8f78806e212e18346b63aebddef9d4ffdc15e12d6c6485b73353989f382acb88

Analysis

max time kernel
99s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14-08-2024 14:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f-mydoom.exe
Size

111KB
MD5

91800f7d2ca85deedba2735c8b4505ce
SHA1

92fe08cb0213e0e07fdd0382da0178834ef5e401
SHA256

e98dccc92e1733f8736678d82b3d1a8c6388b8cb1e42a5083d113cf75fb0577d
SHA512

89359ccbe64ee1fec2ac7446b3022cd38e2316507b1a938fbf5a3171c8b43333dd6b04b1faa597dbe6e20fd243056798336805405bedfb761e9d4ee649109a40
SSDEEP

3072:eL//liK0SY+3CPzEWrfxCuXhcxM7uu2hFgzp:G//liK0SY+3CP2uXKar2h2

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Drops file in Windows directory 1 IoCs

Processes:

f-mydoom.exe

description ioc process

File opened for modification C:\Windows\f-mydoom.log f-mydoom.exe
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

f-mydoom.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language f-mydoom.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

f-mydoom.exe

pid process

5188 f-mydoom.exe
5188 f-mydoom.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

f-mydoom.exe

description pid process

Token: SeDebugPrivilege 5188 f-mydoom.exe

description	ioc	process
File opened for modification	C:\Windows\f-mydoom.log	f-mydoom.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f-mydoom.exe

pid	process
5188	f-mydoom.exe
5188	f-mydoom.exe

description	pid	process
Token: SeDebugPrivilege	5188	f-mydoom.exe

C:\Users\Admin\AppData\Local\Temp\f-mydoom.exe
"C:\Users\Admin\AppData\Local\Temp\f-mydoom.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads