19579b5d17e64deccbd6f6f1fdfa08

    • SHA512

      76e6fbd04c08b749b46ce1499e15ad58d7bb8d0c20db0a0fae54001f973aaa73e961cf80558c090d31d7f69918562c519c01c2cb441548feca63cea37792aa3c

    • SSDEEP

      768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/V:AEwVs+0jNDY1qi/qt

    Score 7/10

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Target

      Mydoom/5642f8bd3bc151349ded1a3c160c037c26194c9da2b7ace5d8ca11cddb57612a.exe

    • Size

      41KB

    • MD5

      64276638075d3cab665966be7f366682

    • SHA1

      3fb9c599d5dc9188332b4a9c0f1262c07ee24699

    • SHA256

      5642f8bd3bc151349ded1a3c160c037c26194c9da2b7ace5d8ca11cddb57612a

    • SHA512

      1bbd7440a14f8651ef4433cdda3a48071024838688f8ff88a0688cf56f28854232446f655731a44d1f02f1e572697e132f06c92dfa170825433154042be02826

    • SSDEEP

      768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/:AEwVs+0jNDY1qi/q

    Score 7/10

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Target

      Mydoom/6c37d14d5ad674e4c0fa8df0a999be6b27399936c9ff16f7fb30b802addb7b4c.exe

    • Size

      28KB

    • MD5

      e5128ece1b9916a6df7cd56d66c193c2

    • SHA1

      c99f687b182f3dee71e8434360595832ea431075

    • SHA256

      6c37d14d5ad674e4c0fa8df0a999be6b27399936c9ff16f7fb30b802addb7b4c

    • SHA512

      67b9166f33c78140ce2259df9a7bae92e6cae066b7f54cb0ebdec183ef1ffaf958f6cd24b0bb01e2b6a302fb73e9c5c057554c825e1496ef3b679e77dd7715af

    • SSDEEP

      384:1vxBbK26lj5Id8SpHx9jLhsznnVxA1WmP5w7GGCJlqqwMyNHS6e:Dv8IRRdsxq1DjJcqfH

    Score 7/10

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Target

      Mydoom/6c3c9af653a28977257ce971ed701b1b893cdf67d5c57baa44a9d76c28675dc3.exe

    • Size

      21KB

    • MD5

      41a7ddd957c89fc7d20b60fbb7526198

    • SHA1

      2b3575ced3fb5227c1b21cb5a5d70de6ee20ac5e

    • SHA256

      6c3c9af653a28977257ce971ed701b1b893cdf67d5c57baa44a9d76c28675dc3

    • SHA512

      c97c733c37423269eefff67c66caf04317dbcfb8dc678cae18b265f9cde57ff0677c93cceaa0cda05e70daa3446d507538f1db9b37a30078568542a8cf67bec5

    • SSDEEP

      384:FZcpzCIqdG3A3WUkx38GZDJuJbf1+o44u8gHzULMc4:SCIqdH/k1ZVcT194jp4LMx

    Score 7/10

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Target

      Mydoom/77186e57b2eeb3ed4b56cfe280d5eeea3155d9502217cda824600bc93d365320.exe

    • Size

      29KB

    • MD5

      4568631011aae49f42e185b46a1a30a5

    • SHA1

      d3e88e07f54ad778b774822bcf283accc22b529b

    • SHA256

      77186e57b2eeb3ed4b56cfe280d5eeea3155d9502217cda824600bc93d365320

    • SHA512

      fc673b7013b9d291258579c18e0466e4e3e6de1fff73900fb3f87ff275aa0064e36620b7774880bbef14ad4e5e968ea46c0ef47484f260468f263cc6d1832cd1

    • SSDEEP

      768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/p:AEwVs+0jNDY1qi/qh

    Score 7/10

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Target

      Mydoom/7bca70a81cc9e1067e99e313802a4cc095f79bbc3a1aa86b7b3b9eabf3748e61.exe

    • Size

      29KB

    • MD5

      18e2d2d193f1b5e2fe2cec1f6b4c5c38

    • SHA1

      5c9e2ecd155da2d8822187398d58febd1044a1e4

    • SHA256

      7bca70a81cc9e1067e99e313802a4cc095f79bbc3a1aa86b7b3b9eabf3748e61

    • SHA512

      3a961ff5d823450134acc34fb984bd5105fcf02c65692ee5fc7273c6de9fc64185cc548ea1de6d5622d6985e754943a4b4d235458eb41bef469027e6b11a35ba

    • SSDEEP

      768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/9:AEwVs+0jNDY1qi/q1

    Score 7/10

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Target

      Mydoom/8e934dcd46eb57d42712d097deab6ce00ef1ce2db87d03f8d3d8e8c10da7e088.exe

    • Size

      45KB

    • MD5

      3aa484f942ddfeff67d043fafb9877bb

    • SHA1

      966cbc5b018d94b1797ad5d506ca4d3cb639eca7

    • SHA256

      8e934dcd46eb57d42712d097deab6ce00ef1ce2db87d03f8d3d8e8c10da7e088

    • SHA512

      9356aa0648b93558e0e3af85a9d08449f63c4e6675f82feed9b386425fcbcb7e391b2dfbc114055d0d2b779407b40074f7083205b194c0fa460e99ba8b635612

    • SSDEEP

      768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/:AEwVs+0jNDY1qi/q

    Score 7/10

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Target

      Mydoom/9a75c8e353df060ec927ada5990402b57764275f2a860d9cf500a661ec3de060.exe

    • Size

      41KB

    • MD5

      cdc7a9e456810fd6d0a5f9129c633c03

    • SHA1

      3fd75d798773bbb29b26a4c9b9c0635ff52fee57

    • SHA256

      9a75c8e353df060ec927ada5990402b57764275f2a860d9cf500a661ec3de060

    • SHA512

      635346ea4d4c29618469e2aac76e12280e89d44b3fc22e1b522608a5c2352337d20745116e85bcf96e592261d5adb460e1bae8ae2a41e27e0a32298567462c11

    • SSDEEP

      768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/:AEwVs+0jNDY1qi/q

    Score 7/10

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Target

      Mydoom/9e067453f09c5cbfa4c5a74fe3e70d7d8e66a25057e6c35240dce5a40ec31bf3.exe

    • Size

      28KB

    • MD5

      f64e4d13a57ae222768b792b2c16158d

    • SHA1

      5a0878beb5a8a464f71629f560b8ac12473776e7

    • SHA256

      9e067453f09c5cbfa4c5a74fe3e70d7d8e66a25057e6c35240dce5a40ec31bf3

    • SHA512

      e9bab92bb7df9414f531b579449c72fd911c9cc0e59809cb6105ef8bdd3cc7818e5626ef57159a7362a82e7cdbfbe2a0f58839e0167a696d3217e622143925a1

    • SSDEEP

      384:1vxBbK26lj5Id8SpHx9jLhsznnVxA1WmP5w7GGCJlqqwMyN7F57Oz:Dv8IRRdsxq1DjJcqfAJOz

    Score 7/10

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Target

      Mydoom/Mydoom Ransomwares/1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe

    • Size

      127KB

    • MD5

      93a7ed73f2245a1f043b74e724705f54

    • SHA1

      6b97b4cd5d44e607540b841081f68b7755ce59f5

    • SHA256

      1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406

    • SHA512

      ab1d5999d7bdeb0a2d93a7476cbcace92971417d45a7459fbe294ed66d0466f0e121a68fe9ade89c3c71d4afab3b81b94aaaeabc99e6f02f79c307acbf574090

    • SSDEEP

      3072:bhADm5OPINYUsx0Ki6uA9bKHtBdQex7Coy5q5l:bhAcO7xhjuA9bQQzq

    • Disables service(s)

    • Renames multiple (228) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Drops startup file

    • Drops desktop.ini file(s)

    • Target

      Mydoom/Mydoom Ransomwares/1fb613ee3b0e7f96f5dea029aae31b86340b0724e88f84a76b386af84d1cf95c.exe

