Overview

Task index (score per task; every behavioral task ran on windows11-21h2-x64; sample names appear as the page's task list truncates them)

Score  Task
10     Static
7      Mydoom/00b...f7.exe
1      Mydoom/055...81.exe
-      Mydoom/0b7...c5.exe
8      Mydoom/0d5...64.exe
10     Mydoom/176...9c.exe
7      Mydoom/1fe...81.exe
7      Mydoom/233...98.exe
7      Mydoom/252...03.exe
7      Mydoom/2af...b2.exe
7      Mydoom/3d9...64.exe
7      Mydoom/3db...e5.exe
7      Mydoom/493...dc.exe
7      Mydoom/4d6...08.exe
7      Mydoom/564...2a.exe
7      Mydoom/6c3...4c.exe
7      Mydoom/6c3...c3.exe
7      Mydoom/771...20.exe
7      Mydoom/7bc...61.exe
7      Mydoom/8e9...88.exe
7      Mydoom/9a7...60.exe
7      Mydoom/9e0...f3.exe
7      Mydoom/Myd...06.exe
10     Mydoom/Myd...5c.exe
6      Mydoom/Myd...fc.exe
10     Mydoom/Myd...59.exe
1      Mydoom/Myd...64.exe
7      Mydoom/Myd...76.exe
10     Mydoom/a9a...0f.exe
7      Mydoom/b4a...95.exe
7      Mydoom/c03...ef.exe
8      Mydoom/c45...24.exe
7      Mydoom/d42...06.exe
Analysis

Score: 7
max time kernel: 28s
max time network: 36s
platform: windows11-21h2_x64
resource: win11-20240426-en
resource tags: arch:x64, arch:x86, image:win11-20240426-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 10/06/2024, 17:27
Behavioral tasks

Task          Resource           Sample
behavioral1   win11-20240426-en  Mydoom/00b9b6cf27deeda8de99d1719ef724808afa92080026df8dd17159be8ea420f7.exe
behavioral2   win11-20240426-en  Mydoom/05500734fe07ac2b5bc89aa12b090203c4b74851cb0d62bd388f27ec6d6caa81.exe
behavioral3   win11-20240508-en  Mydoom/0b75e2fadffc45dff940e58f5b6f8d99832426bb880f432f98d853308b29c9c5.exe
behavioral4   win11-20240426-en  Mydoom/0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe
behavioral5   win11-20240508-en  Mydoom/1760c5727e5568d3b18a1cbf0d50c311613699af8233c96fb3eee197f438ce9c.exe
behavioral6   win11-20240426-en  Mydoom/1fe99fb7c527a90826896e695f23e712375358df3c7aa9163af6b96d872a9f81.exe
behavioral7   win11-20240508-en  Mydoom/23361735678f37d77510b22306c727a987f84c87143bb0062f3d76413c36fc98.exe
behavioral8   win11-20240419-en  Mydoom/2522b83852588bc0f7f620f9b4fe3a9337b9608be335d3958d190275f333df03.exe
behavioral9   win11-20240508-en  Mydoom/2af6bc16f25822d6d2f1429bc15f3d47f6c0bcb026ba387249d173fc753919b2.exe
behavioral10  win11-20240508-en  Mydoom/3d9f9c162e130c197301adb5a4e141f2e1ae8a19c85b457c429e8410a5c91464.exe
behavioral11  win11-20240426-en  Mydoom/3db846a796caa001666df8f7cae709fff02f984711b0e70e0e79c457d631b4e5.exe
behavioral12  win11-20240426-en  Mydoom/493813116f32ad6f455676cd54e32a2167ece845038202614cbb49e126f5afdc.exe
behavioral13  win11-20240426-en  Mydoom/4d61a61265cdd942cff973609170529eaf19579b5d17e64deccbd6f6f1fdfa08.exe
behavioral14  win11-20240508-en  Mydoom/5642f8bd3bc151349ded1a3c160c037c26194c9da2b7ace5d8ca11cddb57612a.exe
behavioral15  win11-20240426-en  Mydoom/6c37d14d5ad674e4c0fa8df0a999be6b27399936c9ff16f7fb30b802addb7b4c.exe
behavioral16  win11-20240426-en  Mydoom/6c3c9af653a28977257ce971ed701b1b893cdf67d5c57baa44a9d76c28675dc3.exe
behavioral17  win11-20240508-en  Mydoom/77186e57b2eeb3ed4b56cfe280d5eeea3155d9502217cda824600bc93d365320.exe
behavioral18  win11-20240508-en  Mydoom/7bca70a81cc9e1067e99e313802a4cc095f79bbc3a1aa86b7b3b9eabf3748e61.exe
behavioral19  win11-20240419-en  Mydoom/8e934dcd46eb57d42712d097deab6ce00ef1ce2db87d03f8d3d8e8c10da7e088.exe
behavioral20  win11-20240508-en  Mydoom/9a75c8e353df060ec927ada5990402b57764275f2a860d9cf500a661ec3de060.exe
behavioral21  win11-20240426-en  Mydoom/9e067453f09c5cbfa4c5a74fe3e70d7d8e66a25057e6c35240dce5a40ec31bf3.exe
behavioral22  win11-20240426-en  Mydoom/Mydoom Ransomwares/1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
behavioral23  win11-20240508-en  Mydoom/Mydoom Ransomwares/1fb613ee3b0e7f96f5dea029aae31b86340b0724e88f84a76b386af84d1cf95c.exe
behavioral24  win11-20240426-en  Mydoom/Mydoom Ransomwares/5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe
behavioral25  win11-20240426-en  Mydoom/Mydoom Ransomwares/84ee7e5c055fd25204ca4969940292b03da9d45b5048cbb7f7ba8528b88a2859.exe
behavioral26  win11-20240508-en  Mydoom/Mydoom Ransomwares/cc3b570fa8f87354f06a20d8873c45087684c217f1b434b3b0048acd96fe3e64.exe
behavioral27  win11-20240426-en  Mydoom/Mydoom Ransomwares/dd286a4d79d0f4c2b906073c7f46680252ca09c1c39b0dc12c92097c56662876.exe
behavioral28  win11-20240426-en  Mydoom/a9a89ed0d139fbc436794f5d3a8e58c547247039d8c86767b1e2f2bce40e390f.exe
behavioral29  win11-20240426-en  Mydoom/b4ab8f5c8b97307b328ba30fdefdbe4341c4e2c576729fdb5c7329d5b07bb695.exe
behavioral30  win11-20240508-en  Mydoom/c03431309015563257e5e118656d07ce136f151339054b9f66894ecf9dde9aef.exe
behavioral31  win11-20240508-en  Mydoom/c45a330cf80c33977658649596d4867301e928381c5fc37ec3edabfad2251324.exe
behavioral32  win11-20240426-en  Mydoom/d42fc4dabd9a9e74156d1a856cb542ed2e0796d2d7c6b976c0ac5421a87f9806.exe
General

Target: Mydoom/0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe
Size: 9.4MB
MD5: 813b749967045532f86e6442447bcd8b
SHA1: 8d0615e7f7ba672a3fc94c05a9451f9d08797af7
SHA256: 0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464
SHA512: 47c16f403ab33ebb9e59c7c3a053dc29d0d654174d2be9153966ad9fc873e641f34ab44c7e38fb4c6fd376b384d4e1da0dacafb384e9abb1c7eb92cb32533877
SSDEEP: 24576:GYx7SFGwWG8/Ad5kybgeK8uQY2ZqR7NlaDbTxnVhv2MMLdGIhJ:IFFbK8q2ZhDbTNv2MuV
Malware Config

Signatures

In the tables below, SAMPLE.exe stands for 0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe.

DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  resource: behavioral4/memory/3824-6-0x0000000000400000-0x0000000000538000-memory.dmp
  yara_rule: dcrat

Executes dropped EXE (2 IoCs)
  pid   Process
  1480  OfficeClickToRun.exe
  4652  OfficeClickToRun.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (25 IoCs)
  pid   Process               entries
  4976  SAMPLE.exe            13
  1480  OfficeClickToRun.exe  12

Suspicious use of SetThreadContext (2 IoCs)
  description                          pid   Process               procid_target
  PID 4976 set thread context of 3824  4976  SAMPLE.exe            85
  PID 1480 set thread context of 4652  1480  OfficeClickToRun.exe  112

Drops file in Program Files directory (9 IoCs; Process is SAMPLE.exe for every entry)
  description                   ioc
  File created                  C:\Program Files\Windows NT\Accessories\en-US\0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe
  File created                  C:\Program Files\Windows NT\Accessories\en-US\8b2be0cc7bfe8939c8722c1b6ee8c4ef4a8ee2ce
  File created                  C:\Program Files\Microsoft Office 15\ClientX64\f3b6ecef712a24f33798f5d2fb3790c3d9b894c4
  File opened for modification  C:\Program Files\Microsoft Office\dllhost.exe
  File created                  C:\Program Files\Microsoft Office\5940a34987c99120d96dace90a3f93f329dcad63
  File created                  C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\explorer.exe
  File created                  C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\7a0fd90576e08807bde2cc57bcf9854bbce05fe3
  File created                  C:\Program Files\Microsoft Office 15\ClientX64\spoolsv.exe
  File created                  C:\Program Files\Microsoft Office\dllhost.exe

Drops file in Windows directory (2 IoCs; Process is SAMPLE.exe for both)
  description   ioc
  File created  C:\Windows\InputMethod\CHT\OfficeClickToRun.exe
  File created  C:\Windows\InputMethod\CHT\e6c9b481da804f07baff8eff543b0a1441069b5d

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Program crash (2 IoCs)
  pid   pid_target  Process       procid_target
  2784  4976        WerFault.exe  75
  1992  1480        WerFault.exe  102

Creates scheduled task(s) (1 TTPs, 6 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid (all schtasks.exe): 1192, 916, 4620, 1588, 1292, 2060

Delays execution with timeout.exe (6 IoCs)
  pid (all timeout.exe): 3124, 3924, 4724, 2228, 3040, 4008

Suspicious behavior: EnumeratesProcesses (8 IoCs)
  pid   Process               entries
  4976  SAMPLE.exe            3
  3824  SAMPLE.exe            1
  1480  OfficeClickToRun.exe  3
  4652  OfficeClickToRun.exe  1

Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description               pid   Process
  Token: SeDebugPrivilege   4976  SAMPLE.exe
  Token: SeDebugPrivilege   3824  SAMPLE.exe
  Token: SeDebugPrivilege   1480  OfficeClickToRun.exe
  Token: SeDebugPrivilege   4652  OfficeClickToRun.exe

Suspicious use of WriteProcessMemory (64 IoCs; identical entries grouped, count in the last column)
  writer pid  writer Process        target pid  procid_target  entries
  4976        SAMPLE.exe            3968        76             3
  3968        cmd.exe               2228        78             3
  4976        SAMPLE.exe            920         79             3
  920         cmd.exe               3040        81             3
  4976        SAMPLE.exe            1216        82             3
  1216        cmd.exe               4008        84             3
  4976        SAMPLE.exe            3824        85             9
  3824        SAMPLE.exe            916         90             3
  3824        SAMPLE.exe            4620        92             3
  3824        SAMPLE.exe            1588        94             3
  3824        SAMPLE.exe            1292        96             3
  3824        SAMPLE.exe            2060        98             3
  3824        SAMPLE.exe            1192        100            3
  3824        SAMPLE.exe            1480        102            3
  1480        OfficeClickToRun.exe  4540        103            3
  4540        cmd.exe               3124        105            3
  1480        OfficeClickToRun.exe  1164        106            3
  1164        cmd.exe               3924        108            3
  1480        OfficeClickToRun.exe  3912        109            3
  3912        cmd.exe               4724        111            1
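The two signatures that carry the verdict here are SetThreadContext and the nine WriteProcessMemory calls from PID 4976 into a suspended copy of itself (3824), repeated once more by the dropped OfficeClickToRun.exe (1480 into 4652): that is the process-hollowing sequence, and the dcrat YARA hit lands on 3824's memory rather than on the file on disk, so the "Mydoom" folder name tells you nothing about the family. The script below is an added example, not code from the sandbox, the report or the sample: it re-parses the two signature lists in the flat layout the page renders them (reconstructed here as Python strings from the entries above) and correlates them. Function names and the REPORT_IOC_CAP constant are this example's own assumptions.

```python
"""Correlate two sandbox signature lists into a process-hollowing finding.

Added example, not code from the sandbox or the sample. The input strings are
constructed: they reproduce this report's 'Suspicious use of WriteProcessMemory'
and 'Suspicious use of SetThreadContext' entries in the flat layout the page
shows. Function names and REPORT_IOC_CAP are this example's own assumptions.
"""
import re
from collections import Counter

SAMPLE = "0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe"
REPORT_IOC_CAP = 64  # assumption: the report lists at most 64 entries per signature


def _run(src, dst, image, target, n):
    """Build n identical 'wrote to memory' records, as the report repeats them."""
    return " ".join(f"PID {src} wrote to memory of {dst} {src} {image} {target}" for _ in range(n))


# Constructed input: all 64 WriteProcessMemory entries from this report.
WRITE_PROCESS_MEMORY = " ".join([
    _run(4976, 3968, SAMPLE, 76, 3), _run(3968, 2228, "cmd.exe", 78, 3),
    _run(4976, 920, SAMPLE, 79, 3), _run(920, 3040, "cmd.exe", 81, 3),
    _run(4976, 1216, SAMPLE, 82, 3), _run(1216, 4008, "cmd.exe", 84, 3),
    _run(4976, 3824, SAMPLE, 85, 9),            # parent -> its own suspended copy
    _run(3824, 916, SAMPLE, 90, 3), _run(3824, 4620, SAMPLE, 92, 3),
    _run(3824, 1588, SAMPLE, 94, 3), _run(3824, 1292, SAMPLE, 96, 3),
    _run(3824, 2060, SAMPLE, 98, 3), _run(3824, 1192, SAMPLE, 100, 3),
    _run(3824, 1480, SAMPLE, 102, 3),           # child -> dropped OfficeClickToRun.exe
    _run(1480, 4540, "OfficeClickToRun.exe", 103, 3), _run(4540, 3124, "cmd.exe", 105, 3),
    _run(1480, 1164, "OfficeClickToRun.exe", 106, 3), _run(1164, 3924, "cmd.exe", 108, 3),
    _run(1480, 3912, "OfficeClickToRun.exe", 109, 3), _run(3912, 4724, "cmd.exe", 111, 1),
])

# Constructed input: the two SetThreadContext entries from this report.
SET_THREAD_CONTEXT = (
    f"PID 4976 set thread context of 3824 4976 {SAMPLE} 85 "
    "PID 1480 set thread context of 4652 1480 OfficeClickToRun.exe 112"
)

WRITE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)")
CTX_RE = re.compile(r"PID (\d+) set thread context of (\d+) \1 (\S+) (\d+)")


def parse_writes(text):
    """Count WriteProcessMemory records per (writer pid, target pid, writer image)."""
    return Counter((int(s), int(d), img) for s, d, img, _ in WRITE_RE.findall(text))


def parse_thread_context(text):
    """Set of (pid, target pid, image) triples that called SetThreadContext."""
    return {(int(s), int(d), img) for s, d, img, _ in CTX_RE.findall(text)}


def writes_truncated(writes):
    """True when the list hit the display cap: a pair missing from it may simply
    have fallen off the end, as 1480 -> 4652 does in this report."""
    return sum(writes.values()) >= REPORT_IOC_CAP


def find_hollowing(writes, thread_ctx):
    """SetThreadContext on a process you also wrote into is the hollowing
    primitive (create suspended, overwrite the image, move the entry point,
    resume). Return one finding per such pair with the writes observed."""
    return [
        {"parent": s, "child": d, "image": img, "writes": writes.get((s, d, img), 0)}
        for s, d, img in sorted(thread_ctx)
    ]


if __name__ == "__main__":
    writes = parse_writes(WRITE_PROCESS_MEMORY)
    for finding in find_hollowing(writes, parse_thread_context(SET_THREAD_CONTEXT)):
        print(finding)
    print("list truncated:", writes_truncated(writes))
```

The 1480 to 4652 pair comes back with zero writes even though the tree shows 4652 executing the dropped EXE; that is the 64-entry cap, not evidence of a different injection technique, which is why the truncation check belongs next to the correlation.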
Processes

(indentation shows parent/child depth; the quoted line under each path is the command line)

C:\Users\Admin\AppData\Local\Temp\Mydoom\0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe
  "C:\Users\Admin\AppData\Local\Temp\Mydoom\0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe"
  PID 4976
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c timeout 1
      PID 3968
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\timeout.exe
          timeout 1
          PID 2228
          - Delays execution with timeout.exe

    C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c timeout 1
      PID 920
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\timeout.exe
          timeout 1
          PID 3040
          - Delays execution with timeout.exe

    C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c timeout 1
      PID 1216
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\timeout.exe
          timeout 1
          PID 4008
          - Delays execution with timeout.exe

    C:\Users\Admin\AppData\Local\Temp\Mydoom\0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe
      "C:\Users\Admin\AppData\Local\Temp\Mydoom\0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe"
      PID 3824
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\schtasks.exe
          "schtasks" /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\dllhost.exe'" /rl HIGHEST /f
          PID 916
          - Creates scheduled task(s)

        C:\Windows\SysWOW64\schtasks.exe
          "schtasks" /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\explorer.exe'" /rl HIGHEST /f
          PID 4620
          - Creates scheduled task(s)

        C:\Windows\SysWOW64\schtasks.exe
          "schtasks" /create /tn "dllhost" /sc ONLOGON /tr "'C:\Documents and Settings\dllhost.exe'" /rl HIGHEST /f
          PID 1588
          - Creates scheduled task(s)

        C:\Windows\SysWOW64\schtasks.exe
          "schtasks" /create /tn "0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\en-US\0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe'" /rl HIGHEST /f
          PID 1292
          - Creates scheduled task(s)

        C:\Windows\SysWOW64\schtasks.exe
          "schtasks" /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\spoolsv.exe'" /rl HIGHEST /f
          PID 2060
          - Creates scheduled task(s)

        C:\Windows\SysWOW64\schtasks.exe
          "schtasks" /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Windows\InputMethod\CHT\OfficeClickToRun.exe'" /rl HIGHEST /f
          PID 1192
          - Creates scheduled task(s)

        C:\Windows\InputMethod\CHT\OfficeClickToRun.exe
          "C:\Windows\InputMethod\CHT\OfficeClickToRun.exe"
          PID 1480
          - Executes dropped EXE
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - Suspicious use of SetThreadContext
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /c timeout 1
              PID 4540
              - Suspicious use of WriteProcessMemory

                C:\Windows\SysWOW64\timeout.exe
                  timeout 1
                  PID 3124
                  - Delays execution with timeout.exe

            C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /c timeout 1
              PID 1164
              - Suspicious use of WriteProcessMemory

                C:\Windows\SysWOW64\timeout.exe
                  timeout 1
                  PID 3924
                  - Delays execution with timeout.exe

            C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /c timeout 1
              PID 3912
              - Suspicious use of WriteProcessMemory

                C:\Windows\SysWOW64\timeout.exe
                  timeout 1
                  PID 4724
                  - Delays execution with timeout.exe

            C:\Windows\InputMethod\CHT\OfficeClickToRun.exe
              "C:\Windows\InputMethod\CHT\OfficeClickToRun.exe"
              PID 4652
              - Executes dropped EXE
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken

            C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 1480 -s 1752
              PID 1992
              - Program crash

    C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4976 -s 1196
      PID 2784
      - Program crash

C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4976 -ip 4976
  PID 4304

C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1480 -ip 1480
  PID 1704
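The persistence in this tree is six ONLOGON tasks at /rl HIGHEST, each pointing at a dropped copy of the sample renamed after a Windows binary (dllhost.exe, explorer.exe, spoolsv.exe, OfficeClickToRun.exe) in a directory where that binary never lives, plus one task named after the sample's own hash. The script below is an added example, not code from the report or the sample: it parses the six schtasks command lines from the tree above (copied into a list) and flags the masquerading action paths. The EXPECTED_DIRS map of legitimate locations and the function names are this example's assumptions; on a real host, extend the map from a known-good image.

```python
"""Flag scheduled tasks whose action is a system-binary name in the wrong place.

Added example, not from the sandbox report. SCHTASKS_CMDLINES are the six
command lines from the report's process tree, copied into a list;
EXPECTED_DIRS (where those binary names legitimately live) and the function
names are this example's assumptions.
"""
import re
from pathlib import PureWindowsPath

# Assumption: legitimate directories (lower-cased) for the names the sample borrows.
EXPECTED_DIRS = {
    "dllhost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "explorer.exe": {r"c:\windows", r"c:\windows\syswow64"},
    "spoolsv.exe": {r"c:\windows\system32"},
    "officeclicktorun.exe": {r"c:\program files\common files\microsoft shared\clicktorun"},
}

# Copied from the process tree (argument part of each schtasks invocation).
SCHTASKS_CMDLINES = [
    r"""schtasks /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\dllhost.exe'" /rl HIGHEST /f""",
    r"""schtasks /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\explorer.exe'" /rl HIGHEST /f""",
    r"""schtasks /create /tn "dllhost" /sc ONLOGON /tr "'C:\Documents and Settings\dllhost.exe'" /rl HIGHEST /f""",
    r"""schtasks /create /tn "0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\en-US\0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe'" /rl HIGHEST /f""",
    r"""schtasks /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\spoolsv.exe'" /rl HIGHEST /f""",
    r"""schtasks /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Windows\InputMethod\CHT\OfficeClickToRun.exe'" /rl HIGHEST /f""",
]

TN_RE = re.compile(r'/tn\s+"([^"]+)"', re.IGNORECASE)
TR_RE = re.compile(r'''/tr\s+"'?([^"']+)'?"''', re.IGNORECASE)  # /tr value, both quote layers stripped
HEX_NAME_RE = re.compile(r"[0-9a-f]{32,64}")


def parse_task(cmdline):
    """Task name, action path and the two switches that make a task dangerous."""
    upper = cmdline.upper()
    return {
        "name": TN_RE.search(cmdline).group(1),
        "action": TR_RE.search(cmdline).group(1),
        "on_logon": "/SC ONLOGON" in upper,
        "highest": "/RL HIGHEST" in upper,
    }


def is_masquerading(path):
    """True when the file name belongs to a well-known Windows binary but the
    directory is not one of the places that binary is installed."""
    p = PureWindowsPath(path)
    expected = EXPECTED_DIRS.get(p.name.lower())
    return expected is not None and str(p.parent).lower() not in expected


def triage_tasks(cmdlines):
    """Score each task: logon trigger + highest run level + either a
    masquerading action path or a hash-looking task name."""
    findings = []
    for cmdline in cmdlines:
        t = parse_task(cmdline)
        t["masquerading"] = is_masquerading(t["action"])
        t["hash_name"] = HEX_NAME_RE.fullmatch(t["name"]) is not None
        t["suspicious"] = t["on_logon"] and t["highest"] and (t["masquerading"] or t["hash_name"])
        findings.append(t)
    return findings


if __name__ == "__main__":
    for t in triage_tasks(SCHTASKS_CMDLINES):
        print(t["suspicious"], t["name"], "->", t["action"])
```

The same check applies to the live task store: feed it the Actions element of each task XML under C:\Windows\System32\Tasks, or the output of a schtasks query, rather than a sandbox tree.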
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 9.4MB
MD5: 813b749967045532f86e6442447bcd8b
SHA1: 8d0615e7f7ba672a3fc94c05a9451f9d08797af7
SHA256: 0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464
SHA512: 47c16f403ab33ebb9e59c7c3a053dc29d0d654174d2be9153966ad9fc873e641f34ab44c7e38fb4c6fd376b384d4e1da0dacafb384e9abb1c7eb92cb32533877