    • Size

      27KB

    • MD5

      4ae2e5156253fbeed2c6f13a066c98a1

    • SHA1

      db318de72c2cdda1822999441d23b91e933a772b

    • SHA256

      1fb613ee3b0e7f96f5dea029aae31b86340b0724e88f84a76b386af84d1cf95c

    • SHA512

      c00c1c47e4cffaa3078885bbca42e6663bb478ec33b5b742c752412b204af55bf94008868264d0b03279339017732330e64c52d3b20f55e347194f65f2147be2

    • SSDEEP

      384:XLNAZPBVp/L9Z1oQEDQVbfANpC78rMNAtpDkjvr+jfXNIRXrrahrBDBkHqd7gasb:XCZ5jz9YQEMb4KN2ywrFuHeJsyO

    Score 6/10

    • Drops desktop.ini file(s)

    • Target

      Mydoom/Mydoom Ransomwares/5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe

    • Size

      100KB

    • MD5

      7fdd3bf8886199e8336f95c88bcaa49a

    • SHA1

      77e2019093379de4d5de07dbcf5893831c9bb7ec

    • SHA256

      5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc

    • SHA512

      9d774eca21fb33f26991cf20f0f6a2f0bce56aa4cc3d17fd769e0bb767ca400cd5c8dd64bb62db23bf5bc112b91b1a26db7bf2f9d85993cb990be5113e527a40

    • SSDEEP

      1536:1zmSA404oATJVPHEMXMxa6CO3/k/hdXVyczH+95DfFFjfuEnm:1zxEYsZaLhdlo95DfFFjfuCm

    • Target

      Mydoom/Mydoom Ransomwares/84ee7e5c055fd25204ca4969940292b03da9d45b5048cbb7f7ba8528b88a2859.exe

    • Size

      492KB

    • MD5

      63acb0fc42adddeefed36db5b1ad61bb

    • SHA1

      7ffe0a6043397f55fd794971cac56a79fc564c0a

    • SHA256

      84ee7e5c055fd25204ca4969940292b03da9d45b5048cbb7f7ba8528b88a2859

    • SHA512

      91787551107a0c013b3c5c35b9cb51f5880403a9f8dc3370f3392aba8b37fe210eda82a8bbd474f1d6ad73e969a8d6c2962278a9f0d595c8842269c27142c4c0

    • SSDEEP

      12288:rDA4+Z/YWwIQx+E6uI4+Z/YWvt8OW/9mZ4+QwQaNdmrlTT6zncVUJ7vn:wo9UPgTT6DN

    Score 1/10

    • Target

      Mydoom/Mydoom Ransomwares/cc3b570fa8f87354f06a20d8873c45087684c217f1b434b3b0048acd96fe3e64.exe

    • Size

      1.9MB

    • MD5

      f09a781eeb97acf68c8c1783e76c29e6

    • SHA1

      ec2b7eebfcbf263424ae194817060eac44c380c7

    • SHA256

      cc3b570fa8f87354f06a20d8873c45087684c217f1b434b3b0048acd96fe3e64

    • SHA512

      972fc4759d344c3eab157fe8bb345596592895ab9d27546961a93047142e8236dd876f3449a9f60dd5eb93a54035dcd3d7c8d70d468e3233341bfa4d674cfa64

    • SSDEEP

      49152:jL7kITp6hTJEfHdQ2+Sd3KmkZt1EOS09VE8zbRfc7id4oPg:YITpmafy2+S5KmkZt1EOSP8zdfc7i5P

    Score 7/10

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      Mydoom/Mydoom Ransomwares/dd286a4d79d0f4c2b906073c7f46680252ca09c1c39b0dc12c92097c56662876.exe

    • Size

      1.8MB

    • MD5

      057aad993a3ef50f6b3ca2db37cb928a

    • SHA1

      a57592be641738c86c85308ef68148181249bc0b

    • SHA256

      dd286a4d79d0f4c2b906073c7f46680252ca09c1c39b0dc12c92097c56662876

    • SHA512

      87c89027d60f80e99c526584fa093620b3f099151170362424ad78f5e4d7184bd9f2d627ec8463ca202127835f435dd4f85bf2b0d9351593c688855f0bbaffbb

    • SSDEEP

      49152:BY/3BNLViG5jQWArXncSxhBfV7xLE1t+XgWJz5qtAj6R:BwgG5MWMX7h8+Uw

    • SatanCryptor

      Golang ransomware first seen in early 2020.

    • Zebrocy

      Zebrocy is a backdoor created by Sofacy threat group and has multiple variants developed in different languages.

    • Zebrocy Go Variant

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Drops desktop.ini file(s)

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      Mydoom/a9a89ed0d139fbc436794f5d3a8e58c547247039d8c86767b1e2f2bce40e390f.exe

    • Size

      41KB

    • MD5

      ec9e58951bf3e0ff91c5f86cae637dc4

    • SHA1

      8f2e5fce00e3f5265deabaa71a9243d1b936395c

    • SHA256

      a9a89ed0d139fbc436794f5d3a8e58c547247039d8c86767b1e2f2bce40e390f

    • SHA512

      466d31863ee8d7765b436f75588da017b095ac66f86deb8dff41fc2349de456da8dbb59bec863c4a754fc68a210ad8e1c578d968312c9ea0595d4aab7fb2f0a5

    • SSDEEP

      768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/:AEwVs+0jNDY1qi/q

    Score 7/10

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Target

      Mydoom/b4ab8f5c8b97307b328ba30fdefdbe4341c4e2c576729fdb5c7329d5b07bb695.exe

    • Size

      41KB

    • MD5

      2f0ded84c37387024cd7145bd7e64e88

    • SHA1

      61803770a6bdf2aafb3f7efcc3c135d63ddd55b5

    • SHA256

      b4ab8f5c8b97307b328ba30fdefdbe4341c4e2c576729fdb5c7329d5b07bb695

    • SHA512

      efe39f1abf0c1ae5662c95bdcc7022e5982069e7656860356643eabf4a567639136125294dfd3ecbde72e0853e886a88b5d085d8c757c7b63f67cb000b510848

    • SSDEEP

      768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/:AEwVs+0jNDY1qi/q

    Score 7/10

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Target

      Mydoom/c03431309015563257e5e118656d07ce136f151339054b9f66894ecf9dde9aef.exe

    • Size

      856KB

    • MD5

      733766ff5495f04d82744291993eb69e

    • SHA1

      2830778313fd7fccc6c8129d419b1757368078fd

    • SHA256

      c03431309015563257e5e118656d07ce136f151339054b9f66894ecf9dde9aef

    • SHA512

      cf3bf548e743894888ba3ea191a289f09d9f36215e1306aa21e61f0ea81473eec6df01a6e7f05f9251ecb9cc71c654934a53d4916c4152bf8fa4a95119e98cf2

    • SSDEEP

      12288:0zqKbHTadreUv6e2faqsW8lEsbjwepi8K2cE4b5wxH5/uek6JA6QfmpFiMtMv7u3:yPaFnCec8vj1p7pc5bQZ/uesmoqt7jF

    • Sets DLL path for service in the registry

    • ACProtect 1.3x - 1.4x DLL software

      Detects file using ACProtect software.

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      Mydoom/c45a330cf80c33977658649596d4867301e928381c5fc37ec3edabfad2251324.exe

    • Size

      29KB

    • MD5

      5b4833161897a50ab4688e2990d1d24b

    • SHA1

      0a04dd46bca64169511b4bcdc8ea36eb8ad55012

    • SHA256

      c45a330cf80c33977658649596d4867301e928381c5fc37ec3edabfad2251324

    • SHA512

      df87dacc161a583dbc060ddc60868476ba5a864021644da643475a93805229a633eb8f0ade738f2512e05b7ec3c8647d877bc4658beb475bd6b0347568caaf5e

    • SSDEEP

      768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/l:AEwVs+0jNDY1qi/qN

    Score 7/10

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Target

      Mydoom/d42fc4dabd9a9e74156d1a856cb542ed2e0796d2d7c6b976c0ac5421a87f9806.exe

    • Size

      29KB

    • MD5

      c4074b5cca1b0e41aa22b8d090ccfd5f

    • SHA1

      8a90f2c08d98c3803003c41147dfdaafa5d31039

    • SHA256

      d42fc4dabd9a9e74156d1a856cb542ed2e0796d2d7c6b976c0ac5421a87f9806

    • SHA512

      b4068d61d348ace4f9712e975b36e5077a34d93566b1ff46ba6933916bfb18fb506ee30b5feaa49a3c714a4636ff1868d499061ea1ec7b41c4fe2c01a34c8e42

    • SSDEEP

      768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/qg:AEwVs+0jNDY1qi/qig

    Score 7/10

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

MITRE ATT&CK Matrix (ATT&CK v13)

Per tactic: technique (ATT&CK ID): number of matches

Execution

  • Scheduled Task/Job (T1053): 1

  • System Services (T1569): 2

    • Service Execution (T1569.002): 2

Persistence

  • Boot or Logon Autostart Execution (T1547): 24

    • Registry Run Keys / Startup Folder (T1547.001): 23

    • Winlogon Helper DLL (T1547.004): 1

  • Scheduled Task/Job (T1053): 1

  • Create or Modify System Process (T1543): 3

    • Windows Service (T1543.003): 3

  • Pre-OS Boot (T1542): 1

    • Bootkit (T1542.003): 1

Privilege Escalation

  • Boot or Logon Autostart Execution (T1547): 24

    • Registry Run Keys / Startup Folder (T1547.001): 23

    • Winlogon Helper DLL (T1547.004): 1

  • Scheduled Task/Job (T1053): 1

  • Create or Modify System Process (T1543): 3

    • Windows Service (T1543.003): 3

Defense Evasion

  • Modify Registry (T1112): 27

  • Impair Defenses (T1562): 1

    • Disable or Modify System Firewall (T1562.004): 1

  • File and Directory Permissions Modification (T1222): 1

  • Pre-OS Boot (T1542): 1

    • Bootkit (T1542.003): 1

Credential Access

  • Unsecured Credentials (T1552): 1

    • Credentials In Files (T1552.001): 1

Discovery

  • System Information Discovery (T1082): 6

  • Query Registry (T1012): 3

  • Peripheral Device Discovery (T1120): 1

  • Remote System Discovery (T1018): 2

Collection

  • Data from Local System (T1005): 1

Impact

  • Service Stop (T1489): 2

Tasks

Task (tags): score

  • static1 (upx): Score 7/10

  • behavioral1: Score 1/10

  • behavioral2: Score 1/10

  • behavioral3 (persistence, upx): Score 8/10

  • behavioral4 (dcrat, infostealer, rat): Score 10/10

  • behavioral5 (persistence, upx): Score 7/10

  • behavioral6 (persistence, upx): Score 7/10

  • behavioral7 (persistence, upx): Score 7/10

  • behavioral8 (persistence, upx): Score 7/10

  • behavioral9 (persistence, upx): Score 7/10

  • behavioral10 (persistence): Score 7/10

  • behavioral11 (persistence, upx): Score 7/10

  • behavioral12 (persistence, upx): Score 7/10

  • behavioral13 (persistence, upx): Score 7/10

  • behavioral14 (persistence, upx): Score 7/10

  • behavioral15 (persistence, upx): Score 7/10

  • behavioral16 (persistence, upx): Score 7/10

  • behavioral17 (persistence, upx): Score 7/10

  • behavioral18 (persistence, upx): Score 7/10

  • behavioral19 (persistence, upx): Score 7/10

  • behavioral20 (persistence, upx): Score 7/10

  • behavioral21 (persistence, upx): Score 7/10

  • behavioral22 (evasion, execution, ransomware): Score 10/10

  • behavioral23: Score 6/10

  • behavioral24 (discovery, evasion, execution, persistence, ransomware): Score 10/10

  • behavioral25: Score 1/10

  • behavioral26 (upx): Score 7/10

  • behavioral27 (satancryptor, zebrocy, backdoor, ransomware, spyware, stealer, trojan, upx): Score 10/10

  • behavioral28 (persistence, upx): Score 7/10

  • behavioral29 (persistence, upx): Score 7/10

  • behavioral30 (bootkit, persistence, upx): Score 8/10

  • behavioral31 (persistence, upx): Score 7/10

  • behavioral32 (persistence, upx): Score 7/10